[godawgs]

hi I am now on an old laptop because I removed spybot and restarted the laptop I then did the windows gadget fix and now there is nothing on my lap top.

I'm sorry, but I don't quite understand what you are saying. What "windows gadget fix" are you referring to?

When you say there's nothing on your laptop do you mean the desktop is gone and there isn't any files/folders when you bring up Windows Explorer?

When you say you can't log on do you mean you can't log on to windows?

When you re-downloaded Chrome were you able to install it on the sick computer?

[Advertisements]

I am on the sick laptop and down loaded chrome again as it was not on my desk top


I did windows side bar info and then uninstalled livid when the laptop restarted all my pictures downloads have gone. There are no icons for IE or google on my desk top

I did this


Windows Sidebar Info

Microsoft has discovered a security vulnerability in Windows Sidebar and Gadgets. Your log shows Windows sidebar running.
I recommend that you disable the sidebar.
Please see the following articles for information on how to do that:

Microsoft Security Advisor

Microsoft Urges Users to Shut Down Windows Gadgets or Risk Attack

Microsoft fix kills Windows Gadgets, warns it could lead to PC hijacks

[dustypink]

I am on the sick laptop and down loaded chrome again as it was not on my desk top


I did windows side bar info and then uninstalled livid when the laptop restarted all my pictures downloads have gone. There are no icons for IE or google on my desk top

I did this


Windows Sidebar Info

Microsoft has discovered a security vulnerability in Windows Sidebar and Gadgets. Your log shows Windows sidebar running.
I recommend that you disable the sidebar.
Please see the following articles for information on how to do that:

Microsoft Security Advisor

Microsoft Urges Users to Shut Down Windows Gadgets or Risk Attack

Microsoft fix kills Windows Gadgets, warns it could lead to PC hijacks

[godawgs]

Did you run the Fixit?

[dustypink]

yes i think so

[godawgs]

Running the Microsoft FixIt or uninstalling iLivid wouldn't have anything to do with the pictures on the computer or the desktop icons. I'm thinking it's the malware. Please complete Steps 2, 3 and 4 of post #12 and post the logs.

[dustypink]

Ok Will do . Just to let you know that I can not save any pictures it is telling me there is no where to save them

[dustypink]

OTL has gone. When I try and down load it to desk top it says there is no location to down load it to

[dustypink]

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
Registry value HKEY_USERS\S-1-5-21-2224336733-3827985366-2820195230-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\\{687578b9-7132-4a7a-80e4-30ee31099e03} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{687578b9-7132-4a7a-80e4-30ee31099e03}\ not found.
Registry key HKEY_USERS\S-1-5-21-2224336733-3827985366-2820195230-1001\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
C:\Users\amanda\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\searchplugin folder moved successfully.
C:\Users\amanda\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\modules folder moved successfully.
C:\Users\amanda\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\META-INF folder moved successfully.
C:\Users\amanda\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\defaults folder moved successfully.
C:\Users\amanda\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\components folder moved successfully.
C:\Users\amanda\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\chrome folder moved successfully.
C:\Users\amanda\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03} folder moved successfully.
Registry value HKEY_USERS\S-1-5-21-2224336733-3827985366-2820195230-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{687578B9-7132-4A7A-80E4-30EE31099E03} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{687578B9-7132-4A7A-80E4-30EE31099E03}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA deleted successfully.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\Windows\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.97\cmd.bat deleted successfully.
C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.97\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0375E17E-14B0-46C7-B379-4191E066ABE1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0375E17E-14B0-46C7-B379-4191E066ABE1}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{94F6D316-E682-4033-AD13-A0031AEE90D2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94F6D316-E682-4033-AD13-A0031AEE90D2}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Journal

User: RegBack

User: systemprofile

User: TxR

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21953434 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50266 bytes
RecycleBin emptied: 1026 bytes

Total Files Cleaned = 21.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12202012_201851

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

[dustypink]

I can not do step 3..when I click on scan the laptop shows a blue screen with writing on it then shuts down. Do you want me to do step 4.

Also there are times when a box comes up stating toshiba notepad is not working another box states windows explorer is shutting down


All my photos etc have returned

[godawgs]

Yes. See if you can do step 4 please.

[dustypink]

.

Edited by dustypink, 21 December 2012 - 01:42 PM.

[dustypink]

# AdwCleaner v2.101 - Logfile created 12/21/2012 at 19:41:15
# Updated 16/12/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : amanda - AMANDA-TOSH
# Boot Mode : Normal
# Running from : C:\Users\amanda\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Users\Public\Desktop\eBay.lnk
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Program Files (x86)\ConduitEngine
Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\ProgramData\InstallMate
Folder Found : C:\ProgramData\Premium
Folder Found : C:\Users\amanda\AppData\Local\Conduit
Folder Found : C:\Users\amanda\AppData\Local\Ilivid Player
Folder Found : C:\Users\amanda\AppData\LocalLow\Conduit
Folder Found : C:\Users\amanda\AppData\LocalLow\ConduitEngine
Folder Found : C:\Users\amanda\AppData\LocalLow\TheBflix
Folder Found : C:\Users\amanda\AppData\Roaming\iWin

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\conduitEngine
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\searchqutoolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll
Key Found : HKLM\SOFTWARE\Classes\AppID\DNSBHO.dll
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{841D5A49-E48D-413C-9C28-EB3D9081D705}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}
Key Found : HKLM\SOFTWARE\DataMngr
Key Found : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Users\amanda\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3243 octets] - [21/12/2012 19:41:15]

########## EOF - C:\AdwCleaner[R1].txt - [3303 octets] ##########

[godawgs]

Hi,
I'm looking at the last logs now. Sorry I didn't get back yesterday...things came up. I'll be back shortly with some new instructions.

[godawgs]

OK,

That's a littile progress.

Here's one thing that concerns me. This is from the Extras.txt log you posted:

Error - 12/17/2012 9:44:10 AM | Computer Name = amanda-TOSH | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

I have discussed this with a colleague. This is usually an indication that the mother board is going bad. But I've also seen system errors like this that went away when the malware was removed. So what we want to do is remove the malware (if it isn't the mother board) and then see where we are.

The system crashes when aswMBR is run is also an indication that malware is preventing it from running.

In this round we are gonna run AdwCleaner again and have it remove the rest of the bad toolbar and BHO items on the machine. Then I want to rename aswMBR and see if we can get it to run.


Step-1.

Re-run AdwCleaner Fix

Close all open windows and browsers.

Re-open AdwCleaner

• Double click the adwcleaner.exe file to run AdwCleaner. (Vista and 7 users)right click The adwcleaner.exe, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  
• Click the Deletion button and wait for the scan.
  
  
• Everything that was found will be deleted.
• When the scan ends, a report appears.
• Once done it will ask to reboot, allow this
  
  
  
• On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner[S1].txt

Step-2.

Run aswMBR

Change the name of the aswMBR.exe file. To do that:

• Right click on the aswMBR.exe file and click Rename in the context menu.
• Rename the aswMBR.exe file to iexplore.exe.

• Double click the iexplore.exe file to run it. (Windows /7 users: Right click the file and click Run as Administrator. If you get a UAC window, allow the file to run.
• If it asks you if you want to download the latest virus definitions, click "No"
  
  
• Click the "Scan" button to start the scan
  
  
• On completion of the scan click save log. Save it to your desktop and post in your next reply.
  

NOTE: When you run aswMBR, if it is shutdown automatically, then it is most likely the infection detecting that aswMBR is running and terminating it. In this situation you should rename executable to iexplore.exe and try it again.


Step-3.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The AdwCleaner[S1].txt log
2. The aswMBR (iexplore.exe) log

[dustypink]

ok just to let you know when I re boot the blue screen comes up for ages about 3 minutes

# AdwCleaner v2.101 - Logfile created 12/22/2012 at 16:38:56
# Updated 16/12/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : amanda - AMANDA-TOSH
# Boot Mode : Normal
# Running from : C:\Users\amanda\Desktop\adwcleaner (1).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Public\Desktop\eBay.lnk
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\ConduitEngine
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\Users\amanda\AppData\Local\Conduit
Folder Deleted : C:\Users\amanda\AppData\Local\Ilivid Player
Folder Deleted : C:\Users\amanda\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\amanda\AppData\LocalLow\ConduitEngine
Folder Deleted : C:\Users\amanda\AppData\LocalLow\TheBflix
Folder Deleted : C:\Users\amanda\AppData\Roaming\iWin

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\searchqutoolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DNSBHO.dll
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{841D5A49-E48D-413C-9C28-EB3D9081D705}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}
Key Deleted : HKLM\SOFTWARE\DataMngr
Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Users\amanda\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3362 octets] - [21/12/2012 19:41:15]
AdwCleaner[S1].txt - [3385 octets] - [22/12/2012 16:38:56]

########## EOF - C:\AdwCleaner[S1].txt - [3445 octets] ##########