
Internet Search Links being re-routed


2 replies to this topic

#1 Hadokin

  • Members
  • 2 posts

Posted 17 April 2009 - 11:39 PM

Hello Everyone,

I know this is only my second post, but I've followed the instructions outlined in the preparation topic and hope that someone can help me. I consider myself a fairly competent user and have been very particular about security on my system, having already gone through one bout of identity theft. I believe I was infected by some browser hijacking virus yesterday. I have an active subscription with McAfee Security Suite which, up until today, I had thought was doing a pretty good job.

While surfing yesterday, the McAfee notification popped up and alerted me to a Trojan, which it quarantined and deleted, or so I thought. I was then prompted to restart my machine. Since it was in the morning, I shut down my system, went to work, came home later and booted up (Vista 32bit). A window popped up asking me to choose a program to open a file that had "works" in the file name. It was not an executable. Having just completed a fresh install of my PC about a month ago, I thought this was somehow related to MS Works. I chose the stripped down word processor that comes with Works to try and open the file, but it failed, not recognizing the file type. (I know--I should've been more suspicious and just ignored the file until I could find out more about it). I believe that's when all my problems started.

While Googling around today, I noticed that my search results were being redirected to different commercial websites. I knew something was up and the first thing I did was to delete the cache, cookies, etc. using Delete All in IE7, and then went to advanced options to do a Reset. I then re-booted my computer, fired up IE again and still had the same problem. I then ran a full virus scan using McAfee. It found about 3 minor items (cookies), and one trojan which it was able to delete after another reboot. I tried to Google with IE again and still had the problem.

My next step was to do a System Restore. No joy. It said my files were corrupt. Ok. To rule out whether this was system-wide versus browser dependent, I downloaded and installed Firefox 3.0. A couple of searches with Firefox showed I had the same problem--I was getting redirected to various commercial and pay-per-click sites. Pop-up blocker caught most of the pop-ups and unders, but some were getting through. I jumped on my wife's PC and started doing some searches and came across folks with similar problems and tried some of their fixes. I tried to get the latest version of Microsoft's Malicious Software Removal tool, but it wouldn't let me. Instead of the file, I get a screen that says:

Internet Explorer cannot display the webpage
Most likely causes:
- You are not connected to the Internet
- The website is encountering problems.
- There might be a typing error in the address.

None of the above of course is true. So I turned to Mozilla. Same thing. I get a Page Load Error – Failed to Connect. Firefox can’t establish a connection to the server at download.microsoft.com. I had the same problems with trying to download Spybot S&D, and Malwarebytes. So I downloaded those on my wife's PC and copied them over the network to mine. This is where it really gets interesting. Neither of those programs could complete their installations. Spybot would choke when it got to the update part of the install and refused to go further because it couldn’t connect to the server. Malwarebytes crashed right after the install. So, I booted in Safe Mode and tried the installs again, to no effect.

Fortunately, Trend Micro’s Hijack This produced the log files, and that’s how I got redirected to you guys.

In the time it’s taken me to get to this point, I just checked my firewall logs and noticed 17 inbound attempts to access my PC in the past hour:

“A computer at 85.255.112.85.static.ukrtelegroup.com.ua has attempted an unsolicited connection to UDP port 63578 on your computer”

Not sure if this is related but it has me nervous. Seeing that I just went through the ordeal of reinstalling and re-configuring my system a month ago after a hard disk failure, I’d hate to have to do it again. That’s where I hope you guys can offer some assistance.

Based on these logs, if you see something that may indicate my system is compromised and that a complete reformat-reinstall is required (I hope not), please let me know. Otherwise, I would greatly appreciate any assistance in resolving this issue.

Please let me know what other information you require. I apologize for the wall of text, but wanted to be thorough.

Thank you.

=====================================


DDS (Ver_09-03-16.01) - NTFSx86
Run by Hadokin at 22:30:02.97 on Fri 04/17/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3325.2233 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Hadokin\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [InetChk] c:\users\hadokin\appdata\local\temp\ms1239913414.exe work
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [USBToolTip] "c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\hadokin\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\hadokin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.85,85.255.112.180
TCP: {6E515926-5E7C-4A87-8829-9DFFEECC14A9} = 85.255.112.85,85.255.112.180

================= FIREFOX ===================

FF - ProfilePath - c:\users\hadokin\appdata\roaming\mozilla\firefox\profiles\ri16ws83.default\

============= SERVICES / DRIVERS ===============

R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2009-3-25 134688]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
S2 SessionLauncher;SessionLauncher;c:\users\hadokin\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\hadokin\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-3-26 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-3-26 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]

=============== Created Last 30 ================

2009-04-17 21:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-17 21:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 21:50 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-17 21:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-17 21:50 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-17 21:22 <DIR> --d----- c:\program files\Trend Micro
2009-04-17 20:42 <DIR> --d----- C:\SDFix
2009-04-17 13:17 153,088 a------- c:\program files\UNWISE.EXE
2009-04-14 21:45 0 a------- C:\LHT62C8.tmp
2009-04-14 19:01 <DIR> --d----- c:\windows\system32\AGEIA
2009-04-14 19:01 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-14 19:00 <DIR> --d----- C:\NVIDIA
2009-04-14 12:39 <DIR> --d----- c:\users\hadokin\appdata\roaming\Intuit
2009-04-14 12:39 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2009-04-14 12:35 <DIR> --d----- c:\programdata\Intuit
2009-04-14 12:35 <DIR> --d----- c:\program files\common files\Intuit
2009-04-14 12:35 <DIR> --d----- c:\progra~2\Intuit
2009-04-14 12:34 <DIR> --d----- c:\program files\TurboTax
2009-04-04 02:29 <DIR> --d----- c:\program files\Photo Story 3 for Windows
2009-04-04 01:24 322,571,017 a------- c:\windows\MEMORY.DMP
2009-04-03 23:28 17 a------- c:\windows\MovingPicture.ini
2009-04-03 23:11 <DIR> --d----- c:\program files\AdorageI-SAL
2009-04-03 23:11 <DIR> --d----- c:\program files\AdorageI-GfxDatas
2009-04-03 22:40 <DIR> --d----- c:\users\hadokin\appdata\roaming\proDAD
2009-04-03 22:40 <DIR> --d----- c:\program files\proDAD
2009-04-03 22:22 401,408 a------- c:\windows\system32\pvmjpg30.dll
2009-04-03 22:22 44,544 a------- c:\windows\system32\msxml4a.dll
2009-04-03 22:22 1,712,128 a------- c:\windows\system32\GDIPLUS.DLL
2009-04-03 22:19 84,992 a------- c:\windows\system32\ATL70.DLL
2009-04-03 22:19 138,752 a------- c:\windows\system32\mase32.dll
2009-04-03 22:19 57,856 a------- c:\windows\system32\masd32.dll
2009-04-03 22:19 196,096 a------- c:\windows\system32\macd32.dll
2009-04-03 22:19 136,192 a------- c:\windows\system32\mamc32.dll
2009-04-03 22:19 27,648 a------- c:\windows\system32\ma32.dll
2009-04-03 22:18 14,165 a------- c:\windows\system32\drivers\Pclepci.sys
2009-04-03 22:16 441,472 a------- c:\windows\system32\drivers\MarvinUsb.sys
2009-04-03 22:16 196,608 a------- c:\windows\system32\MarvinUsb.ax
2009-04-03 22:16 81,920 a------- c:\windows\system32\PCLECoInst.dll
2009-04-03 22:14 <DIR> --d----- c:\programdata\Pinnacle Studio
2009-04-03 22:14 <DIR> --d----- c:\progra~2\Pinnacle Studio
2009-04-03 21:57 <DIR> --d----- c:\programdata\Pinnacle
2009-04-03 21:57 <DIR> --d----- c:\program files\Pinnacle
2009-04-02 13:28 <DIR> --d----- c:\users\hadokin\appdata\roaming\Flickr
2009-04-02 13:28 <DIR> --d----- c:\program files\Flickr Uploadr
2009-03-31 20:56 <DIR> --d----- c:\programdata\Azureus
2009-03-31 20:56 <DIR> --d----- c:\progra~2\Azureus
2009-03-31 20:56 <DIR> --d----- c:\users\hadokin\appdata\roaming\Azureus
2009-03-31 20:56 <DIR> --d----- c:\program files\Vuze
2009-03-31 20:56 <DIR> --d----- c:\program files\common files\i4j_jres
2009-03-31 20:48 <DIR> --d----- c:\program files\Sony Setup
2009-03-29 17:08 <DIR> --d----- c:\users\hadokin\appdata\roaming\mIRC
2009-03-29 17:08 <DIR> --d----- c:\program files\mIRC
2009-03-29 16:48 <DIR> --d----- c:\program files\common files\Real
2009-03-29 16:47 <DIR> --d----- c:\program files\Rhapsody
2009-03-29 15:47 <DIR> --d----- c:\programdata\Adobe Systems
2009-03-29 15:43 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2009-03-29 15:42 <DIR> --d----- c:\programdata\Adobe
2009-03-27 15:19 <DIR> --d----- c:\program files\Alcohol Soft
2009-03-27 15:16 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-03-27 15:01 0 a------- C:\LHT44BF.tmp
2009-03-27 13:14 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-03-27 13:14 <DIR> --d----- c:\programdata\Blizzard
2009-03-27 13:14 <DIR> --d----- c:\progra~2\Blizzard
2009-03-26 22:30 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-26 15:20 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-03-26 12:59 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-03-26 12:59 261,480 a------- c:\windows\system32\xactengine2_7.dll
2009-03-26 12:59 255,848 a------- c:\windows\system32\xactengine2_6.dll
2009-03-26 12:59 251,672 a------- c:\windows\system32\xactengine2_5.dll
2009-03-26 12:59 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-03-26 12:59 237,848 a------- c:\windows\system32\xactengine2_4.dll
2009-03-26 12:59 15,128 a------- c:\windows\system32\x3daudio1_1.dll
2009-03-26 12:59 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2009-03-26 12:25 299,923 a------- c:\windows\system32\drivers\sonyhcs.sys
2009-03-26 12:25 102,220 a------- c:\windows\system32\drivers\sonypvs1.sys
2009-03-26 12:25 53,248 a------- c:\windows\system32\SONYHCY.DLL
2009-03-26 12:25 38,739 a------- c:\windows\system32\drivers\sonyhcc.sys
2009-03-26 12:25 6,097 a------- c:\windows\system32\drivers\sonyhcb.sys
2009-03-26 12:25 3,654 a------- c:\windows\system32\drivers\Sonyhcp.dll
2009-03-26 12:25 <DIR> --d----- C:\Drivers
2009-03-26 12:24 122,864 a------- c:\windows\system32\PxInsI64.exe
2009-03-26 12:12 <DIR> --d----- c:\program files\Sony
2009-03-26 12:10 <DIR> --d----- c:\programdata\Sony Corporation
2009-03-26 12:10 <DIR> --d----- c:\progra~2\Sony Corporation
2009-03-26 11:46 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-26 11:46 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-26 11:46 <DIR> --d----- c:\program files\iPod
2009-03-26 11:46 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-26 11:46 <DIR> --d----- c:\program files\iTunes
2009-03-26 11:46 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-26 11:45 <DIR> --d----- c:\program files\Bonjour
2009-03-26 11:45 <DIR> --d----- c:\programdata\Apple Computer
2009-03-26 11:44 <DIR> --d----- c:\programdata\Apple
2009-03-26 11:18 <DIR> --d----- c:\programdata\Uninstall
2009-03-26 11:18 <DIR> --d----- c:\progra~2\Uninstall
2009-03-26 11:16 <DIR> --d----- c:\programdata\Sonic
2009-03-26 11:14 <DIR> --d----- c:\programdata\Roxio
2009-03-26 11:14 <DIR> --d----- c:\program files\common files\SureThing Shared
2009-03-26 11:12 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-03-26 11:12 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-03-26 11:10 <DIR> --d----- c:\programdata\InstallShield
2009-03-26 11:10 <DIR> --d----- c:\program files\Roxio
2009-03-26 11:09 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-03-26 11:09 443,752 a------- c:\windows\system32\d3dx10_33.dll
2009-03-26 11:09 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2009-03-26 10:04 376 a------- c:\windows\ODBC.INI
2009-03-26 10:04 28,040 a------- c:\windows\system32\mdimon.dll
2009-03-26 10:03 <DIR> --d----- c:\program files\common files\L&H
2009-03-26 10:03 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-03-26 10:02 <DIR> --d----- c:\windows\PCHEALTH
2009-03-26 09:50 1,080 a------- c:\windows\system32\settingsbkup.sfm
2009-03-26 09:50 1,080 a------- c:\windows\system32\settings.sfm
2009-03-26 09:43 54,904 a------- c:\windows\system32\BMXStateBkp-{00000002-00000000-00000007-00001102-00000005-002C1102}.rfx
2009-03-26 09:43 54,904 a------- c:\windows\system32\BMXState-{00000002-00000000-00000007-00001102-00000005-002C1102}.rfx
2009-03-26 09:43 788 a------- c:\windows\system32\DVCState-{00000002-00000000-00000007-00001102-00000005-002C1102}.rfx
2009-03-26 09:22 <DIR> --d----- c:\users\hadokin\appdata\roaming\Foxit
2009-03-26 09:22 <DIR> --d----- c:\program files\Foxit Software
2009-03-26 09:12 102,400 a------- c:\windows\system32\cttele32.dll
2009-03-26 09:12 <DIR> --d----- c:\programdata\Creative
2009-03-26 09:12 87 a---hr-- c:\windows\ctfile.rfc
2009-03-26 09:12 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-03-26 09:12 144,896 a------- c:\windows\system32\APOMngr.DLL
2009-03-26 09:12 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-03-26 09:12 71,168 a------- c:\windows\system32\CmdRtr.DLL
2009-03-26 09:12 <DIR> --d----- c:\program files\OpenAL
2009-03-26 09:11 11,776 a------- c:\windows\INRES.DLL
2009-03-26 09:11 <DIR> --d----- c:\windows\system32\Data
2009-03-26 09:11 <DIR> --d----- c:\program files\common files\Creative Labs Shared
2009-03-26 09:10 <DIR> --d----- c:\program files\Creative
2009-03-26 09:10 20,888,640 a------- c:\windows\system32\AppSetup.exe
2009-03-25 16:05 <DIR> --d----- c:\program files\Dell DataSafe Online
2009-03-25 15:59 106 a------- c:\users\hadokin\appdata\roaming\wklnhst.dat
2009-03-25 15:30 3,636 a------- c:\windows\system32\drivers\nvphy.bin
2009-03-25 15:09 20,247 a------- c:\windows\system32\Config.MPF
2009-03-25 15:08 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-25 15:07 213,640 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 15:07 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 15:07 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 15:07 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 15:07 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-25 15:07 130,424 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-25 15:07 <DIR> --d----- c:\program files\McAfee.com
2009-03-25 15:07 <DIR> --d----- c:\program files\common files\McAfee
2009-03-25 15:07 <DIR> --d----- c:\program files\McAfee
2009-03-25 15:05 <DIR> --d----- c:\programdata\McAfee
2009-03-25 14:56 364,544 a------- c:\windows\system32\nvraiins.dll
2009-03-25 14:56 364,544 a------- c:\windows\system32\nvraidco.dll
2009-03-25 14:56 134,688 a------- c:\windows\system32\drivers\nvrd32.sys
2009-03-25 14:56 110,624 a------- c:\windows\system32\drivers\nvstor32.sys
2009-03-25 14:54 4,155,936 a------- c:\windows\system32\nvvitvsr.dll
2009-03-25 14:54 2,980,384 a------- c:\windows\system32\nvwssr.dll
2009-03-25 14:54 2,861,600 a------- c:\windows\system32\nvmoblsr.dll
2009-03-25 14:54 465,440 a------- c:\windows\system32\nvmccssr.dll
2009-03-25 14:54 207,392 a------- c:\windows\system32\nvvsvc.exe
2009-03-25 14:54 92,704 a------- c:\windows\system32\nvmctray.dll
2009-03-25 14:54 5,806,624 a------- c:\windows\system32\nvdispsr.dll
2009-03-25 14:54 3,430,944 a------- c:\windows\system32\nvgamesr.dll
2009-03-25 14:54 150,048 a------- c:\windows\system32\nvcolor.exe
2009-03-25 14:54 118,784 a------- c:\windows\system32\nvcod130.dll
2009-03-25 14:54 <DIR> --d----- C:\dell
2009-03-25 14:52 <DIR> --d----- c:\programdata\NVIDIA
2009-03-25 14:51 <DIR> --d----- c:\windows\Panther
2009-03-25 14:51 8,192 a--s-r-- C:\BOOTSECT.BAK
2009-03-25 14:51 333,203 a--shr-- C:\bootmgr
2009-03-25 14:51 <DIR> --dsh--- C:\Boot
2009-03-25 14:51 24 a---hr-- c:\windows\dell_version
2009-03-25 14:51 <DIR> --d----- c:\windows\system32\OEM
2009-03-25 11:55 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-25 00:37 1,079,840 a------- c:\windows\system32\nvcpluir.dll
2009-03-25 00:37 801,312 a------- c:\windows\system32\nvcplui.exe
2009-03-25 00:37 453,152 a------- c:\windows\system32\nvuninst.exe
2009-03-25 00:37 420,384 a------- c:\windows\system32\nvcpl.cpl
2009-03-25 00:34 2,048 a------- c:\windows\system32\tzres.dll
2009-03-25 00:27 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-25 00:27 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-25 00:27 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-25 00:27 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-25 00:27 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-25 00:27 11,264 a------- c:\windows\system32\icardres.dll
2009-03-25 00:27 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-25 00:27 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-25 00:24 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-25 00:24 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-25 00:24 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-25 00:24 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-25 00:24 83,968 a------- c:\windows\system32\mscories.dll
2009-03-25 00:22 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-03-25 00:19 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-03-25 00:16 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-03-25 00:16 83,456 a------- c:\windows\system32\wudriver.dll
2009-03-25 00:16 162,064 a------- c:\windows\system32\wuwebv.dll
2009-03-25 00:16 31,232 a------- c:\windows\system32\wuapp.exe
2009-03-25 00:13 <DIR> --d----- c:\windows\system32\vmm32
2009-03-25 00:13 <DIR> --d----- c:\program files\Dell
2009-03-25 00:12 <DIR> --dsh--- c:\windows\Installer
2009-03-25 00:09 <DIR> --d----- c:\users\Hadokin

==================== Find3M ====================

2009-04-14 19:01 51,200 a------- c:\windows\inf\infpub.dat
2009-04-14 19:00 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-14 19:00 86,016 a------- c:\windows\inf\infstor.dat
2009-03-25 02:49 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-16 22:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 22:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 22:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 23:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 23:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 23:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-02 23:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 23:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 23:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 23:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-02 23:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 23:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 23:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 22:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 21:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 21:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-02-13 03:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 03:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-02-08 22:10 2,033,152 a------- c:\windows\system32\win32k.sys
2008-01-20 21:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:30:20.99 ===============
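As an added example (not code from the poster or from BleepingComputer), the Python script below applies the checks a malware-response helper would make to the Pseudo HJT Report above: it flags resolver addresses outside a trusted set, flags autostart entries launched from a temp directory, and correlates the rogue resolvers with the source address in the firewall alert quoted in the post. The sample lines are copied from the log above; the trusted ISP resolver range is a placeholder assumption.

```python
import ipaddress
import re

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and the
# firewall alert quoted in the post above; not a live capture.
SAMPLE_DDS = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [InetChk] c:\users\hadokin\appdata\local\temp\ms1239913414.exe work
S2 SessionLauncher;SessionLauncher;c:\users\hadokin\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\hadokin\appdata\local\temp\dx9\SessionLauncher.exe [?]
TCP: NameServer = 85.255.112.85,85.255.112.180
TCP: {6E515926-5E7C-4A87-8829-9DFFEECC14A9} = 85.255.112.85,85.255.112.180
"""
SAMPLE_FIREWALL = [
    "A computer at 85.255.112.85.static.ukrtelegroup.com.ua has attempted an "
    "unsolicited connection to UDP port 63578 on your computer",
]

# Resolvers this machine is expected to use: the RFC 1918 ranges (home router)
# plus the ISP's resolvers. The ISP range below is a placeholder assumption
# (TEST-NET-2), not a value from the post; substitute the real one.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "TCP:" lines carry either the global NameServer value or a per-adapter {GUID}.
NAMESERVER_RE = re.compile(r"^TCP:\s+(NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
# Autostart entries: uRun/mRun/mRunOnce registry keys and R0-R3/S2-S4 services.
RUNKEY_RE = re.compile(r"^[um]Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^[RS][0-4]\s+(?P<name>[^;]+);[^;]*;(?P<cmd>.*)$")
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_nameservers(dds_text):
    """Return (key, [ip, ...]) for every TCP: NameServer / {GUID} line."""
    found = []
    for line in dds_text.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if m:
            found.append((m.group(1), IPV4_RE.findall(m.group(2))))
    return found


def find_rogue_resolvers(dds_text):
    """Resolver addresses outside the trusted set, de-duplicated and sorted."""
    rogue = set()
    for _key, ips in parse_nameservers(dds_text):
        for ip in ips:
            try:
                trusted = any(ipaddress.IPv4Address(ip) in n for n in TRUSTED_RESOLVER_NETS)
            except ValueError:
                trusted = False  # a malformed resolver value deserves a look too
            if not trusted:
                rogue.add(ip)
    return sorted(rogue)


def find_temp_autoruns(dds_text):
    """Names of autostart entries whose command lives under a \\temp\\ directory."""
    hits = []
    for line in dds_text.splitlines():
        m = RUNKEY_RE.match(line.strip()) or SERVICE_RE.match(line.strip())
        if m and TEMP_PATH_RE.search(m.group("cmd")):
            hits.append(m.group("name"))
    return hits


def correlate_with_firewall(rogue_ips, firewall_alerts):
    """Rogue resolver IPs that also appear as sources in firewall alert text."""
    alert_ips = {ip for alert in firewall_alerts for ip in IPV4_RE.findall(alert)}
    return sorted(set(rogue_ips) & alert_ips)


def analyze(dds_text, firewall_alerts):
    rogue = find_rogue_resolvers(dds_text)
    return {
        "rogue_resolvers": rogue,
        "temp_autoruns": find_temp_autoruns(dds_text),
        "firewall_matches": correlate_with_firewall(rogue, firewall_alerts),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DDS, SAMPLE_FIREWALL).items():
        print(f"{key}: {value}")
```

A resolver that is also the source of unsolicited inbound traffic is a strong sign the DNS settings were changed by something on the box rather than by the ISP, which is why the two findings are correlated rather than reported separately.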

#2 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Location: Finland

Posted 24 April 2009 - 06:01 PM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Location: Finland

Posted 04 May 2009 - 09:28 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.





