Explorer redirect problem


This topic is locked
18 replies to this topic

#1 edwsal59

  • Members
  • 9 posts

Posted 26 June 2010 - 06:50 PM

Thank you for any help. Every time I use the MS Explorer search I'm redirected to another site. DDS log is below:

Thank you again.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Ed Lap at 19:00:32.74 on Sat 06/26/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3037.1798 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\IELowutil.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\temp\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100626104309.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: yahoo.com\m.www
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\windows\system32\chkwudrv32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-6-26 385536]
R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-6-26 160720]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-6-26 64304]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-1-1 176128]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-26 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-26 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-26 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-26 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-6-26 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-6-26 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-6-26 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-6-26 55456]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2010-2-24 64032]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-13 229888]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-26 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-26 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-6-26 312616]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-26 83496]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-3 1343400]

=============== Created Last 30 ================

2010-06-26 23:00:20 525824 ----a-w- c:\temp\dds.scr
2010-06-26 22:46:54 284915 ----a-w- c:\temp\gmer.zip
2010-06-26 22:08:07 0 d-----w- C:\!KillBox
2010-06-26 22:05:39 0 d-----w- c:\programdata\Yahoo! Companion
2010-06-26 22:05:35 0 d-----w- c:\program files\CCleaner
2010-06-26 21:43:30 0 d-----w- c:\program files\Trend Micro
2010-06-26 21:39:34 0 d-----w- c:\program files\Web fix
2010-06-26 14:43:08 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-06-26 14:42:19 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-06-26 14:42:19 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-26 14:42:19 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-06-26 14:42:19 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-26 14:42:19 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-06-26 14:42:19 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-06-26 14:42:19 160720 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-06-26 14:42:19 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-26 14:42:18 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-06-26 14:42:11 0 d-----w- c:\program files\McAfee.com
2010-06-26 14:42:11 0 d-----w- c:\program files\common files\Mcafee
2010-06-26 14:42:08 0 d-----w- c:\program files\McAfee
2010-06-26 12:03:47 0 d-----w- c:\programdata\McAfee
2010-06-26 12:03:28 0 d-----w- c:\temp\Apps
2010-06-26 12:03:28 0 d-----w- c:\temp\1033
2010-06-26 10:43:35 0 d-----w- C:\4ca054e8500836d603de534392
2010-06-25 03:08:24 763832 ----a-w- c:\windows\BDTSupport.dll.old
2010-06-25 03:08:24 1652664 ----a-w- c:\windows\PCTBDCore.dll.old
2010-06-25 01:06:41 0 d-----w- c:\programdata\WinZip
2010-06-24 23:18:22 325632 ----a-w- c:\programdata\bthci32.dll
2010-06-24 20:49:48 325632 ----a-w- c:\programdata\DevicePairing32.dll
2010-06-24 00:11:00 325632 ----a-w- c:\programdata\AppIdPolicyEngineApi32.dll
2010-06-23 23:18:26 0 d-----w- C:\norton Temp
2010-06-23 01:33:12 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 01:33:12 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 01:33:12 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 01:33:12 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 01:33:12 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 01:32:16 0 d-----w- c:\program files\MSXML 4.0
2010-06-23 01:09:27 0 d-----w- c:\users\edlap~1\appdata\roaming\Malwarebytes
2010-06-23 01:09:21 0 d-----w- c:\programdata\Malwarebytes
2010-06-22 21:46:00 50176 ----a-w- c:\users\edlap~1\appdata\roaming\4adf4511.exe
2010-06-22 21:28:37 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-06-22 21:28:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-22 21:28:29 417792 ----a-w- c:\windows\system32\msdri.dll
2010-06-22 21:28:29 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-06-22 21:28:29 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-06-22 00:21:16 90112 ----a-w- c:\windows\unvise32.exe
2010-06-22 00:18:48 0 d-----w- c:\program files\common files\Pinnacle
2010-06-22 00:17:36 0 d-----w- c:\programdata\Pinnacle Studio Ultimate Collection
2010-06-22 00:12:45 0 d-----w- c:\program files\common files\Pegasus Imaging
2010-06-22 00:12:44 0 d-----w- c:\programdata\Studio 14
2010-06-22 00:12:44 0 d-----w- c:\programdata\Pinnacle Studio Plus
2010-06-22 00:12:44 0 d-----w- c:\program files\common files\Yahoo!
2010-06-22 00:10:46 118784 ----a-w- c:\windows\system32\cngaudit32.dll
2010-06-22 00:10:21 320512 ----a-w- c:\windows\system32\bderepair32.dll
2010-06-22 00:09:07 0 d-----w- c:\program files\Pinnacle
2010-06-22 00:07:17 0 d-sh--w- c:\programdata\SysWoW32
2010-06-22 00:07:08 118784 ----a-w- c:\windows\system32\ATIDEMGX32.dll
2010-06-22 00:07:00 203776 --sh--w- c:\programdata\unrar.exe
2010-06-22 00:07:00 0 d-----w- c:\programdata\955528730
2010-06-22 00:06:58 325632 ----a-w- c:\programdata\CRPPresentation32.dll
2010-06-22 00:06:53 0 d-sh--w- c:\users\edlap~1\appdata\roaming\SystemProc
2010-06-22 00:06:44 320512 ----a-w- c:\windows\system32\cic32.dll
2010-06-22 00:06:42 208896 ----a-w- c:\windows\system32\chkwudrv32.dll
2010-06-21 21:10:36 0 d-----w- c:\temp\Pinnacle Studio 14 HD Ultimate Collection - by Mick
2010-06-21 01:17:57 0 d-----w- c:\program files\Yahoo!
2010-06-21 01:15:03 0 d-----w- c:\temp\Pinnacle Studio 14 HD Ultimate Collection - by Mick (Full Version)
2010-06-20 01:22:53 0 d-----w- c:\programdata\Pinnacle
2010-06-13 09:50:11 0 d-----w- c:\program files\Creative
2010-06-12 23:37:24 0 d-----w- c:\temp\Adobe_CS2_Large
2010-06-12 23:37:13 0 d-----w- C:\temp
2010-06-08 21:51:51 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-08 21:51:46 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 21:51:44 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-08 21:51:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 21:51:32 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-29 00:26:46 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-05-29 00:26:46 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-05-29 00:14:26 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-05-29 00:14:01 0 d-----w- c:\windows\PCHEALTH
2010-05-29 00:14:01 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-05-29 00:09:42 0 d-----w- c:\program files\Microsoft Analysis Services

==================== Find3M ====================

2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 01:17:46 12 ----a-w- c:\users\edlap~1\appdata\roaming\kqyvwo.dat
2010-04-23 07:13:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-08-19 19:47:33 37052 ----a-w- c:\windows\inf\perflib\041d\perfd.dat
2009-08-19 19:47:33 37052 ----a-w- c:\windows\inf\perflib\041d\perfc.dat
2009-08-19 19:47:33 294764 ----a-w- c:\windows\inf\perflib\041d\perfi.dat
2009-08-19 19:47:33 294764 ----a-w- c:\windows\inf\perflib\041d\perfh.dat
2009-08-19 18:31:41 39446 ----a-w- c:\windows\inf\perflib\0419\perfd.dat
2009-08-19 18:31:41 39446 ----a-w- c:\windows\inf\perflib\0419\perfc.dat
2009-08-19 18:31:41 336704 ----a-w- c:\windows\inf\perflib\0419\perfi.dat
2009-08-19 18:31:41 336704 ----a-w- c:\windows\inf\perflib\0419\perfh.dat
2009-08-19 18:25:23 43068 ----a-w- c:\windows\inf\perflib\0413\perfd.dat
2009-08-19 18:25:23 43068 ----a-w- c:\windows\inf\perflib\0413\perfc.dat
2009-08-19 18:25:23 341322 ----a-w- c:\windows\inf\perflib\0413\perfi.dat
2009-08-19 18:25:23 341322 ----a-w- c:\windows\inf\perflib\0413\perfh.dat
2009-08-19 18:19:37 36156 ----a-w- c:\windows\inf\perflib\0414\perfd.dat
2009-08-19 18:19:37 36156 ----a-w- c:\windows\inf\perflib\0414\perfc.dat
2009-08-19 18:19:37 298300 ----a-w- c:\windows\inf\perflib\0414\perfi.dat
2009-08-19 18:19:37 298300 ----a-w- c:\windows\inf\perflib\0414\perfh.dat
2009-08-19 18:14:15 37534 ----a-w- c:\windows\inf\perflib\0410\perfd.dat
2009-08-19 18:14:15 37534 ----a-w- c:\windows\inf\perflib\0410\perfc.dat
2009-08-19 18:14:15 335478 ----a-w- c:\windows\inf\perflib\0410\perfi.dat
2009-08-19 18:14:15 335478 ----a-w- c:\windows\inf\perflib\0410\perfh.dat
2009-08-19 18:08:30 38160 ----a-w- c:\windows\inf\perflib\040c\perfd.dat
2009-08-19 18:08:30 38160 ----a-w- c:\windows\inf\perflib\040c\perfc.dat
2009-08-19 18:08:30 344522 ----a-w- c:\windows\inf\perflib\040c\perfi.dat
2009-08-19 18:08:30 344522 ----a-w- c:\windows\inf\perflib\040c\perfh.dat
2009-08-19 18:02:49 38258 ----a-w- c:\windows\inf\perflib\040b\perfd.dat
2009-08-19 18:02:49 38258 ----a-w- c:\windows\inf\perflib\040b\perfc.dat
2009-08-19 18:02:49 279790 ----a-w- c:\windows\inf\perflib\040b\perfi.dat
2009-08-19 18:02:49 279790 ----a-w- c:\windows\inf\perflib\040b\perfh.dat
2009-08-19 17:57:50 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfd.dat
2009-08-19 17:57:50 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfc.dat
2009-08-19 17:57:50 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfi.dat
2009-08-19 17:57:50 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfh.dat
2009-08-19 17:52:05 38104 ----a-w- c:\windows\inf\perflib\0407\perfd.dat
2009-08-19 17:52:05 38104 ----a-w- c:\windows\inf\perflib\0407\perfc.dat
2009-08-19 17:52:05 295922 ----a-w- c:\windows\inf\perflib\0407\perfi.dat
2009-08-19 17:52:05 295922 ----a-w- c:\windows\inf\perflib\0407\perfh.dat
2009-08-19 17:46:48 39236 ----a-w- c:\windows\inf\perflib\0406\perfd.dat
2009-08-19 17:46:48 39236 ----a-w- c:\windows\inf\perflib\0406\perfc.dat
2009-08-19 17:46:48 306636 ----a-w- c:\windows\inf\perflib\0406\perfi.dat
2009-08-19 17:46:48 306636 ----a-w- c:\windows\inf\perflib\0406\perfh.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-23 10:37:33 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-22 11:21:28 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-22 11:20:56 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 19:03:51.22 ===============

Attached Files
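A triage pass over the "Created Last 30" entries and the AppInit_DLLs line of a DDS log, as an added example: it is not part of the thread and is not the DDS or ComboFix tools' own code. The entry regex, the list of watched data roots and the four heuristics are the editor's assumptions about the DDS text format and about what a responder looks at first; the sample lines are copied from the log above. On that input the heuristics single out the hidden SysWoW32 and SystemProc directories, the loose unrar.exe and the AppInit DLL chkwudrv32.dll, which are the objects ComboFix removes or disables further down the thread.

```python
"""Triage helper for DDS log text (added example; heuristics are assumptions)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
AppInit_DLLs: c:\windows\system32\chkwudrv32.dll

=============== Created Last 30 ================

2010-06-26 23:00:20 525824 ----a-w- c:\temp\dds.scr
2010-06-22 21:46:00 50176 ----a-w- c:\users\edlap~1\appdata\roaming\4adf4511.exe
2010-06-22 00:10:46 118784 ----a-w- c:\windows\system32\cngaudit32.dll
2010-06-22 00:07:17 0 d-sh--w- c:\programdata\SysWoW32
2010-06-22 00:07:00 203776 --sh--w- c:\programdata\unrar.exe
2010-06-22 00:06:58 325632 ----a-w- c:\programdata\CRPPresentation32.dll
2010-06-22 00:06:53 0 d-sh--w- c:\users\edlap~1\appdata\roaming\SystemProc
2010-06-22 00:06:42 208896 ----a-w- c:\windows\system32\chkwudrv32.dll
2010-05-29 00:26:46 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
"""

# One DDS file entry: date, time, size, an 8-character attribute column
# (d = directory, s = system, h = hidden, a = archive), then the path.
# Assumed format, derived from the lines above.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<value>.+)$", re.IGNORECASE)

EXEC_EXTS = (".exe", ".dll", ".sys")
# Data roots where a loose executable or a hidden+system object (not inside a
# product subfolder) is unusual for legitimately installed software (assumption).
WATCHED_ROOTS = ("c:\\programdata", "\\appdata\\roaming")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")


@dataclass
class FileEntry:
    date: str
    time: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def is_executable(self) -> bool:
        return not self.is_dir and self.name.lower().endswith(EXEC_EXTS)


def parse_entries(text: str) -> List[FileEntry]:
    """Return every file/directory entry found in a DDS log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["date"], m["time"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def parse_appinit(text: str) -> List[str]:
    """Return the lower-cased DLL paths on the AppInit_DLLs line, if present."""
    for line in text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return [p.strip().lower() for p in re.split(r"\s*[,;]\s*", m["value"]) if p.strip()]
    return []


def triage(text: str) -> Dict[str, List[str]]:
    """Map each path worth a closer look to the heuristics it tripped."""
    findings: Dict[str, List[str]] = {}

    def flag(path: str, reason: str) -> None:
        findings.setdefault(path, []).append(reason)

    appinit = parse_appinit(text)
    for dll in appinit:
        # An AppInit_DLLs value is loaded into every process that maps user32.dll,
        # so it always gets a publisher check, whatever the file is called.
        flag(dll, "listed in AppInit_DLLs")

    for e in parse_entries(text):
        in_root = e.parent.endswith(WATCHED_ROOTS)
        if e.hidden_system and in_root:
            flag(e.path, "hidden+system object created directly under a data root")
        if e.is_executable and in_root:
            flag(e.path, "executable dropped directly under a data root")
        if e.is_executable and HEX_NAME_RE.match(e.name.rsplit(".", 1)[0].lower()):
            flag(e.path, "random hex-like executable name")
        if e.path.lower() in appinit:
            flag(e.path, "AppInit DLL was created within the last 30 days")
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DDS).items():
        print(path + "\n    " + "\n    ".join(reasons))
```

Run as a script it prints each flagged path with its reasons. The point is that the attribute column (`d-sh--w-`) and the location of a freshly created executable carry more signal than the file name alone, which is why the legitimate system DLLs and the driver in the sample pass untouched. Some legitimate software does register AppInit_DLLs, so the output is a review list for the responder, not a verdict.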





#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 July 2010 - 05:22 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your old copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 m0le

Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 July 2010 - 05:22 PM

<Edited>

Edited by m0le, 01 July 2010 - 07:39 PM.

m0le is a proud member of UNITE

#4 edwsal59

  • Topic Starter
  • Members
  • 9 posts

Posted 01 July 2010 - 07:13 PM

Thank you for your help. I turned off everything you said. Downloaded ComboFix from your link and put it on my desktop. Ran as administrator, ComboFix starts, drive searches, then the install stops, no drive action and no screen prompts. Thank you again for your help.

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 02 July 2010 - 08:56 AM

Hello.

Sounds like there's something interfering with ComboFix. We need some more information.

Please proceed to the GMER scan step. Also include a new DDS log.

With Regards,
The Panda

#6 edwsal59

  • Topic Starter
  • Members
  • 9 posts

Posted 02 July 2010 - 11:58 AM

Hi Panda,

I have attached the files you asked for.

Thank you very much for your help.

Ed

Attached Files



#7 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 02 July 2010 - 09:33 PM

Hello.

There are some signs of infection.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

After, please complete the GMER scan per the instructions on this post.

With Regards,
The Panda

#8 edwsal59

  • Topic Starter
  • Members
  • 9 posts

Posted 03 July 2010 - 11:55 AM

Panda,

Combofix run.

GMER log files added.

Thank you,

Ed

Attached Files



#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 03 July 2010 - 12:24 PM

Hello.

Please post the contents of C:\ComboFix.txt.

With Regards,
The Panda

#10 edwsal59

  • Topic Starter
  • Members
  • 9 posts

Posted 03 July 2010 - 03:47 PM

Added, thank you,

Ed

ComboFix 10-07-01.02 - Ed Lap 07/03/2010 6:57.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3037.2503 [GMT -4:00]
Running from: c:\temp\recovery files\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\chkwudrv32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\programdata\SysWoW32
c:\programdata\SysWoW32\@u1352403751v4
c:\programdata\SysWoW32\@u1352403751v5
c:\programdata\SysWoW32\@u1352403751v6
c:\programdata\SysWoW32\@u1352403751v7
c:\programdata\SysWoW32\_u1352403751v0
c:\programdata\SysWoW32\_u1352403751v1
c:\programdata\SysWoW32\_u1352403751v2
c:\programdata\SysWoW32\_u1352403751v3
c:\programdata\SysWoW32\_u1352403751v4
c:\programdata\SysWoW32\_u1352403751v5
c:\programdata\SysWoW32\_u1352403751v6
c:\programdata\SysWoW32\_u1352403751v7
c:\programdata\SysWoW32\mu1352403751v4
c:\programdata\SysWoW32\mu1352403751v4.kwd
c:\programdata\SysWoW32\mu1352403751v5
c:\programdata\SysWoW32\mu1352403751v5.kwd
c:\programdata\SysWoW32\mu1352403751v6
c:\programdata\SysWoW32\mu1352403751v6.kwd
c:\programdata\SysWoW32\mu1352403751v7
c:\programdata\SysWoW32\mu1352403751v7.kwd
c:\programdata\SysWoW32\wu1352403751v0
c:\programdata\SysWoW32\wu1352403751v0.kwd
c:\programdata\SysWoW32\wu1352403751v1
c:\programdata\SysWoW32\wu1352403751v1.kwd
c:\programdata\SysWoW32\wu1352403751v2
c:\programdata\SysWoW32\wu1352403751v2.kwd
c:\programdata\SysWoW32\wu1352403751v3
c:\programdata\SysWoW32\wu1352403751v3.kwd
c:\programdata\unrar.exe
c:\users\Ed Lap\AppData\Local\{B2A166FB-1AC8-4B9D-B42F-175A15F2137E}
c:\users\Ed Lap\AppData\Local\{B2A166FB-1AC8-4B9D-B42F-175A15F2137E}\chrome.manifest
c:\users\Ed Lap\AppData\Local\{B2A166FB-1AC8-4B9D-B42F-175A15F2137E}\chrome\content\_cfg.js
c:\users\Ed Lap\AppData\Local\{B2A166FB-1AC8-4B9D-B42F-175A15F2137E}\chrome\content\overlay.xul
c:\users\Ed Lap\AppData\Local\{B2A166FB-1AC8-4B9D-B42F-175A15F2137E}\install.rdf
c:\users\Ed Lap\AppData\Local\ijemotetacoyuceg.dll
c:\users\Ed Lap\AppData\Local\VEXpeosc.dll
c:\users\Ed Lap\AppData\Roaming\0200000052228b99957C.manifest
c:\users\Ed Lap\AppData\Roaming\0200000052228b99957O.manifest
c:\users\Ed Lap\AppData\Roaming\0200000052228b99957P.manifest
c:\users\Ed Lap\AppData\Roaming\0200000052228b99957S.manifest
c:\users\Ed Lap\AppData\Roaming\8EB7.tmp
c:\users\Ed Lap\AppData\Roaming\AA52.tmp
c:\users\Ed Lap\AppData\Roaming\BFE4.tmp
c:\users\Ed Lap\AppData\Roaming\F45E.tmp
c:\users\Ed Lap\AppData\Roaming\SystemProc
c:\users\Ed Lap\AppData\Roaming\SystemProc\lsass.exe
c:\windows\7Loader.TAG
c:\windows\system32\cic32.dll

Infected copy of c:\windows\system32\drivers\csc.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-03 10:44 . 2010-07-03 10:45 -------- d-----w- C:\32788R22FWJFW
2010-07-02 22:21 . 2010-07-03 10:36 120 ----a-w- c:\users\Ed Lap\AppData\Local\Klijiqaquzuwocu.dat
2010-07-02 22:21 . 2010-07-03 06:14 0 ----a-w- c:\users\Ed Lap\AppData\Local\Adowodeje.bin
2010-07-02 20:18 . 2010-07-02 20:18 -------- d-----w- c:\temp\active
2010-07-02 00:32 . 2010-07-02 00:32 72973 ----a-w- c:\temp\attachments_2010_07_01.zip
2010-07-01 22:50 . 2010-07-01 22:50 366592 ----a-w- c:\programdata\dbnetlib32.dll
2010-07-01 09:28 . 2010-07-01 09:28 373248 ----a-w- c:\programdata\azroleui32.dll
2010-07-01 09:23 . 2010-07-01 09:23 373248 ----a-w- c:\programdata\AuxiliaryDisplayCpl32.dll
2010-06-30 23:42 . 2010-06-30 23:42 373248 ----a-w- c:\programdata\d3dx11_4232.dll
2010-06-30 23:38 . 2010-06-30 23:38 373248 ----a-w- c:\programdata\certcli32.dll
2010-06-29 21:36 . 2010-06-29 21:36 373248 ----a-w- c:\programdata\cmlua32.dll
2010-06-29 00:16 . 2010-06-29 00:16 373248 ----a-w- c:\programdata\auditcse32.dll
2010-06-27 00:24 . 2010-06-27 00:24 -------- d-----w- c:\programdata\Adobe Systems
2010-06-27 00:18 . 2010-06-27 00:18 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-06-27 00:00 . 2010-07-03 10:44 -------- d-----w- c:\temp\recovery files
2010-06-26 23:22 . 2010-06-26 23:22 373248 ----a-w- c:\programdata\C_G1803032.dll
2010-06-26 23:22 . 2010-06-26 23:22 373248 ----a-w- c:\programdata\csrsrv32.dll
2010-06-26 23:00 . 2010-06-26 23:00 525824 ----a-w- c:\temp\dds.scr
2010-06-26 22:08 . 2010-06-26 22:08 -------- d-----w- C:\!KillBox
2010-06-26 22:05 . 2010-06-26 22:05 -------- d-----w- c:\programdata\Yahoo! Companion
2010-06-26 22:05 . 2010-06-26 22:05 -------- d-----w- c:\program files\CCleaner
2010-06-26 21:43 . 2010-06-26 21:43 -------- d-----w- c:\program files\Trend Micro
2010-06-26 21:39 . 2010-06-26 21:41 -------- d-----w- c:\program files\Web fix
2010-06-26 14:42 . 2010-07-01 23:51 -------- d-----w- c:\program files\Common Files\Mcafee
2010-06-26 12:03 . 2010-07-01 23:51 -------- d-----w- c:\programdata\McAfee
2010-06-26 12:03 . 2010-06-27 00:14 -------- d-----w- c:\temp\Apps
2010-06-26 10:43 . 2010-06-26 10:43 -------- d-----w- C:\4ca054e8500836d603de534392
2010-06-25 01:06 . 2010-06-25 01:07 -------- d-----w- c:\programdata\WinZip
2010-06-24 23:18 . 2010-06-24 23:18 325632 ----a-w- c:\programdata\bthci32.dll
2010-06-24 20:49 . 2010-06-24 20:49 325632 ----a-w- c:\programdata\DevicePairing32.dll
2010-06-24 00:11 . 2010-06-24 00:11 325632 ----a-w- c:\programdata\AppIdPolicyEngineApi32.dll
2010-06-23 23:18 . 2010-06-23 23:19 -------- d-----w- C:\norton Temp
2010-06-23 01:33 . 2009-11-25 16:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 01:33 . 2009-11-25 16:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 01:33 . 2009-11-25 16:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 01:33 . 2009-11-25 16:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 01:33 . 2009-11-25 16:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 01:32 . 2010-06-23 01:32 -------- d-----w- c:\program files\MSXML 4.0
2010-06-23 01:09 . 2010-06-23 01:09 -------- d-----w- c:\users\Ed Lap\AppData\Roaming\Malwarebytes
2010-06-23 01:09 . 2010-06-23 01:09 -------- d-----w- c:\programdata\Malwarebytes
2010-06-22 21:28 . 2010-03-24 06:37 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-06-22 21:28 . 2010-05-09 09:14 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-22 21:28 . 2010-05-09 09:14 417792 ----a-w- c:\windows\system32\msdri.dll
2010-06-22 00:28 . 2010-06-22 00:28 -------- d-----w- c:\users\Ed Lap\AppData\Local\Pinnacle
2010-06-22 00:21 . 2004-03-29 21:23 90112 ----a-w- c:\windows\unvise32.exe
2010-06-22 00:18 . 2010-06-22 00:18 29926 ----a-r- c:\users\Ed Lap\AppData\Roaming\Microsoft\Installer\{6DE721A5-5E89-4D74-994C-652BB3C0672E}\ARPPRODUCTICON.exe
2010-06-22 00:18 . 2010-06-22 00:18 -------- d-----w- c:\program files\Common Files\Pinnacle
2010-06-22 00:17 . 2010-06-22 00:17 -------- d-----w- c:\programdata\Pinnacle Studio Ultimate Collection
2010-06-22 00:12 . 2010-06-22 00:12 -------- d-----w- c:\program files\Common Files\Pegasus Imaging
2010-06-22 00:12 . 2010-06-22 00:12 -------- d-----w- c:\programdata\Studio 14
2010-06-22 00:12 . 2010-06-22 00:12 -------- d-----w- c:\programdata\Pinnacle Studio Plus
2010-06-22 00:12 . 2010-06-22 00:12 -------- d-----w- c:\program files\Common Files\Yahoo!
2010-06-22 00:10 . 2010-06-22 00:10 118784 ----a-w- c:\windows\system32\cngaudit32.dll
2010-06-22 00:10 . 2010-06-22 00:10 320512 ----a-w- c:\windows\system32\bderepair32.dll
2010-06-22 00:09 . 2010-06-22 00:20 -------- d-----w- c:\program files\Pinnacle
2010-06-22 00:07 . 2010-06-22 00:07 118784 ----a-w- c:\windows\system32\ATIDEMGX32.dll
2010-06-22 00:07 . 2010-06-26 10:03 -------- d-----w- c:\programdata\955528730
2010-06-22 00:06 . 2010-06-22 00:06 325632 ----a-w- c:\programdata\CRPPresentation32.dll
2010-06-22 00:06 . 2010-07-03 10:47 208896 ----a-w- c:\windows\system32\chkwudrv32.dll
2010-06-22 00:06 . 2010-06-22 00:06 208896 ----a-w- c:\windows\system32\chkwudrv32.dll.vir
2010-06-21 01:17 . 2010-06-21 01:17 -------- d-----w- c:\users\Ed Lap\AppData\Roaming\Yahoo!
2010-06-21 01:17 . 2010-06-26 22:05 -------- d-----w- c:\program files\Yahoo!
2010-06-20 01:22 . 2010-06-22 00:16 -------- d-----w- c:\programdata\Pinnacle
2010-06-13 09:50 . 2010-06-13 09:50 -------- d-----w- c:\program files\Creative
2010-06-13 09:49 . 2010-06-13 09:49 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-12 23:37 . 2010-07-02 20:18 -------- d-----w- C:\temp
2010-06-08 21:51 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-08 21:51 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 21:51 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-08 21:51 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 21:51 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 00:34 . 2010-01-01 17:02 -------- d-----w- c:\users\Ed Lap\AppData\Roaming\LimeWire
2010-06-27 00:27 . 2010-01-01 14:01 140120 ----a-w- c:\users\Ed Lap\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-27 00:19 . 2009-12-31 22:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-26 23:54 . 2010-02-11 22:01 -------- d-----w- c:\programdata\Microsoft Help
2010-06-26 10:44 . 2010-05-29 00:14 -------- d-----w- c:\program files\Microsoft.NET
2010-06-25 01:16 . 2010-02-20 16:27 -------- d-----w- c:\users\Ed Lap\AppData\Roaming\BitTorrent
2010-06-13 10:35 . 2010-01-01 15:18 -------- d-----w- c:\programdata\Apple Computer
2010-06-13 10:17 . 2010-01-29 12:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 09:18 . 2010-02-22 23:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 00:15 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-05-29 00:14 . 2010-05-29 00:14 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-05-29 00:14 . 2010-05-29 00:14 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-05-29 00:14 . 2010-05-29 00:14 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-05-29 00:09 . 2010-05-29 00:09 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-05-21 18:14 . 2009-12-31 21:20 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-21 01:17 . 2010-05-21 01:17 12 ----a-w- c:\users\Ed Lap\AppData\Roaming\kqyvwo.dat
2010-05-13 14:59 . 2010-05-13 14:59 -------- d-----w- c:\program files\iTunes
2010-05-13 14:59 . 2010-05-13 14:59 -------- d-----w- c:\program files\iPod
2010-05-13 14:59 . 2010-01-01 15:16 -------- d-----w- c:\program files\Common Files\Apple
2010-05-13 14:57 . 2010-05-13 14:57 -------- d-----w- c:\program files\Bonjour
2010-05-13 14:50 . 2010-05-13 14:50 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-12 20:26 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-04-23 07:13 . 2010-05-25 20:51 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01BE6265-C540-4BE8-9981-F8CB68B8ED0f}]
2010-06-30 23:42 373248 ----a-w- c:\programdata\d3dx11_4232.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-02-28 06:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-25 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]

c:\users\Ed Lap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\chkwudrv32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-03 1343400]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-06-25 176128]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-02-24 64032]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-07-13 229888]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: yahoo.com\m.www
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Dreto - c:\users\Ed Lap\AppData\Local\VEXpeosc.dll
HKCU-Run-Qsuyubikehejonu - c:\users\Ed Lap\AppData\Local\ijemotetacoyuceg.dll


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\System32\chkwudrv32.dll

- - - - - - - > 'lsass.exe'(496)
c:\windows\System32\chkwudrv32.dll
.
Completion time: 2010-07-03 07:15:23
ComboFix-quarantined-files.txt 2010-07-03 11:15
ComboFix2.txt 2009-12-31 16:07

Pre-Run: 271,104,737,280 bytes free
Post-Run: 271,029,518,336 bytes free

- - End Of File - - 9EC8A21EE439B4341122CF7FA262C723


Edited by PropagandaPanda, 04 July 2010 - 09:35 AM.


#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 04 July 2010 - 09:52 AM

Hello.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/327349/explorer-redirect-problem/
    Collect::
    c:\windows\system32\chkwudrv32.dll
    c:\programdata\d3dx11_4232.dll
    c:\programdata\auditcse32.dll
    c:\windows\system32\cngaudit32.dll

    KILLALL::

    File::
    c:\users\Ed Lap\AppData\Local\Klijiqaquzuwocu.dat
    c:\users\Ed Lap\AppData\Local\Adowodeje.bin
    c:\programdata\dbnetlib32.dll
    c:\programdata\azroleui32.dll
    c:\programdata\AuxiliaryDisplayCpl32.dll
    c:\programdata\d3dx11_4232.dll
    c:\programdata\certcli32.dll
    c:\programdata\cmlua32.dll
    c:\programdata\auditcse32.dll
    c:\programdata\C_G1803032.dll
    c:\programdata\csrsrv32.dll
    c:\programdata\bthci32.dll
    c:\programdata\DevicePairing32.dll
    c:\programdata\AppIdPolicyEngineApi32.dll
    c:\windows\system32\bderepair32.dll
    c:\programdata\CRPPresentation32.dll
    c:\windows\system32\chkwudrv32.dll.vir
    c:\users\Ed Lap\AppData\Roaming\kqyvwo.dat


    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01BE6265-C540-4BE8-9981-F8CB68B8ED0f}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

With Regards,
The Panda
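
A worked illustration of the triage behind the CFScript above, added by the editor; it is not part of the thread, of ComboFix, or of the helper's method. It parses an excerpt copied from the ComboFix log posted earlier (file list shortened), flags the patterns the script acts on (DLLs dropped directly into c:\programdata, several DLLs of identical size under different names, system32 DLLs whose build timestamp is not earlier than the time they landed on disk, a BHO registered outside Program Files, and a non-empty AppInit_DLLs value, which is why chkwudrv32.dll appears inside winlogon.exe and lsass.exe in the "DLLs Loaded Under Running Processes" section), and drafts the Collect::/File::/Registry:: sections in the syntax used in this thread. The regular expressions and heuristics are the editor's assumptions about the log format, not a ComboFix specification, and the draft is for review, not for running unread.

```python
import re
from collections import defaultdict

# Excerpt copied from the ComboFix log posted earlier in this thread (file
# list shortened); embedded here as sample input.
LOG = r"""
2010-06-30 23:38 . 2010-06-30 23:38 373248 ----a-w- c:\programdata\certcli32.dll
2010-06-29 21:36 . 2010-06-29 21:36 373248 ----a-w- c:\programdata\cmlua32.dll
2010-06-26 23:22 . 2010-06-26 23:22 373248 ----a-w- c:\programdata\csrsrv32.dll
2010-06-26 23:00 . 2010-06-26 23:00 525824 ----a-w- c:\temp\dds.scr
2010-06-24 23:18 . 2010-06-24 23:18 325632 ----a-w- c:\programdata\bthci32.dll
2010-06-24 20:49 . 2010-06-24 20:49 325632 ----a-w- c:\programdata\DevicePairing32.dll
2010-06-23 01:09 . 2010-06-23 01:09 -------- d-----w- c:\programdata\Malwarebytes
2010-06-22 21:28 . 2010-03-24 06:37 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-06-22 00:10 . 2010-06-22 00:10 118784 ----a-w- c:\windows\system32\cngaudit32.dll
2010-06-22 00:10 . 2010-06-22 00:10 320512 ----a-w- c:\windows\system32\bderepair32.dll
2010-06-22 00:07 . 2010-06-22 00:07 118784 ----a-w- c:\windows\system32\ATIDEMGX32.dll
2010-06-22 00:06 . 2010-07-03 10:47 208896 ----a-w- c:\windows\system32\chkwudrv32.dll
2010-06-08 21:51 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01BE6265-C540-4BE8-9981-F8CB68B8ED0f}]
2010-06-30 23:42 373248 ----a-w- c:\programdata\d3dx11_4232.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-02-28 06:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\chkwudrv32.dll
"""

# Line shapes as they appear in the log above (assumed, not a ComboFix spec).
FILE_RE = re.compile(r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
                     r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
                     r"(?P<size>\d+|-+) [-a-z]{8} (?P<path>.+)$")
BHO_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[0-9A-Fa-f-]+\})\]$")
BHO_FILE_RE = re.compile(r"^\S+ \S+ \d+ [-a-z]{8} (?P<path>.+)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
PROGRAMDATA_ROOT = re.compile(r"^c:\\programdata\\[^\\]+\.dll$", re.I)
SYSTEM32_DLL = re.compile(r"^c:\\windows\\system32\\[^\\]+\.dll$", re.I)
PROGRAM_FILES = re.compile(r"^c:\\(program files|progra~\d)\\", re.I)


def parse(log):
    """Split the log into file entries, BHO registrations and the AppInit_DLLs value."""
    files, bhos, appinit = [], [], ""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = FILE_RE.match(line)
        if m:
            size = int(m["size"]) if m["size"].isdigit() else None  # None: directory
            files.append((m["created"], m["modified"], size, m["path"]))
            continue
        m = BHO_RE.match(line)
        if m and i + 1 < len(lines):            # the DLL sits on the next line
            f = BHO_FILE_RE.match(lines[i + 1])
            bhos.append((m["clsid"], f["path"] if f else ""))
            continue
        m = APPINIT_RE.match(line)
        if m:
            appinit = m["value"].strip()
    return files, bhos, appinit


def triage(files, bhos, appinit):
    """Map lower-cased path -> reasons it deserves a second look (heuristics, not proof)."""
    findings, by_size = defaultdict(list), defaultdict(list)
    for created, modified, size, path in files:
        if size is None:
            continue
        key = path.lower()
        if PROGRAMDATA_ROOT.match(key):
            findings[key].append("DLL dropped directly into the ProgramData root")
        # Update-delivered system binaries carry a build time earlier than the time
        # they were written to disk; one 'built' on arrival was produced locally.
        if SYSTEM32_DLL.match(key) and modified >= created:
            findings[key].append("system32 DLL with modified time not before created time")
        if key.endswith(".dll"):
            by_size[size].append(key)
    for size, keys in by_size.items():
        if len(keys) > 1:   # one body under several names: dropper reuse, or coincidence
            for key in keys:
                findings[key].append("shares size %d with %d other DLL(s)" % (size, len(keys) - 1))
    for clsid, path in bhos:
        if not PROGRAM_FILES.match(path):
            findings[path.lower()].append("BHO %s registered outside Program Files" % clsid)
    if appinit:
        findings[appinit.lower()].append("AppInit_DLLs: loaded into every user32.dll process")
    return dict(findings)


def cfscript(findings, bhos, appinit):
    """Draft Collect:: / File:: / Registry:: sections in the syntax used in this thread."""
    loaders = [p for c, p in bhos if p.lower() in findings] + ([appinit] if appinit else [])
    out = ["Collect::"] + sorted(set(p.lower() for p in loaders)) + ["", "File::"]
    out += sorted(p for p in findings if p.endswith(".dll"))
    out += ["", "Registry::"]
    for clsid, path in bhos:
        if path.lower() in findings:
            out.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]" % clsid)
    if appinit:
        out += ["", "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]",
                '"AppInit_DLLs"=-']
    return "\n".join(out)


if __name__ == "__main__":
    files, bhos, appinit = parse(LOG)
    print(cfscript(triage(files, bhos, appinit), bhos, appinit))
```

The size heuristic also catches c:\windows\system32\ATIDEMGX32.dll, which shares its size with cngaudit32.dll and which the helper removes in a later post; it would equally flag two unrelated DLLs that happen to be the same size, so a person still reviews the list before anything is deleted, which is what the Collect:: submission step in the script above is for.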

#12 edwsal59

edwsal59
  • Topic Starter
  • Members
  • 9 posts

Posted 04 July 2010 - 12:44 PM

Panda,

I ran the ComboFix with the script file. On an interesting note: ComboFix with the script would not run from the desktop. It would start, then stop. To solve the problem, I set up the files in C:\temp\recovery files. Then ran as you asked, no problems. ComboFix log file attached.

Thank you,

Ed

ComboFix 10-07-01.02 - Ed Lap 07/04/2010 13:17:09.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3037.2242 [GMT -4:00]
Running from: c:\temp\recovery files\ComboFix.exe
Command switches used :: c:\temp\recovery files\CFScript.txt
* Created a new restore point

FILE ::
"c:\programdata\AppIdPolicyEngineApi32.dll"
"c:\programdata\auditcse32.dll"
"c:\programdata\AuxiliaryDisplayCpl32.dll"
"c:\programdata\azroleui32.dll"
"c:\programdata\bthci32.dll"
"c:\programdata\C_G1803032.dll"
"c:\programdata\certcli32.dll"
"c:\programdata\cmlua32.dll"
"c:\programdata\CRPPresentation32.dll"
"c:\programdata\csrsrv32.dll"
"c:\programdata\d3dx11_4232.dll"
"c:\programdata\dbnetlib32.dll"
"c:\programdata\DevicePairing32.dll"
"c:\users\Ed Lap\AppData\Local\Adowodeje.bin"
"c:\users\Ed Lap\AppData\Local\Klijiqaquzuwocu.dat"
"c:\users\Ed Lap\AppData\Roaming\kqyvwo.dat"
"c:\windows\system32\bderepair32.dll"
"c:\windows\system32\chkwudrv32.dll.vir"

file zipped: c:\programdata\auditcse32.dll
file zipped: c:\programdata\d3dx11_4232.dll
file zipped: c:\windows\system32\chkwudrv32.dll
file zipped: c:\windows\system32\cngaudit32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\AppIdPolicyEngineApi32.dll
c:\programdata\auditcse32.dll
c:\programdata\AuxiliaryDisplayCpl32.dll
c:\programdata\azroleui32.dll
c:\programdata\bthci32.dll
c:\programdata\C_G1803032.dll
c:\programdata\certcli32.dll
c:\programdata\cmlua32.dll
c:\programdata\CRPPresentation32.dll
c:\programdata\csrsrv32.dll
c:\programdata\d3dx11_4232.dll
c:\programdata\dbnetlib32.dll
c:\programdata\DevicePairing32.dll
c:\users\Ed Lap\AppData\Local\Adowodeje.bin
c:\users\Ed Lap\AppData\Local\Klijiqaquzuwocu.dat
c:\users\Ed Lap\AppData\Roaming\0200000052228b99957C.manifest
c:\users\Ed Lap\AppData\Roaming\0200000052228b99957O.manifest
c:\users\Ed Lap\AppData\Roaming\0200000052228b99957P.manifest
c:\users\Ed Lap\AppData\Roaming\0200000052228b99957S.manifest
c:\users\Ed Lap\AppData\Roaming\kqyvwo.dat
c:\windows\system32\bderepair32.dll
c:\windows\system32\chkwudrv32.dll
c:\windows\system32\chkwudrv32.dll.vir
c:\windows\system32\cngaudit32.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-07-04 17:26 . 2010-07-04 17:29 -------- d-----w- c:\users\Ed Lap\AppData\Local\temp
2010-07-04 17:26 . 2010-07-04 17:26 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-04 17:26 . 2010-07-04 17:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-04 17:15 . 2010-07-04 17:15 -------- d-----w- C:\32788R22FWJFW
2010-07-02 20:18 . 2010-07-02 20:18 -------- d-----w- c:\temp\active
2010-07-02 00:32 . 2010-07-02 00:32 72973 ----a-w- c:\temp\attachments_2010_07_01.zip
2010-06-27 00:24 . 2010-06-27 00:24 -------- d-----w- c:\programdata\Adobe Systems
2010-06-27 00:18 . 2010-06-27 00:18 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-06-27 00:00 . 2010-07-04 17:16 -------- d-----w- c:\temp\recovery files
2010-06-26 23:00 . 2010-06-26 23:00 525824 ----a-w- c:\temp\dds.scr
2010-06-26 22:08 . 2010-06-26 22:08 -------- d-----w- C:\!KillBox
2010-06-26 22:05 . 2010-06-26 22:05 -------- d-----w- c:\programdata\Yahoo! Companion
2010-06-26 22:05 . 2010-06-26 22:05 -------- d-----w- c:\program files\CCleaner
2010-06-26 21:43 . 2010-06-26 21:43 -------- d-----w- c:\program files\Trend Micro
2010-06-26 21:39 . 2010-06-26 21:41 -------- d-----w- c:\program files\Web fix
2010-06-26 14:42 . 2010-07-01 23:51 -------- d-----w- c:\program files\Common Files\Mcafee
2010-06-26 12:03 . 2010-07-01 23:51 -------- d-----w- c:\programdata\McAfee
2010-06-26 12:03 . 2010-06-27 00:14 -------- d-----w- c:\temp\Apps
2010-06-26 10:43 . 2010-06-26 10:43 -------- d-----w- C:\4ca054e8500836d603de534392
2010-06-25 01:06 . 2010-06-25 01:07 -------- d-----w- c:\programdata\WinZip
2010-06-23 23:18 . 2010-06-23 23:19 -------- d-----w- C:\norton Temp
2010-06-23 01:33 . 2009-11-25 16:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 01:33 . 2009-11-25 16:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 01:33 . 2009-11-25 16:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 01:33 . 2009-11-25 16:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 01:33 . 2009-11-25 16:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 01:32 . 2010-06-23 01:32 -------- d-----w- c:\program files\MSXML 4.0
2010-06-23 01:09 . 2010-06-23 01:09 -------- d-----w- c:\users\Ed Lap\AppData\Roaming\Malwarebytes
2010-06-23 01:09 . 2010-06-23 01:09 -------- d-----w- c:\programdata\Malwarebytes
2010-06-22 21:28 . 2010-03-24 06:37 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-06-22 21:28 . 2010-05-09 09:14 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-22 21:28 . 2010-05-09 09:14 417792 ----a-w- c:\windows\system32\msdri.dll
2010-06-22 00:28 . 2010-06-22 00:28 -------- d-----w- c:\users\Ed Lap\AppData\Local\Pinnacle
2010-06-22 00:21 . 2004-03-29 21:23 90112 ----a-w- c:\windows\unvise32.exe
2010-06-22 00:18 . 2010-06-22 00:18 -------- d-----w- c:\program files\Common Files\Pinnacle
2010-06-22 00:17 . 2010-06-22 00:17 -------- d-----w- c:\programdata\Pinnacle Studio Ultimate Collection
2010-06-22 00:12 . 2010-06-22 00:12 -------- d-----w- c:\program files\Common Files\Pegasus Imaging
2010-06-22 00:12 . 2010-06-22 00:12 -------- d-----w- c:\programdata\Studio 14
2010-06-22 00:12 . 2010-06-22 00:12 -------- d-----w- c:\programdata\Pinnacle Studio Plus
2010-06-22 00:12 . 2010-06-22 00:12 -------- d-----w- c:\program files\Common Files\Yahoo!
2010-06-22 00:09 . 2010-06-22 00:20 -------- d-----w- c:\program files\Pinnacle
2010-06-22 00:07 . 2010-06-22 00:07 118784 ----a-w- c:\windows\system32\ATIDEMGX32.dll
2010-06-22 00:07 . 2010-06-26 10:03 -------- d-----w- c:\programdata\955528730
2010-06-21 01:17 . 2010-06-21 01:17 -------- d-----w- c:\users\Ed Lap\AppData\Roaming\Yahoo!
2010-06-21 01:17 . 2010-06-26 22:05 -------- d-----w- c:\program files\Yahoo!
2010-06-20 01:22 . 2010-06-22 00:16 -------- d-----w- c:\programdata\Pinnacle
2010-06-13 09:50 . 2010-06-13 09:50 -------- d-----w- c:\program files\Creative
2010-06-13 09:49 . 2010-06-13 09:49 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-12 23:37 . 2010-07-04 15:59 -------- d-----w- C:\temp
2010-06-08 21:51 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-08 21:51 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 21:51 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-08 21:51 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 21:51 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 23:28 . 2010-02-20 16:27 -------- d-----w- c:\users\Ed Lap\AppData\Roaming\BitTorrent
2010-07-03 00:34 . 2010-01-01 17:02 -------- d-----w- c:\users\Ed Lap\AppData\Roaming\LimeWire
2010-06-27 00:27 . 2010-01-01 14:01 140120 ----a-w- c:\users\Ed Lap\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-27 00:19 . 2009-12-31 22:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-26 23:54 . 2010-02-11 22:01 -------- d-----w- c:\programdata\Microsoft Help
2010-06-26 10:44 . 2010-05-29 00:14 -------- d-----w- c:\program files\Microsoft.NET
2010-06-13 10:35 . 2010-01-01 15:18 -------- d-----w- c:\programdata\Apple Computer
2010-06-13 10:17 . 2010-01-29 12:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 09:18 . 2010-02-22 23:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 00:15 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-05-29 00:14 . 2010-05-29 00:14 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-05-29 00:14 . 2010-05-29 00:14 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-05-29 00:14 . 2010-05-29 00:14 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-05-29 00:09 . 2010-05-29 00:09 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-05-21 18:14 . 2009-12-31 21:20 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-13 14:59 . 2010-05-13 14:59 -------- d-----w- c:\program files\iTunes
2010-05-13 14:59 . 2010-05-13 14:59 -------- d-----w- c:\program files\iPod
2010-05-13 14:59 . 2010-01-01 15:16 -------- d-----w- c:\program files\Common Files\Apple
2010-05-13 14:57 . 2010-05-13 14:57 -------- d-----w- c:\program files\Bonjour
2010-05-12 20:26 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-04-23 07:13 . 2010-05-25 20:51 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-02-28 06:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-25 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]

c:\users\Ed Lap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-03 1343400]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-06-25 176128]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-02-24 64032]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-07-13 229888]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: yahoo.com\m.www
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
.
- - - - ORPHANS REMOVED - - - -

BHO-{9C05907F-0526-16A1-0D96-5DD04DC44AEB} - c:\windows\System32\chkwudrv32.dll


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2010-07-04 13:37:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-04 17:37
ComboFix2.txt 2010-07-03 11:15
ComboFix3.txt 2009-12-31 16:07

Pre-Run: 269,644,722,176 bytes free
Post-Run: 269,584,879,616 bytes free

- - End Of File - - 531F87F95F3479664D4DEB3966C6B8DA
Upload was successful


Edited by PropagandaPanda, 04 July 2010 - 02:02 PM.


#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 04 July 2010 - 02:07 PM

Hello.

It looks much better. Let's finish off a couple of leftovers and then run an online scan.

If you need to, please run ComboFix the way you did last time.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    CODE
    File::
    c:\windows\system32\ATIDEMGX32.dll

    Folder::
    c:\programdata\955528730
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and selecting Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


With Regards,
The Panda

#14 edwsal59

edwsal59
  • Topic Starter
  • Members
  • 9 posts

Posted 05 July 2010 - 02:03 PM

Panda,

The two logs you requested are attached.

Thank you,

Ed



#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 05 July 2010 - 03:53 PM

Hello Ed.

It looks all good from the Kaspersky log. You attached an older ComboFix log though, so please post the contents of this file for a final check.
c:\ComboFix.txt

Are there any issues at the moment?

With Regards,
The Panda



