Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google and Yahoo searches being redirected - explorer.exe infected

  • This topic is locked This topic is locked
2 replies to this topic

#1 Jpslater


  • Members
  • 1 posts
  • Local time:07:31 AM

Posted 18 August 2010 - 03:13 AM

A couple of days ago I visited a website that installed malware on my bootcamped XP computer, Antimalware doctor was one of them. Malwarebytes seemed to take care of that - however I'm still getting redirected to random sites when I click on search results in Google and Yahoo (and probably others).

IE 7 had it's LAN connection settings changed to use a proxy server, which I changed back to 'automatically detect settings' which briefly helped.

Hitman Pro detected a proxy server, and said that c:\windows\explorer.exe was infected. It fixed the proxy server, but couldn't fix the explorer.exe issue even after repeated reboots.

I'm still getting redirected and explorer.exe is still seen as infected by Hitman Pro - but nothing seems to be able to get rid of it.

I have an old version of ComboFix installed on my computer from about a year ago, but I haven't run it since then. I have tried the recovery console but I just get a blue screen crash when it tries to run.

Here are my logs...


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by John Smith at 14:45:08.03 on Tue 08/17/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2024.1617 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Documents\Installers\System\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {9F3209E2-334B-41E9-B09C-703F398742E7} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: TMIEGBHO Class: {f1ad4a42-ba52-47bc-89df-3f68f24c017f} - c:\program files\trend micro\browser guard 2010\TMAMS.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: TMBGBAR TOOLBAR: {c8137a8d-415d-450c-a1b1-d0c519d45296} - c:\program files\trend micro\browser guard 2010\tmeig.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: GP Bar: {c3538050-face-11de-8a39-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www8.agame.com/games/shockwave/d/dance_trends_3d/dance_trends_3d_girlsgogames_com.htm"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Apple_KbdMgr] c:\program files\boot camp\KbdMgr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [\\NAN\EPSON Stylus CX4200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaea.exe /p34 "\\nan\EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" update "software\cyberlink\powerproducer\4.0"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Trend Micro Browser Guard v2.0 Beta] "c:\program files\trend micro\browser guard 2010\BGUI.EXE"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
StartupFolder: c:\docume~1\johnsl~1\startm~1\programs\startup\ypops.lnk - c:\documents and settings\john smith\ypops\YPOPs
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\Snagit32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ebay.com\signin
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {395E58B9-090C-461A-8F27-087D1C727947} - hxxp://
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://plugin.slingbox.com/plugin/downloads/pc/
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnsm~1\applic~1\mozilla\firefox\profiles\q5fe97k1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\npdeploytk.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_17.dll
FF - plugin: c:\program files\java\jre6\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {5917A4C7-DFE3-40DC-8562-99911D2FB911} - c:\documents and settings\john smith\local settings\application data\{5917A4C7-DFE3-40DC-8562-99911D2FB911}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-8 20744]
R3 applemtm;Apple Multitouch Mouse;c:\windows\system32\drivers\applemtm.sys [2009-1-6 10496]
R3 applemtp;Apple Multitouch;c:\windows\system32\drivers\applemtp.sys [2009-1-6 29696]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-8-17 16968]
R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2009-1-6 16512]
R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-1-6 23552]
S0 qzgbbsg;qzgbbsg; [x]
S1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2010-5-9 127744]
S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2008-9-12 136496]
S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2008-9-12 99632]
S2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2009-9-26 819600]
S2 DVDRIVER;DVdriver;c:\windows\system32\drivers\dvdriver.sys [2010-4-21 35016]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 136176]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2009-11-15 5760]
S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2008-9-12 6784]
S2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-9-23 447832]
S2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
S2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2009-10-27 66944]
S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [2009-10-22 10240]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
S3 FMS;Flash Media Server (FMS);c:\program files\adobe\flash media server 3.5\FMSMaster.exe [2009-8-3 2428928]
S3 FMSAdmin;Flash Media Administration Server;c:\program files\adobe\flash media server 3.5\FMSAdmin.exe [2009-8-3 2596864]
S3 FMSHttpd;FMSHttpd;c:\program files\adobe\flash media server 3.5\apache2.2\bin\httpd.exe [2009-8-3 24635]
S3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\drivers\hcwhdpvr.sys [2010-5-8 157184]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
S3 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-4-2 3742064]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
S3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\system32\drivers\qcmdmxp.sys [2006-12-27 92800]
S3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\system32\drivers\qcserxp.sys [2009-8-31 92800]
S3 ServoyService;Servoy Application Server;c:\program files\servoy\application_server\service\wrapper.exe [2010-7-22 253952]
S3 sftfs;sftfs;c:\program files\microsoft application virtualization client\drivers\SftFSXP.sys [2009-9-23 543064]
S3 sftplay;sftplay;c:\program files\microsoft application virtualization client\drivers\sftplayxp.sys [2009-9-23 190312]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-9-23 21864]
S3 sftvol;sftvol;c:\program files\microsoft application virtualization client\drivers\SftVolXP.sys [2009-9-23 14680]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-9-23 203608]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2010-7-28 704000]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2010-7-28 24192]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-10-27 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2009-10-27 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2009-10-27 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2009-10-27 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2009-10-27 25704]

=============== Created Last 30 ================

2010-08-17 18:24:49 1033728 ----a-r- c:\windows\explorer.exe
2010-08-17 17:01:44 328 ----a-w- c:\windows\system32\.crusader
2010-08-17 17:01:35 1033728 ----a-w- c:\windows\Explorer.vir
2010-08-17 16:17:56 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-17 16:17:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-08-17 16:17:17 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-16 16:40:15 0 d-----w- c:\docume~1\johnsm~1\applic~1\Scendix Software
2010-08-16 16:40:08 0 d-----w- c:\docume~1\johnsm~1\applic~1\Softland
2010-08-16 16:39:47 7549 ----a-w- c:\windows\system32\novav7.ctm
2010-08-16 16:39:47 26440 ----a-w- c:\windows\system32\novamnv7.dll
2010-08-16 16:39:47 20808 ----a-w- c:\windows\system32\novamiv7.dll
2010-08-16 16:38:34 0 d-----w- c:\program files\PamFax
2010-08-16 16:25:29 0 d-----w- c:\program files\Trend Micro
2010-08-16 16:25:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Browser Guard 2010
2010-08-14 15:38:46 0 d-----w- c:\docume~1\johnsm~1\applic~1\Malwarebytes
2010-08-14 15:38:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-14 15:38:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-14 15:38:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-14 15:38:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-14 15:22:28 2838 ----a-w- c:\windows\amoforeq.dll
2010-08-14 05:40:08 2838 ----a-w- c:\windows\ekafidequ.dll
2010-08-14 03:31:59 2838 ----a-w- c:\windows\Tfetum.dat
2010-08-14 03:31:59 0 ----a-w- c:\windows\Nvayan.bin
2010-08-14 03:31:13 5 ----a-w- C:\zrpt.xml
2010-08-14 03:30:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-14 03:29:59 0 d-----w- c:\docume~1\johnsm~1\applic~1\9A4C723CCC19FE77381D6A6DC1A85C08
2010-08-13 20:48:55 0 d-----w- c:\temp\Fixed ppt
2010-08-12 06:32:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Napster
2010-08-06 02:22:22 0 d-----w- c:\program files\Asoftech
2010-08-06 02:22:22 0 d-----w- c:\docume~1\johnsm~1\applic~1\asoftech
2010-07-29 08:50:08 0 d-----w- c:\program files\StampPlotPro_V3
2010-07-29 08:24:01 0 d-----w- c:\program files\StampPlotPro V3.8
2010-07-28 15:33:27 704000 ----a-w- c:\windows\system32\drivers\USA19H2k.sys
2010-07-28 15:33:27 49152 ----a-w- c:\windows\system32\k19hinst.dll
2010-07-28 15:33:27 32256 ----a-w- c:\windows\system32\Usa19hPropPage.dll
2010-07-28 15:33:27 24192 ----a-w- c:\windows\system32\drivers\USA19H2kp.sys
2010-07-28 15:33:26 0 d-----w- c:\program files\Keyspan
2010-07-28 15:26:51 0 d-----w- c:\program files\Parallax Inc
2010-07-22 19:42:21 0 d-----w- c:\documents and settings\john smith\servoy_workspace
2010-07-22 19:03:15 0 d-----w- c:\program files\Servoy
2010-07-20 23:07:39 0 d-----w- c:\docume~1\johnsm~1\applic~1\InfraRecorder

==================== Find3M ====================

2010-08-14 05:34:45 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15:28 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15:26 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15:26 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-07 22:08:43 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-06-07 22:08:43 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-20 19:25:49 72080 ----a-w- c:\documents and settings\john smith\g2mdlhlpx.exe
2009-03-30 15:37:39 0 ----a-w- c:\program files\error.dat
2007-09-20 16:47:46 20256064 ----a-w- c:\program files\QuickTimeInstaller.exe
2005-10-05 16:00:42 12846248 ----a-w- c:\program files\QuickTimeFullInstaller.exe
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-01-12 19:35:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010520090112\index.dat
2009-01-12 19:35:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011220090113\index.dat

============= FINISH: 14:45:52.71 ===============

Attached Files

BC AdBot (Login to Remove)


#2 SpySentinel


  • Staff Emeritus
  • 2,090 posts
  • Gender:Male
  • Location:The United States
  • Local time:07:31 AM

Posted 25 August 2010 - 05:57 PM

Hi Jpslater,

welcome.gif to Bleeping Computer My name is SpySentinel and I will be helping you fix your malware problem.
Sorry for the delay, we have been very busy lately, and I apologize for your wait.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Posted Image
Unified Network of Instructors and Trained Eliminators

Posted Image

My help is always free, but if you can, please Posted Image to help me continue the fight against malware.

#3 SpySentinel


  • Staff Emeritus
  • 2,090 posts
  • Gender:Male
  • Location:The United States
  • Local time:07:31 AM

Posted 08 September 2010 - 04:22 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact Me or another staff member.

This applies only to the original topic starter. Everyone else please begin a New Topic.
Posted Image
Unified Network of Instructors and Trained Eliminators

Posted Image

My help is always free, but if you can, please Posted Image to help me continue the fight against malware.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users