Search result redirects. Trojan.vundo


This topic is locked.
46 replies to this topic

#1 brocklanders

Posted 19 October 2011 - 02:08 PM

Thank you in advance for the help.

I was referred here by someone helping me who told me I have some sort of Vundo Trojan/virus/whatever. The problem I'm having is that whenever I do a search on Google or Yahoo or anywhere else, when I click on the search results it redirects me to a different page than the one I'm trying to access.

I am attaching the DDS attach file and the GMER file as requested in the preparation guide.

Here is my log from DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_18
Run by lynnwade at 12:16:20 on 2011-10-19
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.767.141 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\SysMonitor.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\MRT.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {58776b25-a6b1-453d-b73f-8a7363ad68cf} - c:\windows\system32\lasipuna.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [????r]
uRun: [?????????] ??????????????e
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [CTZDetec.exe] c:\program files\creative\creative media lite\CTZDetec.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Lala Music Mover] "c:\program files\lala.com\lala music mover\LalaMover.exe" /minimized
uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eRecoveryService]
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [zzzHPSETUP] E:\Setup.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\lynnwade\appdata\roaming\micros~1\windows\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {00085C14-0000-0000-0000-000000000000} - hxxps://cwscp.sbcis.sbc.com/wizlet/Vista/ModemConfigInstaller.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{59491320-FDB5-405E-AD8F-A5AA7722D0C3} : DhcpNameServer = 192.168.2.1
AppInit_DLLs: c:\windows\system32\husebasi.dll, c:\windows\system32\mizojuna.dll
LSA: Notification Packages = scecli c:\windows\system32\mizojuna.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBqNdCS
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lynnwade\appdata\roaming\mozilla\firefox\profiles\qimbb799.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\users\lynnwade\appdata\roaming\mozilla\firefox\profiles\qimbb799.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\lynnwade\appdata\roaming\mozilla\firefox\profiles\qimbb799.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\users\lynnwade\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\lynnwade\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\lynnwade\appdata\roaming\move networks\plugins\npqmp071701000002.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2011-6-6 84832]
.
=============== Created Last 30 ================
.
2011-10-19 16:39:39 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{bbbba1cf-e875-47f4-8c7b-1264cc30cc87}\offreg.dll
2011-10-18 21:19:33 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{bbbba1cf-e875-47f4-8c7b-1264cc30cc87}\mpengine.dll
2011-10-17 22:34:35 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-02 17:36:31 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-10-02 17:36:31 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-10-02 17:35:23 -------- d-----w- c:\program files\iPod
2011-10-02 17:21:47 -------- d-----w- c:\program files\Bonjour
2011-10-02 16:27:50 -------- d-----w- c:\program files\iTunes
2011-10-02 13:55:10 -------- d--h--w- c:\programdata\Common Files
2011-10-02 13:51:15 -------- d-----w- c:\programdata\AVG2012
2011-10-02 13:48:56 -------- d-----w- c:\program files\AVG
2011-10-02 13:42:33 -------- d-----w- c:\programdata\MFAData
2011-09-30 13:41:45 -------- d-----w- c:\programdata\AVAST Software
2011-09-30 13:41:45 -------- d-----w- c:\program files\AVAST Software
2011-09-24 13:33:59 -------- d-----w- c:\users\lynnwade\appdata\roaming\Malwarebytes
2011-09-24 13:33:41 -------- d-----w- c:\programdata\Malwarebytes
2011-09-24 13:33:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
.
============= FINISH: 12:23:13.15 ===============



#2 gringo_pr (Malware Response Team)

Posted 21 October 2011 - 07:17 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and will make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 brocklanders (Topic Starter)

Posted 21 October 2011 - 06:02 PM

I ran Combofix and have a log but I did have a couple of problems:

1. It ran for about an hour and then said it was going to restart the computer. But it got stuck on the "logging out" screen and would not restart. I had to shut the computer off and then back on to get it to restart.

2. When it restarted I got a message saying that I need to reinstall my router; it said to reinstall the Belkin software from the setup CD because the "exe" file had been removed, or something to that effect.

3. I also got a message regarding Seagate Dashboard - the "exe" file - that said "Illegal operation attempted on a registry key that has been marked for deletion."

4. Firefox crashed when I tried doing a google search.

Otherwise, here is the log:

ComboFix 11-10-21.05 - lynnwade 10/21/2011 15:55:14.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.767.256 [GMT -5:00]
Running from: c:\users\lynnwade\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\lynnwade\AppData\Local\{62A3DE52-EC6C-496A-A153-48CDF0375C87}
c:\users\lynnwade\AppData\Local\{62A3DE52-EC6C-496A-A153-48CDF0375C87}\chrome\content\overlay.xul
c:\users\lynnwade\AppData\Local\{62A3DE52-EC6C-496A-A153-48CDF0375C87}\install.rdf
c:\users\lynnwade\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\users\lynnwade\Desktop\Internet Explorer.lnk
c:\users\lynnwade\Documents\~WRL0011.tmp
c:\users\lynnwade\Documents\~WRL1226.tmp
c:\users\lynnwade\Documents\~WRL3655.tmp
c:\windows\system32\agebotir.ini
c:\windows\system32\SCdNqBeg.ini
c:\windows\system32\SCdNqBeg.ini2
c:\windows\Tasks\tpvcnevr.job
.
c:\windows\explorer.exe . . . is infected!!
.
c:\windows\System32\wininit.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))
.
.
2011-10-21 21:51 . 2011-10-21 21:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-17 22:34 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-02 17:36 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-10-02 17:36 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-10-02 17:35 . 2011-10-02 17:35 -------- d-----w- c:\program files\iPod
2011-10-02 17:31 . 2011-10-02 17:35 -------- d-----w- c:\programdata\Apple Computer
2011-10-02 17:28 . 2011-10-02 17:29 -------- d-----w- c:\program files\Apple Software Update
2011-10-02 17:21 . 2011-10-02 17:21 -------- d-----w- c:\program files\Bonjour
2011-10-02 16:27 . 2011-10-02 17:36 -------- d-----w- c:\program files\iTunes
2011-10-02 13:55 . 2011-10-02 13:55 -------- d--h--w- c:\programdata\Common Files
2011-10-02 13:51 . 2011-10-02 14:25 -------- d-----w- c:\programdata\AVG2012
2011-10-02 13:48 . 2011-10-02 13:48 -------- d-----w- c:\program files\AVG
2011-10-02 13:42 . 2011-10-02 20:08 -------- d-----w- c:\programdata\MFAData
2011-09-30 13:41 . 2011-09-30 13:41 -------- d-----w- c:\programdata\AVAST Software
2011-09-30 13:41 . 2011-09-30 13:41 -------- d-----w- c:\program files\AVAST Software
2011-09-24 13:33 . 2011-09-24 13:33 -------- d-----w- c:\users\lynnwade\AppData\Roaming\Malwarebytes
2011-09-24 13:33 . 2011-09-24 13:33 -------- d-----w- c:\programdata\Malwarebytes
2011-09-24 13:33 . 2011-10-18 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-21 22:20 . 2011-10-21 07:06 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F32F9447-5261-4D30-96A2-3026EE55FE38}\offreg.dll
2011-10-07 03:48 . 2011-10-21 07:06 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F32F9447-5261-4D30-96A2-3026EE55FE38}\mpengine.dll
2011-08-31 00:58 . 2011-08-31 00:58 489672 ----a-w- c:\users\lynnwade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2011-10-01 04:41 . 2011-10-01 04:41 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"?????????"="??????????????e" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"CTZDetec.exe"="c:\program files\Creative\Creative Media Lite\CTZDetec.exe" [2007-12-18 401408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-27 39408]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2010-10-07 2985328]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-11-23 319488]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-04-30 79112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
c:\users\lynnwade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-1-6 528384]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-4-28 415072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3391914120-3035634451-1718377386-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 135664]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 135664]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2007-07-04 47360]
S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2010-04-30 14088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 02:53]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 02:53]
.
2011-10-21 c:\windows\Tasks\User_Feed_Synchronization-{5B575585-12FB-4EEB-A38C-F850C81536C2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
TCP: DhcpNameServer = 192.168.2.1
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {00085C14-0000-0000-0000-000000000000} - hxxps://cwscp.sbcis.sbc.com/wizlet/Vista/ModemConfigInstaller.cab
FF - ProfilePath - c:\users\lynnwade\AppData\Roaming\Mozilla\Firefox\Profiles\qimbb799.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{58776b25-a6b1-453d-b73f-8a7363ad68cf} - c:\windows\system32\lasipuna.dll
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-Lala Music Mover - c:\program files\Lala.com\Lala Music Mover\LalaMover.exe
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-zzzHPSETUP - E:\Setup.exe
AddRemove-hp instant support - c:\progra~1\HEWLET~1\hpis\Uninstall.exe \
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTZDetec.exe = c:\program files\Creative\Creative Media Lite\CTZDetec.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1364)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\ShowErrMsg.dll
c:\program files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL
c:\program files\Hewlett-Packard\HP Share-to-Web\S2WNSRES.DLL
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnfps.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\windows\RtHDVCpl.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-10-21 17:31:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-21 22:31
.
Pre-Run: 61,646,315,520 bytes free
Post-Run: 66,821,935,104 bytes free
.
- - End Of File - - 7142B806FEE01B0BB4E7FD050E3F3FAA

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 11:24 AM

Posted 21 October 2011 - 10:01 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.exe
wininit.exe
winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 brocklanders (Topic Starter)

  • Members
  • 27 posts
  • Local time: 09:24 AM

Posted 22 October 2011 - 02:17 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 14:11 on 22/10/2011 by lynnwade
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\Windows\explorer.exe --a---- 2923520 bytes [22:02 11/12/2008] [06:20 29/10/2008] 7C6605BB051B385CA3A3AA02902C83BA
C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe --a---- 2927104 bytes [21:14 12/06/2008] [07:33 19/01/2008] FFA764631CB70A30065C12EF8E174F9F
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe --a---- 2923520 bytes [08:47 02/11/2006] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe --a---- 2923520 bytes [09:02 14/11/2007] [09:02 14/11/2007] 6D06CD98D954FE87FB2DB8108793B399
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe --a---- 2923520 bytes [22:02 11/12/2008] [06:20 29/10/2008] 37440D09DEAE0B672A04DCCF7ABF06BE
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe --a---- 2923520 bytes [09:02 14/11/2007] [09:02 14/11/2007] BD06F0BF753BC704B653C3A50F89D362
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe --a---- 2923520 bytes [22:02 11/12/2008] [02:15 28/10/2008] E7156B0B74762D9DE0E66BDCDE06E5FB
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe --a---- 2927104 bytes [22:02 11/12/2008] [06:29 29/10/2008] 4F554999D7D5F05DAAEBBA7B5BA1089D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe --a---- 2927616 bytes [22:02 11/12/2008] [03:59 30/10/2008] 50BA5850147410CDE89C523AD3BC606E

Searching for "wininit.exe"
C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe --a---- 96768 bytes [21:13 12/06/2008] [07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED
C:\Windows\System32\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] EF6B49C09CD11474D0EABEDB3B126019
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] D4385B03E8CCCEE6F0EE249F827C1F3E

Searching for "winlogon.exe"
C:\Windows\ERDNT\cache\winlogon.exe --a---- 308224 bytes [22:27 21/10/2011] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe --a---- 314880 bytes [21:13 12/06/2008] [07:33 19/01/2008] C2610B6BDBEFC053BBDAB4F1B965CB24
C:\Windows\System32\winlogon.exe --a---- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe --a---- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD

-= EOF =-
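Reading a filefind log like the one above comes down to comparing the live file with the copies Windows keeps in WinSxS: the same size and timestamps but a different MD5 is how a system file patched in place shows up. What follows is an added Python example, not SystemLook's code and not anything the thread's participants posted; it parses the entries copied from the log above (the line format it assumes is taken from those lines) and reports each mismatch together with the version of the clean twin, which is the build a replacement would need to match.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: entries copied from the SystemLook log posted above, format unchanged.
SAMPLE_LOG = r"""
Searching for "explorer.exe"
C:\Windows\explorer.exe --a---- 2923520 bytes [22:02 11/12/2008] [06:20 29/10/2008] 7C6605BB051B385CA3A3AA02902C83BA
C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe --a---- 2927104 bytes [21:14 12/06/2008] [07:33 19/01/2008] FFA764631CB70A30065C12EF8E174F9F
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe --a---- 2923520 bytes [08:47 02/11/2006] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe --a---- 2923520 bytes [22:02 11/12/2008] [06:20 29/10/2008] 37440D09DEAE0B672A04DCCF7ABF06BE

Searching for "wininit.exe"
C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe --a---- 96768 bytes [21:13 12/06/2008] [07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED
C:\Windows\System32\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] EF6B49C09CD11474D0EABEDB3B126019
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] D4385B03E8CCCEE6F0EE249F827C1F3E

Searching for "winlogon.exe"
C:\Windows\ERDNT\cache\winlogon.exe --a---- 308224 bytes [22:27 21/10/2011] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
C:\Windows\System32\winlogon.exe --a---- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe --a---- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# One result line: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>  (format assumed from the log)
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]+) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")  # assembly version inside a WinSxS folder name
# Directories that hold reference or backup copies rather than the file Windows actually loads.
REFERENCE_DIRS = ("\\winsxs\\", "\\softwaredistribution\\", "\\erdnt\\")


@dataclass(frozen=True)
class Entry:
    name: str
    path: str
    size: int
    mtime: str
    ctime: str
    md5: str

    @property
    def is_reference(self) -> bool:
        low = self.path.lower()
        return any(d in low for d in REFERENCE_DIRS)

    @property
    def version(self) -> Optional[str]:
        m = VERSION_RE.search(self.path)
        return m.group(1) if m else None


@dataclass(frozen=True)
class Finding:
    name: str
    live: Entry   # the copy Windows loads
    clean: Entry  # the reference copy with identical size and timestamps but a different hash


def parse_filefind(text: str) -> List[Entry]:
    """Parse the 'Searching for' blocks of a SystemLook :filefind log into entries."""
    entries: List[Entry] = []
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SEARCH_RE.match(line)
        if m:
            current = m["name"].lower()
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            entries.append(Entry(current, m["path"], int(m["size"]),
                                 m["mtime"], m["ctime"], m["md5"].upper()))
    return entries


def find_patched(entries: List[Entry]) -> List[Finding]:
    """Report live files whose reference twin has a different MD5.

    A twin is a reference copy with identical size, modification time and creation
    time. Identical metadata with a different hash is what an in-place file patcher
    leaves behind; different metadata only means a different build and is not reported.
    """
    by_name: Dict[str, List[Entry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    findings: List[Finding] = []
    for name, group in by_name.items():
        refs = [e for e in group if e.is_reference]
        for live in (e for e in group if not e.is_reference):
            for ref in refs:
                same_meta = (ref.size, ref.mtime, ref.ctime) == (live.size, live.mtime, live.ctime)
                if same_meta and ref.md5 != live.md5:
                    findings.append(Finding(name, live, ref))
    return findings


if __name__ == "__main__":
    for f in find_patched(parse_filefind(SAMPLE_LOG)):
        print(f"{f.name}: {f.live.path} ({f.live.md5}) does not match its "
              f"{f.clean.version} twin {f.clean.path} ({f.clean.md5})")
```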

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 11:24 AM

Posted 22 October 2011 - 03:04 PM

BlitzBlank.

Download BlitzBlank and save it to your desktop. Open BlitzBlank.exe.

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
CopyFile:
"C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe" C:\Windows\explorer.exe
"C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe" C:\Windows\System32\wininit.exe

  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\


#7 brocklanders (Topic Starter)

  • Members
  • 27 posts
  • Local time: 09:24 AM

Posted 22 October 2011 - 03:27 PM

Hmm. Upon reboot, I have a black screen where the desktop should be. I managed to open up Windows Task Manager and open Firefox from there, but otherwise I don't know what to do. I got a message that "Windows Explorer has stopped working" on the first reboot and the black screen on the 2nd manual reboot. Also got "the ordinal874 could not be located in the dynamic link library shell32.dll."

This was all after doing as instructed using BlitzBlank.

Edited by brocklanders, 22 October 2011 - 03:27 PM.


#8 brocklanders (Topic Starter)

  • Members
  • 27 posts
  • Local time: 09:24 AM

Posted 22 October 2011 - 03:35 PM

And I'm not sure where to find the BlitzBlank report either. I can open programs using Windows Task Manager, but still a black screen.

Edited by brocklanders, 22 October 2011 - 03:35 PM.


#9 brocklanders (Topic Starter)

  • Members
  • 27 posts
  • Local time: 09:24 AM

Posted 22 October 2011 - 03:49 PM

Is this it?


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\softwaredistribution\download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\windows\softwaredistribution\download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe", destinationFile = "\??\c:\windows\system32\wininit.exe"

#10 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 11:24 AM

Posted 22 October 2011 - 09:02 PM

Hello

Open Task Manager and click File.
Click on Run.
Type explorer.exe and press OK, and see if your desktop comes back.


gringo

#11 brocklanders (Topic Starter)

  • Members
  • 27 posts
  • Local time: 09:24 AM

Posted 22 October 2011 - 09:42 PM

No luck. "explorer.exe - ordinal not found."

"the ordinal874 could not be located in the dynamic link library shell32.dll."

"Windows explorer has stopped working."

#12 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 11:24 AM

Posted 22 October 2011 - 11:53 PM

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#13 brocklanders (Topic Starter)

  • Members
  • 27 posts
  • Local time: 09:24 AM

Posted 23 October 2011 - 12:25 AM

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.2.7
Ran by SYSTEM at 2011-10-23 00:16:14
Running from K:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe [319488 2006-11-23] ()
HKLM\...\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup [3166208 2006-12-13] (Leader Technologies)
HKLM\...\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [453120 2006-11-17] (HiTRUST)
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [1197648 2006-10-16] (CANON INC.)
HKLM\...\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe [368706 2002-09-10] (BroadJump, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [246504 2010-01-11] (Sun Microsystems, Inc.)
HKLM\...\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r [110592 2003-08-18] (Sonic Solutions)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13535776 2008-06-19] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-06-19] (NVIDIA Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-21] (Adobe Systems Incorporated)
HKLM\...\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [69632 2002-04-17] (Hewlett-Packard)
HKLM\...\Run: [InstaLAN] "C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1485208 2010-07-28] (Affinegy, Inc.)
HKLM\...\Run: [Seagate Dashboard] C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui [79112 2010-04-30] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2011-08-18] (Apple Inc.)
HKU\lynnwade\...\Run: [????r] [x]
HKU\lynnwade\...\Run: [?????????] ??????????????e [x]
HKU\lynnwade\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125440 2006-11-02] (Microsoft Corporation)
HKU\lynnwade\...\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe [401408 2007-12-18] (Creative Technology Ltd.)
HKU\lynnwade\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2008-08-27] (Google Inc.)
HKU\lynnwade\...\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe" [2985328 2010-10-06] (BitTorrent, Inc.)
HKU\lynnwade\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [201728 2006-11-02] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

================================ Services (Whitelisted) ==================

2 AcerMemUsageCheckService; C:\Acer\Empowering Technology\ePerformance\MemCheck.exe [24576 2006-11-12] ()
2 AffinegyService; "C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe" [569752 2010-07-28] (Affinegy, Inc.)
2 CTDevice_Srv; C:\Program Files\Creative\Shared Files\CTDevSrv.exe [61440 2007-04-02] (Creative Technology Ltd)
2 eRecoveryService; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [45056 2006-12-08] (Acer Inc.)
2 McciCMService; "C:\Program Files\Common Files\Motive\McciCMService.exe" [303104 2009-01-26] (Motive Communications, Inc.)
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [143360 2005-01-21] ()
2 SeagateDashboardService; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [14088 2010-04-30] (Memeo)
2 CLTNetCnService; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

========================== Drivers (Whitelisted) =============

3 ASPI; \??\C:\Windows\System32\DRIVERS\ASPI32.sys [84832 2002-07-17] (Adaptec)
2 int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [76584 2006-12-07] ()
3 LVUSBSta; C:\Windows\System32\drivers\LVUSBSta.sys [41752 2007-10-11] (Logitech Inc.)
3 mr7910; C:\Windows\System32\DRIVERS\mr7910.sys [46848 2007-03-20] (Mars Semiconductor Corp.)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2009-01-26] (Printing Communications Assoc., Inc. (PCAUSA))
3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2009-01-26] (Printing Communications Assoc., Inc. (PCAUSA))
3 NTIDrvr; C:\Windows\System32\DRIVERS\NTIDrvr.sys [6144 2006-01-06] (NewTech Infosystems, Inc.)
3 pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [47360 2007-07-03] (VSO Software)
3 PID_0928; C:\Windows\System32\DRIVERS\LV561AV.SYS [490776 2007-10-11] (Logitech Inc.)
0 PSDFilter; C:\Windows\System32\DRIVERS\psdfilter.sys [10624 2006-11-10] (HiTRUST)
0 PSDNServ; C:\Windows\System32\drivers\PSDNServ.sys [7936 2006-11-10] (HiTRUST)
0 psdvdisk; C:\Windows\System32\drivers\psdvdisk.sys [53760 2006-11-08] (HiTRUST)
3 smserial; C:\Windows\System32\DRIVERS\smserial.sys [1010560 2006-11-01] (Motorola Inc.)
0 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [13952 2006-08-28] ()
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2006-11-02] (Promise Technology, Inc.)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [x]
3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

62544-153-00 24512:30311 - 2009-02-16 13:26 - 0006456 ___AH C:\Windows\System32\susafode
2011-10-23 00:16 - 2011-10-23 00:16 - 0000000 ____D C:\FRST
2011-10-22 12:12 - 2011-10-22 12:12 - 0001200 ____A C:\blitzblank.log
2011-10-22 12:06 - 2011-10-22 12:06 - 1153912 ____A (Emsi Software GmbH) C:\Users\lynnwade\Downloads\BlitzBlank.exe
2011-10-22 11:18 - 2011-10-22 11:18 - 0006878 ____A C:\Users\lynnwade\Desktop\SystemLook.txt
2011-10-22 11:11 - 2011-10-22 11:11 - 0139264 ____A C:\Users\lynnwade\Downloads\SystemLook.exe
2011-10-21 15:06 - 2011-10-21 15:06 - 0013592 ____A C:\Users\lynnwade\Desktop\combofix1.txt
2011-10-21 14:31 - 2011-10-21 14:31 - 0013592 ____A C:\ComboFix.txt
2011-10-21 14:23 - 2011-10-21 14:23 - 0000000 __SHD C:\$RECYCLE.BIN
2011-10-21 14:20 - 2011-10-21 14:20 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2011-10-21 13:57 - 2011-10-21 13:57 - 0262144 ___AH C:\Windows\System32\config\security.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0262144 ___AH C:\Windows\System32\config\default.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\system.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\system.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\software.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\software.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\security.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\sam.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\sam.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\default.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\COMPON~3.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\COMPON~3.tmp.LOG1
2011-10-21 12:49 - 2011-10-21 14:31 - 0000000 ____D C:\Qoobox
2011-10-21 12:49 - 2011-10-21 14:27 - 0000000 ____D C:\Windows\ERDNT
2011-10-21 12:49 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2011-10-21 12:49 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2011-10-21 12:49 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2011-10-21 12:49 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2011-10-21 12:49 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2011-10-21 12:49 - 2000-08-30 16:00 - 0212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2011-10-21 12:49 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2011-10-21 12:49 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2011-10-21 12:49 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2011-10-21 12:46 - 2011-10-21 12:47 - 4269231 ____R (Swearware) C:\Users\lynnwade\Downloads\ComboFix.exe
2011-10-19 10:59 - 2011-10-19 10:59 - 0003891 ____A C:\Users\lynnwade\Desktop\ark.txt
2011-10-19 09:37 - 2011-10-19 09:37 - 0302592 ____A C:\Users\lynnwade\Downloads\w88fwf6c.exe
2011-10-19 09:31 - 2011-10-19 09:31 - 0013999 ____A C:\Users\lynnwade\Desktop\DDS.txt
2011-10-19 09:31 - 2011-10-19 09:31 - 0004010 ____A C:\Users\lynnwade\Desktop\Attach.txt
2011-10-19 09:15 - 2011-10-19 09:16 - 0607260 ____R (Swearware) C:\Users\lynnwade\Downloads\dds.scr
2011-10-19 08:26 - 2011-10-19 08:26 - 0001217 ____A C:\Windows\System32\MRT.INI
2011-10-19 08:15 - 2011-10-05 07:09 - 48324552 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-10-17 16:30 - 2011-10-17 16:32 - 0069800 ____A C:\TDSSKiller.2.6.10.0_17.10.2011_19.30.33_log.txt
2011-10-17 16:29 - 2011-10-17 16:30 - 1540929 ____A C:\Users\lynnwade\Downloads\tdsskiller(1).zip
2011-10-17 16:28 - 2011-10-17 16:28 - 0000412 ____A C:\TDSSKiller.2.5.0.0_17.10.2011_19.28.31_log.txt
2011-10-17 14:34 - 2011-10-17 14:34 - 0000910 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2011-10-17 14:34 - 2011-08-31 14:00 - 0022216 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-10-17 14:32 - 2011-10-17 14:33 - 9852544 ____A (Malwarebytes Corporation ) C:\Users\lynnwade\Downloads\mbam-setup-1.51.2.1300.exe
2011-10-03 13:00 - 2011-10-03 13:00 - 0000000 ____D C:\Users\lynnwade\Downloads\Dum Dum Girls - Only in Dreams (2011)
2011-10-02 09:37 - 2011-10-02 09:37 - 0001668 ____A C:\Users\Public\Desktop\iTunes.lnk
2011-10-02 09:36 - 2009-05-18 10:17 - 0026600 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2011-10-02 09:36 - 2008-04-17 09:12 - 0107368 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi.dll
2011-10-02 09:35 - 2011-10-02 09:35 - 0000000 ____D C:\Program Files\iPod
2011-10-02 09:32 - 2011-10-02 09:32 - 0001730 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2011-10-02 09:32 - 2011-10-02 09:32 - 0000000 ____D C:\Program Files\QuickTime
2011-10-02 09:31 - 2011-10-02 09:35 - 0000000 ____D C:\ProgramData\Apple Computer
2011-10-02 09:28 - 2011-10-02 09:29 - 0000000 ____D C:\Program Files\Apple Software Update
2011-10-02 09:21 - 2011-10-02 09:21 - 0000000 ____D C:\Program Files\Bonjour
2011-10-02 09:16 - 2011-10-02 09:17 - 81229680 ____A (Apple Inc.) C:\Users\lynnwade\Downloads\iTunesSetup(1).exe
2011-10-02 08:27 - 2011-10-02 09:36 - 0000000 ____D C:\Program Files\iTunes
2011-10-02 05:51 - 2011-10-02 06:25 - 0000000 ____D C:\ProgramData\AVG2012
2011-10-02 05:48 - 2011-10-02 05:48 - 0000000 ____D C:\Program Files\AVG
2011-10-02 05:42 - 2011-10-02 12:08 - 0000000 ____D C:\ProgramData\MFAData
2011-10-02 05:41 - 2011-10-02 05:43 - 3897592 ____A (AVG Technologies) C:\Users\lynnwade\Downloads\avg_isct_stb_all_2012_1809_ms.exe
2011-10-01 21:27 - 2011-10-01 21:27 - 0000132 ____A C:\Users\lynnwade\Desktop\BelkinUserLog.txt
2011-09-30 05:41 - 2011-09-30 05:41 - 0000000 ____D C:\ProgramData\AVAST Software
2011-09-30 05:41 - 2011-09-30 05:41 - 0000000 ____D C:\Program Files\AVAST Software
2011-09-30 04:30 - 2011-09-30 04:30 - 0001160 ____A C:\Users\lynnwade\Desktop\checkup.txt
2011-09-29 14:38 - 2011-09-29 14:38 - 0007556 ____A C:\Users\lynnwade\Desktop\gmer.txt
2011-09-29 14:37 - 2011-09-29 14:37 - 0000000 ____A C:\Users\lynnwade\Desktop\New Text Document.txt
2011-09-29 13:34 - 2011-09-29 13:34 - 0062906 ____A C:\Users\lynnwade\Desktop\Extras.Txt
2011-09-29 13:31 - 2011-09-29 13:42 - 0080894 ____A C:\Users\lynnwade\Desktop\OTL.Txt
2011-09-29 12:56 - 2011-09-29 12:56 - 0010238 ____A C:\Users\lynnwade\Documents\hijackthis.log
2011-09-29 04:36 - 2011-09-29 04:37 - 0025088 ____A C:\Users\lynnwade\Downloads\English Survey Home Page.doc
2011-09-24 05:33 - 2011-10-17 16:16 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2011-09-24 05:33 - 2011-09-24 05:33 - 0000000 ____D C:\Users\lynnwade\AppData\Roaming\Malwarebytes
2011-09-24 05:33 - 2011-09-24 05:33 - 0000000 ____D C:\ProgramData\Malwarebytes

============ 3 Months Modified Files and Folders ===============

2011-10-23 00:16 - 2011-10-23 00:16 - 0000000 ____D C:\FRST
2011-10-22 21:09 - 2010-06-08 19:11 - 0049152 ____A C:\Windows\System32\Ikeext.etl
2011-10-22 21:09 - 2006-11-02 05:01 - 0032572 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-10-22 21:09 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-10-22 21:07 - 2010-02-25 18:54 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2011-10-22 21:07 - 2007-04-30 10:09 - 804839424 __ASH C:\hiberfil.sys
2011-10-22 21:07 - 2006-11-02 04:47 - 0003072 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-10-22 21:07 - 2006-11-02 04:47 - 0003072 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-10-22 21:06 - 2007-04-30 10:14 - 1710776 ____A C:\Windows\WindowsUpdate.log
2011-10-22 21:01 - 2006-11-02 02:33 - 0716948 ____A C:\Windows\System32\PerfStringBackup.INI
2011-10-22 20:54 - 2010-02-25 18:54 - 0000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2011-10-22 20:17 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\tracing
2011-10-22 18:42 - 2007-05-30 16:53 - 0000424 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{5B575585-12FB-4EEB-A38C-F850C81536C2}.job
2011-10-22 12:12 - 2011-10-22 12:12 - 0001200 ____A C:\blitzblank.log
2011-10-22 12:12 - 2008-12-11 14:02 - 2927104 ____A (Microsoft Corporation) C:\Windows\explorer.exe
2011-10-22 12:12 - 2006-11-02 00:44 - 0096768 ____A (Microsoft Corporation) C:\Windows\System32\wininit.exe
2011-10-22 12:06 - 2011-10-22 12:06 - 1153912 ____A (Emsi Software GmbH) C:\Users\lynnwade\Downloads\BlitzBlank.exe
2011-10-22 11:18 - 2011-10-22 11:18 - 0006878 ____A C:\Users\lynnwade\Desktop\SystemLook.txt
2011-10-22 11:11 - 2011-10-22 11:11 - 0139264 ____A C:\Users\lynnwade\Downloads\SystemLook.exe
2011-10-22 11:11 - 2007-05-03 07:25 - 0000000 ____D C:\Program Files\Mozilla Firefox
2011-10-22 02:47 - 2010-10-06 18:25 - 0000000 ____D C:\Users\lynnwade\AppData\Roaming\BitTorrent
2011-10-21 15:06 - 2011-10-21 15:06 - 0013592 ____A C:\Users\lynnwade\Desktop\combofix1.txt
2011-10-21 14:31 - 2011-10-21 14:31 - 0013592 ____A C:\ComboFix.txt
2011-10-21 14:31 - 2011-10-21 12:49 - 0000000 ____D C:\Qoobox
2011-10-21 14:31 - 2006-11-02 03:18 - 0000000 ___RD C:\users\Public
2011-10-21 14:27 - 2011-10-21 12:49 - 0000000 ____D C:\Windows\ERDNT
2011-10-21 14:23 - 2011-10-21 14:23 - 0000000 __SHD C:\$RECYCLE.BIN
2011-10-21 14:21 - 2006-11-02 02:23 - 0000215 ____A C:\Windows\system.ini
2011-10-21 14:20 - 2011-10-21 14:20 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2011-10-21 14:20 - 2006-01-06 20:35 - 0129184 ____A C:\Windows\PFRO.log
2011-10-21 14:14 - 2006-11-02 02:22 - 34603008 ____A C:\Windows\System32\config\software.bak
2011-10-21 13:58 - 2006-11-02 02:22 - 16252928 ____A C:\Windows\System32\config\system.bak
2011-10-21 13:57 - 2011-10-21 13:57 - 0262144 ___AH C:\Windows\System32\config\security.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0262144 ___AH C:\Windows\System32\config\default.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\system.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\system.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\software.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\software.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\security.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\sam.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\sam.tmp.LOG1
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\default.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\COMPON~3.tmp.LOG2
2011-10-21 13:57 - 2011-10-21 13:57 - 0000000 ___AH C:\Windows\System32\config\COMPON~3.tmp.LOG1
2011-10-21 13:57 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\security.bak
2011-10-21 13:57 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\default.bak
2011-10-21 12:47 - 2011-10-21 12:46 - 4269231 ____R (Swearware) C:\Users\lynnwade\Downloads\ComboFix.exe
2011-10-21 00:16 - 2006-11-02 02:22 - 30670848 ____A C:\Windows\System32\config\COMPON~3.bak
2011-10-19 10:59 - 2011-10-19 10:59 - 0003891 ____A C:\Users\lynnwade\Desktop\ark.txt
2011-10-19 09:37 - 2011-10-19 09:37 - 0302592 ____A C:\Users\lynnwade\Downloads\w88fwf6c.exe
2011-10-19 09:31 - 2011-10-19 09:31 - 0013999 ____A C:\Users\lynnwade\Desktop\DDS.txt
2011-10-19 09:31 - 2011-10-19 09:31 - 0004010 ____A C:\Users\lynnwade\Desktop\Attach.txt
2011-10-19 09:16 - 2011-10-19 09:15 - 0607260 ____R (Swearware) C:\Users\lynnwade\Downloads\dds.scr
2011-10-19 08:39 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\sam.bak
2011-10-19 08:26 - 2011-10-19 08:26 - 0001217 ____A C:\Windows\System32\MRT.INI
2011-10-17 16:32 - 2011-10-17 16:30 - 0069800 ____A C:\TDSSKiller.2.6.10.0_17.10.2011_19.30.33_log.txt
2011-10-17 16:30 - 2011-10-17 16:29 - 1540929 ____A C:\Users\lynnwade\Downloads\tdsskiller(1).zip
2011-10-17 16:28 - 2011-10-17 16:28 - 0000412 ____A C:\TDSSKiller.2.5.0.0_17.10.2011_19.28.31_log.txt
2011-10-17 16:21 - 2010-09-20 14:24 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2011-10-17 16:21 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Provisioning
2011-10-17 16:17 - 2011-03-11 09:00 - 0000000 ____D C:\Users\lynnwade\AppData\Roaming\Ycsyla
2011-10-17 16:16 - 2011-09-24 05:33 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2011-10-17 14:34 - 2011-10-17 14:34 - 0000910 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2011-10-17 14:33 - 2011-10-17 14:32 - 9852544 ____A (Malwarebytes Corporation ) C:\Users\lynnwade\Downloads\mbam-setup-1.51.2.1300.exe
2011-10-09 10:12 - 2007-11-10 09:53 - 0002585 ____A C:\Users\lynnwade\Desktop\Microsoft Word.lnk
2011-10-05 07:09 - 2011-10-19 08:15 - 48324552 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-10-03 15:32 - 2006-11-02 04:52 - 0024825 ____A C:\Windows\setupact.log
2011-10-03 13:00 - 2011-10-03 13:00 - 0000000 ____D C:\Users\lynnwade\Downloads\Dum Dum Girls - Only in Dreams (2011)
2011-10-02 12:08 - 2011-10-02 05:42 - 0000000 ____D C:\ProgramData\MFAData
2011-10-02 12:08 - 2010-09-08 18:59 - 0000000 ____D C:\ProgramData\McAfee Security Scan
2011-10-02 12:08 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\spool
2011-10-02 12:08 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\registration
2011-10-02 12:08 - 2006-11-02 02:22 - 34603008 ____A C:\Windows\System32\config\software_previous
2011-10-02 12:08 - 2006-11-02 02:22 - 16252928 ____A C:\Windows\System32\config\system_previous
2011-10-02 12:06 - 2006-11-02 02:22 - 30670848 ____A C:\Windows\System32\config\components_previous
2011-10-02 12:06 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\sam_previous
2011-10-02 10:56 - 2007-11-19 14:28 - 0000000 ____D C:\Users\lynnwade\AppData\Roaming\Apple Computer
2011-10-02 10:35 - 2011-02-27 11:17 - 0000000 ____D C:\ProgramData\Apple
2011-10-02 09:37 - 2011-10-02 09:37 - 0001668 ____A C:\Users\Public\Desktop\iTunes.lnk
2011-10-02 09:36 - 2011-10-02 08:27 - 0000000 ____D C:\Program Files\iTunes
2011-10-02 09:35 - 2011-10-02 09:35 - 0000000 ____D C:\Program Files\iPod
2011-10-02 09:35 - 2011-10-02 09:31 - 0000000 ____D C:\ProgramData\Apple Computer
2011-10-02 09:35 - 2011-02-27 11:17 - 0000000 ____D C:\Program Files\Common Files\Apple
2011-10-02 09:32 - 2011-10-02 09:32 - 0001730 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2011-10-02 09:32 - 2011-10-02 09:32 - 0000000 ____D C:\Program Files\QuickTime
2011-10-02 09:29 - 2011-10-02 09:28 - 0000000 ____D C:\Program Files\Apple Software Update
2011-10-02 09:27 - 2007-04-30 10:45 - 0000000 ____D C:\users\lynnwade
2011-10-02 09:21 - 2011-10-02 09:21 - 0000000 ____D C:\Program Files\Bonjour
2011-10-02 09:17 - 2011-10-02 09:16 - 81229680 ____A (Apple Inc.) C:\Users\lynnwade\Downloads\iTunesSetup(1).exe
2011-10-02 09:03 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\security_previous
2011-10-02 09:03 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\default_previous
2011-10-02 06:25 - 2011-10-02 05:51 - 0000000 ____D C:\ProgramData\AVG2012
2011-10-02 05:48 - 2011-10-02 05:48 - 0000000 ____D C:\Program Files\AVG
2011-10-02 05:43 - 2011-10-02 05:41 - 3897592 ____A (AVG Technologies) C:\Users\lynnwade\Downloads\avg_isct_stb_all_2012_1809_ms.exe
2011-10-01 21:27 - 2011-10-01 21:27 - 0000132 ____A C:\Users\lynnwade\Desktop\BelkinUserLog.txt
2011-10-01 14:45 - 2011-08-30 04:42 - 0022016 ____A C:\Users\lynnwade\Documents\microchip.doc
2011-09-30 05:41 - 2011-09-30 05:41 - 0000000 ____D C:\ProgramData\AVAST Software
2011-09-30 05:41 - 2011-09-30 05:41 - 0000000 ____D C:\Program Files\AVAST Software
2011-09-30 04:30 - 2011-09-30 04:30 - 0001160 ____A C:\Users\lynnwade\Desktop\checkup.txt
2011-09-29 14:38 - 2011-09-29 14:38 - 0007556 ____A C:\Users\lynnwade\Desktop\gmer.txt
2011-09-29 14:37 - 2011-09-29 14:37 - 0000000 ____A C:\Users\lynnwade\Desktop\New Text Document.txt
2011-09-29 13:42 - 2011-09-29 13:31 - 0080894 ____A C:\Users\lynnwade\Desktop\OTL.Txt
2011-09-29 13:34 - 2011-09-29 13:34 - 0062906 ____A C:\Users\lynnwade\Desktop\Extras.Txt
2011-09-29 12:56 - 2011-09-29 12:56 - 0010238 ____A C:\Users\lynnwade\Documents\hijackthis.log
2011-09-29 06:29 - 2007-05-11 03:52 - 0000000 ____D C:\Users\lynnwade\AppData\Local\Google
2011-09-29 04:37 - 2011-09-29 04:36 - 0025088 ____A C:\Users\lynnwade\Downloads\English Survey Home Page.doc
2011-09-24 05:55 - 2006-11-02 03:18 - 0000000 ___SD C:\Windows\Downloaded Program Files
2011-09-24 05:33 - 2011-09-24 05:33 - 0000000 ____D C:\Users\lynnwade\AppData\Roaming\Malwarebytes
2011-09-24 05:33 - 2011-09-24 05:33 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-09-22 07:02 - 2011-09-22 07:02 - 0000850 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2011-09-22 06:57 - 2011-09-22 06:56 - 13983976 ____A (Mozilla) C:\Users\lynnwade\Downloads\Firefox Setup 6.0.2.exe
2011-09-13 19:53 - 2011-09-13 19:53 - 0022016 ____A C:\Users\lynnwade\Downloads\Lesson Plans 9-14.doc
2011-09-13 06:45 - 2011-09-13 06:45 - 0022528 ____A C:\Users\lynnwade\Documents\Controlling Controlled Drugs CE points.doc
2011-09-11 06:17 - 2011-09-11 06:17 - 1256357 ____A C:\Users\lynnwade\Downloads\clinic logo.jpg
2011-09-08 16:53 - 2007-05-11 17:46 - 0055296 ____A C:\Users\lynnwade\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-09-07 06:21 - 2011-09-07 06:20 - 0090659 ____A C:\Users\lynnwade\Desktop\media_3810013032394a6bb21a0c529af578bd_t607.jpg
2011-09-04 17:57 - 2011-09-04 17:44 - 0000000 ____D C:\Users\lynnwade\Downloads\Life Fantastic
2011-08-31 14:00 - 2011-10-17 14:34 - 0022216 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-08-31 03:12 - 2011-07-26 20:05 - 0000000 ____D C:\Users\lynnwade\AppData\Roaming\Spotify
2011-08-30 16:58 - 2011-08-30 16:58 - 0000000 ____D C:\Users\lynnwade\AppData\Roaming\Catalina Marketing Corp
2011-08-30 16:58 - 2011-08-30 16:56 - 0489672 ____A (Catalina Marketing Corp. ) C:\Users\lynnwade\Downloads\CouponActivator.exe
2011-08-30 04:38 - 2011-08-30 04:38 - 0013994 ____A C:\Users\lynnwade\Downloads\monthPSf1-Sep-2011-GMbJ.doc
2011-08-27 06:02 - 2011-08-27 06:02 - 0020480 ____A C:\Users\lynnwade\Documents\Microchipping.doc
2011-08-27 06:01 - 2011-08-27 06:01 - 0000162 ___AH C:\Users\lynnwade\Documents\~$ppy Vaccinations and Wellness.doc
2011-08-27 05:46 - 2011-08-19 10:14 - 0025600 ____A C:\Users\lynnwade\Documents\controlled drugs points.doc
2011-08-22 18:59 - 2011-08-21 07:38 - 0000000 ____D C:\Users\lynnwade\Documents\FVH
2011-08-21 17:34 - 2011-08-03 19:01 - 0419328 ____A C:\Users\lynnwade\Documents\harry potter spells.doc
2011-08-21 08:19 - 2011-08-21 08:18 - 0216217 ____A C:\Users\lynnwade\Downloads\MC900438888.JPG
2011-08-14 12:59 - 2011-08-13 06:20 - 0024576 ____A C:\Users\lynnwade\Documents\Puppy Vaccinations and Wellness.doc
2011-08-14 11:16 - 2009-06-24 13:17 - 10324096 ____A C:\Users\lynnwade\Downloads\Yim Yames -- Behind That Locked Door.mp3
2011-08-14 11:16 - 2009-04-03 19:11 - 6492053 ____A C:\Users\lynnwade\Downloads\thenational_sofararoundthebend.mp3
2011-08-14 11:15 - 2011-03-15 13:44 - 0002669 ___SH C:\Users\lynnwade\Downloads\AlbumArt_{ACAA0E6F-86A4-4F38-BAA8-0FC0D293F498}_Large.jpg
2011-08-14 11:15 - 2011-03-15 13:44 - 0001079 ___SH C:\Users\lynnwade\Downloads\AlbumArt_{ACAA0E6F-86A4-4F38-BAA8-0FC0D293F498}_Small.jpg
2011-08-14 11:15 - 2011-03-15 13:41 - 0012322 ___SH C:\Users\lynnwade\Downloads\AlbumArt_{C652B5AF-DC21-4178-8774-98A200DE857D}_Large.jpg
2011-08-14 11:15 - 2011-03-15 13:41 - 0002546 ___SH C:\Users\lynnwade\Downloads\AlbumArt_{C652B5AF-DC21-4178-8774-98A200DE857D}_Small.jpg
2011-08-14 11:15 - 2007-10-24 08:52 - 0002669 ___SH C:\Users\lynnwade\Downloads\Folder.jpg
2011-08-14 11:15 - 2007-10-24 08:52 - 0001079 ___SH C:\Users\lynnwade\Downloads\AlbumArtSmall.jpg
2011-08-14 10:29 - 2011-08-14 10:29 - 0000000 _RASH C:\MSDOS.SYS
2011-08-14 10:29 - 2011-08-14 10:29 - 0000000 _RASH C:\IO.SYS
2011-08-14 10:28 - 2007-04-30 10:45 - 0000000 ____D C:\Program Files\Yahoo!
2011-08-14 10:23 - 2007-08-05 07:53 - 0000000 ____D C:\Program Files\DivX
2011-08-14 10:19 - 2011-08-14 10:19 - 0000000 ____D C:\Program Files\illiminable
2011-08-14 10:19 - 2007-05-24 11:18 - 0000000 ____D C:\Users\lynnwade\AppData\Roaming\yahoo!
2011-08-14 10:19 - 2007-05-03 15:39 - 0000000 ____D C:\ProgramData\yahoo!
2011-08-14 10:19 - 2007-05-03 07:06 - 0000000 ____D C:\Users\lynnwade\AppData\Local\Yahoo
2011-08-14 10:19 - 2007-05-03 07:05 - 0000000 ____D C:\ProgramData\Yahoo
2011-08-14 10:18 - 2007-05-03 07:04 - 0000150 ____A C:\YServer.txt
2011-08-14 10:15 - 2006-01-06 20:22 - 0000000 ___HD C:\Program Files\InstallShield Installation Information
2011-08-14 10:15 - 2006-01-06 19:05 - 0000000 ____D C:\Acer
2011-08-14 08:42 - 2011-08-14 08:42 - 0000000 ____D C:\Users\lynnwade\AppData\Roaming\Seagate
2011-08-14 08:41 - 2011-08-14 08:41 - 0001030 ____A C:\Users\lynnwade\Desktop\Seagate Dashboard.lnk
2011-08-14 08:41 - 2011-08-14 08:38 - 0000000 ____D C:\Program Files\Seagate
2011-08-13 19:47 - 2011-08-13 19:47 - 0883488 ____A (Sun Microsystems, Inc.) C:\Users\lynnwade\Downloads\JavaSetup6u23.exe
2011-08-12 03:46 - 2011-08-10 19:33 - 0058880 ____A C:\Users\lynnwade\Documents\Nirvana.doc
2011-08-09 12:14 - 2011-08-09 12:14 - 0026342 ____A C:\Users\lynnwade\Downloads\july beer_1.docx
2011-08-02 12:56 - 2011-01-25 14:37 - 0000000 ____D C:\Users\lynnwade\Documents\Anesthesia Note cards
2011-07-30 14:00 - 2011-07-30 14:00 - 0014248 ____A C:\Users\lynnwade\Downloads\monthLSf1-Aug-2011-MP72.doc
2011-07-26 20:31 - 2011-07-26 20:05 - 0000000 ____D C:\Users\lynnwade\AppData\Local\Spotify
2011-07-26 20:05 - 2011-07-26 20:05 - 0000792 ____A C:\Users\lynnwade\Desktop\Spotify.lnk
2011-07-26 20:05 - 2011-07-26 20:05 - 0000000 ____D C:\Program Files\Spotify
2011-07-26 20:05 - 2011-07-26 20:03 - 5340600 ____A C:\Users\lynnwade\Downloads\Spotify Installer.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2008-12-11 14:02] - [2011-10-22 12:12] - 2927104 ____A (Microsoft Corporation) FFA764631CB70A30065C12EF8E174F9F

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 25%
Total physical RAM: 766.94 MB
Available physical RAM: 572.07 MB
Total Pagefile: 740.17 MB
Available Pagefile: 625.9 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:113.2 GB) (Free:65.9 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:112.85 GB) (Free:112.62 GB) NTFS
4 Drive f: (FreeAgent GoFlex Drive) (Fixed) (Total:931.51 GB) (Free:865.41 GB) NTFS
9 Drive k: (LEXAR MEDIA) (Removable) (Total:0.12 GB) (Free:0.01 GB) FAT
10 Drive x: (PQSERVICE) (Fixed) (Total:6.83 GB) (Free:1.86 GB) NTFS

==========================================================

Last Boot: 2011-10-22 12:24

======================= End Of Log ==========================

#14 brocklanders

brocklanders
  • Topic Starter

  • Members
  • 27 posts
  • Local time:09:24 AM

Posted 24 October 2011 - 02:06 PM

Just bumping this in case you missed it.

Did I do everything ok with the FRST?

#15 gringo_pr

gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:24 AM

Posted 24 October 2011 - 06:07 PM

In Vista or Windows 7: Boot to System Recovery Options and run FRST.
In Windows XP: Please boot to BartPe and run FRST.
Type the following in the edit box after "Search:".

winlogon.exe;explorer.exe

Note: The file names should be separated by a semicolon (;)

It then should look like:

Search: winlogon.exe;explorer.exe

Click Search button and post the log (Search.txt) it makes to your reply.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
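The "Bamital & volsnap Check" section of the FRST log posted above lists each core system file either with an "MD5 is legit" verdict or, as for explorer.exe, with its dates, size and hash for the helper to weigh; the winlogon.exe;explorer.exe search requested in the reply targets exactly those files. As an added example (not FRST's own code and not from anyone in this thread), here is a small Python parser that pulls that section out of a pasted log and reports which files were not confirmed legit; the regexes and helper names are my own assumptions about the format, fitted to the excerpt shown.

```python
import re

# Excerpt copied from the FRST log posted above (the check section as FRST prints it).
SAMPLE_LOG = r"""========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2008-12-11 14:02] - [2011-10-22 12:12] - 2927104 ____A (Microsoft Corporation) FFA764631CB70A30065C12EF8E174F9F

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================
"""

# Assumed line shapes: "<path> => MD5 is legit", or a bare path followed by
# "[created] - [modified] - size attrs (company) MD5".
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attr>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})$"
)


def bamital_section(log_text):
    """Non-blank lines between the 'Bamital & volsnap Check' header and the next header."""
    out, inside = [], False
    for line in log_text.splitlines():
        if line.startswith("=====") and "Bamital & volsnap Check" in line:
            inside = True
        elif inside and line.startswith("====="):
            break
        elif inside and line.strip():
            out.append(line.rstrip())
    return out


def parse_bamital_check(log_text):
    """Map each checked path to 'legit' or to the dates/size/hash FRST printed."""
    results, pending = {}, None
    for line in bamital_section(log_text):
        if m := LEGIT_RE.match(line):
            results[m.group("path")] = "legit"
            pending = None
        elif (m := DETAIL_RE.match(line)) and pending:
            results[pending] = m.groupdict()   # details belong to the path above
            pending = None
        else:
            pending = line                     # bare path; its details follow next
    return results


def unconfirmed_files(log_text):
    """Paths FRST listed with a hash instead of an 'MD5 is legit' verdict."""
    return sorted(p for p, v in parse_bamital_check(log_text).items() if v != "legit")
```

A file in the unconfirmed list is not proof of infection; it only tells you which hash and modification date to compare against a known-good copy, which is what the recovery-environment search is for.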



