
redirecting virus ???


  • This topic is locked
42 replies to this topic

#1 gerigirlp

gerigirlp

  • Members
  • 21 posts

Posted 26 March 2012 - 09:54 PM

Something is wrong with my PC... please help! Redirecting.. I run Windows 7. Tried ComboFix, but it is still redirecting. I just want my PC back. lol Thank you

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Pendino at 21:45:16 on 2012-03-26
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1272.564 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\ProgramData\dot3gpclnt32.exe
C:\Windows\system32\audiosrv32.exe
C:\ProgramData\AuditPolicyGPInterop32.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\ProgramData\audiosrv32.exe
C:\ProgramData\api-ms-win-core-heap-l1-1-032.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: {01e2d731-4cc6-451c-bbf2-27c7af87878e} - c:\windows\system32\api-ms-win-core-heap-l1-1-032.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: 482f483b: {7e1e7a7b-a8eb-f54e-a944-393b02f53658} - c:\programdata\api-ms-win-core-heap-l1-1-032.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2291.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: @c:\program files\msn toolbar\platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2291.0\npwinext.dll
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
StartupFolder: c:\users\pendino\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{95F78AAF-6CFA-4D96-B3D9-5E68EC210BCA} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 459728]
R2 Audiosrv32;Windows Audio ;c:\programdata\dot3gpclnt32.exe [2011-11-30 767488]
R2 hkmsvc32;Health Key and Certificate Management ;c:\windows\system32\audiosrv32.exe [2011-6-17 767488]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-1 148520]
R2 WPCSvc32;Parental Controls ;c:\programdata\audiosrv32.exe [2011-11-30 767488]
R2 WPDBusEnum32;Portable Device Enumerator Service ;c:\programdata\api-ms-win-core-heap-l1-1-032.exe [2011-11-30 767488]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-10-1 271480]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-3 1343400]
.
=============== Created Last 30 ================
.
2012-03-27 01:54:10 167424 ----a-w- c:\programdata\api-ms-win-core-heap-l1-1-032.dll
2012-03-26 03:46:15 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-26 03:16:39 -------- d-----w- c:\users\pendino\appdata\local\temp
2012-03-26 02:56:47 98816 ----a-w- c:\windows\sed.exe
2012-03-26 02:56:47 518144 ----a-w- c:\windows\SWREG.exe
2012-03-26 02:56:47 256000 ----a-w- c:\windows\PEV.exe
2012-03-26 02:56:47 208896 ----a-w- c:\windows\MBR.exe
2012-03-03 18:03:22 -------- d-----w- c:\users\pendino\appdata\local\PackageAware
.
==================== Find3M ====================
.
.
============= FINISH: 21:45:42.61 ===============



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 March 2012 - 11:23 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

1. Do not run any other tool until instructed to do so!
Doing so will, at best, only cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.

2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.

3. After each step, give me a little feedback.
It does not need to be long, but just something so I know how things are going. It can be something like:
I am still getting redirected
The computer is running as it should
Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.

4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in.
These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet, spend a few minutes to back up any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me a lot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

You may want to back up the whole hard drive; there is some good info in the Preparation Guide on how to make full backups and how to restore them if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gerigirlp

gerigirlp
  • Topic Starter

  • Members
  • 21 posts

Posted 27 March 2012 - 07:40 PM

good evening,
No problems running ComboFix, but the PC is still redirecting. This time it was scour. Not sure if that helps. Thanks

ComboFix 12-03-25.01 - Pendino 03/27/2012 19:12:20.31.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1272.815 [GMT -5:00]
Running from: c:\users\Pendino\Documents\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\68dc1f69
c:\programdata\api-ms-win-core-heap-l1-1-032.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
.
2012-03-28 00:23 . 2012-03-28 00:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-28 00:23 . 2012-03-28 00:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-26 03:16 . 2012-03-28 00:27 -------- d-----w- c:\users\Pendino\AppData\Local\temp
2012-03-03 18:03 . 2012-03-03 18:03 -------- d-----w- c:\users\Pendino\AppData\Local\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01E2D731-4CC6-451C-BBF2-27C7AF87878e}]
2011-11-30 15:11 358912 ----a-w- c:\windows\System32\api-ms-win-core-heap-l1-1-032.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
.
c:\users\Pendino\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S2 Audiosrv32;Windows Audio ;c:\programdata\dot3gpclnt32.exe [2011-06-18 767488]
S2 hkmsvc32;Health Key and Certificate Management ;c:\windows\system32\audiosrv32.exe [2011-06-18 767488]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-03-13 148520]
S2 WPCSvc32;Parental Controls ;c:\programdata\audiosrv32.exe [2011-06-18 767488]
S2 WPDBusEnum32;Portable Device Enumerator Service ;c:\programdata\api-ms-win-core-heap-l1-1-032.exe [2011-06-18 767488]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2003980863-517347170-832581109-1000Core.job
- c:\users\Pendino\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-28 01:26]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2003980863-517347170-832581109-1000UA.job
- c:\users\Pendino\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-28 01:26]
.
2011-11-05 c:\windows\Tasks\hpwebreg_CN118131XT05JW.job
- c:\program files\HP\HP Officejet 6500 E710n-z\Bin\hpwebreg.exe [2010-11-17 02:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{5987066E-B855-877F-C9A5-17E28D1BB54A} - c:\programdata\api-ms-win-core-heap-l1-1-032.dll
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\7b57e974]
"imagepath"="\??\c:\windows\TEMP\7D0D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\programdata\AuditPolicyGPInterop32.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-03-27 19:32:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-28 00:32
ComboFix2.txt 2012-03-26 03:47
ComboFix3.txt 2012-03-26 03:26
ComboFix4.txt 2011-12-06 04:31
ComboFix5.txt 2012-03-28 00:11
.
Pre-Run: 19,545,186,304 bytes free
Post-Run: 19,390,668,800 bytes free
.
- - End Of File - - 2A4B88884338232EC3162181348598AC
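As an added example that is not part of this thread or of any of the tools it mentions: the DDS log in post #1 and the ComboFix log in post #3 list services in the same `state name;display;path [date size]` form, and the impostor entries share tell-tale traits (binaries under c:\programdata, genuine service names with a "32" suffix, display names with a trailing space, four files of identical size). This Python script parses such lines and flags entries showing those traits; the built-in service set and the writable-directory list are my own assumptions, and the sample lines are copied from the logs above.

```python
import re
from collections import defaultdict

# Service/driver lines as DDS and ComboFix print them, e.g.
#   R2 Audiosrv32;Windows Audio ;c:\programdata\dot3gpclnt32.exe [2011-11-30 767488]
#   R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Assumption: Windows 7 built-in service names that the log shows being copied
# with a "32" suffix (Audiosrv, hkmsvc, WPCSvc, WPDBusEnum are genuine names).
BUILTIN_SERVICES = {"audiosrv", "hkmsvc", "wpcsvc", "wpdbusenum"}

# Assumption: user-writable directories a service binary should not run from.
SUSPECT_DIRS = ("\\programdata\\", "\\temp\\", "\\appdata\\", "\\users\\")

# Constructed sample: service lines copied from the DDS/ComboFix logs above.
SAMPLE_LOG = r"""
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 459728]
R2 Audiosrv32;Windows Audio ;c:\programdata\dot3gpclnt32.exe [2011-11-30 767488]
R2 hkmsvc32;Health Key and Certificate Management ;c:\windows\system32\audiosrv32.exe [2011-6-17 767488]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-1 148520]
R2 WPCSvc32;Parental Controls ;c:\programdata\audiosrv32.exe [2011-11-30 767488]
R2 WPDBusEnum32;Portable Device Enumerator Service ;c:\programdata\api-ms-win-core-heap-l1-1-032.exe [2011-11-30 767488]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-3 1343400]
"""


def parse_services(log_text):
    """Return one dict per service/driver line; size is None when the log shows [x]."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        meta = m.group("meta").split()
        size = int(meta[-1]) if meta and meta[-1].isdigit() else None
        services.append({
            "state": m.group("state"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": m.group("path"),
            "size": size,
        })
    return services


def suspicious_services(services):
    """Map service name -> list of reasons the entry looks like an impostor."""
    # Distinct image paths grouped by file size: the log shows four different
    # binaries all reporting 767488 bytes, a strong hint they are one payload.
    by_size = defaultdict(set)
    for s in services:
        if s["size"] is not None:
            by_size[s["size"]].add(s["path"].lower())
    shared_sizes = {size for size, paths in by_size.items() if len(paths) > 1}

    findings = defaultdict(list)
    for s in services:
        name, path = s["name"], s["path"].lower()
        if any(d in path for d in SUSPECT_DIRS):
            findings[name].append("image path in user-writable directory")
        # "Audiosrv32" -> stem "audiosrv": a real service name with digits appended
        stem = name.rstrip("0123456789").lower()
        if stem != name.lower() and stem in BUILTIN_SERVICES:
            findings[name].append(f"name mimics built-in service '{stem}'")
        # Copied display names carry a trailing space the genuine ones lack
        if s["display"] != s["display"].rstrip():
            findings[name].append("display name has trailing whitespace")
        if s["size"] in shared_sizes:
            findings[name].append(f"size {s['size']} shared with other services")
    return dict(findings)


def report(log_text):
    """One summary line per flagged service, sorted by name."""
    flagged = suspicious_services(parse_services(log_text))
    return [f"{name}: " + "; ".join(reasons) for name, reasons in sorted(flagged.items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```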

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 March 2012 - 08:18 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

#5 gerigirlp

gerigirlp
  • Topic Starter

  • Members
  • 21 posts

Posted 27 March 2012 - 09:24 PM

OK. I ran the TDSSKiller. It did not reboot. I clicked on Report and tried to copy, but it would not let me. Not sure what I was doing wrong. Next I ran the aswMBR and the same thing happened. I saved it to my desktop. When I tried to pull it up, it said I can't. Not sure what I am doing wrong????

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 March 2012 - 09:46 PM

What does it say?


gringo

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 March 2012 - 11:21 PM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#8 gerigirlp

gerigirlp
  • Topic Starter

  • Members
  • 21 posts

Posted 30 March 2012 - 09:34 PM

This is the report from aswMBR. How do I save this so it is readable?? Not so computer savvy.



3м |ؾ | Ph ~ |


#9 gerigirlp

gerigirlp
  • Topic Starter

  • Members
  • 21 posts

Posted 30 March 2012 - 09:38 PM

I found the TDSSKiller report.. yeah. I still have the redirecting issue.. the aswMBR report is stating I have several files infected...

20:22:23.0158 3972 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
20:22:23.0517 3972 ============================================================
20:22:23.0517 3972 Current date / time: 2012/03/27 20:22:23.0517
20:22:23.0517 3972 SystemInfo:
20:22:23.0517 3972
20:22:23.0517 3972 OS Version: 6.1.7600 ServicePack: 0.0
20:22:23.0517 3972 Product type: Workstation
20:22:23.0517 3972 ComputerName: PENDINO-PC
20:22:23.0517 3972 UserName: Pendino
20:22:23.0517 3972 Windows directory: C:\Windows
20:22:23.0517 3972 System windows directory: C:\Windows
20:22:23.0517 3972 Processor architecture: Intel x86
20:22:23.0517 3972 Number of processors: 1
20:22:23.0517 3972 Page size: 0x1000
20:22:23.0517 3972 Boot type: Normal boot
20:22:23.0517 3972 ============================================================
20:22:24.0548 3972 Drive \Device\Harddisk0\DR0 - Size: 0x9516AE000 (37.27 Gb), SectorSize: 0x200, Cylinders: 0x1431, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
20:22:24.0548 3972 \Device\Harddisk0\DR0:
20:22:24.0548 3972 MBR used
20:22:24.0548 3972 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
20:22:24.0548 3972 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x4A58000
20:22:24.0580 3972 Initialize success
20:22:24.0580 3972 ============================================================
20:22:26.0830 0808 ============================================================
20:22:26.0830 0808 Scan started
20:22:26.0830 0808 Mode: Manual;
20:22:26.0830 0808 ============================================================
20:22:28.0048 0808 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
20:22:28.0048 0808 1394ohci - ok
20:22:28.0142 0808 7b57e974 - ok
20:22:28.0251 0808 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
20:22:28.0251 0808 ACPI - ok
20:22:28.0392 0808 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
20:22:28.0392 0808 AcpiPmi - ok
20:22:28.0517 0808 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
20:22:28.0533 0808 adp94xx - ok
20:22:28.0658 0808 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
20:22:28.0673 0808 adpahci - ok
20:22:28.0798 0808 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
20:22:28.0814 0808 adpu320 - ok
20:22:28.0892 0808 AeLookupSvc (8b5eefeec1e6d1a72a06c526628ad161) C:\Windows\System32\aelupsvc.dll
20:22:28.0892 0808 AeLookupSvc - ok
20:22:29.0033 0808 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
20:22:29.0048 0808 AFD - ok
20:22:29.0142 0808 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
20:22:29.0142 0808 agp440 - ok
20:22:29.0220 0808 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
20:22:29.0220 0808 aic78xx - ok
20:22:29.0314 0808 ALG (18a54e132947cd98fea9accc57f98f13) C:\Windows\System32\alg.exe
20:22:29.0330 0808 ALG - ok
20:22:29.0423 0808 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
20:22:29.0423 0808 aliide - ok
20:22:29.0486 0808 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
20:22:29.0486 0808 amdagp - ok
20:22:29.0595 0808 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
20:22:29.0595 0808 amdide - ok
20:22:29.0673 0808 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
20:22:29.0673 0808 AmdK8 - ok
20:22:29.0751 0808 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
20:22:29.0767 0808 AmdPPM - ok
20:22:29.0892 0808 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
20:22:29.0892 0808 amdsata - ok
20:22:29.0986 0808 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
20:22:30.0001 0808 amdsbs - ok
20:22:30.0080 0808 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
20:22:30.0080 0808 amdxata - ok
20:22:30.0205 0808 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
20:22:30.0205 0808 AppID - ok
20:22:30.0283 0808 AppIDSvc (62a9c86cb6085e20db4823e4e97826f5) C:\Windows\System32\appidsvc.dll
20:22:30.0283 0808 AppIDSvc - ok
20:22:30.0361 0808 Appinfo (7dead9e3f65dcb2794f2711003bbf650) C:\Windows\System32\appinfo.dll
20:22:30.0361 0808 Appinfo - ok
20:22:30.0455 0808 AppMgmt (a45d184df6a8803da13a0b329517a64a) C:\Windows\System32\appmgmts.dll
20:22:30.0455 0808 AppMgmt - ok
20:22:30.0564 0808 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
20:22:30.0580 0808 arc - ok
20:22:30.0642 0808 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
20:22:30.0642 0808 arcsas - ok
20:22:30.0751 0808 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
20:22:30.0751 0808 AsyncMac - ok
20:22:30.0830 0808 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
20:22:30.0830 0808 atapi - ok
20:22:30.0939 0808 AudioEndpointBuilder (510c873bfa135aa829f4180352772734) C:\Windows\System32\Audiosrv.dll
20:22:30.0955 0808 AudioEndpointBuilder - ok
20:22:30.0986 0808 Audiosrv (510c873bfa135aa829f4180352772734) C:\Windows\System32\Audiosrv.dll
20:22:31.0001 0808 Audiosrv - ok
20:22:31.0111 0808 Audiosrv32 (c5b39235f4b5bb7e3c8553291df38b52) C:\ProgramData\dot3gpclnt32.exe
20:22:31.0142 0808 Audiosrv32 - ok
20:22:31.0251 0808 AxInstSV (dd6a431b43e34b91a767d1ce33728175) C:\Windows\System32\AxInstSV.dll
20:22:31.0251 0808 AxInstSV - ok
20:22:31.0376 0808 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
20:22:31.0392 0808 b06bdrv - ok
20:22:31.0501 0808 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
20:22:31.0501 0808 b57nd60x - ok
20:22:31.0611 0808 BDESVC (ee1e9c3bb8228ae423dd38db69128e71) C:\Windows\System32\bdesvc.dll
20:22:31.0611 0808 BDESVC - ok
20:22:31.0689 0808 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
20:22:31.0689 0808 Beep - ok
20:22:31.0814 0808 BFE (85ac71c045ceb054ed48a7841aae0c11) C:\Windows\System32\bfe.dll
20:22:31.0830 0808 BFE - ok
20:22:31.0939 0808 BITS (53f476476f55a27f580661bde09c4ec4) C:\Windows\system32\qmgr.dll
20:22:31.0970 0808 BITS - ok
20:22:32.0080 0808 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
20:22:32.0080 0808 blbdrive - ok
20:22:32.0158 0808 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
20:22:32.0158 0808 bowser - ok
20:22:32.0283 0808 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
20:22:32.0283 0808 BrFiltLo - ok
20:22:32.0330 0808 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
20:22:32.0330 0808 BrFiltUp - ok
20:22:32.0455 0808 BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
20:22:32.0455 0808 BridgeMP - ok
20:22:32.0533 0808 Browser (598e1280e7ff3744f4b8329366cc5635) C:\Windows\System32\browser.dll
20:22:32.0533 0808 Browser - ok
20:22:32.0642 0808 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
20:22:32.0673 0808 Brserid - ok
20:22:32.0767 0808 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
20:22:32.0767 0808 BrSerWdm - ok
20:22:32.0830 0808 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
20:22:32.0830 0808 BrUsbMdm - ok
20:22:32.0939 0808 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
20:22:32.0939 0808 BrUsbSer - ok
20:22:33.0001 0808 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
20:22:33.0001 0808 BTHMODEM - ok
20:22:33.0095 0808 bthserv (1df19c96eef6c29d1c3e1a8678e07190) C:\Windows\system32\bthserv.dll
20:22:33.0095 0808 bthserv - ok
20:22:33.0205 0808 catchme - ok
20:22:33.0330 0808 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
20:22:33.0330 0808 cdfs - ok
20:22:33.0470 0808 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
20:22:33.0470 0808 cdrom - ok
20:22:33.0580 0808 CertPropSvc (628a9e30ec5e18dd5de6be4dbdc12198) C:\Windows\System32\certprop.dll
20:22:33.0580 0808 CertPropSvc - ok
20:22:33.0673 0808 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
20:22:33.0673 0808 circlass - ok
20:22:33.0767 0808 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
20:22:33.0783 0808 CLFS - ok
20:22:33.0892 0808 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
20:22:33.0892 0808 clr_optimization_v2.0.50727_32 - ok
20:22:34.0033 0808 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
20:22:34.0033 0808 clr_optimization_v4.0.30319_32 - ok
20:22:34.0126 0808 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
20:22:34.0126 0808 CmBatt - ok
20:22:34.0189 0808 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
20:22:34.0189 0808 cmdide - ok
20:22:34.0267 0808 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
20:22:34.0283 0808 CNG - ok
20:22:34.0392 0808 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
20:22:34.0392 0808 Compbatt - ok
20:22:34.0501 0808 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
20:22:34.0501 0808 CompositeBus - ok
20:22:34.0580 0808 COMSysApp - ok
20:22:34.0642 0808 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
20:22:34.0642 0808 crcdisk - ok
20:22:34.0751 0808 CryptSvc (9c231178ce4fb385f4b54b0a9080b8a4) C:\Windows\system32\cryptsvc.dll
20:22:34.0751 0808 CryptSvc - ok
20:22:34.0876 0808 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
20:22:34.0892 0808 CSC - ok
20:22:35.0001 0808 CscService (56fb5f222ea30d3d3fc459879772cb73) C:\Windows\System32\cscsvc.dll
20:22:35.0033 0808 CscService - ok
20:22:35.0142 0808 DcomLaunch (b82cd39e336973359d7c9bf911e8e84f) C:\Windows\system32\rpcss.dll
20:22:35.0158 0808 DcomLaunch - ok
20:22:35.0220 0808 defragsvc (8d6e10a2d9a5eed59562d9b82cf804e1) C:\Windows\System32\defragsvc.dll
20:22:35.0236 0808 defragsvc - ok
20:22:35.0345 0808 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
20:22:35.0345 0808 DfsC - ok
20:22:35.0455 0808 Dhcp (c56495fbd770712367cad35e5de72da6) C:\Windows\system32\dhcpcore.dll
20:22:35.0470 0808 Dhcp - ok
20:22:35.0580 0808 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
20:22:35.0580 0808 discache - ok
20:22:35.0689 0808 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • Gender:Male
  • Location:Puerto rico

Posted 30 March 2012 - 09:43 PM

Hello


Did you click on the Save Report button? The report you are trying to send me is a backup of the MBR.

The report I want pops up when you click on Save Report.



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 gerigirlp
  • Topic Starter
  • Members

Posted 30 March 2012 - 09:53 PM

I believe this is it. For some reason it would not save to my desktop, but it did when I downloaded it...

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-30 20:36:10
-----------------------------
20:36:10.822 OS Version: Windows 6.1.7600
20:36:10.822 Number of processors: 1 586 0x401
20:36:10.822 ComputerName: PENDINO-PC UserName: Pendino
20:36:22.197 Initialize success
20:42:17.381 AVAST engine defs: 12033001
20:51:49.991 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:51:50.006 Disk 0 Vendor: WDC_WD400BB-22HEA1 14.03G14 Size: 38166MB BusType: 3
20:51:50.022 Disk 0 MBR read successfully
20:51:50.022 Disk 0 MBR scan
20:51:50.038 Disk 0 Windows 7 default MBR code
20:51:50.053 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:51:50.084 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 38064 MB offset 206848
20:51:50.100 Disk 0 scanning sectors +78161920
20:51:50.178 Disk 0 scanning C:\Windows\system32\drivers
20:51:59.553 Service scanning
20:52:02.334 Service Audiosrv32 C:\ProgramData\dot3gpclnt32.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:52:10.053 Service hkmsvc32 C:\Windows\system32\audiosrv32.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:52:36.397 Service WPCSvc32 C:\ProgramData\audiosrv32.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:52:37.069 Service WPDBusEnum32 C:\ProgramData\api-ms-win-core-heap-l1-1-032.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:52:38.397 Modules scanning
20:52:51.741 Disk 0 trace - called modules:
20:52:51.756 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
20:52:51.772 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85563ac8]
20:52:51.788 3 CLASSPNP.SYS[8826e59e] -> nt!IofCallDriver -> [0x8481a608]
20:52:51.803 5 ACPI.sys[87a3f3b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84816610]
20:52:52.553 AVAST engine scan C:\Windows
20:52:54.959 AVAST engine scan C:\Windows\system32
20:52:57.459 File: C:\Windows\system32\api-ms-win-core-heap-l1-1-032.dll **INFECTED** Win32:Dracur-F [Cryp]
20:52:59.319 File: C:\Windows\system32\audiosrv32.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:54:44.288 File: C:\Windows\system32\TSChannel32.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:55:57.366 AVAST engine scan C:\Windows\system32\drivers
20:56:11.709 AVAST engine scan C:\Users\Pendino
20:56:23.663 File: C:\Users\Pendino\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe **INFECTED** Win32:Malware-gen
20:56:23.803 File: C:\Users\Pendino\AppData\Local\Google\Update\1.3.21.111\GoogleUpdate.exe **INFECTED** Win32:Trojan-gen
20:57:12.147 File: C:\Users\Pendino\AppData\Local\temp\_av4_\data\aswar0.dll **INFECTED** Win32:Malware-gen
20:57:12.397 File: C:\Users\Pendino\AppData\Local\temp\_av4_\data\updldr0.bin **INFECTED** Win32:Malware-gen
20:57:24.553 File: C:\Users\Pendino\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\25dc9bdb-5423723c **INFECTED** Win32:Rootkit-gen [Rtk]
20:57:24.663 File: C:\Users\Pendino\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\32f4961b-42e9c368 **INFECTED** Win32:MalOb-GR [Cryp]
20:57:32.225 File: C:\Users\Pendino\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3b9983b5-1fb3941a **INFECTED** Win32:Ransom-ER [Trj]
20:57:32.303 File: C:\Users\Pendino\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3b9983b5-2affc60a **INFECTED** Win32:Ransom-ER [Trj]
20:59:19.178 AVAST engine scan C:\ProgramData
20:59:20.053 File: C:\ProgramData\api-ms-win-core-heap-l1-1-032.dll **INFECTED** Win32:Dracur-F [Cryp]
20:59:20.178 File: C:\ProgramData\api-ms-win-core-heap-l1-1-032.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:59:20.334 File: C:\ProgramData\audiosrv32.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:59:20.459 File: C:\ProgramData\AuditPolicyGPInterop32.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:59:20.616 File: C:\ProgramData\dot3gpclnt32.exe **INFECTED** Win32:Downloader-HZR [Trj]
21:00:20.647 Scan finished successfully
21:19:27.836 File "C:\Users\Pendino\AppData\Local\Google\Update\1.3.21.111\GoogleUpdate.exe" has been saved successfully to:
21:19:27.852 "C:\Users\Pendino\Desktop\copy_GoogleUpdate.exe"
21:50:47.946 Disk 0 MBR has been saved successfully to "C:\Users\Pendino\Downloads\MBR.dat"
21:50:47.946 The log file has been saved successfully to "C:\Users\Pendino\Downloads\aswMBR.txt"

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • Gender:Male
  • Location:Puerto rico

Posted 30 March 2012 - 10:19 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
Folder::
C:\Users\Pendino\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27
C:\Users\Pendino\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53

File::
C:\ProgramData\audiosrv32.exe
C:\ProgramData\api-ms-win-core-heap-l1-1-032.dll
C:\Users\Pendino\AppData\Local\temp\_av4_\data\updldr0.bin
C:\Users\Pendino\AppData\Local\temp\_av4_\data\aswar0.dll
C:\Users\Pendino\AppData\Local\Google\Update\1.3.21.111\GoogleUpdate.exe
C:\Users\Pendino\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\ProgramData\dot3gpclnt32.exe
C:\Windows\system32\audiosrv32.exe
C:\ProgramData\audiosrv32.exe
C:\ProgramData\api-ms-win-core-heap-l1-1-032.exe
C:\Windows\system32\api-ms-win-core-heap-l1-1-032.dll
C:\ProgramData\api-ms-win-core-heap-l1-1-032.exe
C:\Windows\system32\TSChannel32.exe
C:\ProgramData\AuditPolicyGPInterop32.exe
C:\ProgramData\dot3gpclnt32.exe

Driver::
WPDBusEnum32
Audiosrv32
WPCSvc32
hkmsvc32

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

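The CFScript in this post was written by reading the **INFECTED** lines of the aswMBR log in post #11 and copying each hit into a File::, Folder:: or Driver:: section. As an added example (not part of this thread, and not code from aswMBR or ComboFix), the Python script below does that transcription mechanically: it parses the Service and File detections from aswMBR output, collapses Java deployment-cache hits to their parent folder the way the helper did, and emits the three sections in the same layout the post uses. It also flags the pattern visible in the log, where each malicious service name is a genuine Windows service name with a "32" suffix (Audiosrv32, hkmsvc32, WPCSvc32, WPDBusEnum32). The sample log lines are constructed from the post; KNOWN_SERVICES is an assumed small subset of Windows 7 service names, and the ComboFix script format is used only as far as the post shows it.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the aswMBR log posted above (not the full log).
SAMPLE_LOG = r"""
20:51:59.553 Service scanning
20:52:02.334 Service Audiosrv32 C:\ProgramData\dot3gpclnt32.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:52:10.053 Service hkmsvc32 C:\Windows\system32\audiosrv32.exe **INFECTED** Win32:Downloader-HZR [Trj]
20:52:38.397 Modules scanning
20:52:57.459 File: C:\Windows\system32\api-ms-win-core-heap-l1-1-032.dll **INFECTED** Win32:Dracur-F [Cryp]
20:57:24.553 File: C:\Users\Pendino\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\25dc9bdb-5423723c **INFECTED** Win32:Rootkit-gen [Rtk]
20:59:20.616 File: C:\ProgramData\dot3gpclnt32.exe **INFECTED** Win32:Downloader-HZR [Trj]
21:00:20.647 Scan finished successfully
"""

# aswMBR prints a timestamp, then either "Service <name> <image path>" or
# "File: <path>", and for hits appends "**INFECTED** <detection name>".
_TS = r"^\d\d:\d\d:\d\d\.\d+ "
SERVICE_RE = re.compile(_TS + r"Service (\S+) (.+?) \*\*INFECTED\*\* (.+)$")
FILE_RE = re.compile(_TS + r"File: (.+?) \*\*INFECTED\*\* (.+)$")

# Assumption: a small subset of genuine Windows 7 service names, used only to
# spot look-alike names such as "Audiosrv32" (real name + "32" suffix).
KNOWN_SERVICES = {"audiosrv", "hkmsvc", "wpcsvc", "wpdbusenum", "rasauto"}

# Java deployment-cache hits are handled per folder, as the post's script does.
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_aswmbr(text):
    """Return {'services': [(name, path, detection)], 'files': [(path, detection)]}."""
    findings = {"services": [], "files": []}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            findings["services"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = FILE_RE.match(line)
        if m:
            findings["files"].append((m.group(1), m.group(2)))
    return findings


def lookalike_services(findings):
    """Infected service names that are a known service name plus a '32' suffix."""
    hits = []
    for name, _path, _det in findings["services"]:
        base = name.lower()
        if base.endswith("32") and base[:-2] in KNOWN_SERVICES:
            hits.append(name)
    return hits


def _dedupe(paths):
    """Keep first spelling of each path, comparing case-insensitively (NTFS)."""
    seen, out = set(), []
    for p in paths:
        if p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


def build_cfscript(findings):
    """Emit Folder::/File::/Driver:: sections in the layout the post above uses."""
    folders, files = [], []
    for path, _det in findings["files"]:
        if JAVA_CACHE_MARKER in path.lower():
            folders.append(str(PureWindowsPath(path).parent))
        else:
            files.append(path)
    # Service image paths are files too; list them ahead of plain file hits.
    files = [p for _n, p, _d in findings["services"]] + files
    drivers = [name for name, _p, _d in findings["services"]]
    lines = ["ClearJavaCache::", "KillAll::", "Folder::"] + _dedupe(folders) + [""]
    lines += ["File::"] + _dedupe(files) + [""]
    lines += ["Driver::"] + drivers
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_aswmbr(SAMPLE_LOG)
    print("look-alike service names:", ", ".join(lookalike_services(found)))
    print(build_cfscript(found))
```

The generated text is a starting point for the person reviewing the log, not something to feed to ComboFix unread: aswMBR detections named "-gen" are heuristic, and the helper in this thread still chose which paths to include by hand.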

#13 gerigirlp
  • Topic Starter
  • Members

Posted 30 March 2012 - 10:58 PM

Good evening again,
ComboFix went well, no issues running it. Unfortunately, it is still redirecting in Bing. Tried it in Google and that seemed OK.
ComboFix 12-03-30.06 - Pendino 03/30/2012 22:31:54.32.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1272.802 [GMT -5:00]
Running from: c:\users\Pendino\Desktop\ComboFix.exe
Command switches used :: c:\users\Pendino\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\programdata\api-ms-win-core-heap-l1-1-032.dll"
"c:\programdata\api-ms-win-core-heap-l1-1-032.exe"
"c:\programdata\audiosrv32.exe"
"c:\programdata\AuditPolicyGPInterop32.exe"
"c:\programdata\dot3gpclnt32.exe"
"c:\users\Pendino\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe"
"c:\users\Pendino\AppData\Local\Google\Update\1.3.21.111\GoogleUpdate.exe"
"c:\users\Pendino\AppData\Local\temp\_av4_\data\aswar0.dll"
"c:\users\Pendino\AppData\Local\temp\_av4_\data\updldr0.bin"
"c:\windows\system32\api-ms-win-core-heap-l1-1-032.dll"
"c:\windows\system32\audiosrv32.exe"
"c:\windows\system32\TSChannel32.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\api-ms-win-core-heap-l1-1-032.dll
c:\programdata\api-ms-win-core-heap-l1-1-032.exe
c:\programdata\audiosrv32.exe
c:\programdata\AuditPolicyGPInterop32.exe
c:\programdata\dot3gpclnt32.exe
c:\users\Pendino\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe
c:\users\Pendino\AppData\Local\Google\Update\1.3.21.111\GoogleUpdate.exe
c:\windows\system32\api-ms-win-core-heap-l1-1-032.dll
c:\windows\system32\audiosrv32.exe
c:\windows\system32\TSChannel32.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Audiosrv32
-------\Service_hkmsvc32
-------\Service_WPCSvc32
-------\Service_WPDBusEnum32
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-31 )))))))))))))))))))))))))))))))
.
.
2012-03-03 18:03 . 2012-03-03 18:03 -------- d-----w- c:\users\Pendino\AppData\Local\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01E2D731-4CC6-451C-BBF2-27C7AF87878e}]
c:\windows\system32\api-ms-win-core-heap-l1-1-032.dll [BU]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{837CA569-6C38-E9CC-49B0-D4904EF16716}]
2012-03-31 03:43 167424 ----a-w- c:\programdata\AuthFWSnapin32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
.
c:\users\Pendino\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-03-13 148520]
S2 RasAuto32;Remote Access Auto Connection Manager ;c:\programdata\authfwcfg32.exe [2011-06-18 767488]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2003980863-517347170-832581109-1000Core.job
- c:\users\Pendino\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-28 01:26]
.
2012-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2003980863-517347170-832581109-1000UA.job
- c:\users\Pendino\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-28 01:26]
.
2011-11-05 c:\windows\Tasks\hpwebreg_CN118131XT05JW.job
- c:\program files\HP\HP Officejet 6500 E710n-z\Bin\hpwebreg.exe [2010-11-17 02:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\7b57e974]
"imagepath"="\??\c:\windows\TEMP\7D0D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programdata\AuditPolicyGPInterop32.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-03-30 22:48:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-31 03:48
ComboFix2.txt 2012-03-28 00:32
ComboFix3.txt 2012-03-26 03:47
ComboFix4.txt 2012-03-26 03:26
ComboFix5.txt 2012-03-31 03:30
.
Pre-Run: 19,197,636,608 bytes free
Post-Run: 19,542,016,000 bytes free
.
- - End Of File - - 919D1A33986B586DBAE6CD33476B845C

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • Gender:Male
  • Location:Puerto rico

Posted 30 March 2012 - 11:04 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened, and is the one that I need posted back here
    • Extra.txt <-- Will be minimized; save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#15 gerigirlp
  • Topic Starter
  • Members

Posted 30 March 2012 - 11:20 PM

OTL logfile created on: 3/30/2012 11:08:23 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Pendino\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.77 Gb Available Physical Memory | 62.27% Memory free
2.48 Gb Paging File | 2.01 Gb Available in Paging File | 80.95% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 37.17 Gb Total Space | 18.26 Gb Free Space | 49.11% Space Free | Partition Type: NTFS

Computer Name: PENDINO-PC | User Name: Pendino | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found
PRC - C:\Users\Pendino\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\ProgramData\authfwcfg32.exe (CrypKey Inc.)
PRC - C:\Windows\System32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe File not found
SRV - (HPSLPSVC) -- C:\Users\Pendino\AppData\Local\temp\7zS0DA4\hpslpsvc32.dll File not found
SRV - (RasAuto32) -- C:\ProgramData\authfwcfg32.exe (CrypKey Inc.)
SRV - (mfevtp) -- C:\Windows\System32\mfevtps.exe (McAfee, Inc.)
SRV - (McProxy) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found
DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found
DRV - (mbr) -- C:\Users\Pendino\AppData\Local\Temp\mbr.sys File not found
DRV - (MBAMSwissArmy) -- C:\Windows\system32\drivers\mbamswissarmy.sys File not found
DRV - (catchme) -- C:\Users\Pendino\AppData\Local\Temp\catchme.sys File not found
DRV - (7b57e974) -- C:\Windows\TEMP\7D0D.tmp File not found
DRV - (mfehidk) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\Windows\System32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (UsbDiag) -- C:\Windows\System32\drivers\lgusbdiag.sys (LG Electronics Inc.)
DRV - (usbbus) -- C:\Windows\System32\drivers\lgusbbus.sys (LG Electronics Inc.)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (LVUSBSta) -- C:\Windows\System32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (PID_0928) Logitech QuickCam Express(PID_0928) -- C:\Windows\System32\drivers\LV561AV.SYS (Logitech Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - No CLSID value found
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2559647


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 31 D7 E2 01 C6 4C 1C 45 BB F2 27 C7 AF 87 87 8E [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 31 D7 E2 01 C6 4C 1C 45 BB F2 27 C7 AF 87 87 8E [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 31 D7 E2 01 C6 4C 1C 45 BB F2 27 C7 AF 87 87 8E [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 31 D7 E2 01 C6 4C 1C 45 BB F2 27 C7 AF 87 87 8E [binary data]

IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 45 80 03 E0 F4 A1 CA 01 [binary data]
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 31 D7 E2 01 C6 4C 1C 45 BB F2 27 C7 AF 87 87 8E [binary data]
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=FWV5&o=14193&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=FM&apn_dtid=TES002JHUS&apn_uid=f53d9296-b65f-43d4-b392-12b4ff4824e5&apn_sauid=012CF2FE-2E6F-4644-AC70-BF50A43C9035
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADFA_en
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2559647
IE - HKU\S-1-5-21-2003980863-517347170-832581109-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Pendino\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Pendino\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/08/29 11:04:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2011/08/29 11:04:48 | 000,000,000 | ---D | M]

[2010/02/01 15:09:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Pendino\AppData\Roaming\Mozilla\Extensions
[2010/02/01 15:09:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Pendino\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org

========== Chrome ==========

CHR - default_search_provider: ()
CHR - default_search_provider: search_url =
CHR - default_search_provider: suggest_url =

O1 HOSTS File: ([2012/03/30 22:43:24 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Reg Error: Value error.) - {01E2D731-4CC6-451C-BBF2-27C7AF87878e} - C:\Windows\system32\api-ms-win-core-heap-l1-1-032.dll File not found
O2 - BHO: (482f483b) - {837CA569-6C38-E9CC-49B0-D4904EF16716} - C:\ProgramData\AuthFWSnapin32.dll (CrypKey Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2003980863-517347170-832581109-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2003980863-517347170-832581109-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2003980863-517347170-832581109-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-2003980863-517347170-832581109-1000\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-2003980863-517347170-832581109-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2003980863-517347170-832581109-1000\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{95F78AAF-6CFA-4D96-B3D9-5E68EC210BCA}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-2003980863-517347170-832581109-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/30 23:06:13 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Users\Pendino\Desktop\OTL.exe
[2012/03/30 22:47:12 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/03/30 22:43:01 | 000,167,424 | ---- | C] (CrypKey Inc.) -- C:\ProgramData\AuthFWSnapin32.dll
[2012/03/30 22:40:49 | 000,767,488 | ---- | C] (CrypKey Inc.) -- C:\ProgramData\authfwcfg32.exe
[2012/03/30 22:29:59 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/03/30 22:29:59 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/03/30 22:29:59 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/03/30 22:29:27 | 004,450,054 | R--- | C] (Swearware) -- C:\Users\Pendino\Desktop\ComboFix.exe
[2012/03/27 20:30:07 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Pendino\Desktop\aswMBR.exe
[2012/03/27 20:21:54 | 002,068,016 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Pendino\Desktop\tdsskiller.exe
[2012/03/26 21:44:43 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Pendino\Desktop\dds.scr
[2012/03/25 22:16:39 | 000,000,000 | ---D | C] -- C:\Users\Pendino\AppData\Local\temp
[2012/03/25 21:56:14 | 004,444,319 | R--- | C] (Swearware) -- C:\Users\Pendino\Documents\ComboFix.exe
[2012/03/25 21:36:15 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Pendino\Documents\dds.scr
[2012/03/03 13:03:22 | 000,000,000 | ---D | C] -- C:\Users\Pendino\AppData\Local\PackageAware
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\Pendino\Desktop\*.tmp files -> C:\Users\Pendino\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/30 23:06:17 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\Pendino\Desktop\OTL.exe
[2012/03/30 23:00:09 | 000,000,020 | ---- | M] () -- C:\ProgramData\68dc1f69
[2012/03/30 22:50:55 | 000,639,994 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/30 22:50:55 | 000,111,712 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/30 22:47:17 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2003980863-517347170-832581109-1000UA.job
[2012/03/30 22:43:24 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/03/30 22:43:01 | 000,167,424 | ---- | M] (CrypKey Inc.) -- C:\ProgramData\AuthFWSnapin32.dll
[2012/03/30 22:43:01 | 000,000,121 | ---- | M] () -- C:\Windows\System32\1123159833
[2012/03/30 22:42:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/30 22:42:51 | 999,989,248 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/30 22:29:27 | 004,450,054 | R--- | M] (Swearware) -- C:\Users\Pendino\Desktop\ComboFix.exe
[2012/03/30 20:47:00 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2003980863-517347170-832581109-1000Core.job
[2012/03/30 20:34:32 | 000,017,360 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/30 20:34:32 | 000,017,360 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/27 21:21:53 | 000,001,026 | ---- | M] () -- C:\Users\Pendino\Documents\MBR.dat
[2012/03/27 21:21:53 | 000,001,026 | ---- | M] () -- C:\Users\Pendino\Desktop\MBR.dat
[2012/03/27 21:21:53 | 000,001,026 | ---- | M] () -- C:\Users\Pendino\Desktop\MBR - Copy.dat
[2012/03/27 20:30:07 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Pendino\Desktop\aswMBR.exe
[2012/03/27 20:22:08 | 002,068,016 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Pendino\Desktop\tdsskiller.exe
[2012/03/26 21:44:47 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Pendino\Desktop\dds.scr
[2012/03/26 21:18:10 | 000,001,993 | ---- | M] () -- C:\Users\Pendino\Desktop\aswMBR - Shortcut.lnk
[2012/03/26 21:18:01 | 000,001,525 | ---- | M] () -- C:\Users\Pendino\Desktop\MBR.dat - Shortcut.lnk
[2012/03/25 21:54:01 | 004,444,319 | R--- | M] (Swearware) -- C:\Users\Pendino\Documents\ComboFix.exe
[2012/03/25 21:36:18 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Pendino\Documents\dds.scr
[2012/03/25 21:34:58 | 000,000,156 | ---- | M] () -- C:\Users\Pendino\defogger_reenable
[2012/03/25 21:34:24 | 000,050,477 | ---- | M] () -- C:\Users\Pendino\Documents\Defogger.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\Pendino\Desktop\*.tmp files -> C:\Users\Pendino\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/30 22:51:43 | 000,000,020 | ---- | C] () -- C:\ProgramData\68dc1f69
[2012/03/30 22:29:59 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/03/30 22:29:59 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/03/30 22:29:59 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/03/30 22:29:59 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/03/30 22:29:59 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/03/30 21:21:32 | 000,001,026 | ---- | C] () -- C:\Users\Pendino\Desktop\MBR - Copy.dat
[2012/03/27 21:21:18 | 000,001,026 | ---- | C] () -- C:\Users\Pendino\Desktop\MBR.dat
[2012/03/26 21:18:10 | 000,001,993 | ---- | C] () -- C:\Users\Pendino\Desktop\aswMBR - Shortcut.lnk
[2012/03/26 21:18:01 | 000,001,525 | ---- | C] () -- C:\Users\Pendino\Desktop\MBR.dat - Shortcut.lnk
[2012/03/25 23:01:58 | 000,001,026 | ---- | C] () -- C:\Users\Pendino\Documents\MBR.dat
[2012/03/25 21:34:56 | 000,000,156 | ---- | C] () -- C:\Users\Pendino\defogger_reenable
[2012/03/25 21:34:24 | 000,050,477 | ---- | C] () -- C:\Users\Pendino\Documents\Defogger.exe
[2011/11/28 10:10:48 | 000,027,568 | -HS- | C] () -- C:\ProgramData\3f48tv1q66o284
[2011/06/24 17:11:20 | 000,011,950 | -HS- | C] () -- C:\ProgramData\wd164l50c1772543h77un28mct71mrq41f3pt0p
[2011/06/22 11:25:52 | 000,011,290 | -HS- | C] () -- C:\ProgramData\w568slnqkb30e8664s56
[2011/04/19 20:47:31 | 000,010,858 | -HS- | C] () -- C:\ProgramData\74naa86484b4h4547ab5g2x7g1n374va28l
[2011/04/10 11:06:14 | 000,010,230 | -HS- | C] () -- C:\ProgramData\jbh27swk8608knbyp822
[2011/02/04 20:13:01 | 000,000,056 | ---- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010/04/19 14:11:41 | 000,193,960 | ---- | C] () -- C:\Windows\System32\mlfcache.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:131C0EE9

< End of report >



