
Redirect Virus Help


This topic is locked
21 replies to this topic

#1 CMWren

CMWren

  • Members
  • 16 posts

Posted 12 April 2012 - 12:06 PM

Ok, I have this virus now that redirects me to various sites to include Happili and Scour. There are 2 accounts on this laptop, but only the one is affected. It is a Compaq running Windows 7 Home Premium, SP-1, 32 bit. I use Microsoft Security Essentials as well. I have tried numerous things and can not get it to stop so I am coming here to get help. I saw several posts, but it seems each is unique so I don't want to follow their steps without being directed.

Thanks,
Mike



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 12 April 2012 - 04:05 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 April 2012 - 08:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please read the instructions and post the requested log as suggested on the previous post.

I will review them.

#4 CMWren

CMWren
  • Topic Starter

  • Members
  • 16 posts

Posted 17 April 2012 - 01:49 PM

Gentlemen,

Thank you for the reply and my apologies for my late reply. I wanted to post 2 things. First, the redirect issue was with my laptop. However, I did a system restore while waiting for the reply here and it seemed to have helped; however, I still followed the steps and would like to proceed to ensure nothing is on my computer still. Second, I also followed the same instructions for my desktop and would like to include it in the help to ensure that I did not share something through the network at my home. My desktop is a 64 bit system, therefore I did not run GMER per the instructions. I have labeled each file with either desktop or laptop so that you could distinguish the two of them from each other. Now, as far as any issues with the steps, there was only one. When attempting to run GMER on the laptop, I got the error of a bad file when using the first download link. When I went to the second link, it allowed me to run the program with no issue and it is currently still running. With that said, I have attached the requested files from my desktop in this reply and will attach the ones from the laptop in a second reply when it is finished.

Attached Files



#5 CMWren

CMWren
  • Topic Starter

  • Members
  • 16 posts

Posted 17 April 2012 - 02:06 PM

Ok Gentlemen,

Here are the two files requested for the laptop.

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 April 2012 - 07:31 AM

We do not verify two computers on the same topic.

It's difficult enough to follow instructions for one computer without having two of them in the picture.

Decide which computer you want me to look at in this topic. Then please post the logs from the following tools.


Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

p.s. You possibly still have this tool. What I need to see is the DDS.txt file. You already have posted the extra.txt file.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Post the logs for my review and let me know the issues you are having with this computer.
Include the URL for the other computer. See my note below.

===

p.s.

Next start a new topic.

Post the results of the same scans in it.
Copy the URL (the link) in your first topic. I will review and expedite the matter.

Let me know what issues you are having with this computer.

#7 CMWren

CMWren
  • Topic Starter

  • Members
  • 16 posts

Posted 18 April 2012 - 07:40 AM

Nasdaq,

Thank you for the reply. I do already have the file that you mentioned, the instructions just said to upload the two that I'd. I am currently traveling for the next 15 hours so I won't be able to get to the computers until tomorrow. I will also leave this thread for the laptop and start the new one for the desktop.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 April 2012 - 09:25 AM

I will be here.

#9 CMWren

CMWren
  • Topic Starter

  • Members
  • 16 posts

Posted 19 April 2012 - 08:21 AM

Nasdaq,

Here is the additional information requested for my laptop.

DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514
Run by Staples at 13:24:05 on 2012-04-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1979.968 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\HPSIsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\DRIVERS\xaudio.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP UT LEDM\bin\hppusg.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\PdaNet for Android\PdaNetPC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: PE_IE_Helper Class: {0941c58f-e461-4e03-bd7d-44c27392ade1} - c:\program files\ibm\lotus forms\viewer\3.5\PEhelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [AprvRemoveLegacyExcelKeys] "c:\program files\approveit\support\tools\aprvclean.exe" -k hkcu software\microsoft\office\excel\addins\OfficeAddIn.OfficeAddIn
mRun: [AprvRemoveLegacyWordKeys] "c:\program files\approveit\support\tools\aprvclean.exe" -k hkcu software\microsoft\office\word\addins\OfficeAddIn.OfficeAddIn
mRun: [ApproveItForOfficeSetup] "c:\program files\approveit\support\tools\approveitforofficesetup.exe " /1 /p "c:\program files\approveit\"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPUsageTrackingLEDM] "c:\program files\hp\hp ut ledm\bin\hppusg.exe" "c:\program files\hp\hp ut ledm\"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
StartupFolder: c:\users\staples\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\users\staples\appdata\roaming\micros~1\windows\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\approv~1.lnk - c:\windows\installer\{6ecd42b2-32af-4898-880d-0608ea5c592a}\Icon9557F1BC1.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smartprint\smartprintsetup.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://liveops.webex.com/client/T27LB/nbr/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{08F46703-A7D7-478D-A637-B3B69C52CEBC} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{0C5031B5-D106-4BCD-B080-F361958B4232} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{0C5031B5-D106-4BCD-B080-F361958B4232}\16474777966696 : DhcpNameServer = 192.168.4.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{0C5031B5-D106-4BCD-B080-F361958B4232}\35052594E445E414659575946494D2330343D2430383 : DhcpNameServer = 10.10.16.1
TCP: Interfaces\{0C5031B5-D106-4BCD-B080-F361958B4232}\C696E6B6379737 : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165648]
R1 MpKsl3e485d11;MpKsl3e485d11;c:\programdata\microsoft\microsoft antimalware\definition updates\{7cfb160b-3596-469b-8700-fe33c6929c28}\MpKsl3e485d11.sys [2012-4-17 29904]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2012-3-27 99896]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-22 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-22 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2011-1-7 13312]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-23 136176]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-17 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-23 136176]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-12-17 9472]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-9 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-11 1343400]
.
=============== Created Last 30 ================
.
2012-04-17 18:22:44 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{7cfb160b-3596-469b-8700-fe33c6929c28}\MpKsl3e485d11.sys
2012-04-17 18:05:03 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-17 18:05:03 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-17 14:58:57 6582328 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{7cfb160b-3596-469b-8700-fe33c6929c28}\mpengine.dll
2012-04-17 02:21:39 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2012-04-17 01:36:01 -------- d-----w- c:\program files\Adobe Download Assistant
2012-04-16 17:07:55 -------- d-----w- c:\program files\Paint.NET
2012-04-16 17:07:25 -------- d-----w- c:\users\staples\appdata\local\Paint.NET
2012-04-13 15:47:58 -------- d-----w- c:\programdata\Ant.com
2012-04-12 19:39:23 5402624 ----a-w- C:\CraigsPal_FREE_v4.7.6_win.msi
2012-04-12 18:48:52 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 18:48:52 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 18:48:51 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 18:48:51 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 18:42:51 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 18:42:51 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-12 16:25:21 -------- d-----w- c:\users\staples\appdata\roaming\Malwarebytes
2012-04-12 16:25:12 -------- d-----w- c:\programdata\Malwarebytes
2012-04-11 23:22:57 -------- d-----w- c:\program files\PC Tools
2012-04-11 23:19:03 -------- d-----w- c:\programdata\PC Tools
2012-04-11 23:19:01 -------- d-----w- c:\users\staples\appdata\roaming\TestApp
2012-04-11 22:10:22 -------- d-----w- c:\program files\Microsoft IntelliPoint
2012-04-10 19:14:04 -------- d-----w- C:\ComboFix
2012-03-27 20:50:08 47104 ----a-r- c:\windows\system32\HP1100SMs.dll
2012-03-27 20:50:06 69632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HP1100PP.dll
2012-03-27 20:50:06 151552 ----a-w- c:\windows\system32\HP1100LM.DLL
2012-03-27 20:50:06 1511424 ----a-w- c:\windows\system32\HP1100SM.EXE
2012-03-27 20:49:28 99896 ----a-w- c:\windows\system32\HPSIsvc.exe
2012-03-27 20:42:55 284160 ----a-w- c:\windows\system32\mvhlewsi.dll
2012-03-27 20:42:26 -------- d-----w- c:\program files\common files\SWF Studio
2012-03-27 20:41:04 -------- d-----w- C:\LJP1100_P1560_P1600_Full_Solution
2012-03-26 15:41:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-04-12 18:40:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-28 05:38:52 981504 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 03:52:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 05:38:43 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-02-03 03:54:27 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 05:32:35 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 05:32:34 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 05:27:51 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
============= FINISH: 13:24:23.78 ===============

Attached Files
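
Added example for this thread, not part of DDS, ComboFix or BleepingComputer's tooling: a Python triage helper for the "Pseudo HJT Report" section of a DDS log like the one posted above. It parses the start pages, BHOs, toolbars, Run keys and DHCP name servers and flags the entries a reviewer questions first in a redirect case (orphaned toolbar CLSIDs, nameless Run entries, unexpected resolvers or home pages). The sample excerpt is constructed from this log's format, and the expected-resolver set and allowed home-page hosts are assumptions to be confirmed with the ISP and the machine's owner.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for redirect indicators.

Added example for this thread; not part of DDS, ComboFix or BleepingComputer's
tooling. Parses start pages, BHOs, toolbars, Run keys and DHCP name servers,
then flags the entries a reviewer checks first when a browser is redirecting.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed excerpt modelled on the DDS output posted in this thread (raw string:
# DDS paths contain backslashes). Not the full log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [<NO NAME>]
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{0C5031B5-D106-4BCD-B080-F361958B4232}\16474777966696 : DhcpNameServer = 192.168.4.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{0C5031B5-D106-4BCD-B080-F361958B4232}\35052594 : DhcpNameServer = 10.10.16.1
"""

# Assumptions for the demonstration: resolvers the machine is expected to use
# (confirm with the ISP) and hosts the owner intends as home pages.
EXPECTED_DNS = {"68.105.28.12", "68.105.29.12", "68.105.28.11"}
ALLOWED_START_HOSTS = {"yahoo.com", "hp.com"}

CLSID = r"(\{[0-9a-fA-F-]+\})"


def refang(url):
    """DDS writes hxxp:// so the log is not clickable; restore it for parsing."""
    return re.sub(r"^hxxp", "http", url)


def parse_hjt(text):
    """Return the hijack-relevant entries of a DDS Pseudo HJT Report."""
    report = {"start_pages": [], "bhos": [], "toolbars": [], "run": [], "dns": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^[um](?:Start Page|Default_Page_URL) = (\S+)$", line):
            report["start_pages"].append(refang(m.group(1)))
        elif m := re.match(r"^BHO: (.*): " + CLSID + r" - (.+)$", line):
            report["bhos"].append({"name": m.group(1), "clsid": m.group(2), "path": m.group(3)})
        elif m := re.match(r"^TB: (?:(.*): )?" + CLSID + r" - (.+)$", line):
            report["toolbars"].append({"name": m.group(1) or "", "clsid": m.group(2), "path": m.group(3)})
        elif m := re.match(r"^[um]Run: \[(.*?)\] ?(.*)$", line):
            report["run"].append({"name": m.group(1), "command": m.group(2)})
        elif m := re.match(r"^TCP: .*DhcpNameServer = (.+)$", line):
            report["dns"].extend(m.group(1).split())
    return report


def _is_private(addr):
    try:
        return ip_address(addr).is_private
    except ValueError:  # DDS should only emit IPs here; anything else is worth a look
        return False


def triage(report, expected_dns, allowed_hosts):
    """Flag entries a reviewer would question in a redirect case."""
    findings = []
    for url in report["start_pages"]:
        host = urlparse(url).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
            findings.append(f"start page points at unexpected host: {host}")
    for tb in report["toolbars"]:
        if tb["path"].lower() == "no file":
            findings.append(f"toolbar CLSID {tb['clsid']} registered but its file is missing")
    for entry in report["run"]:
        if entry["name"] == "<NO NAME>" or not entry["command"]:
            findings.append(f"Run entry with no name or no command: {entry}")
    # Private addresses are the local router/hotspot; its upstream resolvers can
    # only be checked on the router itself. Public resolvers must be expected ones.
    for server in dict.fromkeys(report["dns"]):
        if server not in expected_dns and not _is_private(server):
            findings.append(f"DHCP name server outside the expected set: {server}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_DDS), EXPECTED_DNS, ALLOWED_START_HOSTS):
        print(finding)
```

Run against a full DDS.txt by reading the file into `parse_hjt`; a clean result still depends on the expected-resolver and home-page sets being right for that machine.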



#10 CMWren

CMWren
  • Topic Starter

  • Members
  • 16 posts

Posted 19 April 2012 - 08:34 AM

Nasdaq,

Here is the URL for the new topic on the desktop. I wasn't sure if you wanted me to post it here or not, so I decided to. http://www.bleepingcomputer.com/forums/topic450641.html

Thanks,
Mike

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 April 2012 - 01:00 PM

Your DDS log is clean.

Let's check further.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

I'm checking your other computer right now.

#12 CMWren

CMWren
  • Topic Starter

  • Members
  • 16 posts

Posted 19 April 2012 - 03:06 PM

Laptop ComboFix file attached.

Attached Files



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 April 2012 - 06:45 AM

Get the latest version of the Adobe Reader for this computer.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Your log is clean.
Any remaining issues with this laptop?

#14 CMWren

CMWren
  • Topic Starter

  • Members
  • 16 posts

Posted 20 April 2012 - 07:48 AM

Nasdaq,

I have tried to open the above mentioned link and I get an error code:

Unable to download XXXXXXXXXXXXX
Unable to open this internet site. The requested site is either unavailable or can not be found. Please try again later.


Again, this is the same error that I get from my desktop as well. Do you think it is because I still have my CD emulation software disabled? When I ran Defogger per the instructions to disable it, they said not to re-enable it again until told so by whoever was working my issue.

#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 April 2012 - 09:15 AM

Same as my other message. Right Click on the link.
