
Google redirect and BSOD


  • This topic is locked
14 replies to this topic

#1 BigDreamer

BigDreamer

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:20 AM

Posted 03 June 2012 - 06:17 PM

Here is my first post link:
http://www.bleepingcomputer.com/forums/topic455783.html

I think I got the bug as no more BSOD or redirect so far, but now, as I stated on my old post, I need to clean up my directory tree.

Thank You for your help

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Ron at 15:36:13 on 2012-06-03
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3070.1828 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\mqsvc.exe
C:\Program Files\ShadowExplorer\sesvc.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\mqtgsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\zHotkey.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Ron\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: SteadyVideoBHO Class: {6c680bae-655c-4e3d-8fc4-e6a520c3d928} - c:\program files\amd\steadyvideo\SteadyVideo.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120526160503.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
TB: IE Toolbar: {bfb5f154-9212-46f3-b547-ac6106030a54} - c:\progra~1\dospop~1\tbuf5c6\dospop.dll
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [Google Update] "c:\users\ron\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [HydraVisionDesktopManager] "c:\program files\ati technologies\hydravision\HydraDM.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CHotkey] zHotkey.exe
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
mRun: [DU Meter] c:\program files\du meter\DUMeter.exe
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [ModPS2] ModPS2Key.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [ShowWnd] ShowWnd.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Open Client to monitor &1 - c:\windows\web\AOpenClient.htm
IE: Open Client to monitor &2 - c:\windows\web\AOpenClient.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: mcafee.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/B/E/5BE645ED-2F2D-4E4D-9C54-AFB56EFCB312/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{C64672EE-847C-4811-B5D6-716F576D08F9} : DhcpNameServer = 192.168.1.1 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\program files\amd\steadyvideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\program files\amd\steadyvideo\VideoMIMEFilter.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ron\appdata\roaming\mozilla\firefox\profiles\lrzqvslb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nascar.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=.
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\ron\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\ron\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\ron\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\users\ron\program files\dna\plugins\npbtdna.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-2-22 464304]
R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-5-26 169608]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2012-5-26 64912]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-4-5 217600]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2012-4-5 291840]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-10 654408]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-5-26 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-5-26 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-5-26 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-5-26 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-5-26 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-5-26 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-5-26 151880]
R2 sesvc;ShadowExplorer Service;c:\program files\shadowexplorer\sesvc.exe [2011-6-12 9216]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-11-17 37944]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2012-4-5 9334784]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2012-4-5 275968]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-23 86544]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-5-26 57600]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-6 22344]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-5-26 180848]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-5-26 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-5-26 340920]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\drivers\cv2k1.sys [2007-9-8 9906]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-4 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-5-26 87656]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 129976]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-2-24 15872]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-5-15 27192]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-24 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-7 1343400]
S4 Windows7FirewallService;Windows7FirewallService;c:\program files\windows7firewallcontrol\Windows7FirewallService.exe [2011-5-31 372736]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-06-03 20:07:11 208896 ----a-w- c:\windows\MBR.exe
2012-06-03 20:07:08 98816 ----a-w- c:\windows\sed.exe
2012-06-03 20:07:08 518144 ----a-w- c:\windows\SWREG.exe
2012-06-03 20:07:08 256000 ----a-w- c:\windows\PEV.exe
2012-06-03 20:07:02 -------- d-s---w- C:\ComboFix
2012-06-03 19:59:05 -------- d-----w- c:\users\ron\appdata\local\{1E1137A6-01B8-43A0-B4DA-F3FC1237F0DA}
2012-06-03 19:58:54 -------- d-----w- c:\users\ron\appdata\local\{FE1DD924-C306-47EE-8D12-5CAC3A3AD3E3}
2012-06-03 06:47:50 -------- d-----w- c:\users\ron\appdata\local\{022827E3-9847-49EE-964E-4AEA116458A1}
2012-06-03 06:47:39 -------- d-----w- c:\users\ron\appdata\local\{C99349CD-99A4-4149-9870-DBE32151649D}
2012-06-02 18:47:27 -------- d-----w- c:\users\ron\appdata\local\{DC9E4832-828A-4DDE-9103-7DE37DE5E55D}
2012-06-02 18:47:16 -------- d-----w- c:\users\ron\appdata\local\{73F52761-4F1B-41C1-9D96-2B62A8B5BFA1}
2012-06-02 06:46:48 -------- d-----w- c:\users\ron\appdata\local\{D1219BB9-6573-42CF-B02A-A066EC861D9D}
2012-06-02 06:46:37 -------- d-----w- c:\users\ron\appdata\local\{66D7605A-063F-4760-92EB-38D4B936AA4E}
2012-06-01 18:46:08 -------- d-----w- c:\users\ron\appdata\local\{FFE86336-AD8B-4157-A24D-AEEE863C0D6E}
2012-06-01 18:45:58 -------- d-----w- c:\users\ron\appdata\local\{3B3F1876-7C94-47BF-9C2D-16C8FD752683}
2012-06-01 06:45:29 -------- d-----w- c:\users\ron\appdata\local\{EFD10B88-2CD4-423A-95CC-8D00C84A0273}
2012-06-01 06:45:18 -------- d-----w- c:\users\ron\appdata\local\{991DFEE5-B15D-4A12-B1C5-C33495A14180}
2012-05-31 18:44:49 -------- d-----w- c:\users\ron\appdata\local\{D1AE543D-C1B6-4426-8841-E86B87C1E8C5}
2012-05-31 18:44:39 -------- d-----w- c:\users\ron\appdata\local\{3568B494-BB02-48AD-B024-20B15D649B43}
2012-05-31 05:59:40 -------- d-----w- c:\users\ron\appdata\local\{7532F2F9-4DB3-49E7-9A01-1D7A1D748D60}
2012-05-31 05:59:29 -------- d-----w- c:\users\ron\appdata\local\{0EB2632F-A8CB-414C-995A-33E9350F7AB8}
2012-05-30 17:58:59 -------- d-----w- c:\users\ron\appdata\local\{1C299C84-043A-409E-9AB9-1211579EFC5E}
2012-05-30 17:58:49 -------- d-----w- c:\users\ron\appdata\local\{8A4C0E30-E18F-4A26-8C33-8B4747387E08}
2012-05-30 05:48:24 -------- d-----w- c:\users\ron\appdata\local\{C880A2B6-8FB4-43FF-9115-D6463963685F}
2012-05-30 05:48:14 -------- d-----w- c:\users\ron\appdata\local\{DDB3518F-4A7E-46F2-865E-11541F9FF241}
2012-05-29 17:47:56 -------- d-----w- c:\users\ron\appdata\local\{2CD66F7A-D5E7-4E64-8E60-0BFBB82E887E}
2012-05-29 17:47:45 -------- d-----w- c:\users\ron\appdata\local\{94F566E9-7858-4A98-927E-115FAABF4D4A}
2012-05-28 20:19:52 -------- d-----w- c:\users\ron\appdata\local\{75044EDC-C9FF-4CAC-81B1-D4262A42B194}
2012-05-28 20:19:41 -------- d-----w- c:\users\ron\appdata\local\{0996E22E-3005-4BA9-AE16-D92698D0A4AB}
2012-05-27 19:51:23 -------- d-----w- c:\users\ron\appdata\local\{F115FBA9-01BA-499A-8072-3368AF05FEC0}
2012-05-27 19:51:13 -------- d-----w- c:\users\ron\appdata\local\{1CFC9508-E76C-4698-9C08-65145CD85E17}
2012-05-27 07:50:43 -------- d-----w- c:\users\ron\appdata\local\{7D2F9FAF-15B0-48B4-9857-5E3A97F402F4}
2012-05-27 07:50:32 -------- d-----w- c:\users\ron\appdata\local\{8A1918E6-87E1-40CD-A14E-4C2B045C032F}
2012-05-26 23:10:55 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2a02161c-9591-4ec7-9abf-0871f0fb5042}\mpengine.dll
2012-05-26 23:05:03 29272 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
2012-05-26 23:05:02 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-05-26 23:04:32 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-05-26 23:04:32 64912 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2012-05-26 23:04:32 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-05-26 23:04:32 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-05-26 23:04:32 340920 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-05-26 23:04:32 180848 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-05-26 23:04:32 169608 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-05-26 23:04:23 -------- d-----w- c:\program files\McAfee.com
2012-05-26 23:04:23 -------- d-----w- c:\program files\common files\Mcafee
2012-05-26 22:55:17 151880 ----a-w- c:\windows\system32\mfevtps.exe
2012-05-26 19:50:02 -------- d-----w- c:\users\ron\appdata\local\{177CE3AB-19AF-4667-ACBD-292C3288237F}
2012-05-26 19:49:51 -------- d-----w- c:\users\ron\appdata\local\{5C2C68AE-F1A4-4CCA-8015-ABEE68DF90B7}
2012-05-25 22:25:31 -------- d-----w- c:\users\ron\appdata\local\{6264A3FB-59E9-458D-B598-69FD39614952}
2012-05-25 22:25:21 -------- d-----w- c:\users\ron\appdata\local\{22313502-850E-4E63-B784-3206149FC5CD}
2012-05-25 07:20:42 -------- d-----w- c:\users\ron\appdata\local\{3BA1F5DB-EC30-4901-AC82-24C691BEE727}
2012-05-25 07:20:32 -------- d-----w- c:\users\ron\appdata\local\{1816A9F4-9AC1-444C-8690-B23BBFB43C5A}
2012-05-24 19:20:03 -------- d-----w- c:\users\ron\appdata\local\{A6BFED24-DE10-4C27-BB17-5A7164D1C29C}
2012-05-24 19:19:53 -------- d-----w- c:\users\ron\appdata\local\{F9671999-631A-4856-A631-5068561032B9}
2012-05-23 20:25:10 -------- d-----w- c:\users\ron\appdata\local\{CCD1DC46-91BF-42F3-ADD4-898397580622}
2012-05-23 20:24:59 -------- d-----w- c:\users\ron\appdata\local\{5B64E6BF-0408-48EF-A65B-33DB892D873B}
2012-05-22 19:41:15 -------- d-----w- c:\users\ron\appdata\local\{6A2ED20B-3243-46D1-8320-A1ABA3E522E8}
2012-05-22 19:41:04 -------- d-----w- c:\users\ron\appdata\local\{E2670E66-3327-40C6-AF82-84BCFA6E5D38}
2012-05-22 07:17:27 -------- d-----w- c:\users\ron\appdata\local\{5E1D52D5-FE03-4A9D-BFF7-4BD66A54FB93}
2012-05-22 07:17:17 -------- d-----w- c:\users\ron\appdata\local\{1C765C14-543C-4F13-9A8E-586DEFEE839E}
2012-05-21 19:17:01 -------- d-----w- c:\users\ron\appdata\local\{D7A859BC-151E-4316-BBB7-43DDB35768FF}
2012-05-21 19:16:50 -------- d-----w- c:\users\ron\appdata\local\{82A62670-23A5-4530-8831-AF398D66DA6E}
2012-05-21 07:16:22 -------- d-----w- c:\users\ron\appdata\local\{B25D9F49-F7C0-4FEC-B684-CF22EC9C45C1}
2012-05-21 07:16:11 -------- d-----w- c:\users\ron\appdata\local\{A11223C2-416B-43C7-B83D-F70B5CF841F0}
2012-05-20 19:15:57 -------- d-----w- c:\users\ron\appdata\local\{7E692CF6-8F37-4106-8380-44CDFAE496E9}
2012-05-20 19:15:47 -------- d-----w- c:\users\ron\appdata\local\{634B3679-F948-4A61-8B1F-F562BE9E79D5}
2012-05-20 06:05:49 -------- d-----w- c:\users\ron\appdata\local\{6073D198-99E3-46AC-9EF3-94E19ADE8525}
2012-05-20 06:05:39 -------- d-----w- c:\users\ron\appdata\local\{51A20BCE-3BBD-4101-9757-B9A8F55407CA}
2012-05-19 18:05:22 -------- d-----w- c:\users\ron\appdata\local\{19862413-18AF-403E-BF0E-A520A88AD307}
2012-05-19 18:05:12 -------- d-----w- c:\users\ron\appdata\local\{3F50C3DE-2B03-4346-9C8C-8FB5A35CE12D}
2012-05-19 05:57:06 -------- d-----w- c:\users\ron\appdata\local\{1F96D3B2-4599-40EA-96F1-6C3244C7B546}
2012-05-19 05:56:55 -------- d-----w- c:\users\ron\appdata\local\{D5A4B0BB-431D-4656-A525-10A98A4A7EA7}
2012-05-18 17:56:24 -------- d-----w- c:\users\ron\appdata\local\{094FEE83-40ED-4D2A-BD7B-91124964AA61}
2012-05-18 17:56:14 -------- d-----w- c:\users\ron\appdata\local\{C7E08C5C-2DFB-436F-8AD9-84F591D11143}
2012-05-18 05:55:47 -------- d-----w- c:\users\ron\appdata\local\{0D591B32-6474-45EB-B551-C09B973D01BB}
2012-05-18 05:55:36 -------- d-----w- c:\users\ron\appdata\local\{898AEE4A-AE73-4F50-B0E0-279FD8679944}
2012-05-17 17:55:05 -------- d-----w- c:\users\ron\appdata\local\{6597E2DE-1420-4A8C-9CFB-E790524029D3}
2012-05-17 17:54:53 -------- d-----w- c:\users\ron\appdata\local\{EEF807AE-AE45-4212-9059-0D7614901080}
2012-05-16 19:56:08 -------- d-----w- c:\users\ron\appdata\local\{A7EA1C2B-F283-4CC6-8A30-560B6F6FABA8}
2012-05-16 19:55:57 -------- d-----w- c:\users\ron\appdata\local\{FB11B110-168E-4B9D-BF8D-F298F33B9487}
2012-05-15 19:17:57 -------- d-----w- c:\users\ron\appdata\local\{4061209F-FBA3-4769-BE68-E852BEFBEABB}
2012-05-15 19:17:47 -------- d-----w- c:\users\ron\appdata\local\{33EBB4B6-891B-4096-9FB2-B7B87B1A1BFD}
2012-05-09 03:30:33 -------- d-----w- C:\59ca9f86056109347e08
2012-05-09 03:18:56 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-09 03:18:56 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-09 03:18:56 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-09 03:18:56 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-09 03:18:50 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-09 03:18:50 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-09 03:18:50 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-09 03:18:47 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-09 03:18:35 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 03:17:28 1077248 ----a-w- c:\windows\system32\DWrite.dll
.
==================== Find3M ====================
.
2012-05-16 19:53:33 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 19:53:33 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-06 05:21:10 9334784 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-04-06 02:22:00 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-04-06 02:21:52 909312 ----a-w- c:\windows\system32\aticfx32.dll
2012-04-06 02:16:52 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-04-06 02:16:24 451072 ----a-w- c:\windows\system32\atieclxx.exe
2012-04-06 02:15:50 217600 ----a-w- c:\windows\system32\atiesrxx.exe
2012-04-06 02:14:36 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2012-04-06 02:14:28 20992 ----a-w- c:\windows\system32\atimuixx.dll
2012-04-06 02:14:20 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-04-06 02:13:42 6800896 ----a-w- c:\windows\system32\atidxx32.dll
2012-04-06 02:00:08 52736 ----a-w- c:\windows\system32\coinst.dll
2012-04-06 01:50:56 19753984 ----a-w- c:\windows\system32\atioglxx.dll
2012-04-06 01:34:50 1831424 ----a-w- c:\windows\system32\atiumdmv.dll
2012-04-06 01:34:04 6203392 ----a-w- c:\windows\system32\atiumdag.dll
2012-04-06 01:30:14 46080 ----a-w- c:\windows\system32\aticalrt.dll
2012-04-06 01:30:06 44032 ----a-w- c:\windows\system32\aticalcl.dll
2012-04-06 01:25:30 13764096 ----a-w- c:\windows\system32\aticaldd.dll
2012-04-06 01:22:54 4795904 ----a-w- c:\windows\system32\atiumdva.dll
2012-04-06 01:11:18 360448 ----a-w- c:\windows\system32\atiadlxx.dll
2012-04-06 01:11:04 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-04-06 01:10:52 33280 ----a-w- c:\windows\system32\atigktxx.dll
2012-04-06 01:10:22 275968 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-04-06 01:09:48 41984 ----a-w- c:\windows\system32\atiuxpag.dll
2012-04-06 01:09:34 32256 ----a-w- c:\windows\system32\atiu9pag.dll
2012-04-06 01:09:02 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-04-06 01:06:04 53760 ----a-w- c:\windows\system32\atimpc32.dll
2012-04-06 01:06:04 53760 ----a-w- c:\windows\system32\amdpcom32.dll
2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-22 22:24:38 9906 ----a-w- c:\windows\system32\drivers\cv2k1.sys
2012-03-09 01:50:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2012-03-09 01:37:20 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-03-09 01:32:24 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
.
============= FINISH: 15:37:36.92 ===============

Edited by Noviciate, 04 June 2012 - 03:00 PM.
Added log from attachment.


 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:20 AM

Posted 04 June 2012 - 03:07 PM

Good evening. :)

Download Junction.zip by Mark Russinovich from here and save it to your Desktop - you'll need to unzip this one as well.

  • Copy and paste the file junction.exe into the Windows directory (C:\Windows).
  • Go to Start, copy the following into the Search programs and files textbox and click OK:

    • cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A Command Window will open and the tool will start scanning.
  • When it's done, a text file called log.txt will appear - I'd like a copy of that in your next reply.

Also, do you need to recover any of the files and folders within the ComboFix directory?

Edited by Noviciate, 04 June 2012 - 03:10 PM.

So long, and thanks for all the fish.
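An added example, not part of Noviciate's instructions and not the Junction tool itself: a PowerShell function that lists only the reparse points (junctions, symbolic links, mount points) under a root directory together with their targets, which is the information a `junction -s` scan is used for, but without the tens of thousands of ordinary-directory lines. The function name, the output path and the `C:\ComboFix` filter are assumptions; it needs Windows PowerShell 5.1 or later and an elevated prompt to read every directory.

```powershell
# Added example, not from the thread or from the Junction tool:
# enumerate NTFS reparse points (junctions, symbolic links, mount points)
# under a root directory and record their targets. Reviewing this list
# before deleting a stubborn directory tree avoids following a junction
# into live data. Assumes Windows PowerShell 5.1 or later.
# Function name, parameter names and the output path are assumptions.

function Get-ReparsePointReport {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $OutFile = (Join-Path $env:USERPROFILE 'Desktop\reparse-report.txt')
    )

    # 'Directory+ReparsePoint' means both attributes must be set, so ordinary
    # folders and plain files are skipped. -Force includes hidden and system
    # items; directories that cannot be read are silently skipped.
    $links = Get-ChildItem -Path $Root -Recurse -Force `
                 -Attributes Directory+ReparsePoint -ErrorAction SilentlyContinue

    $report = foreach ($link in $links) {
        [pscustomobject]@{
            Path     = $link.FullName
            LinkType = $link.LinkType               # e.g. Junction, SymbolicLink
            Target   = (@($link.Target) -join ';')  # PowerShell exposes the target(s)
        }
    }

    # Write a readable table and also return the objects for further filtering.
    $report | Format-Table -AutoSize | Out-String -Width 4096 | Set-Content -Path $OutFile
    return $report
}

# Example call: scan the system drive, then show only links that live inside,
# or point into, the ComboFix directory discussed in the thread (path assumed).
$all = Get-ReparsePointReport -Root 'C:\'
$all | Where-Object { $_.Path -like 'C:\ComboFix*' -or $_.Target -like 'C:\ComboFix*' }
```

The full report lands on the Desktop; the filtered output on screen is what you would check before deciding whether a folder can be removed safely.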

 

 


#3 BigDreamer

BigDreamer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:20 AM

Posted 04 June 2012 - 05:59 PM

Hello Noviciate

Thank You for getting back to me and I hope you had a great day.

Well the good news is I did everything you told me to do and the bad news is it crashed my PC. My PC just went dead, no BSOD, nothing.

I did get a log.txt file that is 8 mg in size and is 57150 lines long and before I post it all I wanted to check that you do want me to post it???

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:20 AM

Posted 05 June 2012 - 02:45 PM

Good evening. :)

Also, do you need to recover any of the files and folders within the ComboFix directory?

I'd like to know the answer to the above first.

So long, and thanks for all the fish.

#5 BigDreamer

  • Topic Starter
  • Members
  • 10 posts

Posted 05 June 2012 - 02:59 PM

Hello

No, I used ShadowExplorer and recovered everything.

Thank You and have a great day!

#6 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 05 June 2012 - 03:53 PM

So all you want to do is to delete the ComboFix folder and all its subfolders? I ask just so that I don't do something that you'll regret later.
Assuming that is the case, do you have either the ability to burn a disc or a flash drive of at least 128 MB that you can wipe clean and use? The simplest way to handle the folder deletion is to use an alternate operating system that won't take any notice of Windows-specific issues.

So long, and thanks for all the fish.

#7 BigDreamer

  • Topic Starter
  • Members
  • 10 posts

Posted 05 June 2012 - 04:18 PM

Yes, I want to delete the subfolders, please. I have both a burner with discs and an 8 GB flash drive.

BTW, all my browsers are working OK, but I did get another BSOD yesterday.

Hope you and yours have a great evening. Thanks for your help.

PS What would happen if I just used the restore point that ComboFix made?

#8 BigDreamer

  • Topic Starter
  • Members
  • 10 posts

Posted 05 June 2012 - 06:11 PM

Update: I ran memtest86, got to 47% and it crashed again, so it does look like a memory problem. So let's not worry about the BSOD anymore.
Thanks

Edited by BigDreamer, 05 June 2012 - 06:41 PM.


#9 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 07 June 2012 - 02:26 PM

Good evening. :)

To be honest this isn't something I've come across before, so I'm a little reluctant to just "go for it". I'd like a little information and then I'll try to recreate the situation on my PC and see what happens if I do what I intend having you do.
If it works for me, it should hopefully work for you, and if it doesn't, we'll not bother having you try it too.

I'd like you to do the following and then attach the log that is produced in a zipped folder in your next reply - I suspect that it will be a large log, hence the need to zip it and attach it.


Click the Start button and enter the following into the Search programs and files textbox: cmd
Hit <ENTER> and a Command Window should open.
Copy and paste the following into that and hit <ENTER>: dir /s C:\ComboFix >> "%userprofile%\desktop\results.txt"

All being well you should see a text file appear on your Desktop. Once the prompt reappears in the Command Window the command should have completed and you can close the Window and zip up and attach the text file.

So long, and thanks for all the fish.

#10 BigDreamer

  • Topic Starter
  • Members
  • 10 posts

Posted 07 June 2012 - 11:40 PM

It's very small as you can see. Lucky me.

Volume in drive C has no label.
Volume Serial Number is 240B-9103

Directory of C:\ComboFix

06/03/2012 04:57 PM <DIR> .
06/03/2012 04:57 PM <DIR> ..
06/03/2012 01:07 PM 55,615 023.dat
11/26/2010 12:07 PM 2,181 023v.dat
02/12/2010 10:55 AM 660 023w7.dat
06/03/2012 01:09 PM 163 AppData.folder.dat
08/30/2000 05:00 PM 6,760 appinit.bad
07/13/2009 08:09 AM 602 asp.str
07/13/2009 06:14 PM 16,384 ATTRIB.3XE
01/03/2012 02:27 AM 40,960 BFE.dat
06/03/2012 01:21 PM 0 BHO.dat
06/03/2012 01:21 PM 0 BHOFiles.dat
06/03/2012 01:21 PM 1,790 BHOQuery.dat
06/03/2012 01:23 PM 0 BitsPath
06/03/2012 01:23 PM 739 BitsStr
06/03/2012 01:07 PM 0 c.mrk
06/03/2012 01:10 PM 8,192 C@VBR.dat
06/03/2012 01:09 PM 309 Cache.folder.dat
04/17/2009 02:37 AM 147,456 catchme.3XE
04/17/2009 02:37 AM 147,456 Catchme.tmp
06/03/2012 01:21 PM 0 catch_k.dat
06/03/2012 01:06 PM 302,592 CF31831.3XE
06/03/2012 01:10 PM 8,192 cfdummy
06/03/2012 01:23 PM 9,614,597 Cfiles.dat
06/03/2012 01:23 PM 1,509,504 Cfolders.dat
06/03/2012 01:10 PM 0 cfrun
06/03/2012 01:09 PM 1,478,873 ClistB.dat
06/03/2012 01:07 PM 720,174 clsid.dat
06/03/2012 01:21 PM 29,921,593 ClsidDumped
06/03/2012 01:21 PM 744,513 ClsidFiles
06/03/2012 01:06 PM 302,592 cmd.3XE
08/30/2000 05:00 PM 236,032 ComboFix-Download.3XE
06/03/2012 01:10 PM 548 ComboFix.txt
06/03/2012 01:09 PM 2,431 ConEnv.sed
06/03/2012 01:23 PM 597,864 Creg.dat
09/01/2011 10:03 AM 4,564 CregC.cmd
06/03/2012 01:28 PM 55,759 CregC.dat
06/03/2012 01:07 PM 958 CregC_.dat
07/13/2009 06:14 PM 126,976 CSCRIPT.3XE
06/03/2012 01:26 PM 16 d-delB.dat
06/06/2011 02:52 AM 101,376 dd.3XE
05/24/2009 06:59 PM 7,983 ddsDo.sed
06/03/2012 01:28 PM 204,532 del00
06/03/2012 01:28 PM 449 del01
06/03/2012 01:28 PM 3,046 del02
06/03/2012 01:28 PM 0 del03
06/03/2012 01:22 PM 0 delclsid00
06/03/2012 01:28 PM 0 DelFile.mrk
06/03/2012 01:06 PM 6 DisclaimED.dat
06/03/2012 01:09 PM 3,193 dll_whitelist.dat
06/03/2012 01:09 PM 30,207 dnd.dat
08/30/2000 05:00 PM 746 DPF.str
06/03/2012 01:28 PM 5,990 drev.dat
06/03/2012 01:10 PM 8 Drive.folder.dat
06/03/2012 01:09 PM 84 DriveFile.dat
06/03/2012 01:10 PM 6 Drives.dat
08/30/2000 05:00 PM 51,200 dumphive.3XE
08/30/2000 05:00 PM 303 embedded.sed
06/03/2012 04:57 PM <DIR> en-US
06/03/2012 01:09 PM 529 Env.sed
10/20/2005 05:02 AM 163,328 ERDNT.e_e
08/30/2000 05:00 PM 2,815 ERDNTDOS.LOC
08/30/2000 05:00 PM 3,275 ERDNTWIN.LOC
06/03/2012 01:28 PM 488 ErrTrap1
10/20/2005 05:00 AM 394,752 ERUNT.3XE
06/03/2012 01:07 PM 10 erunt.dat
08/30/2000 05:00 PM 4,090 ERUNT.LOC
05/20/2012 03:33 AM 17,583 Exe.reg
08/30/2000 05:00 PM 52,736 extract.3XE
06/03/2012 01:11 PM 16 FavFolderD.dat
06/03/2012 01:09 PM 34 FdsvOK
08/30/2000 05:00 PM 145,920 FileKill.3XE
08/09/2010 01:32 PM 677 Fin.dat
06/03/2012 01:07 PM 895 ForeignWht
06/03/2012 01:07 PM 0 f_system
06/03/2012 01:09 PM 13 Gateway
06/03/2011 02:43 AM 6,090 GetHive.cmd
08/30/2000 05:00 PM 80,412 grep.3XE
08/30/2000 05:00 PM 15,360 gsar.3XE
11/17/2008 10:15 PM 417,136 handle.3XE
08/15/2005 10:54 AM 1,536 hidec.3XE
06/03/2012 01:09 PM 56 History.folder.dat
08/30/2000 05:00 PM 1,057 image001.gif
09/04/2010 04:07 PM 224 Imefile.dat
06/03/2012 01:07 PM 13 kmd.dat
06/03/2012 01:07 PM 14 LatestVer
06/03/2012 01:10 PM 896 LegacyFull
06/03/2012 01:10 PM 123 LegacyNoSvc
06/03/2012 01:09 PM 137 LocalAppData.folder.dat
08/30/2000 05:00 PM 225 LocalService.dat
08/30/2000 05:00 PM 91 LocalServiceNetworkRestricted.dat
06/03/2012 01:09 PM 137 LocalSettings.folder.dat
08/30/2000 05:00 PM 198 LocalSystemNetworkRestricted.dat
06/03/2012 01:10 PM 0 max_.dat
10/24/2009 03:11 PM 184,320 mbr.3XE
08/28/2010 08:30 PM 2,141 mbr.chk
06/03/2012 01:07 PM 74 Mirrors
02/10/2012 09:48 PM 8,192 MpsSvc.dat
08/30/2000 05:00 PM 11,264 mtee.3XE
06/03/2012 01:06 PM 7 MUI
06/03/2012 01:09 PM 47 Music.folder.dat
06/03/2012 01:07 PM 794 MWindows.dat
08/30/2000 05:00 PM 0 mynul.dat
12/24/2009 01:12 AM 283 ndis_combofix.dat
06/03/2012 01:09 PM 68 NetHood.folder.dat
06/03/2012 01:28 PM 64,812 netsvc.bad.dat
06/03/2012 01:07 PM 489 netsvc.dat
08/30/2000 05:00 PM 88 NetworkService.dat
04/19/2009 09:56 PM 60,416 NirCmd.3XE
04/19/2009 09:56 PM 58,880 NirCmdC.3XE
04/19/2009 09:56 PM 60,416 NIRKMD.3XE
06/03/2012 01:06 PM 6 NlsLanguageDefault
06/03/2012 01:09 PM 176 notifykeys.dat
06/03/2012 01:09 PM 210 notifykeysB.dat
06/03/2012 01:10 PM 3 NULL
06/03/2012 01:28 PM <DIR> N_
06/03/2012 01:22 PM 5,841 OriO4Files.dat
06/03/2012 01:22 PM 4,036 OriO4FilesB.dat
06/03/2012 01:07 PM 80 OsId.txt
06/03/2012 01:22 PM 0 patched.af
06/03/2012 01:22 PM 94 PathSearch
09/28/2002 10:01 PM 180,224 pausep.3XE
06/03/2012 01:09 PM 802 pend.txt
06/25/2011 11:45 PM 256,000 pev.3XE
01/27/2011 06:28 PM 102,400 pevb.3XE
06/03/2012 01:09 PM 117 Pictures.folder.dat
07/13/2009 06:14 PM 15,360 PING.3XE
07/05/2009 12:51 PM 2,992 Policies.dat
05/13/2010 01:57 AM 64 powp.dat
06/03/2012 01:09 PM 37 PreDIR
06/03/2012 01:09 PM 68 PrintHood.folder.dat
06/03/2012 01:09 PM 199 Profiles.Folder.dat
06/03/2012 01:09 PM 263 Profiles.Folder.folder.dat
06/03/2012 01:10 PM 213,496 progfile.dat
08/30/2000 05:00 PM 404 Purity.dat
03/02/2006 11:42 PM 73,728 PV.3XE
03/02/2006 08:42 AM 73,728 pv.com
08/30/2000 05:00 PM 7,478 RCLink.dat
06/03/2012 01:27 PM 417 RcRdyList
06/03/2012 01:07 PM 7 RcVer00
06/03/2012 01:09 PM 57 Recent.folder.dat
08/30/2000 05:00 PM 3,558 REGDACL.sed
08/30/2000 05:00 PM 9,203 RegDo.sed
09/16/2010 01:03 PM 1,153 region.dat
06/03/2012 01:22 PM 6 RegRun01
06/03/2012 01:07 PM 398,336 REGT.3XE
06/03/2012 01:22 PM 0 RenVDel.dat
06/03/2012 01:22 PM 0 RenVSuspect
06/03/2012 01:06 PM 344 Resident.txt
06/03/2012 01:07 PM 0 restore_pt.dat
11/07/2010 10:20 AM 208,896 rmbr.3XE
08/30/2000 05:00 PM 820 rogues.dat
07/13/2009 06:14 PM 17,920 ROUTE.3XE
06/03/2012 01:09 PM 1,872 run.sed
08/30/2000 05:00 PM 287 run2.sed
06/09/2009 08:38 PM 30 Rust.str
11/10/1999 09:00 AM 38,400 s0rt.3XE
08/30/2000 05:00 PM 329 safeboot.dat
06/03/2012 01:07 PM 1,867 safeboot.def.dat
08/30/2000 05:00 PM 98,816 sed.3XE
06/03/2012 01:09 PM 57 SendTo.folder.dat
06/03/2012 01:10 PM 47,517 ServiceFiles.dat
06/03/2012 01:10 PM 23,301 ServiceFiles00
08/30/2000 05:00 PM 66,172 setpath.3XE
05/23/2012 09:10 AM 376,832 ShAccess.dat
06/01/2012 08:45 PM 351,385 srizbi.md5
06/03/2012 01:09 PM 467 StartUp.folder.dat
06/03/2012 01:07 PM 2 Start_dat
06/03/2012 01:21 PM 0 SuspectB_netsvc.dat
06/03/2012 01:23 PM 1,089 suspectSvc.dat
06/03/2012 01:23 PM 84,337 SvcCovered
06/03/2012 01:10 PM 0 SvcDiff
06/03/2012 01:10 PM 32,525 SvcDump
06/03/2012 01:10 PM 5,534 SvcDumpB
06/03/2012 01:10 PM 1,900,499 SvcDumpFull
06/03/2012 01:10 PM 5,548 SvcFull
10/17/2009 09:14 PM 956 svchost.dat
06/03/2012 01:10 PM 29,143 svclist.dat
06/03/2012 01:10 PM 117 SvcTarget.dat
06/03/2012 01:28 PM 1,508,912 SvcTempAa
06/03/2012 01:07 PM 14,828 svc_wht.dat
08/30/2000 05:00 PM 518,144 swreg.3XE
08/30/2000 05:00 PM 406,528 swsc.3XE
08/30/2000 05:00 PM 212,480 swxcacls.3XE
06/03/2012 01:07 PM 829 SysPath.dat
08/30/2000 05:00 PM 276 system_ini.dat
11/09/1999 05:00 PM 35,328 tail.3XE
06/03/2012 01:21 PM 0 temp0900
06/03/2012 01:21 PM 0 temp2000
06/03/2012 01:23 PM 0 temp4000
10/29/2009 10:26 PM 633 toolbar.sed
06/03/2012 01:09 PM 606 unhand.dat
06/03/2012 01:10 PM 0 Unhandled.dat
06/03/2012 01:21 PM 0 UploadThese
06/03/2012 01:21 PM 0 V-FilesB.dat
06/03/2012 01:22 PM 0 v-tmp.dat
06/03/2012 01:07 PM 35 version.txt
06/03/2012 01:09 PM 382,773 VikPev00
06/03/2012 01:21 PM 0 Vikpev01
06/03/2012 01:27 PM 19,130 VInfo2
06/22/2011 01:40 AM 557 VINFO3
05/10/2010 08:30 AM 308 Vipev.dat
06/03/2012 01:07 PM 4 Vista.krl
07/26/2010 12:17 PM 440 vistaMcode.dat
06/03/2012 01:22 PM 53,149 vRun_DLL
06/20/2010 01:05 PM 7,584 vun.dat
07/31/2010 02:05 AM 244 VwinTemp.dacl
06/03/2012 01:21 PM 4,600 v_str.dat
06/03/2012 01:09 PM 49,076 v_wht.dat
06/03/2012 01:06 PM 6 W7.mac
07/23/2010 01:20 PM 440 w7Mcode.dat
06/03/2012 01:09 PM 88,829 whiteAll.dat
06/03/2012 01:09 PM 20,617 whitedir.dat
06/03/2012 01:09 PM 1,099 whitedirCreated.dat
06/03/2012 01:22 PM 375 WrgNameDLL
07/22/2010 07:14 AM 440 xpmcode.dat
08/30/2000 05:00 PM 23,773 zDomain.dat
06/03/2012 01:07 PM 69,509 zhsvc.dat
08/30/2000 05:00 PM 68,096 zip.3XE
06/03/2012 01:10 PM 0 Zlob01
216 File(s) 56,364,584 bytes

Directory of C:\ComboFix\en-US

06/03/2012 04:57 PM <DIR> .
06/03/2012 04:57 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\ComboFix\N_

06/03/2012 01:28 PM <DIR> .
06/03/2012 01:28 PM <DIR> ..
06/03/2012 01:28 PM 0 12010
06/03/2012 01:28 PM 103 12348
06/03/2012 01:28 PM 0 17948
06/03/2012 01:28 PM 0 18397
06/03/2012 01:28 PM 444 19030
06/03/2012 01:28 PM 449 2112
06/03/2012 01:28 PM 0 25005
06/03/2012 01:28 PM 0 25973
06/03/2012 01:28 PM 119 28029
06/03/2012 01:28 PM 0 28534
06/03/2012 01:28 PM 380 31625
06/03/2012 01:28 PM 0 3246
06/03/2012 01:28 PM 63 CmdLine00
13 File(s) 1,558 bytes

Total Files Listed:
229 File(s) 56,366,142 bytes
8 Dir(s) 206,022,115,328 bytes free
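
The `dir /s` log requested in post #9 and pasted above is a flat text dump, so any check on it has to begin with a parser. Added example, not part of the thread: a Python parser for that format that tallies files and bytes per directory and compares them with the `File(s)` / `bytes` summary lines that `dir` prints itself, which catches a listing that was truncated or edited before anyone relies on it. `SAMPLE` is an excerpt of the posted log (the `en-US` and `N_` subdirectories) with the `Total Files Listed` block recomputed for those two directories only; the `<total>` key is this script's own convention, not something `dir` emits.

```python
"""Parse `dir /s` output and check that the entries listed actually add up to
the File(s)/bytes totals the command printed.

Added example for the thread above, not part of the post. SAMPLE is an excerpt
of the posted listing with its summary block recomputed for the excerpt."""
import re

SAMPLE = """\
 Directory of C:\\ComboFix\\en-US

06/03/2012 04:57 PM <DIR> .
06/03/2012 04:57 PM <DIR> ..
0 File(s) 0 bytes

 Directory of C:\\ComboFix\\N_

06/03/2012 01:28 PM <DIR> .
06/03/2012 01:28 PM <DIR> ..
06/03/2012 01:28 PM 0 12010
06/03/2012 01:28 PM 103 12348
06/03/2012 01:28 PM 0 17948
06/03/2012 01:28 PM 0 18397
06/03/2012 01:28 PM 444 19030
06/03/2012 01:28 PM 449 2112
06/03/2012 01:28 PM 0 25005
06/03/2012 01:28 PM 0 25973
06/03/2012 01:28 PM 119 28029
06/03/2012 01:28 PM 0 28534
06/03/2012 01:28 PM 380 31625
06/03/2012 01:28 PM 0 3246
06/03/2012 01:28 PM 63 CmdLine00
13 File(s) 1,558 bytes

 Total Files Listed:
13 File(s) 1,558 bytes
4 Dir(s) 206,022,115,328 bytes free
"""

# Whitespace is matched loosely because pasting into a forum collapses the
# column padding that dir normally emits.
DIR_HDR = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
SUMMARY = re.compile(r"^\s*([\d,]+) File\(s\)\s+([\d,]+) bytes\s*$")
TOTAL_HDR = re.compile(r"^\s*Total Files Listed:\s*$")
TOTAL_KEY = "<total>"   # this script's own key for the grand-total block


def _num(text):
    return int(text.replace(",", ""))


def parse_dir_listing(text):
    """Return {directory: {"files": [(name, size)], "subdirs": [names],
    "reported": (count, bytes) or None}}. The grand total goes under TOTAL_KEY."""
    listing, current = {}, None
    for line in text.splitlines():
        m = DIR_HDR.match(line)
        if m:
            current = m.group(1)
            listing[current] = {"files": [], "subdirs": [], "reported": None}
            continue
        if TOTAL_HDR.match(line):
            current = TOTAL_KEY
            listing[current] = {"files": [], "subdirs": [], "reported": None}
            continue
        m = SUMMARY.match(line)
        if m and current is not None:
            listing[current]["reported"] = (_num(m.group(1)), _num(m.group(2)))
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            size, name = m.group(3), m.group(4)
            if size == "<DIR>":
                if name not in (".", ".."):
                    listing[current]["subdirs"].append(name)
            else:
                listing[current]["files"].append((name, _num(size)))
    return listing


def reconcile(listing):
    """Compare the files and bytes actually listed with what dir reported.
    Returns [(directory, counted, reported)] for every disagreement; an
    empty list means the text is internally consistent."""
    problems = []
    grand_count = grand_bytes = 0
    for directory, info in listing.items():
        if directory == TOTAL_KEY:
            continue
        counted = (len(info["files"]), sum(size for _, size in info["files"]))
        grand_count += counted[0]
        grand_bytes += counted[1]
        if info["reported"] is not None and info["reported"] != counted:
            problems.append((directory, counted, info["reported"]))
    total = listing.get(TOTAL_KEY)
    if total is not None and total["reported"] is not None:
        counted = (grand_count, grand_bytes)
        if total["reported"] != counted:
            problems.append((TOTAL_KEY, counted, total["reported"]))
    return problems


if __name__ == "__main__":
    parsed = parse_dir_listing(SAMPLE)
    for directory, info in parsed.items():
        print(directory, len(info["files"]), "files,", info["reported"], "reported")
    print("mismatches:", reconcile(parsed))
```

Fed the complete listing from the post, `parse_dir_listing` tallies each directory's entries against its `216 File(s)` and `13 File(s)` lines and against the grand total; a non-empty result from `reconcile` means the pasted text and its own summary lines disagree, which is the first thing to establish before reasoning about what the folder did or did not contain.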

#11 BigDreamer

  • Topic Starter
  • Members
  • 10 posts

Posted 07 June 2012 - 11:47 PM

I see you didn't sign on yesterday, so I hope you had a good day off.

What do you say to me just trying the restore point ComboFix made?
It may save us both a lot of time and maybe headaches. You're the boss.

#12 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 08 June 2012 - 02:26 PM

Good evening. :)

What concerns me with regard to the Restore Point is that you wind the PC clock back to when you had an active infection and then you'd need to start all over again removing it.

The log that you posted doesn't seem to tally with the screenshot you posted in the thread you linked to in your first post. Will you check for me whether or not the list of the contents of the folder C:\ComboFix above matches what you have on your system and not what the image showed and let me know which is right.

So long, and thanks for all the fish.

#13 BigDreamer

  • Topic Starter
  • Members
  • 10 posts

Posted 08 June 2012 - 05:08 PM

Hey Hey Noviciate
A good day to you.

I did not download Combo Fix from you. I got it from www.softpedia.com, where I also got a couple of others.
The infection was removed before I ran Combo Fix. I ran Combo Fix to see if it found anything. Now I don't believe Combo Fix ever deleted any viruses.
Nothing personal, but you never know who you are dealing with on the net, so I watched Combo Fix do its scan, and it stopped at 50 stages and started to delete files I know are safe, so I pulled the plug after only seconds of it deleting. So after reading your last 2 posts and how much work this has become, I ran the restore point today and the multi Combo Fix tree is gone, and so far the redirect is also gone.

BSODs are another story, which points to memory problems. I run a CPU stress test and it's AOK, but I run a memory test and the PC crashes.
Please tell me if I'm wrong, but I think this is hardware and not a virus, which is not your cup of tea.

You have been great in giving of your free time to people you don't even know, but I don't feel right asking you for any more time than you have already given, so that's why I ran the restore point.

PS To answer your last post, the tree still had multiple Combo Fix directories and I don't know why the report did not show it. That last report was run before I did anything to the PC but auto-update the virus scan, which I forgot to turn off.

#14 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 09 June 2012 - 03:04 PM

Good evening. :)

I run a CPU stress test and it's AOK, but I run a memory test and the PC crashes...

Please tell me if I'm wrong, but I think this is hardware and not a virus...

Had a similar issue with blue screens and memtest confirmed sick RAM - new RAM, happy PC, simple solution. If you have multiple sticks then you can run the PC with less memory if you can identify the sick stick.
Assuming that your copy of memtest is a Linux boot disk then you can pretty much rule out a virus as the cause - if you don't boot into Windows then you don't "activate" the virus, if it is present, or suffer from any effects that it has had on the operating system when it struck.

...which is not your cup of tea.

True. :whistle:

You have been great in giving of your free time to people you don't even know, but I don't feel right asking you for any more time than you have already given, so that's why I ran the restore point.

It was a good call, even before you knew that it worked - if it hadn't you could have undone it anyway, so it's a freebie fix.

PS To answer your last post, the tree still had multiple Combo Fix directories and I don't know why the report did not show it.

I hope that you just had a one-off issue and I don't have to deal with another and then it just falls under the heading of "odd but forgettable".

So long, and thanks for all the fish.

#15 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 14 June 2012 - 02:35 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.