
Thread: explorer.exe 0xc000022 error

  #11 (Member, Join Date Feb 2012, Posts 32)

    2 of 2 accomplished

    Task 1 completed:
    However, I noticed that when I clicked and dragged the file into ComboFix I was not able to select "run as admin", but other than that it ran and said it deleted the file. Rebooted to Safe Mode to get the report; here it is!

    ComboFix 12-02-11.02 - Ryan 02/12/2012 13:21:39.1.2 - x64 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3361 [GMT -6:00]
    Running from: c:\users\Ryan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Ryan\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\DpPwdFlt.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-12 19:28 . 2012-02-12 19:31 -------- d-----w- c:\users\Ryan\AppData\Local\temp
    2012-02-12 19:28 . 2012-02-12 19:28 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-12 19:28 . 2012-02-12 19:28 -------- d-----w- c:\users\Becca\AppData\Local\temp
    2012-02-11 13:46 . 2012-02-11 21:22 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
    2012-02-11 13:46 . 2012-02-11 21:22 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
    2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
    2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
    2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
    2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
    2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
    2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
    2012-02-02 18:27 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
    2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
    2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
    2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
    2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
    2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
    2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
    2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
    2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
    2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
    2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
    2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-07 16:39 . 2010-01-03 04:55 279096 ----a-w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    .
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 2 (0x2)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli DPPWDFLT
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
    .
    2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
    - c:\windows\system32\msfeedssync.exe [2011-06-19 04:32]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.254
    Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-02-12 13:37:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-12 19:37
    ComboFix2.txt 2012-02-11 14:04
    .
    Pre-Run: 217,970,937,856 bytes free
    Post-Run: 217,764,872,192 bytes free
    .
    - - End Of File - - 6CB009C7319ABC98610E80ADFECF89BC





    Task #2 completed: downloaded, run, and rebooted, all in Safe Mode!


    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.12.05

    Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.19088
    Ryan :: RYAN-PC [administrator]

    2/12/2012 1:48:12 PM
    mbam-log-2012-02-12 (13-48-12).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 205216
    Time elapsed: 2 minute(s), 42 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 6
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99b340f7-76e0-44ab-9948-b95a1b475d39} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d09094b3-b426-4f16-a6d9-e211fe222127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKCU\Environment|AVAPP (Rogue.PersonalAntiVirus) -> Data: C:\Program Files (x86)\PersonalAV -> Quarantined and deleted successfully.
    HKCU\Environment|AVUNINST (Rogue.PersonalAntiVirus) -> Data: C:\Program Files (x86)\Common Files\Uninstall\PersonalAV\Uninstall.lnk -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Task #3: unable to perform

    Tried to copy the file name into the site and it never would let me paste it; I couldn't even click in the search box, nor would it let me click on Browse!! Does it have to do with me being in Safe Mode??? I tried searching my computer for that file just to see if I could find it and drag it, but my computer search didn't find that name!!!

    Hope I did everything right, and I just want to say thank you so much for your help so far!!

    Chiro
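As an added example (not part of chiro's post, and not code from ComboFix): the "Reg Loading Points" section of the log above shows `Notification Packages REG_MULTI_SZ scecli DPPWDFLT` under the LSA key, and "Other Deletions" shows ComboFix removed `c:\windows\system32\DpPwdFlt.dll`. Notification packages are DLLs that lsass.exe loads at boot and calls on every password set or change, so a non-stock entry there is both a persistence point and a way to observe plaintext passwords; it is one of the lines in a ComboFix log worth reading closely whatever the final verdict on the file turns out to be. The script below splits a log into its banner-delimited sections and reports, for each package, whether it is the stock `scecli` entry, whether its DLL was just deleted (leaving a stale registry value that lsass will fail to load), or whether it is unknown and its file and signature need checking. The log excerpt is constructed from the lines quoted in this thread; treating `scecli` as the only stock entry on a stand-alone workstation is an assumption.

```python
"""Added example (not from the forum thread or from ComboFix): pull the LSA
"Notification Packages" line out of a ComboFix log and cross-check each
package against the files ComboFix reports deleting. The log excerpt is
constructed from the lines quoted in this thread."""
import re
from pathlib import PureWindowsPath

# ComboFix separates report sections with banners like "(((( Title ))))".
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")

# Assumption: on a stand-alone Vista workstation the stock value is just scecli.
STOCK_PACKAGES = {"scecli"}

# Constructed excerpt modelled on the log above (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\DpPwdFlt.dll
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
"""


def split_sections(log: str) -> dict:
    """Map each banner title to the non-placeholder lines beneath it."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        match = BANNER.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def deleted_basenames(sections: dict) -> set:
    """Lower-cased file names from 'Other Deletions' (paths are Windows-style)."""
    return {PureWindowsPath(p).name.lower() for p in sections.get("Other Deletions", [])}


def notification_packages(sections: dict) -> list:
    """Tokens after 'Notification Packages REG_MULTI_SZ' in Reg Loading Points."""
    for line in sections.get("Reg Loading Points", []):
        if line.lower().startswith("notification packages"):
            return line.split()[3:]
    return []


def audit_lsa_packages(log: str) -> list:
    """Classify each LSA notification package; lsass loads '<name>.dll' from System32."""
    sections = split_sections(log)
    deleted = deleted_basenames(sections)
    report = []
    for pkg in notification_packages(sections):
        name = pkg.lower()
        if name in STOCK_PACKAGES:
            verdict = "stock entry"
        elif f"{name}.dll" in deleted:
            verdict = "stale: DLL deleted by ComboFix, registry value still references it"
        else:
            verdict = "non-stock: check the DLL on disk and its Authenticode signature"
        report.append((pkg, verdict))
    return report


if __name__ == "__main__":
    for pkg, verdict in audit_lsa_packages(SAMPLE_LOG):
        print(f"{pkg:12} {verdict}")
```

Run it as-is on the embedded excerpt, or pass the text of a saved ComboFix.txt to `audit_lsa_packages`. A "stale" result means the deletion should be paired with removing the name from the REG_MULTI_SZ value (or restoring the DLL, which is what the thread ends up doing), otherwise lsass keeps trying to load a file that is no longer there.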

  #12 (Senior Member, Join Date Sep 2010, Posts 631)

    Hi chiro.j.elliott,

    I'm not sure why Safe Mode would make any difference. Try submitting it to the VirSCAN.org FREE on-line scan service.

    If that doesn't work:

    The file should be in the ComboFix quarantine folder. Open Windows Explorer and navigate to the C:\ drive. Open the Qoobox folder and expand the paths until you reach the file:

    C:\Qoobox\Quarantine\C\WINDOWS\system32\DpPwdFlt.dll.vir

    If it's not too big, try zipping it and attaching it to your reply. I'll submit it.
    Member of UNITE and ASAP

  #13 (Member, Join Date Feb 2012, Posts 32)

    C:\Qoobox\Quarantine\C\WINDOWS\
    is as far as I can get in your chain. "SysWOW64" is the only folder in the WINDOWS folder; there is no system32 folder there!!!

  #14 (Member, Join Date Feb 2012, Posts 32)

    And VirSCAN.org does the same thing to me when I try to input anything into the scan box!! It won't let me type anything, and the Browse button won't open any new windows or anything.

  #15 (Senior Member, Join Date Sep 2010, Posts 631)

    Hi

    Have a look in the "SysWOW64" folder. If it's a 32-bit file, that's where it would be.
    Member of UNITE and ASAP

  #16 (Member, Join Date Feb 2012, Posts 32)

    Antivirus Result Update
    nProtect - 20120212
    CAT-QuickHeal - 20120212
    McAfee - 20120212
    K7AntiVirus - 20120211
    TheHacker - 20120212
    VirusBuster - 20120212
    NOD32 - 20120213
    F-Prot - 20120213
    Symantec - 20120213
    Norman - 20120212
    ByteHero - 20120211
    TrendMicro-HouseCall - 20120213
    Avast - 20120212
    eSafe Win32.TrojanHorse 20120212
    ClamAV - 20120212
    Kaspersky - 20120213
    BitDefender - 20120212
    SUPERAntiSpyware - 20120206
    Sophos - 20120212
    Comodo - 20120212
    F-Secure - 20120212
    DrWeb - 20120213
    VIPRE - 20120212
    AntiVir - 20120212
    TrendMicro - 20120212
    McAfee-GW-Edition - 20120212
    Emsisoft - 20120213
    eTrust-Vet - 20120211
    Jiangmin - 20120212
    Antiy-AVL - 20120211
    Microsoft - 20120212
    ViRobot - 20120212
    Prevx - 20120213
    GData - 20120212
    Commtouch - 20120213
    AhnLab-V3 - 20120212
    VBA32 - 20120210
    PCTools - 20120207
    Rising - 20120210
    Ikarus - 20120212
    Fortinet - 20120213
    AVG - 20120213
    Panda - 20120

  #17 (Member, Join Date Feb 2012, Posts 32)

    Don't know what all this is, but it was under "additional info". If you have any questions I'll do my best to explain!!



    ssdeep
    768:eQlw1kB2Q553vAREHe+TMVGUcyIxz7BnNgIdloCo3Zj:eh1HQ55IavTmBIxH1CIXo3Zj
    TrID
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    PEiD packer identifier
    Armadillo v1.xx - v2.xx
    ExifTool

    CodeSize.................: 28672
    FileDescription..........: ndisapi
    Comments.................: NDISRD IOCTL wrapper DLL
    InitializedDataSize......: 32768
    ImageVersion.............: 0.0
    ProductName..............: Windows Packet Filter Kit
    FileVersionNumber........: 3.0.5.1
    LanguageCode.............: Neutral
    FileFlagsMask............: 0x003f
    CharacterSet.............: Unicode
    LinkerVersion............: 6.0
    OriginalFilename.........: ndisapi.dll
    MIMEType.................: application/octet-stream
    Subsystem................: Windows GUI
    FileVersion..............: 3, 0, 5, 1
    TimeStamp................: 2009:05:14 10:58:01+01:00
    FileType.................: Win32 DLL
    PEType...................: PE32
    InternalName.............: ndisapi
    SubsystemVersion.........: 4.0
    ProductVersion...........: 3, 0, 5, 1
    UninitializedDataSize....: 0
    OSVersion................: 4.0
    FileOS...................: Windows NT 32-bit
    LegalCopyright...........: Copyright NT Kernel Resources 2000-2009
    MachineType..............: Intel 386 or later, and compatibles
    CompanyName..............: NT Kernel Resources
    LegalTrademarks..........: WinpkFilter
    FileSubtype..............: 0
    ProductVersionNumber.....: 3.0.5.1
    EntryPoint...............: 0x3957
    ObjectFileType...........: Dynamic link library

    Sigcheck

    publisher................: NT Kernel Resources
    product..................: Windows Packet Filter Kit
    internal name............: ndisapi
    copyright................: Copyright (c) NT Kernel Resources 2000-2009
    original name............: ndisapi.dll
    comments.................: NDISRD IOCTL wrapper DLL
    file version.............: 3, 0, 5, 1
    description..............: ndisapi

    Portable Executable structural information

    PE Sections...................:

    Name Virtual Address Virtual Size Raw Size Entropy MD5
    .text 4096 25546 28672 6.11 db375aa2e42d98e9e02228409aa678ac
    .rdata 32768 6416 8192 4.83 492b2072f94cf3a8ae72ad4c4eb1ad3e
    .data 40960 13196 12288 1.13 d7a59ed881b25743a8a59683569758ea
    .rsrc 57344 1016 4096 1.06 8758de4a8955c8ed01cca3d3d59b817f
    .reloc 61440 3502 4096 3.47 5aa43948033a15270f67e9bca1ff39e1

    PE Imports....................:

    ADVAPI32.dll
    RegEnumKeyExA, RegQueryValueExA, RegCreateKeyA, RegSetValueExA, RegCloseKey, RegOpenKeyExA

    KERNEL32.dll
    DeviceIoControl, FreeLibrary, LoadLibraryA, CloseHandle, GetLastError, ResetEvent, CreateFileA, CreateEventA, GetVersionExA, GetModuleHandleA, GetProcAddress, WaitForSingleObject, GetCurrentProcess, HeapFree, HeapAlloc, GetCommandLineA, GetVersion, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, ExitProcess, RtlUnwind, InterlockedDecrement, InterlockedIncrement, TerminateProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, WriteFile, GetCPInfo, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetACP, GetOEMCP, GetStringTypeA, GetStringTypeW


    PE Exports....................:

    __0CNdisApi@@QAE@ABV0@@Z, __0CNdisApi@@QAE@PBD@Z, __1CNdisApi@@UAE@XZ, __4CNdisApi@@QAEAAV0@ABV0@@Z,
    ___7CNdisApi@@6B@, ___C@_06NKHA@NDISRD_$AA@, ___FCNdisApi@@QAEXXZ,
    _ConvertWindows2000AdapterName@CNdisApi@@SAHPBDPADK@Z, _ConvertWindows9xAdapterName@CNdisApi@@SAHPBDPADK@Z,
    _ConvertWindowsNTAdapterName@CNdisApi@@SAHPBDPADK@Z, _DeviceIoControl@CNdisApi@@QAEHKPAXH0HPAKPAU_OVERLAPPED@@@Z,
    _FlushAdapterPacketQueue@CNdisApi@@QAEHPAX@Z, _GetAdapterMode@CNdisApi@@QAEHPAU_ADAPTER_MODE@@@Z,
    _GetAdapterPacketQueueSize@CNdisApi@@QAEHPAXPAK@Z, _GetAdaptersStartupMode@CNdisApi@@SAKXZ,
    _GetBytesReturned@CNdisApi@@QAEKXZ, _GetHwPacketFilter@CNdisApi@@QAEHPAXPAK@Z, _GetMTUDecrement@CNdisApi@@SAKXZ,
    _GetPacketFilterTable@CNdisApi@@QAEHPAU_STATIC_FILTER_TABLE@@@Z,
    _GetPacketFilterTableResetStats@CNdisApi@@QAEHPAU_STATIC_FILTER_TABLE@@@Z,
    _GetPacketFilterTableSize@CNdisApi@@QAEHPAK@Z, _GetRasLinks@CNdisApi@@QAEHPAXPAU_RAS_LINKS@@@Z,
    _GetTcpipBoundAdaptersInfo@CNdisApi@@QAEHPAU_TCP_AdapterList@@@Z, _GetVersion@CNdisApi@@QAEKXZ,
    _IsDriverLoaded@CNdisApi@@QAEHXZ, _NdisrdRequest@CNdisApi@@QAEHPAU_PACKET_OID_DATA@@H@Z,
    _ReadPacket@CNdisApi@@QAEHPAU_ETH_REQUEST@@@Z, _ReadPackets@CNdisApi@@QAEHPAU_ETH_M_REQUEST@@@Z,
    _ResetPacketFilterTable@CNdisApi@@QAEHXZ, _SendPacketToAdapter@CNdisApi@@QAEHPAU_ETH_REQUEST@@@Z,
    _SendPacketToMstcp@CNdisApi@@QAEHPAU_ETH_REQUEST@@@Z, _SendPacketsToAdapter@CNdisApi@@QAEHPAU_ETH_M_REQUEST@@@Z,
    _SendPacketsToMstcp@CNdisApi@@QAEHPAU_ETH_M_REQUEST@@@Z, _SetAdapterListChangeEvent@CNdisApi@@QAEHPAX@Z,
    _SetAdapterMode@CNdisApi@@QAEHPAU_ADAPTER_MODE@@@Z, _SetAdaptersStartupMode@CNdisApi@@SAHK@Z,
    _SetHwPacketFilter@CNdisApi@@QAEHPAXK@Z, _SetMTUDecrement@CNdisApi@@SAHK@Z, _SetPacketEvent@CNdisApi@@QAEHPAX0@Z,
    _SetPacketFilterTable@CNdisApi@@QAEHPAU_STATIC_FILTER_TABLE@@@Z, _SetWANEvent@CNdisApi@@QAEHPAX@Z,
    CloseFilterDriver, ConvertWindows2000AdapterName, ConvertWindows9xAdapterName, ConvertWindowsNTAdapterName,
    FlushAdapterPacketQueue, GetAdapterMode, GetAdapterPacketQueueSize, GetAdaptersStartupMode, GetBytesReturned,
    GetDriverVersion, GetHwPacketFilter, GetMTUDecrement, GetPacketFilterTable, GetPacketFilterTableResetStats,
    GetPacketFilterTableSize, GetRasLinks, GetTcpipBoundAdaptersInfo, IsDriverLoaded, NdisrdRequest, OpenFilterDriver,
    ReadPacket, ReadPackets, ResetPacketFilterTable, SendPacketToAdapter, SendPacketToMstcp, SendPacketsToAdapter,
    SendPacketsToMstcp, SetAdapterListChangeEvent, SetAdapterMode, SetAdaptersStartupMode, SetHwPacketFilter,
    SetMTUDecrement, SetPacketEvent, SetPacketFilterTable, SetWANEvent

    First seen by VirusTotal
    2009-06-05 12:08:22 UTC ( 2 years, 8 months ago )
    Last seen by VirusTotal
    2012-02-13 01:45:53 UTC ( 6 minutes ago )
    File names (max. 25)

    ndisapi.dll.vir
    FE4C4F2696C7EF01FB5FC87B3E71D639
    ndisapi.dll
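As an added example (not code from the original post, from VirusTotal, or from NT Kernel Resources), here is how the Entropy and MD5 columns of the "PE Sections" table above are produced from the section headers, and what a triager reads off them. The script below parses the DOS header, PE signature, COFF header and section table with only the Python standard library, computes per-section Shannon entropy and MD5 exactly as the table lists them, and flags two things worth a second look: sections that are both writable and executable, and sections whose entropy approaches 8 bits per byte. It builds a small PE32 image in memory so it runs offline; that image, the 7.0 bits/byte packing threshold and the section names are assumptions made here, not data from the quarantined DLL.

```python
"""Added example (not from the forum thread, from VirusTotal, or from NT Kernel
Resources): rebuild the per-section Entropy/MD5 columns of the PE table above
from the section headers, using only the Python standard library, and flag the
two things an analyst scans that table for. The PE image is constructed here
as sample data; it is not the quarantined DLL."""
import hashlib
import math
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Rule-of-thumb threshold in bits/byte (assumption): compiled code like the
# 6.11 .text above sits well below it; compressed or encrypted payloads approach 8.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, the figure VirusTotal reports per section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns (machine, [section dicts]); raw bytes come from PointerToRawData."""
    if image[:2] != DOS_MAGIC:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
            "writable_executable": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE),
        })
    return machine, sections


def suspicious(sections):
    """Two cheap triage signals: W+X sections (unpacking stubs write code they
    then run) and near-8-bit entropy (compressed or encrypted payload)."""
    findings = []
    for s in sections:
        if s["writable_executable"]:
            findings.append((s["name"], "writable and executable"))
        if s["entropy"] >= PACKED_ENTROPY:
            findings.append((s["name"], f"entropy {s['entropy']} >= {PACKED_ENTROPY}"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image (sample data): an all-NOP .text and a UPX0-style
    section that is writable+executable and filled with a byte permutation, so
    its entropy is exactly 8.0. Header fields parse_sections ignores are zero."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    text = b"\x90" * align
    packed = bytes((i * 131 + 7) % 256 for i in range(align))  # 131 is odd: every byte value twice

    def section_header(name, vaddr, rawptr, characteristics):
        return struct.pack("<8sIIIIIIHHI", name, align, vaddr, align, rawptr, 0, 0, 0, 0, characteristics)

    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x2102)  # i386, 2 sections, EXECUTABLE|32BIT|DLL
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)         # PE32 magic, rest zeroed
    headers = (dos + PE_SIGNATURE + coff + optional
               + section_header(b".text", 0x1000, align, 0x60000020)      # CODE|EXECUTE|READ
               + section_header(b"UPX0", 0x2000, 2 * align, 0xE0000040))  # INITIALIZED_DATA|EXECUTE|READ|WRITE
    headers += b"\0" * (align - len(headers))
    return headers + text + packed


if __name__ == "__main__":
    machine, secs = parse_sections(build_sample_pe())
    print(f"Machine 0x{machine:X}")
    print("Name   VirtAddr VirtSize RawSize Entropy MD5")
    for s in secs:
        print(f"{s['name']:6} {s['virtual_address']:8} {s['virtual_size']:8} {s['raw_size']:7} "
              f"{s['entropy']:7} {s['md5']}")
    for name, reason in suspicious(secs):
        print(f"  ! {name}: {reason}")
```

Read against the table above: no section of the scanned file approaches 8 bits, and its import list is a full C runtime import set rather than the handful of loader functions a packer stub leaves behind, which is what an unprotected compiler build looks like. To run the parser on a real file, pass `open(path, "rb").read()` to `parse_sections`.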

  #18 (Senior Member, Join Date Sep 2010, Posts 631)

    Hi chiro.j.elliott,

    How did you manage to get the file scanned?

    Looks like a false positive so we'll restore the file.

    Please follow all previous instructions regarding security programs.

    Open a new Notepad session
    • Click the Start button, click run
    • in the run box type notepad
    • click ok
    • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


    Code:
    DEQUARANTINE::
    C:\Qoobox\Quarantine\C\WINDOWS\SysWOW64\DpPwdFlt.dll.vir
    
    QUIT::
    In the notepad
    • Click File, Save as..., and set the Save in to your Desktop
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save

    Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

    This will start ComboFix again. Close all browsers/windows first.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



    A Notepad window will open called DeQuarantine.txt. Please post its contents.
    Member of UNITE and ASAP

  #19 (Member, Join Date Feb 2012, Posts 32)

    The file was in the SysWOW64 folder, so I just clicked and dragged it to the scan bar on the website.

    here is the latest Log!!

    ComboFix 12-02-11.02 - Ryan 02/13/2012 11:31:40.1.2 - x64 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3393 [GMT -6:00]
    Running from: c:\users\Ryan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Ryan\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\DpPwdFlt.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-13 17:38 . 2012-02-13 17:50 -------- d-----w- c:\users\Ryan\AppData\Local\temp
    2012-02-13 17:38 . 2012-02-13 17:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-13 17:38 . 2012-02-13 17:38 -------- d-----w- c:\users\Becca\AppData\Local\temp
    2012-02-12 19:47 . 2012-02-12 19:47 -------- d-----w- c:\users\Ryan\AppData\Roaming\Malwarebytes
    2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-12 19:46 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-11 13:46 . 2012-02-11 21:22 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
    2012-02-11 13:46 . 2012-02-11 21:22 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
    2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
    2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
    2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
    2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
    2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
    2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
    2012-02-02 18:27 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
    2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
    2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
    2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
    2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
    2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
    2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
    2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
    2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
    2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
    2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
    2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
    2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-07 16:39 . 2010-01-03 04:55 279096 ----a-w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-01-13 1081416]
    .
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 2 (0x2)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli DPPWDFLT
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ECACHE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
    .
    2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
    - c:\windows\system32\msfeedssync.exe [2011-06-19 04:32]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.254
    Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-02-13 11:55:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-13 17:55
    ComboFix2.txt 2012-02-12 19:37
    ComboFix3.txt 2012-02-11 14:04
    .
    Pre-Run: 217,579,298,816 bytes free
    Post-Run: 217,559,085,056 bytes free
    .
    - - End Of File - - 655FE6BC24362D8248B22853071E5EE0
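    The log above has a detail worth catching before deciding whether to dequarantine: the "Other Deletions" section shows c:\windows\system32\DpPwdFlt.dll removed, while the "Reg Loading Points" section still lists DPPWDFLT under the LSA Notification Packages value, a DLL that LSASS loads from System32 at boot. The following parser is an added example written for this thread, not ComboFix's own code or anything posted by the participants. It splits a ComboFix log into its bracketed sections, parses the "Files Created" lines into records, extracts the Notification Packages list, and reports any package whose DLL appears among the deletions. SAMPLE_LOG is a constructed, trimmed copy of the log posted above; the section and field layout it assumes is the one visible in the thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed copy of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 12-02-11.02 - Ryan 02/13/2012 11:31:40.1.2 - x64 NETWORK
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\DpPwdFlt.dll
.
((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))
.
2012-02-13 17:38 . 2012-02-13 17:50 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2012-02-12 19:46 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
"""

# Section headers are either "((( Title )))" or "--- Title ---".
HEADER = re.compile(r"^(?:\(+\s*(.+?)\s*\)+|-{3,}\s*(.+?)\s*-{3,})$")

# "created . modified size attrs path"; directories show -------- as size.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class CreatedFile:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_directory(self) -> bool:
        return self.attrs.startswith("d")


def split_sections(text: str) -> dict[str, list[str]]:
    """Map each section title to its body lines; '.' spacer lines are dropped."""
    sections: dict[str, list[str]] = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = (m.group(1) or m.group(2)).strip()
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def find_section(sections: dict[str, list[str]], prefix: str) -> list[str]:
    """Look a section up by title prefix (the 'Files Created' title carries dates)."""
    for title, lines in sections.items():
        if title.lower().startswith(prefix.lower()):
            return lines
    return []


def deleted_files(text: str) -> list[str]:
    return find_section(split_sections(text), "Other Deletions")


def created_files(text: str) -> list[CreatedFile]:
    out: list[CreatedFile] = []
    for line in find_section(split_sections(text), "Files Created"):
        m = FILE_LINE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            out.append(CreatedFile(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return out


def new_drivers(text: str) -> list[str]:
    """Newly created files under a \\drivers\\ directory deserve a second look."""
    return [f.path for f in created_files(text)
            if not f.is_directory and "\\drivers\\" in f.path.lower()]


def lsa_notification_packages(text: str) -> list[str]:
    for line in find_section(split_sections(text), "Reg Loading Points"):
        if line.startswith("Notification Packages"):
            return line.split()[3:]  # skip 'Notification Packages REG_MULTI_SZ'
    return []


def dangling_lsa_packages(text: str) -> list[str]:
    """Packages still registered under HKLM\\SYSTEM\\...\\Lsa whose DLL ComboFix deleted."""
    deleted = {p.rsplit("\\", 1)[-1].lower() for p in deleted_files(text)}
    return [p for p in lsa_notification_packages(text) if f"{p.lower()}.dll" in deleted]


if __name__ == "__main__":
    print("new drivers:", new_drivers(SAMPLE_LOG))
    print("LSA packages without a DLL:", dangling_lsa_packages(SAMPLE_LOG))
```

    Run it against a saved ComboFix log in place of SAMPLE_LOG; a non-empty result from dangling_lsa_packages means the machine is referencing a password filter that no longer exists on disk, which is the state the DEQUARANTINE step in the previous reply is meant to undo once the file is confirmed clean.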

  10. #20
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi chiro.j.elliott,

    Combofix should not have run a full run with that CFScript.

    Please post the contents of this file

    C:\Qoobox\ComboFix-quarantined-files.txt
    Member of UNITE and ASAP
