explorer.exe 0xc000022 error

Status
Not open for further replies.

chiro.j.elliott

New member
I am trying to clean up and repair my brother-in-law's laptop. I started deleting programs/toolbars and running antivirus, Spybot and others just to clean crap off. Apparently he said he tried online virus scans and such, which, who knows what they put in his system on top of what he already had. But anyway, I did a Windows update as well as tried a Windows IE update, and soon after, on one of the reboots, I got an error message (explorer.exe 0xc000022, click OK to terminate) when I clicked on any of the login profiles. After hitting OK everything went black but my mouse. I can Ctrl+Alt+Del to Task Manager and shut down. I currently am able to run in safe mode with no problems.

here is the DDS file

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_30
Run by Ryan at 13:33:32 on 2012-02-09
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3191 [GMT -6:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Roxio Shared\10.0\Roxio Central36\Main\Roxio_Central36.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Ryan\Desktop\HijackThis.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
mSearchAssistant =
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: &Crawler Toolbar Helper: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {90B49673-5506-483E-B92B-CA0265BD9CA8} - No File
TB: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} - No File
uRun: [avgsys] regedit /s "C:\ProgramData\de6342b\4455.reg"
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
StartupFolder: C:\Users\Ryan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\Users\Ryan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\wkcalrem.LNK - C:\Program Files (x86)\Microsoft Works\WkCalRem.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2961302D-0820-4732-9602-FF83D5402027} : DhcpNameServer = 209.183.50.151 209.183.50.151
TCP: Interfaces\{3F989BEA-572A-4367-97B7-768ECC652223} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{FB2F24BD-7F6D-4397-9084-EBC202AA3EF3} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
LSA: Notification Packages = scecli DPPWDFLT
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: &Crawler Toolbar Helper: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: &Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {90B49673-5506-483E-B92B-CA0265BD9CA8} - No File
TB-X64: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} - No File
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IFEO-X64: image file execution options - svchost.exe
IFEO-X64: a.exe - svchost.exe
IFEO-X64: aAvgApi.exe - svchost.exe
IFEO-X64: AAWTray.exe - svchost.exe
IFEO-X64: About.exe - svchost.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
S2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2008-1-20 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;C:\Windows\system32\Drivers\ATSwpWDF.sys --> C:\Windows\system32\Drivers\ATSwpWDF.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;C:\Windows\system32\DRIVERS\OA001Ufd.sys --> C:\Windows\system32\DRIVERS\OA001Ufd.sys [?]
S3 OA001Vid;Creative Camera OA001 Function Driver;C:\Windows\system32\DRIVERS\OA001Vid.sys --> C:\Windows\system32\DRIVERS\OA001Vid.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);C:\Windows\system32\DRIVERS\swnc8u80.sys --> C:\Windows\system32\DRIVERS\swnc8u80.sys [?]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);C:\Windows\system32\DRIVERS\swumx80.sys --> C:\Windows\system32\DRIVERS\swumx80.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [?]
S4 ATService;AuthenTec Fingerprint Service;C:\Program Files\Fingerprint Sensor\ATService.exe [2008-12-22 2479864]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-16 89920]
S4 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-23 155648]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-22 135664]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-22 135664]
S4 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-1-2 1153368]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-02-09 19:08:52 283200 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2012-02-09 19:08:45 -------- d-----w- C:\Program Files (x86)\DAEMON Tools Lite
2012-02-09 19:08:12 -------- d-----w- C:\Users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08:10 -------- d-----w- C:\ProgramData\DAEMON Tools Lite
2012-02-09 18:58:23 -------- d-----w- C:\Windows\pss
2012-02-07 17:19:23 0 ---ha-w- C:\Users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 18:27:18 8602168 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
2012-02-02 16:00:17 -------- d-----w- C:\Users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00:17 -------- d-----w- C:\Users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00:11 -------- d-----w- C:\ProgramData\PC1Data
2012-02-02 03:05:16 -------- d-----w- C:\Users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46:24 -------- d-----w- C:\ProgramData\Uniblue
2012-02-01 22:46:19 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46:14 -------- d-----w- C:\Program Files (x86)\Uniblue
2012-01-30 21:30:40 -------- d-----w- C:\Windows\SysWow64\vi-VN
2012-01-30 21:30:40 -------- d-----w- C:\Windows\SysWow64\eu-ES
2012-01-30 21:30:40 -------- d-----w- C:\Windows\SysWow64\ca-ES
2012-01-30 21:30:40 -------- d-----w- C:\Windows\System32\vi-VN
2012-01-30 21:30:40 -------- d-----w- C:\Windows\System32\eu-ES
2012-01-30 21:30:40 -------- d-----w- C:\Windows\System32\ca-ES
2012-01-30 20:44:59 -------- d-----w- C:\Windows\System32\EventProviders
2012-01-30 20:42:10 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-01-30 20:36:22 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:31:48 -------- d-----w- C:\RebateInformer
.
==================== Find3M ====================
.
2011-12-07 16:39:10 279096 ----a-w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 13:35:19.79 ===============


Any help would be greatly appreciated to help get this computer back in tip top shape for my Sister and her husband.

Thanks
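As an added triage example (not code from the post or from the DDS tool), the Python below parses constructed DDS-style lines modelled on the log above and flags the entries a helper would act on first: IFEO entries whose "debugger" is svchost.exe, a logon entry that silently re-imports a .reg file, and a hosts entry sinkholing a security site; the extra LSA notification package is reported for review only, since password-filter DLLs can be legitimate. The regex names, the Finding class and SAMPLE_LOG are mine.

```python
"""Triage helper for DDS "Pseudo HJT Report" lines.

Added example, not code from the forum post or from the DDS tool itself.
It reads the one-entry-per-line format DDS emits (IFEO:, uRun:/mRun:, Hosts:,
LSA:) and flags the patterns a malware-removal helper checks first.
SAMPLE_LOG is constructed to mirror the kinds of lines in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample input in DDS format (not the thread's full log).
SAMPLE_LOG = r"""
uRun: [avgsys] regedit /s "C:\ProgramData\de6342b\4455.reg"
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
LSA: Notification Packages = scecli DPPWDFLT
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe
IFEO-X64: a.exe - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
"""


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = confirm it is expected
    line: str
    reason: str


# Programs that are not debuggers. When an IFEO "Debugger" value names one,
# Windows launches it instead of the target, the target never starts, and the
# "debugger" just exits: a cheap way to keep security tools from running.
NOT_A_DEBUGGER = {"svchost.exe", "cmd.exe", "rundll32.exe"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Only scecli is present in a default LSA Notification Packages value; any
# other entry is a password-filter DLL loaded into lsass and must be justified.
DEFAULT_LSA_PACKAGES = {"scecli"}

IFEO_RE = re.compile(r"^IFEO(?:-X64)?:\s*(?P<target>.+?)\s+-\s+(?P<debugger>\S.*)$")
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(?P<pkgs>.*)$")


def check_line(line):
    """Return a Finding for one DDS line, or None when it is unremarkable."""
    line = line.strip()
    m = IFEO_RE.match(line)
    if m:
        # Debugger may be a bare name or a full path; compare the file name.
        dbg = m.group("debugger").strip().lower().rsplit("\\", 1)[-1]
        if dbg in NOT_A_DEBUGGER:
            return Finding("high", line,
                           f"IFEO for {m.group('target')} redirects launch to {dbg}")
        return Finding("review", line, "IFEO Debugger value is set")
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd").lower()
        # "regedit /s file" at logon silently re-imports registry changes
        # every session, which is how the rogue re-arms its settings.
        if "regedit" in cmd and "/s" in cmd:
            return Finding("high", line,
                           f"logon entry '{m.group('name')}' silently imports a .reg file")
        return None
    m = HOSTS_RE.match(line)
    if m and m.group("ip") in LOOPBACK and m.group("host").lower() != "localhost":
        return Finding("high", line, f"hosts file sinkholes {m.group('host')}")
    m = LSA_RE.match(line)
    if m:
        extra = [p for p in m.group("pkgs").split()
                 if p.lower() not in DEFAULT_LSA_PACKAGES]
        if extra:
            return Finding("review", line,
                           "non-default LSA notification package(s): " + ", ".join(extra))
    return None


def triage(log_text):
    """Run check_line over every line of a DDS log and return the findings."""
    findings = []
    for raw in log_text.splitlines():
        f = check_line(raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```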
 
Hi chiro.j.elliott, welcome to the forum.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


Since you can run normally in safe mode please download and run this tool in safe mode. If it asks to reboot allow it but let it boot back into safe mode and allow it to finish. Once the log is produced save it and boot back to normal windows and post the log.

Please note that while you are in safe mode you will not be able to disable your security programs. That's OK as they will not be running.


Please read through the instructions to familiarize yourself with what to expect when the tool runs.

Please download ComboFix from Link 1 or Link 2 to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs
  • Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

How's the computer now?

Thanks
 
reply

Combofix run!!

Tried booting back to normal Windows after saving the log. Got to the login window, but when I clicked on any of the logons the error occurred just as before.
So I rebooted to safe mode and here I am!!

Here is report.

ComboFix 12-02-11.02 - Ryan 02/11/2012 7:49.1.2 - x64 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3095 [GMT -6:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Common Files\Uninstall
c:\program files (x86)\FilmFanaticEI
c:\program files (x86)\RegTool
c:\program files (x86)\TelevisionFanaticEI
c:\programdata\de6342b
c:\programdata\de6342b\6738.mof
c:\programdata\de6342b\BackUp\Bluetooth.lnk
c:\programdata\de6342b\BackUp\Dell Dock.lnk
c:\programdata\de6342b\BackUp\LimeWire On Startup.lnk
c:\programdata\de6342b\BackUp\QuickSet.lnk
c:\programdata\de6342b\BackUp\wkcalrem.LNK
c:\programdata\de6342b\CUde63.exe
c:\programdata\de6342b\SMAV.ico
c:\programdata\de6342b\SMAVSys\vd952342.bd
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\cb.tmp
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\cid.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\CLSV.tmp
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\eb.tmp
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\FS.exe
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\FS.sys
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\hymt.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\hymt.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\ppal.exe
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\ppal.tmp
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\sld.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\sld.sys
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
c:\users\Ryan\AppData\Roaming\RegTool
c:\users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-29 20-15-130.log
c:\users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-30 18-10-380.log
c:\users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-30 18-35-370.log
c:\users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-30 19-16-080.log
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\filelist.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-0.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-1.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-10.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-11.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-12.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-13.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-14.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-15.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-16.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-17.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-18.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-19.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-2.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-20.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-21.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-22.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-23.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-24.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-25.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-26.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-27.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-28.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-29.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-3.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-30.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-31.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-32.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-33.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-34.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-35.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-36.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-37.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-38.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-39.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-4.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-40.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-41.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-42.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-43.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-44.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-45.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-46.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-47.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-48.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-49.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-5.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-50.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-51.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-52.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-53.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-54.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-55.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-56.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-57.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-58.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-59.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-6.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-60.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-61.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-62.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-63.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-64.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-65.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-66.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-67.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-68.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-7.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-8.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-9.db
c:\users\Ryan\AppData\Roaming\RegTool\Results\Evidence.db
c:\users\Ryan\AppData\Roaming\RegTool\Results\Junk.db
c:\users\Ryan\AppData\Roaming\RegTool\Results\Registry.db
c:\users\Ryan\AppData\Roaming\RegTool\Results\Update.db
c:\windows\system32\DpPwdFlt.dll
c:\windows\SysWow64\drivers\snetcfg.exe
c:\windows\SysWow64\ndisapi.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-11 13:55 . 2012-02-11 13:59 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2012-02-11 13:55 . 2012-02-11 13:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 13:55 . 2012-02-11 13:55 -------- d-----w- c:\users\Becca\AppData\Local\temp
2012-02-11 13:46 . 2012-02-11 13:46 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-02-11 13:46 . 2012-02-11 13:46 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\windows\LastGood.Tmp
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 18:27 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 16:39 . 2010-01-03 04:55 279096 ----a-w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgsys"="regedit" [X]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-19 04:32]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-11 08:04:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-11 14:04
.
Pre-Run: 218,361,942,016 bytes free
Post-Run: 218,094,288,896 bytes free
.
- - End Of File - - 16E86EA5D9BBD022A7162A5BD1DA48E6
 
Hi chiro.j.elliott,

You said the problem occurred after one of the updates. These updates have been identified as a possible source of this problem. Try uninstalling them and see if you can boot to normal windows.

KB933566, KB929123, KB931213, KB905866, KB929762 & KB936825.
 
Hope I did this right! I went to Control Panel > Programs and Features > Installed Updates and then searched for each of those numbers. KB905866 was the only one it found, so I double-clicked it and it supposedly uninstalled. Rebooted to normal Windows with no change in the error, so I'm back in safe mode!!
 
Hi chiro.j.elliott,

This appears to be a permissions issue. How far can you get in normal windows?

In an administrator account, are you able to open Task Manager and click on File > New Task (Run)?

In the window, type cmd then click Browse. You should now be in the C:\Windows\system32 folder. Scroll down and locate cmd.exe, right-click it and click "Run as Administrator".

Let me know if a black command window opens. We may be able to run a couple of commands to try to restore permissions.
 
Well, that's one battle of the war we can win!! I can access Task Manager with Ctrl-Alt-Del and now have the cmd window up and running on the computer!!

Next??
 
Hi

Type each of these lines, hitting enter after each one.

Note there is a space after CACLS, a space after .dll, a space after /E, a space after /G

CACLS %systemroot%\System32\*.dll /E /G BUILTIN\Users:R

CACLS %systemroot%\System32\*.ocx /E /G BUILTIN\Users:R


Reboot the computer when done.
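As an added example (not from this thread), here is a read-only PowerShell audit of the condition those two CACLS lines repair: it lists the System32 DLL/OCX files on which BUILTIN\Users does not hold read access, so you can see what is wrong before granting anything and confirm the fix after the reboot. It assumes only the default %SystemRoot%\System32 location and an elevated PowerShell 2.0 or later; it changes nothing.

```powershell
# Added example, not from the thread: audit which DLL/OCX files in System32
# lack the BUILTIN\Users read access that the two CACLS lines above grant.
# Read-only. Run in an elevated PowerShell (2.0 or later). The only path
# assumed is $env:SystemRoot\System32.

$usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users, locale-independent
$readBits = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
            [System.Security.AccessControl.FileSystemRights]::ReadAttributes

function Get-AceSid($ace) {
    # Map an ACE identity (NTAccount or raw SID) to a SecurityIdentifier; $null if it cannot be resolved
    try { return $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return $null }
}

function Test-UsersCanRead([string]$path) {
    # $true when BUILTIN\Users has an Allow ACE carrying the read bits and no Deny ACE removing them
    $acl   = Get-Acl -Path $path
    $allow = $false
    foreach ($ace in $acl.Access) {
        $sid = Get-AceSid $ace
        if ($null -eq $sid -or $sid -ne $usersSid) { continue }
        # Generic rights (GENERIC_READ etc.) are not expanded here; they are unusual on System32 files
        $overlap = [int]$ace.FileSystemRights -band [int]$readBits
        if ($ace.AccessControlType -eq 'Deny'  -and $overlap -ne 0)              { return $false }
        if ($ace.AccessControlType -eq 'Allow' -and $overlap -eq [int]$readBits) { $allow = $true }
    }
    return $allow
}

$sys32   = Join-Path $env:SystemRoot 'System32'
$targets = @(Get-ChildItem -Path (Join-Path $sys32 '*') -Include *.dll, *.ocx -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer })

$missing = @()
foreach ($f in $targets) {
    try {
        if (-not (Test-UsersCanRead $f.FullName)) { $missing += $f.FullName }
    } catch {
        # Get-Acl itself failed (for example the caller lacks READ_CONTROL); report it rather than skip it
        $missing += ($f.FullName + '  [Get-Acl failed: ' + $_.Exception.Message + ']')
    }
}

"{0} of {1} DLL/OCX files in {2} do not grant BUILTIN\Users read access" -f $missing.Count, $targets.Count, $sys32
$missing
```

Run it once before and once after the CACLS commands and reboot; the second run should report zero files.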
 
Hi chiro.j.elliott,

Let's make sure combofix removed all of the rogue.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

Code:
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgsys"=-

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

CFScriptB-4.gif




Next

You need to use safe mode with networking so the database can be updated.

Download and save to your desktop Malwarebytes Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Next

I need you to submit a file for analysis.

To submit a file to virustotal, please click on this link

VirusTotal

Copy and paste the following into the Choose File box (you can also use the Choose File button to navigate to the file). Note the file path may look like 2 paths, but it is one path.

C:\Qoobox\Quarantine\C\WINDOWS\system32\DpPwdFlt.dll.vir



Scroll down a bit and click "Scan it", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.

Please post back with the
  • combofix log
  • MBAM log
  • VirusTotal results
 
2 of 2 accomplished

Task 1 completed:
However, I noticed when I clicked and dragged the file into ComboFix I was not able to select "Run as admin", but other than that it ran and said it deleted the file. Rebooted to safe mode to get the report; here it is!

ComboFix 12-02-11.02 - Ryan 02/12/2012 13:21:39.1.2 - x64 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3361 [GMT -6:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\users\Ryan\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\DpPwdFlt.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-12 19:28 . 2012-02-12 19:31 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2012-02-12 19:28 . 2012-02-12 19:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-12 19:28 . 2012-02-12 19:28 -------- d-----w- c:\users\Becca\AppData\Local\temp
2012-02-11 13:46 . 2012-02-11 21:22 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-02-11 13:46 . 2012-02-11 21:22 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 18:27 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 16:39 . 2010-01-03 04:55 279096 ----a-w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-19 04:32]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-12 13:37:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-12 19:37
ComboFix2.txt 2012-02-11 14:04
.
Pre-Run: 217,970,937,856 bytes free
Post-Run: 217,764,872,192 bytes free
.
- - End Of File - - 6CB009C7319ABC98610E80ADFECF89BC





Task #2 completed: downloaded, run, and rebooted, all in safe mode!


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.12.05

Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.19088
Ryan :: RYAN-PC [administrator]

2/12/2012 1:48:12 PM
mbam-log-2012-02-12 (13-48-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205216
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99b340f7-76e0-44ab-9948-b95a1b475d39} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d09094b3-b426-4f16-a6d9-e211fe222127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\Environment|AVAPP (Rogue.PersonalAntiVirus) -> Data: C:\Program Files (x86)\PersonalAV -> Quarantined and deleted successfully.
HKCU\Environment|AVUNINST (Rogue.PersonalAntiVirus) -> Data: C:\Program Files (x86)\Common Files\Uninstall\PersonalAV\Uninstall.lnk -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

TASK #3 - unable to perform

Tried to copy the file name into the site and it never would let me paste it; I couldn't even click in the search box, nor would it let me click on Browse!! Does it have to do with me being in safe mode??? I tried searching my computer for that file just to see if I could find it and drag it, but my computer search didn't find that name!!!

Hope I did everything right, and I just want to say thank you sooo much for your help sooo far!!

Chiro
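The ComboFix logs above list DPPWDFLT next to scecli under the LSA "Notification Packages" value, and the CFScript run deleted c:\windows\system32\DpPwdFlt.dll. As an added example (not from this thread), this read-only PowerShell check enumerates that value and reports, for each registered package, whether its DLL is still present in System32, what its embedded version resource says it is (CompanyName, OriginalFilename), and its Authenticode status; the only assumptions are the standard Lsa registry path and %SystemRoot%\System32.

```powershell
# Added example, not from the thread. Read-only audit of the LSA
# "Notification Packages" value: every name listed there is a DLL that
# LSASS loads from System32 at boot, so a stale or unexpected entry is
# worth verifying after a cleanup. Assumes only the standard registry
# path and $env:SystemRoot\System32.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-NotificationPackageReport {
    # Returns one object per package name registered in the REG_MULTI_SZ value
    $value = Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop
    $names = @($value.'Notification Packages')
    foreach ($name in $names) {
        if ([string]::IsNullOrEmpty($name)) { continue }
        # LSA appends .dll when the entry carries no extension (e.g. "scecli", "DPPWDFLT")
        $file = $name
        if ($name -notmatch '\.dll$') { $file = $name + '.dll' }
        $path = Join-Path $system32 $file
        $r = New-Object PSObject -Property @{
            Package          = $name
            Path             = $path
            Exists           = (Test-Path -Path $path -PathType Leaf)
            CompanyName      = ''
            OriginalFilename = ''
            Signature        = 'n/a'
        }
        if ($r.Exists) {
            # Embedded version resource: the same fields a VirusTotal/ExifTool report shows,
            # so an on-disk name that disagrees with OriginalFilename stands out here
            $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
            $r.CompanyName      = $vi.CompanyName
            $r.OriginalFilename = $vi.OriginalFilename
            # Caveat: Windows' own DLLs are usually catalog-signed, which
            # Get-AuthenticodeSignature only validates on PowerShell 5.1+/Windows 10;
            # on Vista/7 a genuine scecli.dll reports NotSigned here.
            $r.Signature = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }
        $r
    }
}

Get-NotificationPackageReport | Format-Table Package, Exists, CompanyName, OriginalFilename, Signature -AutoSize
```

An entry whose file no longer exists (as DPPWDFLT would be after the deletion) is harmless to LSASS but should be removed from the value so the load point does not linger.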
 
Hi chiro.j.elliott,

I'm not sure why safe mode would make any difference. Try submitting it to VirSCAN.org FREE on-line scan service

If that doesn't work:

The file should be in the ComboFix quarantine folder. Open Windows Explorer and navigate to the C:\ drive. Open the Qoobox folder and expand the paths until you reach the file:

C:\Qoobox\Quarantine\C\WINDOWS\system32\DpPwdFlt.dll.vir

If it's not too big, try zipping it and attaching it to your reply. I'll submit it.
 
C:\Qoobox\Quarantine\C\WINDOWS\
is as far as I can get in your chain. "SysWOW64" is the only folder in the WINDOWS folder; there is no system32 folder there!!!
 
And VirSCAN.org does the same thing to me when I try to input anything into the scan box!! Won't let me type anything, and the Browse button won't open any new windows or anything.
 
Antivirus Result Update
nProtect - 20120212
CAT-QuickHeal - 20120212
McAfee - 20120212
K7AntiVirus - 20120211
TheHacker - 20120212
VirusBuster - 20120212
NOD32 - 20120213
F-Prot - 20120213
Symantec - 20120213
Norman - 20120212
ByteHero - 20120211
TrendMicro-HouseCall - 20120213
Avast - 20120212
eSafe Win32.TrojanHorse 20120212
ClamAV - 20120212
Kaspersky - 20120213
BitDefender - 20120212
SUPERAntiSpyware - 20120206
Sophos - 20120212
Comodo - 20120212
F-Secure - 20120212
DrWeb - 20120213
VIPRE - 20120212
AntiVir - 20120212
TrendMicro - 20120212
McAfee-GW-Edition - 20120212
Emsisoft - 20120213
eTrust-Vet - 20120211
Jiangmin - 20120212
Antiy-AVL - 20120211
Microsoft - 20120212
ViRobot - 20120212
Prevx - 20120213
GData - 20120212
Commtouch - 20120213
AhnLab-V3 - 20120212
VBA32 - 20120210
PCTools - 20120207
Rising - 20120210
Ikarus - 20120212
Fortinet - 20120213
AVG - 20120213
Panda - 20120
 
Don't know what all this is, but it was under additional info. If you have any questions I'll do my best to explain!!



ssdeep
768:eQlw1kB2Q553vAREHe+TMVGUcyIxz7BnNgIdloCo3Zj:eh1HQ55IavTmBIxH1CIXo3Zj
TrID
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEiD packer identifier
Armadillo v1.xx - v2.xx
ExifTool

CodeSize.................: 28672
FileDescription..........: ndisapi
Comments.................: NDISRD IOCTL wrapper DLL
InitializedDataSize......: 32768
ImageVersion.............: 0.0
ProductName..............: Windows Packet Filter Kit
FileVersionNumber........: 3.0.5.1
LanguageCode.............: Neutral
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 6.0
OriginalFilename.........: ndisapi.dll
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 3, 0, 5, 1
TimeStamp................: 2009:05:14 10:58:01+01:00
FileType.................: Win32 DLL
PEType...................: PE32
InternalName.............: ndisapi
SubsystemVersion.........: 4.0
ProductVersion...........: 3, 0, 5, 1
UninitializedDataSize....: 0
OSVersion................: 4.0
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Copyright NT Kernel Resources 2000-2009
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: NT Kernel Resources
LegalTrademarks..........: WinpkFilter
FileSubtype..............: 0
ProductVersionNumber.....: 3.0.5.1
EntryPoint...............: 0x3957
ObjectFileType...........: Dynamic link library

Sigcheck

publisher................: NT Kernel Resources
product..................: Windows Packet Filter Kit
internal name............: ndisapi
copyright................: Copyright (c) NT Kernel Resources 2000-2009
original name............: ndisapi.dll
comments.................: NDISRD IOCTL wrapper DLL
file version.............: 3, 0, 5, 1
description..............: ndisapi

Portable Executable structural information

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 25546 28672 6.11 db375aa2e42d98e9e02228409aa678ac
.rdata 32768 6416 8192 4.83 492b2072f94cf3a8ae72ad4c4eb1ad3e
.data 40960 13196 12288 1.13 d7a59ed881b25743a8a59683569758ea
.rsrc 57344 1016 4096 1.06 8758de4a8955c8ed01cca3d3d59b817f
.reloc 61440 3502 4096 3.47 5aa43948033a15270f67e9bca1ff39e1

PE Imports....................:

ADVAPI32.dll
RegEnumKeyExA, RegQueryValueExA, RegCreateKeyA, RegSetValueExA, RegCloseKey, RegOpenKeyExA

KERNEL32.dll
DeviceIoControl, FreeLibrary, LoadLibraryA, CloseHandle, GetLastError, ResetEvent, CreateFileA, CreateEventA, GetVersionExA, GetModuleHandleA, GetProcAddress, WaitForSingleObject, GetCurrentProcess, HeapFree, HeapAlloc, GetCommandLineA, GetVersion, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, ExitProcess, RtlUnwind, InterlockedDecrement, InterlockedIncrement, TerminateProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, WriteFile, GetCPInfo, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetACP, GetOEMCP, GetStringTypeA, GetStringTypeW


PE Exports....................:

A, U, _, E, T, H, _, R, E, Q, U, E, S, T, @, @, @, Z, ,, , _, S, e, n, d, P, a, c, k, e, t, s, T, o, A, d, a, p, t, e, r, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, E, T, H, _, M, _, R, E, Q, U, E, S, T, @, @, @, Z, ,, , _, S, e, n, d, P, a, c, k, e, t, s, T, o, M, s, t, c, p, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, E, T, H, _, M, _, R, E, Q, U, E, S, T, @, @, @, Z, ,, , _, S, e, t, A, d, a, p, t, e, r, L, i, s, t, C, h, a, n, g, e, E, v, e, n, t, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, @, Z, ,, , _, S, e, t, A, d, a, p, t, e, r, M, o, d, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, A, D, A, P, T, E, R, _, M, O, D, E, @, @, @, Z, ,, , _, S, e, t, A, d, a, p, t, e, r, s, S, t, a, r, t, u, p, M, o, d, e, @, C, N, d, i, s, A, p, i, @, @, S, A, H, K, @, Z, ,, , _, S, e, t, H, w, P, a, c, k, e, t, F, i, l, t, e, r, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, K, @, Z, ,, , _, S, e, t, M, T, U, D, e, c, r, e, m, e, n, t, @, C, N, d, i, s, A, p, i, @, @, S, A, H, K, @, Z, ,, , _, S, e, t, P, a, c, k, e, t, E, v, e, n, t, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, 0, @, Z, ,, , _, S, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, S, T, A, T, I, C, _, F, I, L, T, E, R, _, T, A, B, L, E, @, @, @, Z, ,, , _, S, e, t, W, A, N, E, v, e, n, t, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, @, Z, ,, , C, l, o, s, e, F, i, l, t, e, r, D, r, i, v, e, r, ,, , C, o, n, v, e, r, t, W, i, n, d, o, w, s, 2, 0, 0, 0, A, d, a, p, t, e, r, N, a, m, e, ,, , C, o, n, v, e, r, t, W, i, n, d, o, w, s, 9, x, A, d, a, p, t, e, r, N, a, m, e, ,, , C, o, n, v, e, r, t, W, i, n, d, o, w, s, N, T, A, d, a, p, t, e, r, N, a, m, e, ,, , F, l, u, s, h, A, d, a, p, t, e, r, P, a, c, k, e, t, Q, u, e, u, e, ,, , G, e, t, A, d, a, p, t, e, r, M, o, d, e, ,, , G, e, t, A, d, a, p, t, e, r, P, a, c, k, e, t, Q, u, e, u, e, S, i, z, e, ,, , G, e, t, A, d, 
a, p, t, e, r, s, S, t, a, r, t, u, p, M, o, d, e, ,, , G, e, t, B, y, t, e, s, R, e, t, u, r, n, e, d, ,, , G, e, t, D, r, i, v, e, r, V, e, r, s, i, o, n, ,, , G, e, t, H, w, P, a, c, k, e, t, F, i, l, t, e, r, ,, , G, e, t, M, T, U, D, e, c, r, e, m, e, n, t, ,, , G, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, ,, , G, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, R, e, s, e, t, S, t, a, t, s, ,, , G, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, S, i, z, e, ,, , G, e, t, R, a, s, L, i, n, k, s, ,, , G, e, t, T, c, p, i, p, B, o, u, n, d, A, d, a, p, t, e, r, s, I, n, f, o, ,, , I, s, D, r, i, v, e, r, L, o, a, d, e, d, ,, , N, d, i, s, r, d, R, e, q, u, e, s, t, ,, , O, p, e, n, F, i, l, t, e, r, D, r, i, v, e, r, ,, , R, e, a, d, P, a, c, k, e, t, ,, , R, e, a, d, P, a, c, k, e, t, s, ,, , R, e, s, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, ,, , S, e, n, d, P, a, c, k, e, t, T, o, A, d, a, p, t, e, r, ,, , S, e, n, d, P, a, c, k, e, t, T, o, M, s, t, c, p, ,, , S, e, n, d, P, a, c, k, e, t, s, T, o, A, d, a, p, t, e, r, ,, , S, e, n, d, P, a, c, k, e, t, s, T, o, M, s, t, c, p, ,, , S, e, t, A, d, a, p, t, e, r, L, i, s, t, C, h, a, n, g, e, E, v, e, n, t, ,, , S, e, t, A, d, a, p, t, e, r, M, o, d, e, ,, , S, e, t, A, d, a, p, t, e, r, s, S, t, a, r, t, u, p, M, o, d, e, ,, , S, e, t, H, w, P, a, c, k, e, t, F, i, l, t, e, r, ,, , S, e, t, M, T, U, D, e, c, r, e, m, e, n, t, ,, , S, e, t, P, a, c, k, e, t, E, v, e, n, t, ,, , S, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, ,, , S, e, t, W, A, N, E, v, e, n, t

First seen by VirusTotal
2009-06-05 12:08:22 UTC ( 2 years, 8 months ago )
Last seen by VirusTotal
2012-02-13 01:45:53 UTC ( 6 minutes ago )
File names (max. 25)

ndisapi.dll.vir
FE4C4F2696C7EF01FB5FC87B3E71D639
ndisapi.dll
 
Hi chiro.j.elliott,

How did you manage to get the file scanned?

Looks like a false positive so we'll restore the file.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

Code:
DEQUARANTINE::
C:\Qoobox\Quarantine\C\WINDOWS\SysWOW64\DpPwdFlt.dll.vir

QUIT::

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

CFScriptB-4.gif


A notepad will open called DeQuarantine.txt. Please post its contents.
 
The file was in the syswow64 folder, so I just clicked and dragged it to the scan bar on the website.

Here is the latest log!!

ComboFix 12-02-11.02 - Ryan 02/13/2012 11:31:40.1.2 - x64 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3393 [GMT -6:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\users\Ryan\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\DpPwdFlt.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))
.
.
2012-02-13 17:38 . 2012-02-13 17:50 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2012-02-13 17:38 . 2012-02-13 17:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-13 17:38 . 2012-02-13 17:38 -------- d-----w- c:\users\Becca\AppData\Local\temp
2012-02-12 19:47 . 2012-02-12 19:47 -------- d-----w- c:\users\Ryan\AppData\Roaming\Malwarebytes
2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\programdata\Malwarebytes
2012-02-12 19:46 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 13:46 . 2012-02-11 21:22 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-02-11 13:46 . 2012-02-11 21:22 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 18:27 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 16:39 . 2010-01-03 04:55 279096 ----a-w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-01-13 1081416]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-19 04:32]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-13 11:55:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-13 17:55
ComboFix2.txt 2012-02-12 19:37
ComboFix3.txt 2012-02-11 14:04
.
Pre-Run: 217,579,298,816 bytes free
Post-Run: 217,559,085,056 bytes free
.
- - End Of File - - 655FE6BC24362D8248B22853071E5EE0
 
Hi chiro.j.elliott,

ComboFix should not have run a full run with that CFScript.

Please post the contents of this file:

C:\Qoobox\ComboFix-quarantined-files.txt
 