Security Center won't let AV load or run


dBrett
It started with the Security Center pop ups. (I wasn't smart enough to clean or research)

Then the computer started locking up, more pop ups. It is a Dell desktop with Windows XP.

I attempted to reload a new version of Mcafee (thinking the old one was out of date and the new install would take care of the problem). It allowed the process to remove the old version, then knocked the pc offline and rebooted.

It has gotten progressively worse since. Normal starts lock up immediately. I can run in Safe mode. I have attempted to install Malware, Avira and HiJack both to the machine and to a flash. The virus stops the download. I changed the load file to a different name, with no luck.

I am able to run sysinternals.exe (loaded as winlogon.exe) from a flash. There is a file "ctfmon.exe" that loads. If I kill this file I am able to work longer in safe, think this is part of the virus. In time it will lock up the machine regardless if that file is running. During the last attempt to load Hijack I noticed when it locked up the machine a file "net.exe" loaded momentarily, knocked the internet off and locked the machine up.

By running sysinternals and killing the ctfmon.exe file I was able to get Malware to load by naming the .exe file a different name. It ran for 3 seconds and stopped. Now the file is blocked. I reloaded using the same method and a different .exe name with the same results.

I can get to the internet in Safe mode and using sysinternals, just can't do much.

I have no log files as I can't get anything loaded or running.

Any help is appreciated. I am on a different PC now.

Welcome to Malwarebytes!!!! :huh:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

So far so good. I will wait to hear before doing anything. Hope this is what you wanted me to post.

Hijack This Log is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:39:12 PM, on 9/9/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\CASIO\Photo Loader\Plauto.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: (no name) - {7b219a14-89a5-4576-8f2c-5ffa67034341} - C:\WINDOWS\system32\gamibuyo.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [newahisore] Rundll32.exe "C:\WINDOWS\system32\hemokelu.dll",s

O4 - HKLM\..\Run: [dedafonin] Rundll32.exe "c:\windows\system32\visefiti.dll",a

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: I-News.lnk = C:\Program Files\Common Files\I-News\TrueWeather.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212904530769

O20 - AppInit_DLLs: C:\WINDOWS\system32\vimopihu.dll c:\windows\system32\visefiti.dll

O21 - SSODL: nuwapazef - {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll

O21 - SSODL: muhelivuy - {de03c493-f3c9-4354-9748-6c87929343cd} - c:\windows\system32\visefiti.dll

O22 - SharedTaskScheduler: kupuhivus - {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll

O22 - SharedTaskScheduler: kupuhivus - {de03c493-f3c9-4354-9748-6c87929343cd} - c:\windows\system32\visefiti.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 9925 bytes

ComboFix.txt file is:

ComboFix 09-09-09.04 - Mom & Dad 09/09/2009 18:20.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1690 [GMT -5:00]

Running from: c:\documents and settings\Mom & Dad\Desktop\Combo-Fix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\blyuwrjl.exe

c:\documents and settings\All Users\Application Data\11091564

c:\documents and settings\All Users\Application Data\11091564\11091564

c:\documents and settings\All Users\Application Data\11091564\11091564.exe

c:\documents and settings\All Users\Application Data\11091564\pc11091564ins

C:\fyblb.exe

c:\program files\AdvancedVirusRemover

c:\program files\AdvancedVirusRemover\PAVRM.exe

c:\program files\Protection System

c:\program files\Protection System\xcoreext.xxx

c:\windows\braviax.exe

c:\windows\cru629.dat

c:\windows\Installer\59bedb7.msp

c:\windows\Installer\WinRMSrv.msi

c:\windows\msa.exe

c:\windows\run.log

c:\windows\system32\~.exe

c:\windows\system32\besenije.dll

c:\windows\system32\braviax.exe

c:\windows\system32\cru629.dat

c:\windows\system32\Data

c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\fad.sys

c:\windows\system32\drivers\UACyvyxumoqbo.sys

c:\windows\system32\dutimode.dll

c:\windows\system32\hupabubi.exe

c:\windows\system32\letuyami.dll

c:\windows\system32\lovebudo.exe

c:\windows\system32\msxml71.dll

c:\windows\system32\net.net

c:\windows\system32\UACabwrrtlrqn.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjupfaqutlp.dll

c:\windows\system32\UACoewndptltx.dat

c:\windows\system32\UACoinwvcrdyi.dll

c:\windows\system32\UACrgomhfuxdu.dll

c:\windows\system32\vimopihu.dll

c:\windows\system32\voyuwuzo.dll

c:\windows\system32\wingenocx.dll

c:\windows\system32\winhelper.dll

c:\windows\system32\winupdate.exe

c:\windows\system32\wisdstr.exe

C:\xvhu.exe

F:\winlogon.exe

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected

Restored copy from - c:\i386\BEEP.SYS

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))

.

2009-09-08 23:31 . 2009-09-08 23:31 -------- d-----w- c:\program files\Trend Micro

2009-09-08 01:43 . 2009-09-08 01:43 -------- d-----w- C:\dbsII

2009-09-08 01:05 . 2009-09-08 01:05 -------- d-----w- c:\documents and settings\Mom & Dad\Application Data\Malwarebytes

2009-09-08 00:36 . 2009-09-08 00:40 -------- d-----w- C:\dbs

2009-09-08 00:05 . 2009-09-08 00:27 -------- d-----w- C:\dbsmalware

2009-09-07 18:28 . 2009-09-07 18:29 -------- d-----w- C:\Malwarebytes

2009-09-07 17:50 . 2009-09-07 18:25 -------- d-----w- C:\Malwarebytes' Anti-Malware

2009-09-06 23:09 . 2009-09-08 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-06 22:43 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 22:43 . 2009-09-07 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 22:43 . 2009-09-06 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-06 22:43 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-02 23:37 . 2009-07-08 18:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-01 22:04 . 2009-09-01 22:04 -------- d-----w- c:\documents and settings\Mom & Dad\.jagex_cache_32

2009-09-01 21:45 . 2009-09-01 21:45 -------- d-----w- C:\.jagex_cache_32

2009-09-01 21:40 . 2009-09-01 22:44 34 ----a-w- c:\documents and settings\Mom & Dad\jagex_runescape_preferences.dat

2009-09-01 21:40 . 2009-09-01 21:42 -------- d-----w- c:\windows\.jagex_cache_32

2009-09-01 19:43 . 2009-09-01 19:43 -------- d-----w- C:\spoolerlogs

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\MSBuild

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\Reference Assemblies

2009-08-22 08:04 . 2009-08-22 08:04 -------- d-----w- C:\1b59bdf808ae6faf0bfbe51c

2009-08-22 08:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-22 08:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-19 22:13 . 2009-08-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2009-08-11 21:02 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-09 23:15 . 2004-08-04 10:00 56320 ----a-w- c:\windows\system32\eventlog.dll

2009-09-08 23:53 . 2009-06-08 23:53 88576 --sha-w- c:\windows\system32\miluduri.dll

2009-09-07 16:34 . 2009-06-07 16:34 88576 --sha-w- c:\windows\system32\visefiti.dll

2009-09-06 22:33 . 2009-06-06 22:33 50176 --sha-w- c:\windows\system32\toyipugu.dll

2009-09-06 22:33 . 2009-06-06 22:33 88576 --sha-w- c:\windows\system32\nawodogi.dll

2009-09-02 23:36 . 2006-11-23 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-02 14:24 . 2009-06-02 14:24 89088 --sha-w- c:\windows\system32\firupifo.dll

2009-08-24 03:18 . 2007-05-29 12:07 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-23 16:22 . 2005-11-07 00:49 -------- d-----w- c:\program files\Google

2009-08-20 20:19 . 2008-08-29 20:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 23:47 . 2007-09-07 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-29 12:47 . 2007-09-07 22:42 -------- d-----w- c:\program files\Apple Software Update

2009-07-18 05:15 . 2008-08-04 02:52 -------- d-----w- c:\program files\Safari

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\program files\iTunes

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-18 05:12 . 2006-11-23 23:01 -------- d-----w- c:\program files\iPod

2009-07-18 05:12 . 2007-09-07 22:41 -------- d-----w- c:\program files\Common Files\Apple

2009-07-18 05:10 . 2009-07-18 05:09 -------- d-----w- c:\program files\QuickTime

2009-07-18 05:02 . 2009-07-18 05:02 -------- d-----w- c:\program files\Bonjour

2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 10:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-07-18 05:05 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2007-09-07 22:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-08 18:44 . 2009-07-08 18:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-06-29 16:12 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2004-08-04 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\gamibuyo.dll

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\hemokelu.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b219a14-89a5-4576-8f2c-5ffa67034341}]

2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\gamibuyo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]

"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-14 339968]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 212992]

"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"LyraHD2TrayApp"="c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2005-04-01 290816]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-31 135168]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-31 53248]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"newahisore"="c:\windows\system32\hemokelu.dll" [2009-06-06 50176]

"dedafonin"="c:\windows\system32\visefiti.dll" [2009-09-07 88576]

"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2004-06-10 60928]

c:\documents and settings\Mom & Dad\Start Menu\Programs\Startup\

palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-9 2355200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

I-News.lnk - c:\program files\Common Files\I-News\TrueWeather.exe [2005-5-5 5785600]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2005-12-12 229376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{08d28c3b-63e2-4167-b1c8-151e82f69af4}"= "c:\windows\system32\visefiti.dll" [2009-09-07 88576]

"{de03c493-f3c9-4354-9748-6c87929343cd}"= "c:\windows\system32\visefiti.dll" [2009-09-07 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"nuwapazef"= {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll [2009-09-07 88576]

"muhelivuy"= {de03c493-f3c9-4354-9748-6c87929343cd} - c:\windows\system32\visefiti.dll [2009-09-07 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\I-News\\TrueWeather.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

"c:\\WINDOWS\\explorer.exe"=

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\SYSTEM32\DRIVERS\ScreamingBAudio.sys [3/27/2009 2:23 PM 23064]

S2 erazdbv;erazdbv;c:\windows\system32\drivers\brgpnhwn.sys --> c:\windows\system32\drivers\brgpnhwn.sys [?]

S2 oislzu;oislzu;c:\windows\system32\drivers\ixqjpuj.sys --> c:\windows\system32\drivers\ixqjpuj.sys [?]

S2 wscxjko;wscxjko;c:\windows\system32\drivers\dgbiczy.sys --> c:\windows\system32\drivers\dgbiczy.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-09 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: turbotax.com

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-net - c:\windows\system32\net.net

HKLM-Run-11091564 - c:\documents and settings\All Users\Application Data\11091564\11091564.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-09 18:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3404)

c:\windows\system32\WININET.dll

c:\windows\system32\hemokelu.dll

c:\windows\system32\visefiti.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ati2evxx.exe

c:\windows\SYSTEM32\rundll32.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\SYSTEM32\BAsfIpM.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\SYSTEM32\CTSVCCDA.EXE

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

c:\windows\SYSTEM32\wdfmgr.exe

c:\windows\SYSTEM32\MsPMSPSv.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Java\jre1.5.0_08\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2009-09-09 18:36 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-09 23:36

Pre-Run: 83,791,810,560 bytes free

Post-Run: 85,529,587,712 bytes free

273 --- E O F --- 2009-09-02 02:53

Still infected unfortunately.

ComboFix will prompt you to upload a file for analysis. Let me know if any issues come up. Thanks

Download the attached file CFScript.txt to your Desktop

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:

Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this computer only!!!!

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

CFScript.txt

I copied the CFScript.txt to my desktop. Dropped it on the ComboFix icon. It updated a file, opened ComboFix, had a screen about a non-affiliation with other ComboFix websites, opened a blue ComboFix box that reads "Please Wait Combofix is preparing to run". Then nothing happened. In the past there was a yellow blinking cursor in the blue box that let you know it was running, nothing there now. I waited for 90 minutes or so, then had to run back to work.

Let me know if I did something incorrect and I can try again. Thanks for the help.

...I tried one more time after I posted, no success...and it started. It has not given me a message box after it ran. Here is the ComboFix file:

ComboFix 09-09-09.09 - Mom & Dad 09/10/2009 12:47.4.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1586 [GMT -5:00]

Running from: c:\documents and settings\Mom & Dad\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Mom & Dad\Desktop\CFScript.txt.url

.

((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))

.

2009-09-08 23:31 . 2009-09-08 23:31 -------- d-----w- c:\program files\Trend Micro

2009-09-08 01:43 . 2009-09-08 01:43 -------- d-----w- C:\dbsII

2009-09-08 01:05 . 2009-09-08 01:05 -------- d-----w- c:\documents and settings\Mom & Dad\Application Data\Malwarebytes

2009-09-08 00:36 . 2009-09-08 00:40 -------- d-----w- C:\dbs

2009-09-08 00:05 . 2009-09-08 00:27 -------- d-----w- C:\dbsmalware

2009-09-07 18:28 . 2009-09-07 18:29 -------- d-----w- C:\Malwarebytes

2009-09-07 17:50 . 2009-09-07 18:25 -------- d-----w- C:\Malwarebytes' Anti-Malware

2009-09-06 23:09 . 2009-09-08 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-06 22:43 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 22:43 . 2009-09-07 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 22:43 . 2009-09-06 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-06 22:43 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-02 23:37 . 2009-07-08 18:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-01 22:04 . 2009-09-01 22:04 -------- d-----w- c:\documents and settings\Mom & Dad\.jagex_cache_32

2009-09-01 21:45 . 2009-09-01 21:45 -------- d-----w- C:\.jagex_cache_32

2009-09-01 21:40 . 2009-09-01 22:44 34 ----a-w- c:\documents and settings\Mom & Dad\jagex_runescape_preferences.dat

2009-09-01 21:40 . 2009-09-01 21:42 -------- d-----w- c:\windows\.jagex_cache_32

2009-09-01 19:43 . 2009-09-01 19:43 -------- d-----w- C:\spoolerlogs

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\MSBuild

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\Reference Assemblies

2009-08-22 08:04 . 2009-08-22 08:04 -------- d-----w- C:\1b59bdf808ae6faf0bfbe51c

2009-08-22 08:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-22 08:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-19 22:13 . 2009-08-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2009-08-11 21:02 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-10 16:47 . 2009-06-10 16:47 49664 --sha-w- c:\windows\system32\tigefeki.dll

2009-09-10 16:47 . 2009-06-10 16:47 89088 --sha-w- c:\windows\system32\tenugizu.dll

2009-09-09 23:15 . 2004-08-04 10:00 56320 ------w- c:\windows\system32\eventlog.dll

2009-09-08 23:53 . 2009-06-08 23:53 88576 --sha-w- c:\windows\system32\miluduri.dll

2009-09-07 16:34 . 2009-06-07 16:34 88576 --sha-w- c:\windows\system32\visefiti.dll

2009-09-06 22:33 . 2009-06-06 22:33 50176 --sha-w- c:\windows\system32\toyipugu.dll

2009-09-06 22:33 . 2009-06-06 22:33 88576 --sha-w- c:\windows\system32\nawodogi.dll

2009-09-02 23:36 . 2006-11-23 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-02 14:24 . 2009-06-02 14:24 89088 --sha-w- c:\windows\system32\firupifo.dll

2009-08-24 03:18 . 2007-05-29 12:07 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-23 16:22 . 2005-11-07 00:49 -------- d-----w- c:\program files\Google

2009-08-20 20:19 . 2008-08-29 20:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 23:47 . 2007-09-07 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-29 12:47 . 2007-09-07 22:42 -------- d-----w- c:\program files\Apple Software Update

2009-07-18 05:15 . 2008-08-04 02:52 -------- d-----w- c:\program files\Safari

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\program files\iTunes

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-18 05:12 . 2006-11-23 23:01 -------- d-----w- c:\program files\iPod

2009-07-18 05:12 . 2007-09-07 22:41 -------- d-----w- c:\program files\Common Files\Apple

2009-07-18 05:10 . 2009-07-18 05:09 -------- d-----w- c:\program files\QuickTime

2009-07-18 05:02 . 2009-07-18 05:02 -------- d-----w- c:\program files\Bonjour

2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 10:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-07-18 05:05 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2007-09-07 22:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-08 18:44 . 2009-07-08 18:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-06-29 16:12 . 2004-08-04 10:00 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\gamibuyo.dll.tmp

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\hemokelu.dll.tmp

2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vimuvayo.dll

2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vovugesi.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_23.32.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-10 16:47 . 2009-09-10 16:47 16384 c:\windows\Temp\Perflib_Perfdata_abc.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b219a14-89a5-4576-8f2c-5ffa67034341}]

2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vimuvayo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]

"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-14 339968]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 212992]

"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"LyraHD2TrayApp"="c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2005-04-01 290816]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-31 135168]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-31 53248]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"dedafonin"="c:\windows\system32\visefiti.dll" [2009-09-07 88576]

"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2004-06-10 60928]

"newahisore"="vovugesi.dll" - c:\windows\SYSTEM32\vovugesi.dll [2009-06-10 49664]

c:\documents and settings\Mom & Dad\Start Menu\Programs\Startup\

palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-9 2355200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

I-News.lnk - c:\program files\Common Files\I-News\TrueWeather.exe [2005-5-5 5785600]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2005-12-12 229376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{08d28c3b-63e2-4167-b1c8-151e82f69af4}"= "c:\windows\system32\visefiti.dll" [2009-09-07 88576]

"{04dc3765-f487-46ed-8b0b-8340f0fd4e7a}"= "c:\windows\system32\visefiti.dll" [2009-09-07 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"nuwapazef"= {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll [2009-09-07 88576]

"zasezokik"= {04dc3765-f487-46ed-8b0b-8340f0fd4e7a} - c:\windows\system32\tenugizu.dll [2009-09-10 89088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\I-News\\TrueWeather.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"=

"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=

"c:\\WINDOWS\\SYSTEM32\\wscntfy.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\SYSTEM32\DRIVERS\ScreamingBAudio.sys [3/27/2009 2:23 PM 23064]

S2 erazdbv;erazdbv;c:\windows\system32\drivers\brgpnhwn.sys --> c:\windows\system32\drivers\brgpnhwn.sys [?]

S2 oislzu;oislzu;c:\windows\system32\drivers\ixqjpuj.sys --> c:\windows\system32\drivers\ixqjpuj.sys [?]

S2 wscxjko;wscxjko;c:\windows\system32\drivers\dgbiczy.sys --> c:\windows\system32\drivers\dgbiczy.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-10 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: turbotax.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-10 12:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)

c:\windows\system32\visefiti.dll

- - - - - - - > 'explorer.exe'(1116)

c:\windows\system32\WININET.dll

c:\windows\system32\visefiti.dll

c:\windows\system32\vimuvayo.dll

c:\windows\system32\tenugizu.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2009-09-10 12:52

ComboFix-quarantined-files.txt 2009-09-10 17:52

ComboFix2.txt 2009-09-10 17:45

ComboFix3.txt 2009-09-10 17:05

ComboFix4.txt 2009-09-09 23:36

Pre-Run: 85,492,432,896 bytes free

Post-Run: 85,477,957,632 bytes free

210 --- E O F --- 2009-09-02 02:53

and here is the Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:53:21 PM, on 9/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\CASIO\Photo Loader\Plauto.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: (no name) - {7b219a14-89a5-4576-8f2c-5ffa67034341} - vimuvayo.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [dedafonin] Rundll32.exe "c:\windows\system32\visefiti.dll",a

O4 - HKLM\..\Run: [newahisore] Rundll32.exe "vovugesi.dll",s

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: I-News.lnk = C:\Program Files\Common Files\I-News\TrueWeather.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212904530769

O20 - AppInit_DLLs: c:\windows\system32\tenugizu.dll c:\windows\system32\visefiti.dll

O21 - SSODL: nuwapazef - {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll

O21 - SSODL: zasezokik - {04dc3765-f487-46ed-8b0b-8340f0fd4e7a} - c:\windows\system32\visefiti.dll

O22 - SharedTaskScheduler: kupuhivus - {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll

O22 - SharedTaskScheduler: tokatiluy - {04dc3765-f487-46ed-8b0b-8340f0fd4e7a} - c:\windows\system32\visefiti.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 9604 bytes

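Triage helper, added here as an example and not part of the original thread or of either tool: it cross-references the files the ComboFix Find3M report lists with system+hidden attributes (`--sha-w-`) against the HijackThis loading points, and flags every entry that references one of them, plus the loading points that merit a look on their own (a populated AppInit_DLLs, a nameless BHO whose file is missing, Rundll32 given a bare DLL name). The sample lines are copied from the logs posted above; the reading of the ComboFix attribute letters as s = system and h = hidden is an assumption based on the log layout.

```python
"""Correlate ComboFix Find3M attribute lines with HijackThis loading points."""
import re
from dataclasses import dataclass

# Constructed sample: Find3M lines taken from the ComboFix log posted above.
COMBOFIX_SAMPLE = r"""
2009-09-10 16:47 . 2009-06-10 16:47 89088 --sha-w- c:\windows\system32\tenugizu.dll
2009-09-09 23:15 . 2004-08-04 10:00 56320 ------w- c:\windows\system32\eventlog.dll
2009-09-07 16:34 . 2009-06-07 16:34 88576 --sha-w- c:\windows\system32\visefiti.dll
2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vimuvayo.dll
2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vovugesi.dll
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
"""

# Constructed sample: loading points taken from the HijackThis log posted above.
HJT_SAMPLE = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {7b219a14-89a5-4576-8f2c-5ffa67034341} - vimuvayo.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dedafonin] Rundll32.exe "c:\windows\system32\visefiti.dll",a
O4 - HKLM\..\Run: [newahisore] Rundll32.exe "vovugesi.dll",s
O20 - AppInit_DLLs: c:\windows\system32\tenugizu.dll c:\windows\system32\visefiti.dll
O21 - SSODL: nuwapazef - {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll
O22 - SharedTaskScheduler: kupuhivus - {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "<created> . <modified> <size> <attrs> <path>"; directories carry "--------" as size and are skipped.
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) (\S{8}) (.+)$")
# Basename of any .dll/.exe mentioned on a HijackThis line (path separators stop the match).
MODULE_RE = re.compile(r"([\w.-]+\.(?:dll|exe))", re.IGNORECASE)
SECTION_RE = re.compile(r"^(O\d+) - ")


def hidden_system_files(combofix_text):
    """Lower-case basenames of files whose attribute field shows both the
    system ('s') and hidden ('h') bits, e.g. '--sha-w-' (assumed decoding)."""
    found = set()
    for line in combofix_text.strip().splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group(2), m.group(3)
        if "s" in attrs and "h" in attrs:
            found.add(path.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return found


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_hijackthis(hjt_text, hidden):
    """Return one Finding per HijackThis line that deserves analyst attention."""
    findings = []
    for line in hjt_text.strip().splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if not sec:
            continue
        section = sec.group(1)
        modules = {m.lower() for m in MODULE_RE.findall(line)}
        reasons = []
        hits = sorted(modules & hidden)
        if hits:
            reasons.append("references hidden+system file(s): " + ", ".join(hits))
        if section == "O20" and modules:
            # AppInit_DLLs is normally empty on XP; anything listed is loaded
            # into every process that maps user32.dll.
            reasons.append("AppInit_DLLs is populated")
        if section == "O2" and "(no name)" in line and "(file missing)" in line:
            reasons.append("nameless BHO whose file is missing")
        if "rundll32" in line.lower():
            # A quoted DLL with no directory is resolved via the DLL search
            # path; legitimate Run entries almost always give a full path.
            for arg in re.findall(r'"([^"]+)"', line):
                if arg.lower().endswith(".dll") and "\\" not in arg:
                    reasons.append(f"Rundll32 loads {arg} by bare name")
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    hidden = hidden_system_files(COMBOFIX_SAMPLE)
    print("hidden+system files:", ", ".join(sorted(hidden)))
    for f in triage_hijackthis(HJT_SAMPLE, hidden):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full logs, the same correlation also catches the O21/O22 entries whose CLSIDs match across the two registry locations, because both resolve to the same flagged DLL.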

Last time I did a drag and drop (sorry, didn't know that wouldn't work...). This time I clicked on the link. It opened a txt file. I saved this to the desktop, then dropped it on the CF icon. CF started and ran a scan, below. Still no message box or browser opening. Let me know if I am missing something. Thanks.

ComboFix 09-09-10.01 - Mom & Dad 09/10/2009 17:29.5.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1538 [GMT -5:00]

Running from: c:\documents and settings\Mom & Dad\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Mom & Dad\Desktop\CFScript.txt

.

((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))

.

2009-09-08 23:31 . 2009-09-08 23:31 -------- d-----w- c:\program files\Trend Micro

2009-09-08 01:43 . 2009-09-08 01:43 -------- d-----w- C:\dbsII

2009-09-08 01:05 . 2009-09-08 01:05 -------- d-----w- c:\documents and settings\Mom & Dad\Application Data\Malwarebytes

2009-09-08 00:36 . 2009-09-08 00:40 -------- d-----w- C:\dbs

2009-09-08 00:05 . 2009-09-08 00:27 -------- d-----w- C:\dbsmalware

2009-09-07 18:28 . 2009-09-07 18:29 -------- d-----w- C:\Malwarebytes

2009-09-07 17:50 . 2009-09-07 18:25 -------- d-----w- C:\Malwarebytes' Anti-Malware

2009-09-06 23:09 . 2009-09-08 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-06 22:43 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 22:43 . 2009-09-07 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 22:43 . 2009-09-06 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-06 22:43 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-02 23:37 . 2009-07-08 18:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-01 22:04 . 2009-09-01 22:04 -------- d-----w- c:\documents and settings\Mom & Dad\.jagex_cache_32

2009-09-01 21:45 . 2009-09-01 21:45 -------- d-----w- C:\.jagex_cache_32

2009-09-01 21:40 . 2009-09-01 22:44 34 ----a-w- c:\documents and settings\Mom & Dad\jagex_runescape_preferences.dat

2009-09-01 21:40 . 2009-09-01 21:42 -------- d-----w- c:\windows\.jagex_cache_32

2009-09-01 19:43 . 2009-09-01 19:43 -------- d-----w- C:\spoolerlogs

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\MSBuild

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\Reference Assemblies

2009-08-22 08:04 . 2009-08-22 08:04 -------- d-----w- C:\1b59bdf808ae6faf0bfbe51c

2009-08-22 08:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-22 08:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-19 22:13 . 2009-08-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-10 16:47 . 2009-06-10 16:47 49664 --sha-w- c:\windows\system32\tigefeki.dll

2009-09-10 16:47 . 2009-06-10 16:47 89088 --sha-w- c:\windows\system32\tenugizu.dll

2009-09-09 23:15 . 2004-08-04 10:00 56320 ------w- c:\windows\system32\eventlog.dll

2009-09-08 23:53 . 2009-06-08 23:53 88576 --sha-w- c:\windows\system32\miluduri.dll

2009-09-07 16:34 . 2009-06-07 16:34 88576 --sha-w- c:\windows\system32\visefiti.dll

2009-09-06 22:33 . 2009-06-06 22:33 50176 --sha-w- c:\windows\system32\toyipugu.dll

2009-09-06 22:33 . 2009-06-06 22:33 88576 --sha-w- c:\windows\system32\nawodogi.dll

2009-09-02 23:36 . 2006-11-23 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-02 14:24 . 2009-06-02 14:24 89088 --sha-w- c:\windows\system32\firupifo.dll

2009-08-24 03:18 . 2007-05-29 12:07 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-23 16:22 . 2005-11-07 00:49 -------- d-----w- c:\program files\Google

2009-08-20 20:19 . 2008-08-29 20:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 23:47 . 2007-09-07 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-29 12:47 . 2007-09-07 22:42 -------- d-----w- c:\program files\Apple Software Update

2009-07-18 05:15 . 2008-08-04 02:52 -------- d-----w- c:\program files\Safari

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\program files\iTunes

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-18 05:12 . 2006-11-23 23:01 -------- d-----w- c:\program files\iPod

2009-07-18 05:12 . 2007-09-07 22:41 -------- d-----w- c:\program files\Common Files\Apple

2009-07-18 05:10 . 2009-07-18 05:09 -------- d-----w- c:\program files\QuickTime

2009-07-18 05:02 . 2009-07-18 05:02 -------- d-----w- c:\program files\Bonjour

2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 10:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-07-18 05:05 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2007-09-07 22:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-08 18:44 . 2009-07-08 18:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-06-29 16:12 . 2004-08-04 10:00 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\gamibuyo.dll.tmp

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\hemokelu.dll.tmp

2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vimuvayo.dll

2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vovugesi.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_23.32.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-10 22:21 . 2009-09-10 22:21 16384 c:\windows\Temp\Perflib_Perfdata_cec.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b219a14-89a5-4576-8f2c-5ffa67034341}]

2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vimuvayo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]

"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-14 339968]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 212992]

"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"LyraHD2TrayApp"="c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2005-04-01 290816]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-31 135168]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-31 53248]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"dedafonin"="c:\windows\system32\tenugizu.dll" [2009-09-10 89088]

"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2004-06-10 60928]

"newahisore"="vovugesi.dll" - c:\windows\SYSTEM32\vovugesi.dll [2009-06-10 49664]

c:\documents and settings\Mom & Dad\Start Menu\Programs\Startup\

palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-9 2355200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

I-News.lnk - c:\program files\Common Files\I-News\TrueWeather.exe [2005-5-5 5785600]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2005-12-12 229376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{04dc3765-f487-46ed-8b0b-8340f0fd4e7a}"= "c:\windows\system32\visefiti.dll" [2009-09-07 88576]

"{840ef964-7d6c-440f-aef0-cd925430cfae}"= "c:\windows\system32\tenugizu.dll" [2009-09-10 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"nuwapazef"= {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll [2009-09-07 88576]

"zasezokik"= {04dc3765-f487-46ed-8b0b-8340f0fd4e7a} - c:\windows\system32\visefiti.dll [2009-09-07 88576]

"kofidinaz"= {840ef964-7d6c-440f-aef0-cd925430cfae} - c:\windows\system32\tenugizu.dll [2009-09-10 89088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\I-News\\TrueWeather.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"=

"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=

"c:\\WINDOWS\\SYSTEM32\\wscntfy.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=

"c:\\Program Files\\Thomson\\Lyra Jukebox\\LyraHDTrayApp\\LYRAHD2TrayApp.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\hpztsb09.exe"=

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\SYSTEM32\DRIVERS\ScreamingBAudio.sys [3/27/2009 2:23 PM 23064]

S2 erazdbv;erazdbv;c:\windows\system32\drivers\brgpnhwn.sys --> c:\windows\system32\drivers\brgpnhwn.sys [?]

S2 oislzu;oislzu;c:\windows\system32\drivers\ixqjpuj.sys --> c:\windows\system32\drivers\ixqjpuj.sys [?]

S2 wscxjko;wscxjko;c:\windows\system32\drivers\dgbiczy.sys --> c:\windows\system32\drivers\dgbiczy.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-10 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: turbotax.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-10 17:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)

c:\windows\system32\tenugizu.dll

c:\windows\system32\visefiti.dll

- - - - - - - > 'explorer.exe'(1008)

c:\windows\system32\WININET.dll

c:\windows\system32\vovugesi.dll

c:\windows\system32\vimuvayo.dll

c:\windows\system32\tenugizu.dll

c:\windows\system32\visefiti.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2009-09-10 17:38

ComboFix-quarantined-files.txt 2009-09-10 22:38

ComboFix2.txt 2009-09-10 17:52

ComboFix3.txt 2009-09-10 17:45

ComboFix4.txt 2009-09-10 17:05

ComboFix5.txt 2009-09-10 22:27

Pre-Run: 85,475,840,000 bytes free

Post-Run: 85,443,289,088 bytes free

215 --- E O F --- 2009-09-02 02:53

Here is the Hijack log after the CF scan.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:47:29 PM, on 9/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\CASIO\Photo Loader\Plauto.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: (no name) - {7b219a14-89a5-4576-8f2c-5ffa67034341} - vimuvayo.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [dedafonin] Rundll32.exe "c:\windows\system32\tenugizu.dll",a

O4 - HKLM\..\Run: [newahisore] Rundll32.exe "vovugesi.dll",s

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: I-News.lnk = C:\Program Files\Common Files\I-News\TrueWeather.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212904530769

O20 - AppInit_DLLs: c:\windows\system32\tenugizu.dll c:\windows\system32\visefiti.dll

O21 - SSODL: nuwapazef - {08d28c3b-63e2-4167-b1c8-151e82f69af4} - c:\windows\system32\visefiti.dll

O21 - SSODL: zasezokik - {04dc3765-f487-46ed-8b0b-8340f0fd4e7a} - c:\windows\system32\visefiti.dll

O21 - SSODL: kofidinaz - {840ef964-7d6c-440f-aef0-cd925430cfae} - c:\windows\system32\tenugizu.dll

O22 - SharedTaskScheduler: tokatiluy - {04dc3765-f487-46ed-8b0b-8340f0fd4e7a} - c:\windows\system32\visefiti.dll

O22 - SharedTaskScheduler: jugezatag - {840ef964-7d6c-440f-aef0-cd925430cfae} - c:\windows\system32\tenugizu.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 9786 bytes


Sorry, no luck getting it to run. I copied it from the post and tried. Changed the names... no luck. I keep getting an error box that says {Windows cannot find 'Combo-Fix.exe'. Make sure you typed the name correctly and then try again. To search for a file click the Start button and then click Search.}


Added the path in front of the combo-fix.exe and CF ran again, but no browser afterwards. This is what I had in the run box: "c:\Documents and Settings\Mom & Dad\Desktop\Combo-Fix.exe" "C:\Documents and Settings\Mom & Dad\Desktop\CFScript.txt". I tried moving the " " around with no luck.


Okay, I think the problem is IE. Right-click on the attachment and choose Save Target As and place it on your desktop. I tried opening it up in IE and received a bad format. So I think that was the problem. Right-clicking on the attachment and choosing Save Target As fixed the format error. Let me know if you're still having issues. Thanks


Used the "Save Target As". CF ran through the process. Rebooted the machine. After the reboot it gave a message that it couldn't find a file, sat there for a while, then finished and made the log:

ComboFix 09-09-11.01 - Mom & Dad 09/11/2009 17:24.10.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1605 [GMT -5:00]

Running from: c:\documents and settings\Mom & Dad\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Mom & Dad\Desktop\CFScript.txt

* Created a new restore point

file zipped: c:\windows\system32\firupifo.dll

file zipped: c:\windows\system32\miluduri.dll

file zipped: c:\windows\system32\nawodogi.dll

file zipped: c:\windows\system32\toyipugu.dll

file zipped: c:\windows\system32\visefiti.dll

file zipped: c:\windows\SYSTEM32\mswebdvd.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\010112010146120114.xe

c:\windows\0101120101465049.xe

c:\windows\ld14.exe

c:\windows\pp12.exe

c:\windows\system32\firupifo.dll

c:\windows\system32\miluduri.dll

c:\windows\system32\nawodogi.dll

c:\windows\system32\toyipugu.dll

c:\windows\system32\vezurejo.dll

c:\windows\system32\visefiti.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ERAZDBV

-------\Legacy_OISLZU

-------\Legacy_WSCXJKO

-------\Service_erazdbv

-------\Service_oislzu

-------\Service_wscxjko

((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))

.

2009-09-11 10:38 . 2009-09-11 10:38 173 ----a-w- c:\windows\dxxdv34567.bat

2009-09-08 23:31 . 2009-09-08 23:31 -------- d-----w- c:\program files\Trend Micro

2009-09-08 01:43 . 2009-09-08 01:43 -------- d-----w- C:\dbsII

2009-09-08 01:05 . 2009-09-08 01:05 -------- d-----w- c:\documents and settings\Mom & Dad\Application Data\Malwarebytes

2009-09-08 00:36 . 2009-09-08 00:40 -------- d-----w- C:\dbs

2009-09-08 00:05 . 2009-09-08 00:27 -------- d-----w- C:\dbsmalware

2009-09-07 18:28 . 2009-09-07 18:29 -------- d-----w- C:\Malwarebytes

2009-09-07 17:50 . 2009-09-07 18:25 -------- d-----w- C:\Malwarebytes' Anti-Malware

2009-09-06 23:09 . 2009-09-08 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-06 22:43 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 22:43 . 2009-09-07 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 22:43 . 2009-09-06 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-06 22:43 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-02 23:37 . 2009-07-08 18:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-01 22:04 . 2009-09-01 22:04 -------- d-----w- c:\documents and settings\Mom & Dad\.jagex_cache_32

2009-09-01 21:45 . 2009-09-01 21:45 -------- d-----w- C:\.jagex_cache_32

2009-09-01 21:40 . 2009-09-01 22:44 34 ----a-w- c:\documents and settings\Mom & Dad\jagex_runescape_preferences.dat

2009-09-01 21:40 . 2009-09-01 21:42 -------- d-----w- c:\windows\.jagex_cache_32

2009-09-01 19:43 . 2009-09-01 19:43 -------- d-----w- C:\spoolerlogs

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\MSBuild

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\Reference Assemblies

2009-08-22 08:04 . 2009-08-22 08:04 -------- d-----w- C:\1b59bdf808ae6faf0bfbe51c

2009-08-22 08:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-22 08:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-19 22:13 . 2009-08-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-11 10:38 . 2009-06-11 10:38 88576 --sha-w- c:\windows\system32\jizimuzi.dll

2009-09-11 10:38 . 2009-06-11 10:38 53248 --sha-w- c:\windows\system32\wukaripa.exe

2009-09-10 16:47 . 2009-06-10 16:47 49664 --sha-w- c:\windows\system32\tigefeki.dll

2009-09-10 16:47 . 2009-06-10 16:47 89088 --sha-w- c:\windows\system32\tenugizu.dll

2009-09-09 23:15 . 2004-08-04 10:00 56320 ------w- c:\windows\system32\eventlog.dll

2009-09-02 23:36 . 2006-11-23 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-08-24 03:18 . 2007-05-29 12:07 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-23 16:22 . 2005-11-07 00:49 -------- d-----w- c:\program files\Google

2009-08-20 20:19 . 2008-08-29 20:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 23:47 . 2007-09-07 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-29 12:47 . 2007-09-07 22:42 -------- d-----w- c:\program files\Apple Software Update

2009-07-18 05:15 . 2008-08-04 02:52 -------- d-----w- c:\program files\Safari

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\program files\iTunes

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-18 05:12 . 2006-11-23 23:01 -------- d-----w- c:\program files\iPod

2009-07-18 05:12 . 2007-09-07 22:41 -------- d-----w- c:\program files\Common Files\Apple

2009-07-18 05:10 . 2009-07-18 05:09 -------- d-----w- c:\program files\QuickTime

2009-07-18 05:02 . 2009-07-18 05:02 -------- d-----w- c:\program files\Bonjour

2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 10:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-07-18 05:05 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2007-09-07 22:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-08 18:44 . 2009-07-08 18:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-06-29 16:12 . 2004-08-04 10:00 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\gamibuyo.dll.tmp

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\hemokelu.dll.tmp

2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vimuvayo.dll

2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vovugesi.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_23.32.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-11 22:33 . 2009-09-11 22:33 16384 c:\windows\Temp\Perflib_Perfdata_ea8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]

"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-14 339968]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 212992]

"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"LyraHD2TrayApp"="c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2005-04-01 290816]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-31 135168]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-31 53248]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"dedafonin"="c:\windows\system32\tenugizu.dll" [2009-09-10 89088]

"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2004-06-10 60928]

c:\documents and settings\Mom & Dad\Start Menu\Programs\Startup\

palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-9 2355200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

I-News.lnk - c:\program files\Common Files\I-News\TrueWeather.exe [2005-5-5 5785600]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2005-12-12 229376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{37383626-1d87-40ae-b801-f7f609fd18b8}"= "c:\windows\system32\tenugizu.dll" [2009-09-10 89088]

"{687fb86f-5075-4b1b-b2c3-934050f4cc58}"= "c:\windows\system32\tenugizu.dll" [2009-09-10 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"polusenub"= {37383626-1d87-40ae-b801-f7f609fd18b8} - c:\windows\system32\tenugizu.dll [2009-09-10 89088]

"kutinojeg"= {687fb86f-5075-4b1b-b2c3-934050f4cc58} - c:\windows\system32\tenugizu.dll [2009-09-10 89088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Common Files\\I-News\\TrueWeather.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"=

"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=

"c:\\WINDOWS\\SYSTEM32\\wscntfy.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=

"c:\\Program Files\\Thomson\\Lyra Jukebox\\LyraHDTrayApp\\LYRAHD2TrayApp.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\hpztsb09.exe"=

"c:\\Program Files\\palmOne\\Hotsync.exe"=

"c:\\WINDOWS\\SYSTEM32\\dla\\tfswctrl.exe"=

"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe"=

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\SYSTEM32\DRIVERS\ScreamingBAudio.sys [3/27/2009 2:23 PM 23064]

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-11 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: turbotax.com

.

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{04dc3765-f487-46ed-8b0b-8340f0fd4e7a} - c:\windows\system32\visefiti.dll

SSODL-zasezokik-{04dc3765-f487-46ed-8b0b-8340f0fd4e7a} - c:\windows\system32\visefiti.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-11 17:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1892)

c:\windows\system32\WININET.dll

c:\windows\system32\tenugizu.dll

c:\windows\system32\jizimuzi.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ati2evxx.exe

c:\windows\SYSTEM32\rundll32.exe

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\SYSTEM32\BAsfIpM.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\SYSTEM32\CTSVCCDA.EXE

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

c:\windows\SYSTEM32\wdfmgr.exe

c:\windows\SYSTEM32\MsPMSPSv.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\Java\jre1.5.0_08\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2009-09-11 17:40 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-11 22:40

ComboFix2.txt 2009-09-11 02:48

ComboFix3.txt 2009-09-11 02:39

ComboFix4.txt 2009-09-11 02:28

ComboFix5.txt 2009-09-11 22:22

Pre-Run: 85,370,183,680 bytes free

Post-Run: 85,306,552,320 bytes free

252 --- E O F --- 2009-09-02 02:53

Hijack log :

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:45:25 PM, on 9/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\CASIO\Photo Loader\Plauto.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [dedafonin] Rundll32.exe "c:\windows\system32\tenugizu.dll",a

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: I-News.lnk = C:\Program Files\Common Files\I-News\TrueWeather.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212904530769

O20 - AppInit_DLLs: c:\windows\system32\jizimuzi.dll c:\windows\system32\tenugizu.dll

O21 - SSODL: polusenub - {37383626-1d87-40ae-b801-f7f609fd18b8} - c:\windows\system32\tenugizu.dll

O21 - SSODL: kutinojeg - {687fb86f-5075-4b1b-b2c3-934050f4cc58} - c:\windows\system32\tenugizu.dll

O22 - SharedTaskScheduler: jugezatag - {37383626-1d87-40ae-b801-f7f609fd18b8} - c:\windows\system32\tenugizu.dll

O22 - SharedTaskScheduler: kupuhivus - {687fb86f-5075-4b1b-b2c3-934050f4cc58} - c:\windows\system32\tenugizu.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 9862 bytes

No browser opened after CF ran. There was a security balloon message that wanted to install a firewall, but no browser.

Also, each time CF starts after dropping the CFScript file on the icon a prompt to download a newer version of CF is available. I check yes each time.

Thanks for the patience.


Download the attached file CFScript.txt to your Desktop


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!

Please update Malwarebytes, run a quick scan, and post the log along with a fresh HijackThis and ComboFix log. Thanks for your patience.

CFScript.txt


Here are the CF log and the Hijack log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:05:51 AM, on 9/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\CASIO\Photo Loader\Plauto.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: I-News.lnk = C:\Program Files\Common Files\I-News\TrueWeather.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212904530769

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 9218 bytes

ComboFix 09-09-11.01 - Mom & Dad 09/11/2009 23:38.11.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1632 [GMT -5:00]

Running from: c:\documents and settings\Mom & Dad\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Mom & Dad\Desktop\CFScript.txt

FILE ::

"c:\windows\system32\jizimuzi.dll"

"c:\windows\system32\tenugizu.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\jizimuzi.dll

c:\windows\system32\tenugizu.dll

.

((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))

.

2009-09-11 22:40 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-11 10:38 . 2009-09-11 10:38 173 ----a-w- c:\windows\dxxdv34567.bat

2009-09-08 23:31 . 2009-09-08 23:31 -------- d-----w- c:\program files\Trend Micro

2009-09-08 01:43 . 2009-09-08 01:43 -------- d-----w- C:\dbsII

2009-09-08 01:05 . 2009-09-08 01:05 -------- d-----w- c:\documents and settings\Mom & Dad\Application Data\Malwarebytes

2009-09-08 00:36 . 2009-09-08 00:40 -------- d-----w- C:\dbs

2009-09-08 00:05 . 2009-09-08 00:27 -------- d-----w- C:\dbsmalware

2009-09-07 18:28 . 2009-09-07 18:29 -------- d-----w- C:\Malwarebytes

2009-09-07 17:50 . 2009-09-07 18:25 -------- d-----w- C:\Malwarebytes' Anti-Malware

2009-09-06 23:09 . 2009-09-08 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-06 22:43 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 22:43 . 2009-09-07 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 22:43 . 2009-09-06 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-06 22:43 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-02 23:37 . 2009-07-08 18:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-01 22:04 . 2009-09-01 22:04 -------- d-----w- c:\documents and settings\Mom & Dad\.jagex_cache_32

2009-09-01 21:45 . 2009-09-01 21:45 -------- d-----w- C:\.jagex_cache_32

2009-09-01 21:40 . 2009-09-01 22:44 34 ----a-w- c:\documents and settings\Mom & Dad\jagex_runescape_preferences.dat

2009-09-01 21:40 . 2009-09-01 21:42 -------- d-----w- c:\windows\.jagex_cache_32

2009-09-01 19:43 . 2009-09-01 19:43 -------- d-----w- C:\spoolerlogs

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\MSBuild

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\Reference Assemblies

2009-08-22 08:04 . 2009-08-22 08:04 -------- d-----w- C:\1b59bdf808ae6faf0bfbe51c

2009-08-22 08:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-22 08:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-19 22:13 . 2009-08-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-11 10:38 . 2009-06-11 10:38 53248 --sha-w- c:\windows\system32\wukaripa.exe

2009-09-10 16:47 . 2009-06-10 16:47 49664 --sha-w- c:\windows\system32\tigefeki.dll

2009-09-09 23:15 . 2004-08-04 10:00 56320 ------w- c:\windows\system32\eventlog.dll

2009-09-02 23:36 . 2006-11-23 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-08-24 03:18 . 2007-05-29 12:07 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-23 16:22 . 2005-11-07 00:49 -------- d-----w- c:\program files\Google

2009-08-20 20:19 . 2008-08-29 20:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 23:47 . 2007-09-07 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-29 12:47 . 2007-09-07 22:42 -------- d-----w- c:\program files\Apple Software Update

2009-07-18 05:15 . 2008-08-04 02:52 -------- d-----w- c:\program files\Safari

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\program files\iTunes

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-18 05:12 . 2006-11-23 23:01 -------- d-----w- c:\program files\iPod

2009-07-18 05:12 . 2007-09-07 22:41 -------- d-----w- c:\program files\Common Files\Apple

2009-07-18 05:10 . 2009-07-18 05:09 -------- d-----w- c:\program files\QuickTime

2009-07-18 05:02 . 2009-07-18 05:02 -------- d-----w- c:\program files\Bonjour

2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 10:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-07-18 05:05 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2007-09-07 22:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-08 18:44 . 2009-07-08 18:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-06-29 16:12 . 2004-08-04 10:00 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\gamibuyo.dll.tmp

2009-06-06 22:34 . 2009-06-06 22:34 50176 --sha-w- c:\windows\SYSTEM32\hemokelu.dll.tmp

2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vimuvayo.dll

2009-06-10 16:48 . 2009-06-10 16:48 49664 --sha-w- c:\windows\SYSTEM32\vovugesi.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_23.32.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-12 04:47 . 2009-09-12 04:47 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat

+ 2005-04-20 20:29 . 2007-07-27 15:41 16760 c:\windows\SYSTEM32\spmsg.dll

+ 2005-04-20 20:34 . 2009-09-11 22:52 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2004-08-04 10:00 . 2009-08-13 15:16 512000 c:\windows\SYSTEM32\jscript.dll

- 2004-08-04 10:00 . 2008-05-09 10:53 512000 c:\windows\SYSTEM32\jscript.dll

+ 2007-08-14 00:38 . 2009-08-13 15:16 512000 c:\windows\SYSTEM32\DLLCACHE\jscript.dll

- 2007-08-14 00:38 . 2008-05-09 10:53 512000 c:\windows\SYSTEM32\DLLCACHE\jscript.dll

+ 2005-04-20 20:34 . 2009-09-11 22:52 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2004-08-04 10:00 . 2009-05-20 17:44 2355200 c:\windows\SYSTEM32\WMVCore.dll

+ 2004-08-04 10:00 . 2009-05-20 17:44 2355200 c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll

+ 2009-08-25 19:57 . 2009-08-25 19:57 5518336 c:\windows\Installer\11ed6e.msp

+ 2009-09-11 22:52 . 2009-08-28 19:38 24689600 c:\windows\SYSTEM32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]

"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-14 339968]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 212992]

"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"LyraHD2TrayApp"="c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2005-04-01 290816]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-31 135168]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-31 53248]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2004-06-10 60928]

c:\documents and settings\Mom & Dad\Start Menu\Programs\Startup\

palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-9 2355200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

I-News.lnk - c:\program files\Common Files\I-News\TrueWeather.exe [2005-5-5 5785600]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2005-12-12 229376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Common Files\\I-News\\TrueWeather.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"=

"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=

"c:\\WINDOWS\\SYSTEM32\\wscntfy.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=

"c:\\Program Files\\Thomson\\Lyra Jukebox\\LyraHDTrayApp\\LYRAHD2TrayApp.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\hpztsb09.exe"=

"c:\\Program Files\\palmOne\\Hotsync.exe"=

"c:\\WINDOWS\\SYSTEM32\\dla\\tfswctrl.exe"=

"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe"=

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\SYSTEM32\DRIVERS\ScreamingBAudio.sys [3/27/2009 2:23 PM 23064]

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-12 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: turbotax.com

.

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{67ab4609-ad0d-4823-9ffc-311cf8ffe238} - c:\windows\system32\tenugizu.dll

SharedTaskScheduler-{1b835c41-e8b0-4498-a006-40830cbb5596} - c:\windows\system32\tenugizu.dll

SSODL-fakupoyuh-{67ab4609-ad0d-4823-9ffc-311cf8ffe238} - c:\windows\system32\tenugizu.dll

SSODL-newisuvuy-{1b835c41-e8b0-4498-a006-40830cbb5596} - c:\windows\system32\tenugizu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-11 23:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2224)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\SYSTEM32\BAsfIpM.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\SYSTEM32\CTSVCCDA.EXE

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

c:\windows\SYSTEM32\wdfmgr.exe

c:\windows\SYSTEM32\MsPMSPSv.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\windows\SYSTEM32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

c:\program files\Java\jre1.5.0_08\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2009-09-12 0:04 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-12 05:04

ComboFix2.txt 2009-09-11 22:40

ComboFix3.txt 2009-09-11 02:48

ComboFix4.txt 2009-09-11 02:39

ComboFix5.txt 2009-09-12 04:36

Pre-Run: 85,223,485,440 bytes free

Post-Run: 85,189,910,528 bytes free

257 --- E O F --- 2009-09-11 22:53

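A small triage script for ComboFix and MBAM log lines like the ones posted above, added here as an example; it is not part of this thread and not a ComboFix, HijackThis or Malwarebytes tool. It flags the three things the helper acted on in this thread: autostart or orphan entries whose target in system32 has a machine-generated looking name, Security Center update notifications silenced, and the firewall standard profile disabled. The consonant/vowel name heuristic is an assumption drawn from the names seen in these logs (tenugizu, wukaripa, gamibuyo, hemokelu, vimuvayo, vovugesi), and the sample log is constructed from lines in this thread.

```python
"""Triage helper for ComboFix / MBAM log lines.

Added example for this thread; it is not part of ComboFix, HijackThis or
Malwarebytes.  It flags the three things the helper acted on above:
  1. entries whose target in system32 has a machine-generated looking name
     (tenugizu.dll, wukaripa.exe, gamibuyo.dll.tmp ...);
  2. Security Center update notifications silenced
     ("UpdatesDisableNotify"=dword:00000001);
  3. the Windows Firewall standard profile switched off ("EnableFirewall"= 0).
The name heuristic (8 lowercase letters alternating consonant/vowel) is an
assumption drawn from the names seen in this thread, not a published rule:
treat hits as leads for a human to confirm, not as verdicts.
"""
import re
from collections import Counter
from dataclasses import dataclass

VOWELS = set("aeiou")

# Path rooted in system32; the captured group is the file name (no subdirectories).
SYS32_FILE = re.compile(r"[a-z]:\\windows\\system32\\([^\s\"\[\]\\]+)", re.I)
SC_SILENCED = re.compile(r'"UpdatesDisableNotify"\s*=\s*dword:0*1\b', re.I)
FW_DISABLED = re.compile(r'"EnableFirewall"\s*=\s*0\b', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # "generated_name", "security_center_silenced" or "firewall_disabled"
    detail: str  # file name, or the offending registry value line


def looks_generated(stem):
    """True for names like 'tenugizu': 8 lowercase letters, consonant/vowel alternating."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def triage(log_text):
    """Scan log lines and return the list of findings, one per matching line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for match in SYS32_FILE.finditer(line):
            filename = match.group(1)
            if looks_generated(filename.split(".")[0].lower()):
                findings.append(Finding("generated_name", filename.lower()))
                break  # one finding per line is enough
        if SC_SILENCED.search(line):
            findings.append(Finding("security_center_silenced", line))
        if FW_DISABLED.search(line):
            findings.append(Finding("firewall_disabled", line))
    return findings


def flagged_files(log_text):
    """Distinct generated-looking file names, sorted."""
    return sorted({f.detail for f in triage(log_text) if f.kind == "generated_name"})


def summary(log_text):
    """Count of findings per kind."""
    return dict(Counter(f.kind for f in triage(log_text)))


# Constructed sample assembled from lines posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
SSODL-fakupoyuh-{67ab4609-ad0d-4823-9ffc-311cf8ffe238} - c:\windows\system32\tenugizu.dll
SharedTaskScheduler-{1b835c41-e8b0-4498-a006-40830cbb5596} - c:\windows\system32\tenugizu.dll
"c:\windows\SYSTEM32\gamibuyo.dll.tmp"
c:\windows\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\wukaripa.exe (Worm.Koobface) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind:26} {finding.detail}")
    print(summary(SAMPLE_LOG))
```

Legitimate entries from the same logs (ctfmon.exe, wscntfy.exe, atiptaxx.exe, hpztsb09.exe) do not trip the name heuristic, which is the point of the alternating-letter check rather than a plain length test.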

Here is the Malware log file.

Malwarebytes' Anti-Malware 1.41

Database version: 2783

Windows 5.1.2600 Service Pack 3

9/12/2009 2:23:10 AM

mbam-log-2009-09-12 (02-23-10).txt

Scan type: Quick Scan

Objects scanned: 135141

Time elapsed: 26 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\wukaripa.exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\WINDOWS\dxxdv34567.bat (KoobFace.Trace) -> Quarantined and deleted successfully.


Open notepad and copy/paste the text in the codebox below into it:

@echo off
rem Collects the four files the helper asked for into one archive for submission.
rem Requires a command-line zip.exe on the PATH (ComboFix normally leaves one in system32).
for %%g in (
c:\windows\SYSTEM32\gamibuyo.dll.tmp
c:\windows\SYSTEM32\hemokelu.dll.tmp
c:\windows\SYSTEM32\vimuvayo.dll
c:\windows\SYSTEM32\vovugesi.dll
) do zip Files_for_submission %%g
rem The batch file removes itself once the archive has been built.
del %0

Save this as grab.bat

Choose to "Save type as---All Files"

It should look like this: bat_icon.gif

Double-Click on grab.bat and Allow it to run

A file, Files_for_submission.zip will be created on your desktop.

Please upload that file here ---> http://www.bleepingcomputer.com/submit-mal....php?channel=70

How is everything running??


File was uploaded to the link.

After ComboFix the computer runs fine. Until you say it is clean I am only getting on to check here. I have not loaded a firewall yet; McAfee was zapped by the virus, so it is gone. I didn't want to mess things up by loading other stuff. After it is clean I will probably go through the "how to stay clean" forum on here. It looked like a step-by-step post on what to run for AV.

Thanks


Download the attached file CFScript.txt to your Desktop

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: Please do not use this script on another computer; you may damage the system. The script is made especially for this user's computer only!!!!

Thanks for those files. They are bad.

CFScript.txt


Here are the Hijack log and CF log after copying the latest CFScript.txt file and running CF.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:06:18 PM, on 9/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\palmOne\Hotsync.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\CASIO\Photo Loader\Plauto.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\dbs\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: I-News.lnk = C:\Program Files\Common Files\I-News\TrueWeather.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212904530769

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 9011 bytes

ComboFix 09-09-12.A0 - Mom & Dad 09/13/2009 12:52.12.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1548 [GMT -5:00]

Running from: c:\documents and settings\Mom & Dad\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Mom & Dad\Desktop\CFScript.txt

FILE ::

"c:\windows\SYSTEM32\gamibuyo.dll.tmp"

"c:\windows\SYSTEM32\hemokelu.dll.tmp"

"c:\windows\SYSTEM32\vimuvayo.dll"

"c:\windows\SYSTEM32\vovugesi.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\SYSTEM32\gamibuyo.dll.tmp

c:\windows\SYSTEM32\hemokelu.dll.tmp

c:\windows\SYSTEM32\vimuvayo.dll

c:\windows\SYSTEM32\vovugesi.dll

.

((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))

.

2009-09-13 17:50 . 2009-09-13 17:50 -------- d-----w- C:\Combo-Fix

2009-09-11 22:40 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-08 23:31 . 2009-09-08 23:31 -------- d-----w- c:\program files\Trend Micro

2009-09-08 01:43 . 2009-09-08 01:43 -------- d-----w- C:\dbsII

2009-09-08 01:05 . 2009-09-08 01:05 -------- d-----w- c:\documents and settings\Mom & Dad\Application Data\Malwarebytes

2009-09-08 00:36 . 2009-09-12 05:50 -------- d-----w- C:\dbs

2009-09-08 00:05 . 2009-09-08 00:27 -------- d-----w- C:\dbsmalware

2009-09-07 18:28 . 2009-09-07 18:29 -------- d-----w- C:\Malwarebytes

2009-09-07 17:50 . 2009-09-07 18:25 -------- d-----w- C:\Malwarebytes' Anti-Malware

2009-09-06 23:09 . 2009-09-08 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-06 22:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 22:43 . 2009-09-12 07:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 22:43 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-06 22:43 . 2009-09-06 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-02 23:37 . 2009-07-08 18:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-01 22:04 . 2009-09-01 22:04 -------- d-----w- c:\documents and settings\Mom & Dad\.jagex_cache_32

2009-09-01 21:45 . 2009-09-01 21:45 -------- d-----w- C:\.jagex_cache_32

2009-09-01 21:40 . 2009-09-01 22:44 34 ----a-w- c:\documents and settings\Mom & Dad\jagex_runescape_preferences.dat

2009-09-01 21:40 . 2009-09-01 21:42 -------- d-----w- c:\windows\.jagex_cache_32

2009-09-01 19:43 . 2009-09-01 19:43 -------- d-----w- C:\spoolerlogs

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\MSBuild

2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\Reference Assemblies

2009-08-22 08:04 . 2009-08-22 08:04 -------- d-----w- C:\1b59bdf808ae6faf0bfbe51c

2009-08-22 08:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-22 08:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-22 08:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-19 22:13 . 2009-08-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-09 23:15 . 2004-08-04 10:00 56320 ------w- c:\windows\system32\eventlog.dll

2009-09-02 23:36 . 2006-11-23 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-08-24 03:18 . 2007-05-29 12:07 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-23 16:22 . 2005-11-07 00:49 -------- d-----w- c:\program files\Google

2009-08-20 20:19 . 2008-08-29 20:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 23:47 . 2007-09-07 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-29 12:47 . 2007-09-07 22:42 -------- d-----w- c:\program files\Apple Software Update

2009-07-18 05:15 . 2008-08-04 02:52 -------- d-----w- c:\program files\Safari

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\program files\iTunes

2009-07-18 05:13 . 2009-07-18 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-18 05:12 . 2006-11-23 23:01 -------- d-----w- c:\program files\iPod

2009-07-18 05:12 . 2007-09-07 22:41 -------- d-----w- c:\program files\Common Files\Apple

2009-07-18 05:10 . 2009-07-18 05:09 -------- d-----w- c:\program files\QuickTime

2009-07-18 05:02 . 2009-07-18 05:02 -------- d-----w- c:\program files\Bonjour

2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 10:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-07-18 05:05 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2007-09-07 22:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-08 18:44 . 2009-07-08 18:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-06-29 16:12 . 2004-08-04 10:00 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_23.32.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-13 17:45 . 2009-09-13 17:45 16384 c:\windows\Temp\Perflib_Perfdata_10c.dat

+ 2005-04-20 20:29 . 2007-07-27 15:41 16760 c:\windows\SYSTEM32\spmsg.dll

+ 2005-04-20 20:34 . 2009-09-11 22:52 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2004-08-04 10:00 . 2009-08-13 15:16 512000 c:\windows\SYSTEM32\jscript.dll

- 2004-08-04 10:00 . 2008-05-09 10:53 512000 c:\windows\SYSTEM32\jscript.dll

+ 2007-08-14 00:38 . 2009-08-13 15:16 512000 c:\windows\SYSTEM32\DLLCACHE\jscript.dll

- 2007-08-14 00:38 . 2008-05-09 10:53 512000 c:\windows\SYSTEM32\DLLCACHE\jscript.dll

+ 2005-04-20 20:34 . 2009-09-11 22:52 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2005-04-20 20:34 . 2009-09-11 22:52 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2005-04-20 20:34 . 2009-08-12 08:09 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2004-08-04 10:00 . 2009-05-20 17:44 2355200 c:\windows\SYSTEM32\WMVCore.dll

+ 2004-08-04 10:00 . 2009-05-20 17:44 2355200 c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll

+ 2009-08-25 19:57 . 2009-08-25 19:57 5518336 c:\windows\Installer\11ed6e.msp

+ 2009-09-11 22:52 . 2009-08-28 19:38 24689600 c:\windows\SYSTEM32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]

"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-14 339968]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 212992]

"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"LyraHD2TrayApp"="c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2005-04-01 290816]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-31 135168]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-31 53248]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"Malwarebytes Anti-Malware (reboot)"="c:\dbs\mbam.exe" [2009-09-10 1312080]

"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2004-06-10 60928]

c:\documents and settings\Mom & Dad\Start Menu\Programs\Startup\

palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-9 2355200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

I-News.lnk - c:\program files\Common Files\I-News\TrueWeather.exe [2005-5-5 5785600]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2005-12-12 229376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Common Files\\I-News\\TrueWeather.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"=

"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=

"c:\\WINDOWS\\SYSTEM32\\wscntfy.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=

"c:\\Program Files\\Thomson\\Lyra Jukebox\\LyraHDTrayApp\\LYRAHD2TrayApp.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\hpztsb09.exe"=

"c:\\Program Files\\palmOne\\Hotsync.exe"=

"c:\\WINDOWS\\SYSTEM32\\dla\\tfswctrl.exe"=

"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe"=

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\SYSTEM32\DRIVERS\ScreamingBAudio.sys [3/27/2009 2:23 PM 23064]

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-13 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: turbotax.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-13 13:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-09-13 13:03

ComboFix-quarantined-files.txt 2009-09-13 18:03

ComboFix2.txt 2009-09-12 05:04

ComboFix3.txt 2009-09-11 22:40

ComboFix4.txt 2009-09-11 02:48

ComboFix5.txt 2009-09-13 17:51

Pre-Run: 85,091,958,784 bytes free

Post-Run: 85,191,151,616 bytes free

224 --- E O F --- 2009-09-11 22:53

Thanks


Computer is running well. I will download AV and spyware unless you want me to wait.

The only thing out of the ordinary was that Windows did a 5-step update when shutting down. It didn't prompt for an OK, it just did an update. I ran a scan on the next startup and didn't find anything.

Here are the MW and HJ logs:

Malwarebytes' Anti-Malware 1.41

Database version: 2794

Windows 5.1.2600 Service Pack 3

9/13/2009 10:35:03 PM

mbam-log-2009-09-13 (22-35-03).txt

Scan type: Quick Scan

Objects scanned: 121493

Time elapsed: 25 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:35:24 PM, on 9/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\CASIO\Photo Loader\Plauto.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\dbs\mbam.exe" /runcleanupscript

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: I-News.lnk = C:\Program Files\Common Files\I-News\TrueWeather.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212904530769

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 9494 bytes
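The two logs in this thread are read by hand: a helper walks the HijackThis O4 lines and the ComboFix "Reg Loading Points" block looking for autostarts that launch from odd places, names registered in more than one hive, and policy values such as `"EnableFirewall"= 0`. Below is an added example of doing that first pass in code. It is not part of the thread and is not Malwarebytes', Trend Micro's or ComboFix's code; the sample lines are constructed from entries visible in the logs above, and the rule that only `C:\WINDOWS` and `C:\Program Files` count as "standard" locations is this example's own assumption.

```python
"""Triage helper for the autostart evidence a HijackThis / ComboFix log carries.

Added example for this thread; it is not Malwarebytes', Trend Micro's or the
ComboFix author's code. The sample lines below are constructed from entries
visible in the logs above, and the location rules are this example's own.
"""
import re
from collections import defaultdict

# HijackThis O4 line: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)
QUOTED_RE = re.compile(r'^"([^"]+)"')
# First token ending in an executable extension; unquoted paths may contain spaces.
IMAGE_RE = re.compile(r'^(.+?\.(?:exe|dll|scr|com|bat|cmd))(?=\s|$)', re.IGNORECASE)
# Assumption of this example: these prefixes count as "standard" install locations.
STANDARD_PREFIXES = ('c:\\windows\\', 'c:\\program files\\')
# ComboFix "Reg Loading Points" firewall value: "EnableFirewall"= 0 (0x0)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')


def image_of(cmd):
    """Return (lower-cased) the file a Run value really launches."""
    m = QUOTED_RE.match(cmd)
    if m:
        return m.group(1).lower()
    parts = cmd.split(None, 1)
    if parts and parts[0].lower() in ('rundll32', 'rundll32.exe'):
        # rundll32 is only the host; the DLL named before the comma is the payload.
        rest = parts[1] if len(parts) > 1 else ''
        return rest.split(',', 1)[0].strip().lower()
    m = IMAGE_RE.match(cmd)
    return m.group(1).lower() if m else cmd.lower()


def classify(image):
    """'standard' (Windows or Program Files), 'relative' (bare name resolved via
    the search path, so check which copy wins), or 'nonstandard' (anywhere else)."""
    if not re.match(r'^[a-z]:\\', image):
        return 'relative'
    if image.startswith(STANDARD_PREFIXES):
        return 'standard'
    return 'nonstandard'


def parse_o4(lines):
    """Parse every O4 Run/RunOnce entry into a dict: hive, key, name, cmd, image, class."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry['image'] = image_of(entry['cmd'])
        entry['class'] = classify(entry['image'])
        entries.append(entry)
    return entries


def flagged(entries):
    """Entries whose image is outside the standard locations: review these first."""
    return [e for e in entries if e['class'] != 'standard']


def duplicate_names(entries):
    """Value names registered under more than one hive/key (e.g. HKLM and HKCU)."""
    seen = defaultdict(set)
    for e in entries:
        seen[e['name'].lower()].add((e['hive'], e['key']))
    return {n: sorted(keys) for n, keys in seen.items() if len(keys) > 1}


def firewall_disabled(lines):
    """True if the ComboFix block shows the Windows Firewall standard profile off."""
    for line in lines:
        m = FIREWALL_RE.match(line.strip())
        if m:
            return m.group(1) == '0'
    return False


# Constructed sample, taken from entries shown in this thread's logs.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\dbs\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

SAMPLE_COMBOFIX = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
""".strip().splitlines()

if __name__ == '__main__':
    entries = parse_o4(SAMPLE_HJT)
    for e in flagged(entries):
        print(f"{e['class']:<11} {e['hive']}\\{e['key']} [{e['name']}] -> {e['image']}")
    print('duplicate value names:', duplicate_names(entries))
    print('firewall disabled:', firewall_disabled(SAMPLE_COMBOFIX))
```

A hit in the flagged list is a place to look, not a verdict. On this thread's sample it flags `c:\dbs\mbam.exe`, which the ComboFix log itself records as the Malwarebytes "(reboot)" entry, and the bare `P17.dll` loaded through rundll32, which ComboFix's own Reg Loading Points section resolves to `c:\windows\SYSTEM32\P17.dll`; the value of the pass is that it tells you which files to examine next, and it surfaces the disabled firewall profile and the `YSearchProtection` value that is present under both HKLM and HKCU without having to read every line.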
