Total Security won't stay deleted

psychoinhell · September 20, 2009

and now my hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:55:38 PM, on 9/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\mace.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GM5072

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GM5072

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GM5072

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.206.201.8 winsecurepro.microsoft.com

O1 - Hosts: 91.206.201.8 winsecurepro.com

O1 - Hosts: 91.206.201.8 www.winsecurepro.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [realtecs] "C:\Documents and Settings\Owner\Application Data\Google\fbabj220320.exe" 2

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S

O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1253367623000

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O20 - AppInit_DLLs: c:\windows\system32\tebajovo.dll togehupe.dll c:\windows\system32\dowuvedo.dll

O21 - SSODL: zuverahov - {f82dad5d-2c83-4c4a-bf38-2e797c12bb85} - c:\windows\system32\tebajovo.dll (file missing)

O21 - SSODL: tuwamesip - {c2e90739-b38c-45db-9448-1096068310fb} - c:\windows\system32\dowuvedo.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {f82dad5d-2c83-4c4a-bf38-2e797c12bb85} - c:\windows\system32\tebajovo.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {c2e90739-b38c-45db-9448-1096068310fb} - c:\windows\system32\dowuvedo.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--

End of file - 7128 bytes

psychoinhell · September 20, 2009

combofix and new hijackThis logs

ComboFix 09-09-18.02 - Owner 09/20/2009 17:30.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1360 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\stb06759.tmp

c:\recycler\S-1-5-21-3576470876-2263381142-4000837777-500

c:\windows\ALCMTR.EXE

c:\windows\kb913800.exe

c:\windows\system32\41.exe

c:\windows\system32\bepikize.dll.tmp

c:\windows\system32\depopuho.dll

c:\windows\system32\hakakaga.dll.tmp

c:\windows\system32\jolalese.dll.tmp

c:\windows\system32\labazemi.dll.tmp

c:\windows\system32\likegene.dll

c:\windows\system32\lurapaso.dll

c:\windows\system32\nalayafi.dll.tmp

c:\windows\system32\sipaneya.dll

c:\windows\system32\togehupe.dll

c:\windows\system32\vamegeye.dll

c:\windows\system32\yususuro.dll.tmp

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))

.

2009-09-20 21:52 . 2009-09-20 21:52 -------- d-----w- c:\program files\Trend Micro

2009-09-17 22:51 . 2009-09-17 22:55 -------- d-----w- c:\windows\system32\Adobe

2009-09-14 17:33 . 2009-09-14 17:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Turbine

2009-09-14 17:33 . 2009-09-14 17:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Turbine

2009-09-14 03:51 . 2009-09-14 03:51 -------- d-----w- c:\program files\Turbine

2009-09-13 23:12 . 2009-09-18 04:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PMB Files

2009-09-13 23:12 . 2009-09-13 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-09-13 23:12 . 2009-09-13 23:12 -------- d-----w- c:\program files\Pando Networks

2009-09-12 16:45 . 2009-09-12 16:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo

2009-09-12 16:44 . 2009-09-12 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-09-12 16:44 . 2009-09-12 16:44 -------- d-----w- c:\program files\Yahoo!

2009-09-09 13:07 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-01 16:41 . 2009-09-08 01:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\BearShare

2009-09-01 16:41 . 2009-09-01 16:41 -------- d-----w- c:\program files\BearShare Applications

2009-08-22 22:39 . 2009-08-22 22:39 -------- d-----w- c:\program files\MSECache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-20 22:19 . 2009-05-22 23:59 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-20 02:01 . 2008-08-17 23:33 19938 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat

2009-09-19 16:20 . 2009-06-19 16:20 51200 --sha-w- c:\windows\system32\risusupo.dll

2009-09-19 13:27 . 2009-02-02 22:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 19:54 . 2009-02-02 22:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 19:53 . 2009-02-02 22:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-05 22:21 . 2008-11-09 03:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer

2009-09-03 15:58 . 2009-08-09 00:26 -------- d-----w- c:\documents and settings\Owner\Application Data\CyberLink

2009-08-23 00:28 . 2005-01-10 01:26 38568 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-11 00:32 . 2009-08-11 00:16 -------- d-----w- c:\program files\lmyqvr

2009-08-11 00:01 . 2009-08-10 20:43 -------- d-----w- c:\program files\PrivacyCenter

2009-08-10 23:26 . 2009-08-10 23:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue

2009-08-09 00:26 . 2009-08-09 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2009-08-05 09:01 . 2008-08-28 12:06 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2008-08-28 12:06 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-15 02:08 . 2009-07-15 02:08 295 ----a-w- c:\windows\EReg072.dat

2009-07-14 04:43 . 2008-03-16 02:55 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2008-03-16 02:55 915456 ----a-w- c:\windows\system32\wininet.dll

2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2009-06-19 16:21 . 2009-06-19 16:21 51200 --sha-w- c:\windows\system32\zerejuhu.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bf9b7b6-ca18-4410-8989-4685e618b5be}]

2009-06-19 16:21 51200 --sha-w- c:\windows\system32\zerejuhu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-14 14820864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\WINDOWS\\ehome\\ehtray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"58013:TCP"= 58013:TCP:Pando Media Booster

"58013:UDP"= 58013:UDP:Pando Media Booster

S3 EraserUtilDrv10821;EraserUtilDrv10821;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5072

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\5stbqow2.default\

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

HKLM-Run-realtecs - c:\documents and settings\Owner\Application Data\Google\fbabj220320.exe

HKLM-Run-tosotijisi - gehesusu.dll

SharedTaskScheduler-{f82dad5d-2c83-4c4a-bf38-2e797c12bb85} - c:\windows\system32\tebajovo.dll

SharedTaskScheduler-{c2e90739-b38c-45db-9448-1096068310fb} - c:\windows\system32\dowuvedo.dll

SSODL-zuverahov-{f82dad5d-2c83-4c4a-bf38-2e797c12bb85} - c:\windows\system32\tebajovo.dll

SSODL-tuwamesip-{c2e90739-b38c-45db-9448-1096068310fb} - c:\windows\system32\dowuvedo.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-20 17:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2408)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\ehome\mcrdsvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\program files\ATI Technologies\ATI.ACE\Mace.exe

c:\windows\ehome\ehmsas.exe

.

**************************************************************************

.

Completion time: 2009-09-20 17:41 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-20 22:41

Pre-Run: 225,472,036,864 bytes free

Post-Run: 225,948,975,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

225 --- E O F --- 2009-09-09 15:03

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:51:54 PM, on 9/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\mace.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GM5072

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2bf9b7b6-ca18-4410-8989-4685e618b5be} - zerejuhu.dll (file missing)