
Continued Cleanup


wrench


I have found the above problem after visiting a site where TV programs can be watched (alluc.org). My attempts to remedy were to try and start a virus/anti-malware program. They would not run, nor could I load new ones. Then a look at Windows Explorer to see what might be there: nada. A look at the System Configuration Utility let me in on the culprit, jobavito. Next, to the internet for advice on the predator. I found at Geekstogo a program by George Danforth called ComboFix; it did find some things and did a nice job. This I thought did the trick, but not completely: only the popups stopped. I still have the jobavito in sys config; unticking is useless as it rechecks itself when rebooted. Worse, I still cannot start or run any malware programs. I was now relying on Malwarebytes to save the day. I ran the RootRepeal search for the listed .sys TDL2's known without any showing up. So I followed the Malwarebytes suggestion to run the report, which is attached herein. I look forward to some kind soul assisting me with this. Thanks

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/02/18 15:01

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\system32\sdra64.exe

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\lowsec

Status: Invisible to the Windows API!

==EOF==


  • Staff

Hi and welcome to Malwarebytes.

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

After you post that log, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Hello, thanks for the help so far. I hope I am replying in the correct spot for you to find. I am totally unfamiliar with forums, so I will attempt to work through it. I ran the DDS as requested and the results follow:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Bill at 17:08:23.18 on Fri 02/19/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.348 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Amateur Radio\Ham Radio Deluxe\HamRadioDeluxe.exe

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\ Firefox\firefox.exe

C:\Documents and Settings\Bill\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,

BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll

BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [nawosover] Rundll32.exe "c:\windows\system32\wekavube.dll",a

StartupFolder: c:\docume~1\bill\mydocu~1\startup\hamrad~1.lnk - c:\program files\amateur radio\ham radio deluxe\HamRadioDeluxe.exe

uPolicies-explorer: NoLogoff = 01000000

uPolicies-explorer: NoActiveDesktop = 01000000

uPolicies-explorer: NoWinKeys = 01000000

uPolicies-explorer: NoSMMyDocs = 01000000

uPolicies-explorer: NoSMMyPictures = 01000000

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264445555328

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

AppInit_DLLs: system32\fesureto.dll sipaneya.dll c:\windows\system32\wekavube.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: mobidahus - {a5a0f9f5-0225-4d5f-a939-a81667958ca0} - c:\windows\system32\fesureto.dll

SSODL: viwofudaz - {a6f4f4c0-3415-42b1-991c-e5c4aca43906} - c:\windows\system32\wekavube.dll

STS: jugezatag: {a5a0f9f5-0225-4d5f-a939-a81667958ca0} - c:\windows\system32\fesureto.dll

STS: gahurihor: {a6f4f4c0-3415-42b1-991c-e5c4aca43906} - c:\windows\system32\wekavube.dll

LSA: Notification Packages = disowowu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bill\applic~1\mozilla\firefox\profiles\vndapnzr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\ firefox\components\browserdirprovider.dll

FF - component: c:\program files\ firefox\components\brwsrcmp.dll

FF - plugin: c:\program files\ firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\ firefox\plugins\npnul32.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\ firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\ firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\ firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\ firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\ firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\ firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\ firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\ firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\ firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\ firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\ firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\ firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\ firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\ firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\ firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\ firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\ firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\ firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\ firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\ firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\ firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\ firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\ firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\ firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\ firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\ firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\ firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\ firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\ firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\ firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\ firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\ firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\ firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-23 135664]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-12-11 17149]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\wpn111.sys --> c:\windows\system32\drivers\WPN111.sys [?]

=============== Created Last 30 ================

2010-02-17 02:55:46 0 d-----w- c:\docume~1\bill\applic~1\Foxit Software

2010-02-16 19:00:23 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-02-16 19:00:23 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-02-16 19:00:14 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-02-16 19:00:14 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-02-16 04:13:07 0 d-----w- c:\docume~1\bill\applic~1\Foxit

2010-02-16 04:12:19 0 d-----w- c:\program files\Foxit Reader

2010-02-03 05:21:02 0 d-----w- c:\program files\common files\DivX Shared

2010-02-03 05:21:01 0 d-----w- c:\program files\DivX

2010-02-02 04:15:20 0 d-----w- c:\program files\VLC

2010-02-02 03:57:09 0 d-----w- c:\program files\ Firefox

2010-02-02 03:10:25 0 d-----w- c:\program files\VShaper

2010-02-01 21:43:19 32 ----a-w- C:\'WINDOWS'

2010-02-01 21:14:12 0 ----a-w- c:\documents and settings\bill\netstat

2010-01-31 05:11:40 0 d-sh--w- c:\documents and settings\bill\IECompatCache

2010-01-31 05:09:08 0 d-sh--w- c:\documents and settings\bill\PrivacIE

2010-01-31 05:07:47 0 d-sh--w- c:\documents and settings\bill\IETldCache

2010-01-31 05:04:38 0 d-----w- c:\windows\ie8updates

2010-01-31 05:00:33 0 dc-h--w- c:\windows\ie8

2010-01-31 04:58:20 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-01-31 04:58:12 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-01-31 04:58:12 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-01-26 22:48:37 754 ----a-w- c:\windows\WORDPAD.INI

2010-01-26 19:55:10 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-01-26 19:55:10 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-01-26 01:12:34 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat

2010-01-25 21:29:10 0 d-----w- c:\windows\system32\scripting

2010-01-25 21:29:08 0 d-----w- c:\windows\l2schemas

2010-01-25 21:29:07 0 d-----w- c:\windows\system32\en

2010-01-25 21:02:01 0 d-----w- c:\windows\ShellNew

2010-01-25 20:26:18 0 d-----w- c:\program files\common files\Windows Live

2010-01-25 20:19:12 0 d-----w- c:\windows\system32\XPSViewer

2010-01-25 20:18:16 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-01-25 20:18:16 117760 ------w- c:\windows\system32\prntvpt.dll

2010-01-25 20:18:15 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-01-25 20:18:15 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-01-25 20:18:15 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-01-25 20:18:15 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-01-25 20:18:15 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-01-25 20:18:14 0 d-----w- C:\8bdcbc8428be23d7996c05cf

2010-01-25 20:15:16 0 d-----w- c:\program files\MSXML 6.0

2010-01-25 20:12:44 0 d-----w- c:\program files\Windows Desktop Search

2010-01-25 20:12:43 0 d-----w- c:\windows\system32\GroupPolicy

2010-01-25 20:12:23 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll

2010-01-25 20:12:22 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

2010-01-25 20:11:33 0 d-----w- c:\program files\Windows Media Connect 2

2010-01-25 20:05:36 0 d-----w- c:\windows\system32\URTTemp

2010-01-25 20:01:55 53248 ------w- c:\windows\system32\tsgqec.dll

2010-01-25 20:01:55 290304 ------w- c:\windows\system32\rhttpaa.dll

2010-01-25 20:01:55 136192 ------w- c:\windows\system32\aaclient.dll

2010-01-25 19:23:26 0 d-----w- c:\windows\network diagnostic

2010-01-25 19:22:47 33792 -c--a-w- c:\windows\system32\dllcache\custsat.dll

2010-01-25 19:19:16 69120 ------w- c:\windows\system32\wlanapi.dll

2010-01-25 19:19:06 50688 ------w- c:\windows\system32\tspkg.dll

2010-01-25 19:17:59 61440 ------w- c:\windows\system32\kmsvc.dll

2010-01-25 18:07:55 0 d-----w- c:\windows\system32\LogFiles

2010-01-25 17:45:20 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-01-25 17:45:20 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-01-25 17:45:09 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-25 17:42:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2010-01-25 17:40:51 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-01-25 17:40:45 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll

2010-01-25 17:37:42 353792 -c----w- c:\windows\system32\dllcache\srv.sys

2010-01-25 17:37:21 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-01-25 17:37:11 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2010-01-25 17:37:07 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2010-01-25 17:36:36 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2010-01-25 17:36:09 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-01-25 17:36:04 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2010-01-25 17:21:48 0 d-----w- c:\program files\msn gaming zone

2010-01-25 17:21:06 0 d-----w- c:\windows\system32\wbem\AutoRecover

2010-01-25 16:51:10 316640 ----a-w- c:\windows\WMSysPr9.prx

2010-01-25 16:50:14 0 d-----w- c:\windows\peernet

2010-01-25 16:50:13 0 d-----w- c:\windows\provisioning

2010-01-25 16:48:24 0 d-----w- c:\windows\ServicePackFiles

2010-01-25 16:41:05 0 d-----w- c:\windows\EHome

2010-01-25 03:41:35 0 d-----w- c:\program files\Siber Systems

2010-01-23 20:15:54 0 d-----w- c:\windows\RegisteredPackages

2010-01-23 20:13:40 0 d--h--w- c:\windows\msdownld.tmp

2010-01-23 20:13:31 0 d-----w- c:\windows\Logs

2010-01-23 19:59:13 11264 ------w- c:\windows\system32\spnpinst.exe

2010-01-23 19:59:12 7208 ------w- c:\windows\system32\secupd.sig

2010-01-23 19:59:12 67866 ------w- c:\windows\system32\drivers\netwlan5.img

2010-01-23 19:59:12 4569 ------w- c:\windows\system32\secupd.dat

2010-01-22 05:12:34 0 d-----w- c:\program files\TrustedQSL

2010-01-22 05:06:26 0 d-----w- c:\docume~1\bill\applic~1\TrustedQSL

2010-01-22 02:36:06 0 d-----w- c:\docume~1\bill\applic~1\PeaZip

2010-01-22 02:29:37 0 d-----w- c:\program files\PeaZip

2010-01-22 01:53:33 0 d-----w- c:\program files\Amateur Radio

2010-01-22 00:43:16 512 ----a-w- c:\windows\ODBC.INI

2010-01-22 00:19:26 0 d-----w- c:\program files\common files\Software Update Utility

2010-01-22 00:19:20 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM

2010-01-22 00:19:19 0 d-----w- c:\program files\AIM Search

2010-01-22 00:19:14 0 d-----w- c:\program files\AIM

2010-01-22 00:19:13 0 d-----w- c:\program files\common files\AOL

2010-01-22 00:19:07 455 ---ha-w- C:\IPH.PH

2010-01-21 23:45:51 0 d-----w- c:\program files\K1RFD

2010-01-21 21:03:47 266360 ----a-w- c:\windows\system32\TweakUI.exe

2010-01-21 21:03:47 160217 ----a-w- c:\windows\system32\PowerToysLicense.rtf

2010-01-21 21:01:35 0 d-----w- c:\program files\Tools

2010-01-21 20:35:33 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-01-21 03:52:21 0 d-----w- c:\program files\Alarm Programing

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 02:47:32 9823205 ----a-w- c:\program files\WPN111_SW_v3.0_setup.exe

2009-12-11 16:18:47 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\disowowu.dll

1601-01-01 00:03:28 43520 --sha-w- c:\windows\system32\dogubina.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\gayusomi.dll

1601-01-01 00:03:28 96256 --sha-w- c:\windows\system32\jobavito.dll

1601-01-01 00:03:28 44032 --sha-w- c:\windows\system32\jotufafu.dll

1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\jutepeso.dll

1601-01-01 00:03:28 52736 --sha-w- c:\windows\system32\midegida.dll

1601-01-01 00:03:28 66560 --sha-w- c:\windows\system32\nijetiyi.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\puzesale.dll

1601-01-01 00:03:28 48128 --sha-w- c:\windows\system32\rosotuse.dll

1601-01-01 00:03:28 53760 --sha-w- c:\windows\system32\sevikuji.dll

1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\sipaneya.dll

1601-01-01 00:03:28 43520 --sha-w- c:\windows\system32\tevajoge.dll

1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\wegubeva.dll

1601-01-01 00:03:28 100864 --sha-w- c:\windows\system32\wekavube.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\zavidegu.dll

1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\zugahohe.dll

============= FINISH: 17:10:51.20 ===============
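The two logs above carry the whole story for a responder: RootRepeal shows sdra64.exe and the lowsec directory hidden from the Windows API, and the DDS "Pseudo HJT Report" shows the same sdra64.exe appended to the Winlogon Userinit value, three random-name DLLs in AppInit_DLLs, the same DLLs registered as SSODL/STS shell objects, a non-default LSA notification package, and a block of system32 DLLs whose timestamps are the FILETIME epoch (1601-01-01) with hidden+system attributes. The script below is an added example, not part of this thread, DDS, RootRepeal or Malwarebytes: it parses a few constructed lines modelled on both logs, flags those persistence entries, and cross-references each flagged path against the RootRepeal hidden list. The consonant/vowel "random name" pattern and the assumption that scecli is the only stock LSA notification package on XP are my own heuristics, not signatures from any tool.

```python
"""Triage a DDS "Pseudo HJT Report" against RootRepeal hidden-file findings.

Added example for this thread; not part of DDS, RootRepeal, ComboFix or
Malwarebytes. Both samples are constructed from lines of the logs posted above.
"""
import re

# Constructed sample: the two RootRepeal findings from the first post.
ROOTREPEAL_SAMPLE = r"""
Path: C:\WINDOWS\system32\sdra64.exe
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\lowsec
Status: Invisible to the Windows API!
"""

# Constructed sample: a handful of DDS lines, benign and suspicious mixed.
DDS_SAMPLE = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [nawosover] Rundll32.exe "c:\windows\system32\wekavube.dll",a
AppInit_DLLs: system32\fesureto.dll sipaneya.dll c:\windows\system32\wekavube.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: viwofudaz - {a6f4f4c0-3415-42b1-991c-e5c4aca43906} - c:\windows\system32\wekavube.dll
LSA: Notification Packages = disowowu.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
1601-01-01 00:03:28 96256 --sha-w- c:\windows\system32\jobavito.dll
1601-01-01 00:03:28 100864 --sha-w- c:\windows\system32\wekavube.dll
"""

# Heuristic (mine, not a tool signature): eight lowercase letters in strict
# consonant/vowel alternation, e.g. "wekavube", "jobavito", the naming scheme
# of the DLL family in the log.
_RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$")

# Assumption: on XP the only stock LSA notification package is scecli.
_DEFAULT_LSA_PACKAGES = {"scecli", "scecli.dll"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(path):
    return bool(_RANDOM_NAME.match(basename(path)))


def parse_rootrepeal(text):
    """Set of lower-cased paths RootRepeal reported as invisible to the Windows API."""
    hidden, path = set(), None
    for line in text.splitlines():
        if line.startswith("Path:"):
            path = line[5:].strip().lower()
        elif line.startswith("Status:") and "Invisible" in line and path:
            hidden.add(path)
            path = None
    return hidden


def triage_dds(text, hidden=frozenset()):
    """One finding per suspicious DDS line; marks paths RootRepeal could not see."""
    findings = []

    def add(reason, path):
        p = path.lower()
        findings.append({"path": p, "reason": reason, "hidden": p in hidden})

    for line in text.splitlines():
        if line.startswith("mWinlogon: Userinit="):
            # Only userinit.exe belongs here; anything appended runs at every logon.
            for entry in line.split("=", 1)[1].split(","):
                entry = entry.strip()
                if entry and basename(entry) != "userinit.exe":
                    add("extra Userinit executable (runs at every logon)", entry)
        elif line.startswith("AppInit_DLLs:"):
            # A non-empty value loads these DLLs into every process that maps user32.
            for dll in line.split(":", 1)[1].split():
                add("AppInit_DLLs injection into every user32 process", dll)
        elif line.startswith("LSA: Notification Packages"):
            # Password-filter DLLs see plaintext credentials on every password change.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in _DEFAULT_LSA_PACKAGES:
                    add("non-default LSA notification package", pkg)
        elif line.startswith(("SSODL:", "STS:", "mRun:", "uRun:")):
            for dll in re.findall(r'[^\s"]+\.dll', line, re.I):
                if looks_random(dll):
                    add("random-name DLL in autostart entry", dll)
        elif line.startswith("1601-01-01 "):
            # 1601-01-01 is the FILETIME epoch: a zeroed timestamp, not an installer's.
            _date, _time, _size, attrs, path = line.split(None, 4)
            add("zeroed (stomped) timestamp, attrs %s" % attrs, path)
    return findings


def report(dds_text, rootrepeal_text):
    """Map each path to the set of reasons it was flagged, RootRepeal-only hits included."""
    hidden = parse_rootrepeal(rootrepeal_text)
    by_path = {}
    for f in triage_dds(dds_text, hidden):
        by_path.setdefault(f["path"], set()).add(f["reason"])
    for p in hidden:
        by_path.setdefault(p, set()).add("invisible to the Windows API (RootRepeal)")
    return by_path


if __name__ == "__main__":
    for path, reasons in sorted(report(DDS_SAMPLE, ROOTREPEAL_SAMPLE).items()):
        print(path)
        for r in sorted(reasons):
            print("    -", r)
```

On the constructed sample, sdra64.exe ends up with two reasons (Userinit hijack plus invisible to the API), wekavube.dll with four (Run key, AppInit_DLLs, SSODL, stomped timestamp), the lowsec directory appears from RootRepeal alone, and the legitimate SiSPower.dll, WPDShServiceObj.dll and srv.sys lines are not flagged. The same parser runs unchanged over the full DDS log above; the only part specific to this family is the name heuristic.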


2010-01-25 20:18:15 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-01-25 20:18:14 0 d-----w- C:\8bdcbc8428be23d7996c05cf

2010-01-25 20:15:16 0 d-----w- c:\program files\MSXML 6.0

2010-01-25 20:12:44 0 d-----w- c:\program files\Windows Desktop Search

2010-01-25 20:12:43 0 d-----w- c:\windows\system32\GroupPolicy

2010-01-25 20:12:23 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll

2010-01-25 20:12:22 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

2010-01-25 20:11:33 0 d-----w- c:\program files\Windows Media Connect 2

2010-01-25 20:05:36 0 d-----w- c:\windows\system32\URTTemp

2010-01-25 20:01:55 53248 ------w- c:\windows\system32\tsgqec.dll

2010-01-25 20:01:55 290304 ------w- c:\windows\system32\rhttpaa.dll

2010-01-25 20:01:55 136192 ------w- c:\windows\system32\aaclient.dll

2010-01-25 19:23:26 0 d-----w- c:\windows\network diagnostic

2010-01-25 19:22:47 33792 -c--a-w- c:\windows\system32\dllcache\custsat.dll

2010-01-25 19:19:16 69120 ------w- c:\windows\system32\wlanapi.dll

2010-01-25 19:19:06 50688 ------w- c:\windows\system32\tspkg.dll

2010-01-25 19:17:59 61440 ------w- c:\windows\system32\kmsvc.dll

2010-01-25 18:07:55 0 d-----w- c:\windows\system32\LogFiles

2010-01-25 17:45:20 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-01-25 17:45:20 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-01-25 17:45:09 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-25 17:42:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2010-01-25 17:40:51 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-01-25 17:40:45 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll

2010-01-25 17:37:42 353792 -c----w- c:\windows\system32\dllcache\srv.sys

2010-01-25 17:37:21 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-01-25 17:37:11 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2010-01-25 17:37:07 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2010-01-25 17:36:36 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2010-01-25 17:36:09 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-01-25 17:36:04 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2010-01-25 17:21:48 0 d-----w- c:\program files\msn gaming zone

2010-01-25 17:21:06 0 d-----w- c:\windows\system32\wbem\AutoRecover

2010-01-25 16:51:10 316640 ----a-w- c:\windows\WMSysPr9.prx

2010-01-25 16:50:14 0 d-----w- c:\windows\peernet

2010-01-25 16:50:13 0 d-----w- c:\windows\provisioning

2010-01-25 16:48:24 0 d-----w- c:\windows\ServicePackFiles

2010-01-25 16:41:05 0 d-----w- c:\windows\EHome

2010-01-25 03:41:35 0 d-----w- c:\program files\Siber Systems

2010-01-23 20:15:54 0 d-----w- c:\windows\RegisteredPackages

2010-01-23 20:13:40 0 d--h--w- c:\windows\msdownld.tmp

2010-01-23 20:13:31 0 d-----w- c:\windows\Logs

2010-01-23 19:59:13 11264 ------w- c:\windows\system32\spnpinst.exe

2010-01-23 19:59:12 7208 ------w- c:\windows\system32\secupd.sig

2010-01-23 19:59:12 67866 ------w- c:\windows\system32\drivers\netwlan5.img

2010-01-23 19:59:12 4569 ------w- c:\windows\system32\secupd.dat

2010-01-22 05:12:34 0 d-----w- c:\program files\TrustedQSL

2010-01-22 05:06:26 0 d-----w- c:\docume~1\bill\applic~1\TrustedQSL

2010-01-22 02:36:06 0 d-----w- c:\docume~1\bill\applic~1\PeaZip

2010-01-22 02:29:37 0 d-----w- c:\program files\PeaZip

2010-01-22 01:53:33 0 d-----w- c:\program files\Amateur Radio

2010-01-22 00:43:16 512 ----a-w- c:\windows\ODBC.INI

2010-01-22 00:19:26 0 d-----w- c:\program files\common files\Software Update Utility

2010-01-22 00:19:20 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM

2010-01-22 00:19:19 0 d-----w- c:\program files\AIM Search

2010-01-22 00:19:14 0 d-----w- c:\program files\AIM

2010-01-22 00:19:13 0 d-----w- c:\program files\common files\AOL

2010-01-22 00:19:07 455 ---ha-w- C:\IPH.PH

2010-01-21 23:45:51 0 d-----w- c:\program files\K1RFD

2010-01-21 21:03:47 266360 ----a-w- c:\windows\system32\TweakUI.exe

2010-01-21 21:03:47 160217 ----a-w- c:\windows\system32\PowerToysLicense.rtf

2010-01-21 21:01:35 0 d-----w- c:\program files\Tools

2010-01-21 20:35:33 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-01-21 03:52:21 0 d-----w- c:\program files\Alarm Programing

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 02:47:32 9823205 ----a-w- c:\program files\WPN111_SW_v3.0_setup.exe

2009-12-11 16:18:47 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\disowowu.dll

1601-01-01 00:03:28 43520 --sha-w- c:\windows\system32\dogubina.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\gayusomi.dll

1601-01-01 00:03:28 96256 --sha-w- c:\windows\system32\jobavito.dll

1601-01-01 00:03:28 44032 --sha-w- c:\windows\system32\jotufafu.dll

1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\jutepeso.dll

1601-01-01 00:03:28 52736 --sha-w- c:\windows\system32\midegida.dll

1601-01-01 00:03:28 66560 --sha-w- c:\windows\system32\nijetiyi.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\puzesale.dll

1601-01-01 00:03:28 48128 --sha-w- c:\windows\system32\rosotuse.dll

1601-01-01 00:03:28 53760 --sha-w- c:\windows\system32\sevikuji.dll

1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\sipaneya.dll

1601-01-01 00:03:28 43520 --sha-w- c:\windows\system32\tevajoge.dll

1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\wegubeva.dll

1601-01-01 00:03:28 100864 --sha-w- c:\windows\system32\wekavube.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\zavidegu.dll

1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\zugahohe.dll

============= FINISH: 17:10:51.20 ===============

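The Find3M block of the DDS log above shows the pattern a responder should be reading for: a set of eight-letter DLLs in system32 that carry both the system and hidden attributes (`--sha-w-`) and a creation time of 1601-01-01, the Windows FILETIME epoch, while every Microsoft file in the same listing carries `----a-w-` or `-c----w-` and a 2008-2010 date. Together with the two paths RootRepeal reported as invisible to the Windows API in the first post (sdra64.exe and the lowsec folder, the on-disk footprint of the Zeus/Zbot banking trojan), those are the indicators to pull out of a listing this long. The script below is an added example written for this page, not code from the thread or from the DDS, ComboFix or Malwarebytes tools: it parses both the DDS line form and the ComboFix line form (which adds a second timestamp after " . "), scores each entry against those indicators, and reports only entries with at least one strong indicator. The sample excerpt is constructed from lines copied from the logs on this page, and the `KNOWN_BAD_PATHS`, `STRONG` and `RANDOM_NAME` names are this example's own.

```python
"""Triage of the file listings DDS and ComboFix print ("Created Last 30",
"Find3M", "Other Deletions"), flagging the indicators visible in the log above."""
import re
from typing import Dict, List, Optional, Tuple

# One listing line in the DDS form
#   2010-02-16 19:00:23 21504 ----a-w- c:\windows\system32\hidserv.dll
# or the ComboFix form, which adds a second (modified) stamp after " . "
#   2010-02-16 19:00 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}(?::\d{2})?"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
BARE_PATH = re.compile(r"^[a-z]:\\", re.I)  # ComboFix's "Other Deletions" lists paths alone

# sdra64.exe plus the lowsec folder holding local.ds/user.ds is the on-disk
# footprint of the Zeus/Zbot banking trojan; RootRepeal reported both as
# hidden from the Windows API in the first post. (List name is this example's.)
KNOWN_BAD_PATHS = (
    r"c:\windows\system32\sdra64.exe",
    r"c:\windows\system32\lowsec",
)
# Eight lowercase letters and nothing else: the naming pattern of every
# 1601-dated DLL in the Find3M section above.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")

# Indicators that justify reporting an entry on their own.
STRONG = {"filetime-epoch timestamp", "system+hidden module", "known Zeus/Zbot path"}


def parse(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a listing line into (date, attrs, path); a bare path gets empty date/attrs."""
    line = line.strip()
    m = ENTRY.match(line)
    if m:
        return m["date"], m["attrs"], m["path"].lower()
    if BARE_PATH.match(line):
        return "", "", line.lower()
    return None


def assess(line: str) -> List[str]:
    """Return every indicator that fires for one line (empty list for benign or unparsable)."""
    parsed = parse(line)
    if parsed is None:
        return []
    date, attrs, path = parsed
    name = path.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    # 1601-01-01 is the Windows FILETIME epoch: a creation time seconds after
    # it was zeroed or forged, not written by an installer.
    if date.startswith("1601-01-01"):
        reasons.append("filetime-epoch timestamp")
    # system (s) + hidden (h) on a loadable module; the Microsoft files in the
    # same listing carry ----a-w- or -c----w-, never both s and h.
    if "s" in attrs and "h" in attrs and path.endswith((".dll", ".exe")):
        reasons.append("system+hidden module")
    # Weak on its own (kerberos.dll also has eight letters), so supporting only.
    if RANDOM_NAME.match(name) and "\\system32\\" in path:
        reasons.append("random 8-letter name in system32")
    if any(path == p or path.startswith(p + "\\") for p in KNOWN_BAD_PATHS):
        reasons.append("known Zeus/Zbot path")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map each path with at least one strong indicator to all indicators that fired."""
    hits: Dict[str, List[str]] = {}
    for line in log.splitlines():
        reasons = assess(line)
        if reasons and STRONG.intersection(reasons):
            hits[parse(line)[2]] = reasons
    return hits


# Constructed excerpt: benign lines copied from the listing above, two of the
# flagged DLLs, one ComboFix-format line and two bare paths from "Other Deletions".
SAMPLE_LOG = r"""
2010-02-16 19:00:23 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-31 05:07:47 0 d-sh--w- c:\documents and settings\bill\IETldCache
2010-01-21 20:35:33 301568 ----a-w- c:\windows\system32\kerberos.dll
1601-01-01 00:03:28 96256 --sha-w- c:\windows\system32\jobavito.dll
1601-01-01 00:03:52 52736 --sha-w- c:\windows\system32\jutepeso.dll
2010-02-16 19:00 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\lowsec\user.ds
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run against the sample, the two 1601-dated DLLs fire all three file indicators, the two bare Zeus paths fire the known-path indicator, and kerberos.dll (a legitimate eight-letter name from the same listing) is assessed but not reported, which is why the name pattern is treated as supporting evidence rather than a verdict. In the ComboFix log that follows, one of these DLLs, jutepeso.dll, is registered as a Browser Helper Object, the Windows Firewall is disabled (`EnableFirewall`= 0) and TCP 3389 is globally open; since the lowsec folder is where Zeus keeps its configuration and harvested data, a cleanup of this machine should end with every password used on it being changed from a clean one.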

Please find below the results of the ComboFix report. Screen 317 has been helping me thus far and requested I post this report.

ComboFix 10-02-19.03 - Bill 02/19/2010 18:09:50.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.469 [GMT -5:00]

Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\disowowu.dll

c:\windows\system32\dogubina.dll

c:\windows\system32\jotufafu.dll

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\rosotuse.dll

c:\windows\system32\sdra64.exe

c:\windows\system32\sipaneya.dll

c:\windows\system32\tevajoge.dll

c:\windows\system32\wegubeva.dll

c:\windows\system32\wekavube.dll

c:\windows\system32\zugahohe.dll

c:\windows\Tasks\fsmcvmqs.job

c:\windows\Temp\tmp3.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IPRIP

-------\Service_Iprip

((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))

.

2010-02-17 02:55 . 2010-02-17 02:55 -------- d-----w- c:\documents and settings\Bill\Application Data\Foxit Software

2010-02-16 19:00 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-02-16 19:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-02-16 19:00 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-02-16 19:00 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-02-16 04:13 . 2010-02-16 04:13 -------- d-----w- c:\documents and settings\Bill\Application Data\Foxit

2010-02-16 04:12 . 2010-02-16 04:13 -------- d-----w- c:\program files\Foxit Reader

2010-02-16 00:31 . 2010-02-16 00:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-02-02 04:16 . 2010-02-17 03:15 -------- d-----w- c:\documents and settings\Bill\Application Data\vlc

2010-02-02 04:15 . 2010-02-02 04:15 -------- d-----w- c:\program files\VLC

2010-02-02 03:57 . 2010-02-02 03:57 0 ----a-w- c:\windows\nsreg.dat

2010-02-02 03:57 . 2010-02-02 03:57 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Mozilla

2010-02-02 03:57 . 2010-02-02 03:57 -------- d-----w- c:\program files\ Firefox

2010-02-02 03:10 . 2010-02-02 03:23 -------- d-----w- c:\program files\VShaper

2010-01-31 05:11 . 2010-01-31 05:11 -------- d-sh--w- c:\documents and settings\Bill\IECompatCache

2010-01-31 05:09 . 2010-01-31 05:09 -------- d-sh--w- c:\documents and settings\Bill\PrivacIE

2010-01-31 05:08 . 2010-01-31 05:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-01-31 05:07 . 2010-01-31 05:07 -------- d-sh--w- c:\documents and settings\Bill\IETldCache

2010-01-31 05:04 . 2010-01-31 05:04 -------- d-----w- c:\windows\ie8updates

2010-01-31 05:00 . 2010-01-31 05:02 -------- dc-h--w- c:\windows\ie8

2010-01-31 04:58 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-01-31 04:58 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-01-31 04:58 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-01-26 19:55 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-01-26 03:09 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-01-26 01:19 . 2010-01-26 21:52 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\ApplicationHistory

2010-01-25 21:29 . 2010-01-25 21:29 -------- d-----w- c:\windows\system32\scripting

2010-01-25 21:29 . 2010-01-25 21:29 -------- d-----w- c:\windows\l2schemas

2010-01-25 21:29 . 2010-01-25 21:29 -------- d-----w- c:\windows\system32\en

2010-01-25 21:02 . 2010-01-25 21:02 -------- d-----w- c:\windows\ShellNew

2010-01-25 20:26 . 2010-01-25 20:26 -------- d-----w- c:\program files\Common Files\Windows Live

2010-01-25 20:19 . 2010-01-25 20:19 -------- d-----w- c:\windows\system32\XPSViewer

2010-01-25 20:19 . 2010-01-25 20:19 -------- d-----w- c:\program files\MSBuild

2010-01-25 20:18 . 2010-01-25 20:18 -------- d-----w- c:\program files\Reference Assemblies

2010-01-25 20:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-01-25 20:18 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-01-25 20:18 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-01-25 20:18 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-01-25 20:18 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-01-25 20:18 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-01-25 20:18 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-01-25 20:18 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-01-25 20:18 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-01-25 20:18 . 2010-01-25 20:18 -------- d-----w- C:\8bdcbc8428be23d7996c05cf

2010-01-25 20:15 . 2010-01-25 20:15 -------- d-----w- c:\program files\MSXML 6.0

2010-01-25 20:12 . 2010-01-25 20:35 -------- d-----w- c:\program files\Windows Desktop Search

2010-01-25 20:12 . 2010-01-25 20:12 -------- d-----w- c:\windows\system32\GroupPolicy

2010-01-25 20:12 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll

2010-01-25 20:12 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

2010-01-25 20:11 . 2010-01-25 20:11 -------- d-----w- c:\program files\Windows Media Connect 2

2010-01-25 20:10 . 2010-01-25 20:10 -------- d-----w- c:\windows\system32\drivers\UMDF

2010-01-25 20:05 . 2010-01-25 20:06 -------- d-----w- c:\windows\system32\URTTemp

2010-01-25 20:01 . 2008-04-14 00:12 53248 ------w- c:\windows\system32\tsgqec.dll

2010-01-25 20:01 . 2008-04-14 00:12 290304 ------w- c:\windows\system32\rhttpaa.dll

2010-01-25 20:01 . 2008-04-14 00:11 136192 ------w- c:\windows\system32\aaclient.dll

2010-01-25 19:27 . 2009-12-31 15:33 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe

2010-01-25 19:27 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-01-25 19:27 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-01-25 19:27 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-01-25 19:27 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-01-25 19:27 . 2009-03-08 09:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll

2010-01-25 19:27 . 2009-03-08 09:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll

2010-01-25 19:27 . 2009-02-07 02:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat

2010-01-25 19:22 . 2007-08-13 23:54 33792 -c--a-w- c:\windows\system32\dllcache\custsat.dll

2010-01-25 19:19 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll

2010-01-25 19:19 . 2008-04-14 00:12 50688 ------w- c:\windows\system32\tspkg.dll

2010-01-25 19:17 . 2008-04-14 00:11 61440 ------w- c:\windows\system32\kmsvc.dll

2010-01-25 18:07 . 2010-01-25 20:10 -------- d-----w- c:\windows\system32\LogFiles

2010-01-25 17:45 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-01-25 17:45 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-01-25 17:45 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-25 17:42 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2010-01-25 17:40 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-01-25 17:40 . 2009-06-10 14:19 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll

2010-01-25 17:37 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys

2010-01-25 17:37 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-01-25 17:37 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2010-01-25 17:37 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2010-01-25 17:36 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2010-01-25 17:36 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-01-25 17:36 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2010-01-25 17:21 . 2010-01-25 17:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-01-25 17:21 . 2010-01-25 21:30 -------- d-----w- c:\windows\system32\wbem\AutoRecover

2010-01-25 16:50 . 2010-01-25 21:29 -------- d-----w- c:\windows\peernet

2010-01-25 16:50 . 2010-01-25 16:50 -------- d-----w- c:\windows\provisioning

2010-01-25 16:48 . 2010-01-25 17:54 -------- d-----w- c:\windows\ServicePackFiles

2010-01-25 16:41 . 2010-01-25 21:14 -------- d-----w- c:\windows\EHome

2010-01-25 03:42 . 2010-01-25 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm

2010-01-25 03:41 . 2010-01-25 03:41 -------- d-----w- c:\program files\Siber Systems

2010-01-23 20:13 . 2010-01-23 20:14 -------- d--h--w- c:\windows\msdownld.tmp

2010-01-23 20:13 . 2010-01-23 20:13 -------- d-----w- c:\windows\Logs

2010-01-23 20:06 . 2010-02-09 04:33 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Temp

2010-01-23 20:06 . 2010-01-23 20:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-01-23 20:06 . 2010-02-09 04:35 -------- d-----w- c:\program files\Google

2010-01-23 20:06 . 2010-01-23 20:08 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Google

2010-01-23 19:59 . 2008-04-14 10:42 11264 ------w- c:\windows\system32\spnpinst.exe

2010-01-23 19:59 . 2004-08-02 19:20 4569 ------w- c:\windows\system32\secupd.dat

2010-01-22 05:12 . 2010-02-12 20:11 -------- d-----w- c:\program files\TrustedQSL

2010-01-22 05:06 . 2010-01-22 05:06 -------- d-----w- c:\documents and settings\Bill\Application Data\TrustedQSL

2010-01-22 02:36 . 2010-01-22 02:37 -------- d-----w- c:\documents and settings\Bill\Application Data\PeaZip

2010-01-22 02:29 . 2010-02-18 19:31 -------- d-----w- c:\program files\PeaZip

2010-01-22 01:53 . 2010-01-22 01:53 -------- d-----w- c:\program files\Amateur Radio

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\Bill\Application Data\acccore

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\AIM

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\AOL

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\Common Files\Software Update Utility

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\AIM Search

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\AIM

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\Common Files\AOL

2010-01-21 23:45 . 2010-01-21 23:45 53248 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Web_Site._B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 53248 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Support.u_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 45056 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.chm_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe11_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe1_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\ARPPRODUCTICON.exe

2010-01-21 23:45 . 2010-01-21 23:45 -------- d-----w- c:\program files\K1RFD

2010-01-21 21:03 . 2003-06-25 21:05 266360 ----a-w- c:\windows\system32\TweakUI.exe

2010-01-21 21:01 . 2010-02-18 18:10 -------- d-----w- c:\program files\Tools

2010-01-21 20:37 . 2008-04-14 00:11 1082368 ----a-w- c:\windows\system32\esent.dll

2010-01-21 20:37 . 2009-10-13 10:30 270336 ----a-w- c:\windows\system32\oakley.dll

2010-01-21 20:37 . 2008-04-14 00:12 32256 ----a-w- c:\windows\system32\winipsec.dll

2010-01-21 20:37 . 2008-04-14 00:12 105472 ----a-w- c:\windows\system32\polstore.dll

2010-01-21 20:37 . 2008-04-14 00:11 384000 ----a-w- c:\windows\system32\ipsmsnap.dll

2010-01-21 20:37 . 2008-04-14 00:11 349696 ----a-w- c:\windows\system32\ipsecsnp.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-15 16:54 . 2009-12-11 18:09 -------- d-----w- c:\documents and settings\Bill\Application Data\Simon Brown, HB9DRV

2010-02-03 05:21 . 2010-02-03 05:21 -------- d-----w- c:\program files\DivX

2010-02-03 05:21 . 2010-02-03 05:21 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-01-25 21:05 . 2009-12-22 00:39 15992 ----a-w- c:\documents and settings\Bill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-21 03:55 . 2009-12-11 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-21 03:52 . 2009-12-11 16:55 -------- d-----w- c:\program files\Common Files\InstallShield

2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-12-11 16:16 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 02:47 . 2009-12-14 02:47 9823205 ----a-w- c:\program files\WPN111_SW_v3.0_setup.exe

2009-12-11 17:53 . 2009-12-11 17:53 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-12-11 16:18 . 2009-12-11 16:18 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-12-08 19:27 . 2003-03-31 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2003-03-31 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2010-01-23 20:15 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11 . 2005-08-30 14:14 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07 . 2003-03-31 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2003-03-31 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\gayusomi.dll

1601-01-01 00:03 . 1601-01-01 00:03 52736 --sha-w- c:\windows\system32\jutepeso.dll

1601-01-01 00:03 . 1601-01-01 00:03 52736 --sha-w- c:\windows\system32\midegida.dll

1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\system32\nijetiyi.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\puzesale.dll

1601-01-01 00:03 . 1601-01-01 00:03 53760 --sha-w- c:\windows\system32\sevikuji.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\zavidegu.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5db1447d-5547-40e3-b075-6ade0b9e0d42}]

1601-01-01 00:03 52736 --sha-w- c:\windows\system32\jutepeso.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-25 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2007-04-10 53248]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 01000000

"NoWinKeys"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Rotator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Rotator.lnk

backup=c:\windows\pss\HRD Rotator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Satellite Tracking DDE Server.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Satellite Tracking DDE Server.lnk

backup=c:\windows\pss\HRD Satellite Tracking DDE Server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Satellite Tracking.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Satellite Tracking.lnk

backup=c:\windows\pss\HRD Satellite Tracking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Synchroniser.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Synchroniser.lnk

backup=c:\windows\pss\HRD Synchroniser.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mapper.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Mapper.lnk

backup=c:\windows\pss\Mapper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Uninstall.lnk

backup=c:\windows\pss\Uninstall.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"idsvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HamRadioDeluxe.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Program Files\\Outlook Express\\msimn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5200:UDP"= 5200:UDP:Echolink

"5198:TCP"= 5198:TCP:Echolink

"5199:TCP"= 5199:TCP:Echolink

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/23/2010 3:06 PM 135664]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [12/11/2009 12:53 PM 17149]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys --> c:\windows\system32\DRIVERS\WPN111.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\vndapnzr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\ Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\ Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\ Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\ Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\ Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\ Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\ Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\ Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\ Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\ Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\ Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll

HKLM-Run-nawosover - c:\windows\system32\wekavube.dll

HKLM-Run-hurajagora - disowowu.dll

SharedTaskScheduler-{a5a0f9f5-0225-4d5f-a939-a81667958ca0} - c:\windows\system32\fesureto.dll

SharedTaskScheduler-{a6f4f4c0-3415-42b1-991c-e5c4aca43906} - c:\windows\system32\wekavube.dll

SSODL-mobidahus-{a5a0f9f5-0225-4d5f-a939-a81667958ca0} - c:\windows\system32\fesureto.dll

SSODL-viwofudaz-{a6f4f4c0-3415-42b1-991c-e5c4aca43906} - c:\windows\system32\wekavube.dll

MSConfigStartUp-ClamWin - c:\program files\ClamWin\bin\ClamTray.exe

MSConfigStartUp-Mouse Suite 98 Daemon - PELMICED.EXE

MSConfigStartUp-nawosover - c:\windows\system32\jobavito.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-19 18:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1563985344-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1788)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\tcpsvcs.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-02-19 18:24:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-19 23:24

Pre-Run: 24,260,476,928 bytes free

Post-Run: 26,022,162,432 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A6249ADD80A338A26157D7EAD5197353


Hi wrench,

I am now subscribed to this topic and will receive notifications of your replies.

Please grab a new copy of ComboFix (delete your current version), run it, post its log, and we'll take it from there.

-screen317

I do so much apologize if I am screwing things up, just unfamiliar and have no tutor. I have seen several things listed unrecognizable to me and they are dated 1601. Maybe the culprits?

Thanks again for your work, you must really enjoy doing this. Many folks are grateful! Results of scan:

ComboFix 10-02-21.02 - Bill 02/22/2010 4:33.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.384 [GMT -5:00]

Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\feyumaze.dll

c:\windows\system32\golosufu.dll

c:\windows\system32\libupune.dll

c:\windows\system32\saduyaya.dll

c:\windows\system32\yojonaso.dll

c:\windows\system32\zagodowi.dll

.

((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))

.

2010-02-21 04:12 . 2010-02-21 04:12 -------- d-----w- c:\documents and settings\Bill\Application Data\ElevatedDiagnostics

2010-02-21 04:11 . 2010-02-21 04:11 -------- d-----w- c:\program files\Microsoft ATS

2010-02-20 20:29 . 2010-02-20 20:29 -------- d-----w- c:\windows\system32\NtmsData

2010-02-20 19:05 . 2008-04-13 18:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2010-02-19 23:55 . 2010-02-19 23:55 -------- d-----w- c:\documents and settings\Bill\Application Data\AVG8

2010-02-17 02:55 . 2010-02-17 02:55 -------- d-----w- c:\documents and settings\Bill\Application Data\Foxit Software

2010-02-16 19:00 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-02-16 19:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-02-16 19:00 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-02-16 19:00 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-02-16 04:13 . 2010-02-16 04:13 -------- d-----w- c:\documents and settings\Bill\Application Data\Foxit

2010-02-16 04:12 . 2010-02-16 04:13 -------- d-----w- c:\program files\Foxit Reader

2010-02-16 00:31 . 2010-02-16 00:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-02-02 04:16 . 2010-02-20 19:37 -------- d-----w- c:\documents and settings\Bill\Application Data\vlc

2010-02-02 04:15 . 2010-02-02 04:15 -------- d-----w- c:\program files\VLC

2010-02-02 03:57 . 2010-02-02 03:57 0 ----a-w- c:\windows\nsreg.dat

2010-02-02 03:57 . 2010-02-02 03:57 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Mozilla

2010-02-02 03:57 . 2010-02-02 03:57 -------- d-----w- c:\program files\ Firefox

2010-02-02 03:10 . 2010-02-02 03:23 -------- d-----w- c:\program files\VShaper

2010-01-31 05:11 . 2010-01-31 05:11 -------- d-sh--w- c:\documents and settings\Bill\IECompatCache

2010-01-31 05:09 . 2010-01-31 05:09 -------- d-sh--w- c:\documents and settings\Bill\PrivacIE

2010-01-31 05:08 . 2010-01-31 05:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-01-31 05:07 . 2010-01-31 05:07 -------- d-sh--w- c:\documents and settings\Bill\IETldCache

2010-01-31 05:04 . 2010-01-31 05:04 -------- d-----w- c:\windows\ie8updates

2010-01-31 05:00 . 2010-01-31 05:02 -------- dc-h--w- c:\windows\ie8

2010-01-31 04:58 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-01-31 04:58 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-01-31 04:58 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-01-26 19:55 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-01-26 03:09 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-01-26 01:19 . 2010-01-26 21:52 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\ApplicationHistory

2010-01-25 21:29 . 2010-01-25 21:29 -------- d-----w- c:\windows\system32\scripting

2010-01-25 21:29 . 2010-01-25 21:29 -------- d-----w- c:\windows\l2schemas

2010-01-25 21:29 . 2010-01-25 21:29 -------- d-----w- c:\windows\system32\en

2010-01-25 21:02 . 2010-01-25 21:02 -------- d-----w- c:\windows\ShellNew

2010-01-25 20:26 . 2010-01-25 20:26 -------- d-----w- c:\program files\Common Files\Windows Live

2010-01-25 20:19 . 2010-01-25 20:19 -------- d-----w- c:\windows\system32\XPSViewer

2010-01-25 20:19 . 2010-01-25 20:19 -------- d-----w- c:\program files\MSBuild

2010-01-25 20:18 . 2010-01-25 20:18 -------- d-----w- c:\program files\Reference Assemblies

2010-01-25 20:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-01-25 20:18 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-01-25 20:18 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-01-25 20:18 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-01-25 20:18 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-01-25 20:18 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-01-25 20:18 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-01-25 20:18 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-01-25 20:18 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-01-25 20:18 . 2010-01-25 20:18 -------- d-----w- C:\8bdcbc8428be23d7996c05cf

2010-01-25 20:15 . 2010-01-25 20:15 -------- d-----w- c:\program files\MSXML 6.0

2010-01-25 20:12 . 2010-01-25 20:35 -------- d-----w- c:\program files\Windows Desktop Search

2010-01-25 20:12 . 2010-01-25 20:12 -------- d-----w- c:\windows\system32\GroupPolicy

2010-01-25 20:12 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll

2010-01-25 20:12 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

2010-01-25 20:11 . 2010-01-25 20:11 -------- d-----w- c:\program files\Windows Media Connect 2

2010-01-25 20:10 . 2010-01-25 20:10 -------- d-----w- c:\windows\system32\drivers\UMDF

2010-01-25 20:05 . 2010-01-25 20:06 -------- d-----w- c:\windows\system32\URTTemp

2010-01-25 20:01 . 2008-04-14 00:12 53248 ------w- c:\windows\system32\tsgqec.dll

2010-01-25 20:01 . 2008-04-14 00:12 290304 ------w- c:\windows\system32\rhttpaa.dll

2010-01-25 20:01 . 2008-04-14 00:11 136192 ------w- c:\windows\system32\aaclient.dll

2010-01-25 19:27 . 2009-12-31 15:33 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe

2010-01-25 19:27 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-01-25 19:27 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-01-25 19:27 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-01-25 19:27 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-01-25 19:27 . 2009-03-08 09:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll

2010-01-25 19:27 . 2009-03-08 09:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll

2010-01-25 19:27 . 2009-02-07 02:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat

2010-01-25 19:22 . 2007-08-13 23:54 33792 -c--a-w- c:\windows\system32\dllcache\custsat.dll

2010-01-25 19:19 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll

2010-01-25 19:19 . 2008-04-14 00:12 50688 ------w- c:\windows\system32\tspkg.dll

2010-01-25 19:17 . 2008-04-14 00:11 61440 ------w- c:\windows\system32\kmsvc.dll

2010-01-25 18:07 . 2010-01-25 20:10 -------- d-----w- c:\windows\system32\LogFiles

2010-01-25 17:45 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-01-25 17:45 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-01-25 17:45 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-25 17:42 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2010-01-25 17:40 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-01-25 17:40 . 2009-06-10 14:19 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll

2010-01-25 17:37 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys

2010-01-25 17:37 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-01-25 17:37 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2010-01-25 17:37 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2010-01-25 17:36 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2010-01-25 17:36 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-01-25 17:36 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2010-01-25 17:21 . 2010-01-25 17:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-01-25 17:21 . 2010-01-25 21:30 -------- d-----w- c:\windows\system32\wbem\AutoRecover

2010-01-25 16:50 . 2010-01-25 21:29 -------- d-----w- c:\windows\peernet

2010-01-25 16:50 . 2010-01-25 16:50 -------- d-----w- c:\windows\provisioning

2010-01-25 16:48 . 2010-01-25 17:54 -------- d-----w- c:\windows\ServicePackFiles

2010-01-25 16:41 . 2010-01-25 21:14 -------- d-----w- c:\windows\EHome

2010-01-25 03:42 . 2010-01-25 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm

2010-01-25 03:41 . 2010-01-25 03:41 -------- d-----w- c:\program files\Siber Systems

2010-01-23 20:13 . 2010-01-23 20:14 -------- d--h--w- c:\windows\msdownld.tmp

2010-01-23 20:13 . 2010-01-23 20:13 -------- d-----w- c:\windows\Logs

2010-01-23 20:06 . 2010-02-09 04:33 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Temp

2010-01-23 20:06 . 2010-01-23 20:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-01-23 20:06 . 2010-02-09 04:35 -------- d-----w- c:\program files\Google

2010-01-23 20:06 . 2010-01-23 20:08 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Google

2010-01-23 19:59 . 2008-04-14 10:42 11264 ------w- c:\windows\system32\spnpinst.exe

2010-01-23 19:59 . 2004-08-02 19:20 4569 ------w- c:\windows\system32\secupd.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-21 04:44 . 2009-12-11 18:09 -------- d-----w- c:\documents and settings\Bill\Application Data\Simon Brown, HB9DRV

2010-02-20 04:44 . 2010-01-21 21:01 -------- d-----w- c:\program files\Tools

2010-02-20 04:08 . 2010-01-22 05:12 -------- d-----w- c:\program files\TrustedQSL

2010-02-18 19:31 . 2010-01-22 02:29 -------- d-----w- c:\program files\PeaZip

2010-02-03 05:21 . 2010-02-03 05:21 -------- d-----w- c:\program files\DivX

2010-02-03 05:21 . 2010-02-03 05:21 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-01-25 21:05 . 2009-12-22 00:39 15992 ----a-w- c:\documents and settings\Bill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-22 05:06 . 2010-01-22 05:06 -------- d-----w- c:\documents and settings\Bill\Application Data\TrustedQSL

2010-01-22 02:37 . 2010-01-22 02:36 -------- d-----w- c:\documents and settings\Bill\Application Data\PeaZip

2010-01-22 01:53 . 2010-01-22 01:53 -------- d-----w- c:\program files\Amateur Radio

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\Bill\Application Data\acccore

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\Common Files\Software Update Utility

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\AIM Search

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\AIM

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\Common Files\AOL

2010-01-21 23:45 . 2010-01-21 23:45 53248 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Web_Site._B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 53248 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Support.u_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 45056 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.chm_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe11_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe1_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\ARPPRODUCTICON.exe

2010-01-21 23:45 . 2010-01-21 23:45 -------- d-----w- c:\program files\K1RFD

2010-01-21 03:55 . 2009-12-11 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-21 03:52 . 2009-12-11 16:55 -------- d-----w- c:\program files\Common Files\InstallShield

2010-01-21 03:52 . 2010-01-21 03:52 -------- d-----w- c:\program files\Alarm Programing

2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2006-06-23 16:33 916480 ------w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-12-11 16:16 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 02:47 . 2009-12-14 02:47 9823205 ----a-w- c:\program files\WPN111_SW_v3.0_setup.exe

2009-12-11 17:53 . 2009-12-11 17:53 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-12-11 16:18 . 2009-12-11 16:18 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-12-08 19:27 . 2003-03-31 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2003-03-31 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2010-01-23 20:15 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11 . 2005-08-30 14:14 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07 . 2003-03-31 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2003-03-31 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\gayusomi.dll

1601-01-01 00:03 . 1601-01-01 00:03 52736 --sha-w- c:\windows\system32\jutepeso.dll

1601-01-01 00:03 . 1601-01-01 00:03 52736 --sha-w- c:\windows\system32\midegida.dll

1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\system32\nijetiyi.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\puzesale.dll

1601-01-01 00:03 . 1601-01-01 00:03 53760 --sha-w- c:\windows\system32\sevikuji.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\zavidegu.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5db1447d-5547-40e3-b075-6ade0b9e0d42}]

1601-01-01 00:03 52736 --sha-w- c:\windows\system32\jutepeso.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-25 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"SiSPower"="SiSPower.dll" [2007-04-10 53248]

"nawosover"="c:\windows\system32\saduyaya.dll" [bU]

"hurajagora"="disowowu.dll" [bU]

c:\documents and settings\Bill\My Documents\Startup\

Ham Radio Deluxe.lnk - c:\program files\Amateur Radio\Ham Radio Deluxe\HamRadioDeluxe.exe [2010-1-21 13369415]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 01000000

"NoWinKeys"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Rotator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Rotator.lnk

backup=c:\windows\pss\HRD Rotator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Satellite Tracking DDE Server.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Satellite Tracking DDE Server.lnk

backup=c:\windows\pss\HRD Satellite Tracking DDE Server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Satellite Tracking.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Satellite Tracking.lnk

backup=c:\windows\pss\HRD Satellite Tracking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Synchroniser.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Synchroniser.lnk

backup=c:\windows\pss\HRD Synchroniser.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mapper.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Mapper.lnk

backup=c:\windows\pss\Mapper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Uninstall.lnk

backup=c:\windows\pss\Uninstall.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bill^My Documents^Startup^Ham Radio Deluxe.lnk]

path=c:\documents and settings\Bill\My Documents\Startup\Ham Radio Deluxe.lnk

backup=c:\windows\pss\Ham Radio Deluxe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nawosover]

c:\windows\system32\huhukuge.dll [bU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HamRadioDeluxe.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Program Files\\Outlook Express\\msimn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5200:UDP"= 5200:UDP:Echolink

"5198:TCP"= 5198:TCP:Echolink

"5199:TCP"= 5199:TCP:Echolink

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/23/2010 3:06 PM 135664]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [12/11/2009 12:53 PM 17149]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys --> c:\windows\system32\DRIVERS\WPN111.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\vndapnzr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\ Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\ Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\ Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\ Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\ Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\ Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\ Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\ Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\ Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\ Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\ Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

SharedTaskScheduler-{00467c9e-928a-4be9-b94a-678602e6e95c} - c:\windows\system32\saduyaya.dll

SSODL-vurevihan-{00467c9e-928a-4be9-b94a-678602e6e95c} - c:\windows\system32\saduyaya.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-22 04:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1563985344-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2584)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\netdde.exe

c:\windows\System32\tcpsvcs.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-02-22 04:47:24 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-22 09:47

Pre-Run: 29,088,161,792 bytes free

Post-Run: 29,315,158,016 bytes free

- - End Of File - - 23B1D43227BF9DCD74E6FAE6979EA827


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=40747
Collect::
c:\windows\system32\gayusomi.dll
c:\windows\system32\jutepeso.dll
c:\windows\system32\midegida.dll
c:\windows\system32\nijetiyi.dll
c:\windows\system32\puzesale.dll
c:\windows\system32\sevikuji.dll
c:\windows\system32\zavidegu.dll
KILLALL::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5db1447d-5547-40e3-b075-6ade0b9e0d42}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nawosover"=-
"hurajagora"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nawosover]

Save this as CFScript.txt

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


ComboFix 10-02-24.01 - Bill 02/24/2010 23:05:31.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.422 [GMT -5:00]

Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bill\Desktop\CFScript.txt

file zipped: c:\windows\system32\gayusomi.dll

file zipped: c:\windows\system32\jutepeso.dll

file zipped: c:\windows\system32\midegida.dll

file zipped: c:\windows\system32\nijetiyi.dll

file zipped: c:\windows\system32\puzesale.dll

file zipped: c:\windows\system32\sevikuji.dll

file zipped: c:\windows\system32\zavidegu.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\gayusomi.dll

c:\windows\system32\gugatemi.dll

c:\windows\system32\jutepeso.dll

c:\windows\system32\midegida.dll

c:\windows\system32\nijetiyi.dll

c:\windows\system32\nominenu.dll

c:\windows\system32\puzesale.dll

c:\windows\system32\raritazu.dll

c:\windows\system32\sevikuji.dll

c:\windows\system32\tesifeke.dll

c:\windows\system32\tolataga.dll

c:\windows\system32\zavidegu.dll

.

((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))

.

2010-02-22 11:06 . 2010-02-22 11:06 -------- d-----w- c:\windows\Time Stopper

2010-02-22 11:06 . 2010-02-22 11:06 -------- d-----w- c:\program files\Time Stopper

2010-02-21 04:12 . 2010-02-21 04:12 -------- d-----w- c:\documents and settings\Bill\Application Data\ElevatedDiagnostics

2010-02-21 04:11 . 2010-02-21 04:11 -------- d-----w- c:\program files\Microsoft ATS

2010-02-20 20:29 . 2010-02-20 20:29 -------- d-----w- c:\windows\system32\NtmsData

2010-02-20 19:05 . 2008-04-13 18:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2010-02-19 23:55 . 2010-02-19 23:55 -------- d-----w- c:\documents and settings\Bill\Application Data\AVG8

2010-02-17 02:55 . 2010-02-17 02:55 -------- d-----w- c:\documents and settings\Bill\Application Data\Foxit Software

2010-02-16 19:00 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-02-16 19:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-02-16 19:00 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-02-16 19:00 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-02-16 04:13 . 2010-02-16 04:13 -------- d-----w- c:\documents and settings\Bill\Application Data\Foxit

2010-02-16 04:12 . 2010-02-16 04:13 -------- d-----w- c:\program files\Foxit Reader

2010-02-16 00:31 . 2010-02-16 00:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-02-02 04:16 . 2010-02-20 19:37 -------- d-----w- c:\documents and settings\Bill\Application Data\vlc

2010-02-02 04:15 . 2010-02-02 04:15 -------- d-----w- c:\program files\VLC

2010-02-02 03:57 . 2010-02-02 03:57 0 ----a-w- c:\windows\nsreg.dat

2010-02-02 03:57 . 2010-02-02 03:57 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Mozilla

2010-02-02 03:57 . 2010-02-02 03:57 -------- d-----w- c:\program files\ Firefox

2010-02-02 03:10 . 2010-02-02 03:23 -------- d-----w- c:\program files\VShaper

2010-01-31 05:11 . 2010-01-31 05:11 -------- d-sh--w- c:\documents and settings\Bill\IECompatCache

2010-01-31 05:09 . 2010-01-31 05:09 -------- d-sh--w- c:\documents and settings\Bill\PrivacIE

2010-01-31 05:08 . 2010-01-31 05:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-01-31 05:07 . 2010-01-31 05:07 -------- d-sh--w- c:\documents and settings\Bill\IETldCache

2010-01-31 05:04 . 2010-01-31 05:04 -------- d-----w- c:\windows\ie8updates

2010-01-31 05:00 . 2010-01-31 05:02 -------- dc-h--w- c:\windows\ie8

2010-01-31 04:58 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-01-31 04:58 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-01-31 04:58 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-01-26 19:55 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-23 12:30 . 2009-12-11 18:09 -------- d-----w- c:\documents and settings\Bill\Application Data\Simon Brown, HB9DRV

2010-02-23 06:15 . 2010-01-22 05:12 -------- d-----w- c:\program files\TrustedQSL

2010-02-23 05:27 . 2010-01-21 21:01 -------- d-----w- c:\program files\Tools

2010-02-18 19:31 . 2010-01-22 02:29 -------- d-----w- c:\program files\PeaZip

2010-02-09 04:35 . 2010-01-23 20:06 -------- d-----w- c:\program files\Google

2010-02-03 05:21 . 2010-02-03 05:21 -------- d-----w- c:\program files\DivX

2010-02-03 05:21 . 2010-02-03 05:21 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-01-25 21:05 . 2009-12-22 00:39 15992 ----a-w- c:\documents and settings\Bill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-25 20:35 . 2010-01-25 20:12 -------- d-----w- c:\program files\Windows Desktop Search

2010-01-25 20:26 . 2010-01-25 20:26 -------- d-----w- c:\program files\Common Files\Windows Live

2010-01-25 20:19 . 2010-01-25 20:19 -------- d-----w- c:\program files\MSBuild

2010-01-25 20:18 . 2010-01-25 20:18 -------- d-----w- c:\program files\Reference Assemblies

2010-01-25 20:15 . 2010-01-25 20:15 -------- d-----w- c:\program files\MSXML 6.0

2010-01-25 20:11 . 2010-01-25 20:11 -------- d-----w- c:\program files\Windows Media Connect 2

2010-01-25 03:42 . 2010-01-25 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm

2010-01-25 03:41 . 2010-01-25 03:41 -------- d-----w- c:\program files\Siber Systems

2010-01-22 05:06 . 2010-01-22 05:06 -------- d-----w- c:\documents and settings\Bill\Application Data\TrustedQSL

2010-01-22 02:37 . 2010-01-22 02:36 -------- d-----w- c:\documents and settings\Bill\Application Data\PeaZip

2010-01-22 01:53 . 2010-01-22 01:53 -------- d-----w- c:\program files\Amateur Radio

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\Bill\Application Data\acccore

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\Common Files\Software Update Utility

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\AIM Search

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\AIM

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\Common Files\AOL

2010-01-21 23:45 . 2010-01-21 23:45 53248 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Web_Site._B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 53248 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Support.u_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 45056 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.chm_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe11_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe1_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\ARPPRODUCTICON.exe

2010-01-21 23:45 . 2010-01-21 23:45 -------- d-----w- c:\program files\K1RFD

2010-01-21 03:55 . 2009-12-11 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-21 03:52 . 2009-12-11 16:55 -------- d-----w- c:\program files\Common Files\InstallShield

2010-01-21 03:52 . 2010-01-21 03:52 -------- d-----w- c:\program files\Alarm Programing

2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2006-06-23 16:33 916480 ------w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-12-11 16:16 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 02:47 . 2009-12-14 02:47 9823205 ----a-w- c:\program files\WPN111_SW_v3.0_setup.exe

2009-12-11 17:53 . 2009-12-11 17:53 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-12-11 16:18 . 2009-12-11 16:18 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-12-08 19:27 . 2003-03-31 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2003-03-31 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2010-01-23 20:15 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11 . 2005-08-30 14:14 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07 . 2003-03-31 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2003-03-31 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll

1601-01-01 00:03 . 1601-01-01 00:03 101376 --sha-w- c:\windows\system32\dezogewi.dll

1601-01-01 00:03 . 1601-01-01 00:03 101376 --sha-w- c:\windows\system32\jajulaze.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-25 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"SiSPower"="SiSPower.dll" [2007-04-10 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Ham Radio Deluxe.lnk - c:\program files\Amateur Radio\Ham Radio Deluxe\HamRadioDeluxe.exe [2010-1-21 13484103]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 01000000

"NoWinKeys"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Master 780.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Master 780.lnk

backup=c:\windows\pss\Digital Master 780.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Logbook.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Logbook.lnk

backup=c:\windows\pss\HRD Logbook.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Rotator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Rotator.lnk

backup=c:\windows\pss\HRD Rotator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Satellite Tracking DDE Server.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Satellite Tracking DDE Server.lnk

backup=c:\windows\pss\HRD Satellite Tracking DDE Server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Satellite Tracking.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Satellite Tracking.lnk

backup=c:\windows\pss\HRD Satellite Tracking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Synchroniser.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Synchroniser.lnk

backup=c:\windows\pss\HRD Synchroniser.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mapper.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Mapper.lnk

backup=c:\windows\pss\Mapper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Uninstall.lnk

backup=c:\windows\pss\Uninstall.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bill^My Documents^Startup^Ham Radio Deluxe.lnk]

path=c:\documents and settings\Bill\My Documents\Startup\Ham Radio Deluxe.lnk

backup=c:\windows\pss\Ham Radio Deluxe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HamRadioDeluxe.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Program Files\\Outlook Express\\msimn.exe"=

"c:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5200:UDP"= 5200:UDP:Echolink

"5198:TCP"= 5198:TCP:Echolink

"5199:TCP"= 5199:TCP:Echolink

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/23/2010 3:06 PM 135664]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [12/11/2009 12:53 PM 17149]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys --> c:\windows\system32\DRIVERS\WPN111.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\vndapnzr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\ Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\ Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\ Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\ Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\ Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\ Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\ Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\ Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\ Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\ Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\ Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

SharedTaskScheduler-{fa9acc2d-133d-4dc1-aa61-0d33101700aa} - c:\windows\system32\tesifeke.dll

SSODL-lejayejor-{fa9acc2d-133d-4dc1-aa61-0d33101700aa} - c:\windows\system32\tesifeke.dll

MSConfigStartUp-hurajagora - disowowu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-24 23:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1563985344-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1200)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\netdde.exe

c:\windows\System32\tcpsvcs.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-02-24 23:20:18 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-25 04:20

Pre-Run: 29,070,479,360 bytes free

Post-Run: 29,039,595,520 bytes free

- - End Of File - - EBE6B5E89058BE5F1B3EA057F70247F7


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=40747
Collect::
c:\windows\system32\dezogewi.dll
c:\windows\system32\jajulaze.dll

Save this as CFScript.txt

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

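The Collect:: request above singles out the two DLLs whose Find3M lines carry a 1601-01-01 timestamp and --sha-w- attributes, and the earlier logs show the same pattern of eight-letter DLLs wired in through SSODL and SharedTaskScheduler entries, a disabled firewall and a globally open 3389/TCP. The script below is an added example written for this thread, not part of ComboFix or of any post here: it applies those triage heuristics to ComboFix-style log lines and emits a Collect:: section for the files that score high. The regular expressions model the line formats exactly as they appear in the logs above, the sample lines are constructed here rather than copied from one run, and KNOWN_PORTS is an illustrative map you would extend yourself. The eight-letter name test is deliberately scored low on its own, since legitimate DLLs with eight-letter names (setupapi.dll, wintrust.dll, schannel.dll) are common; Collect:: only zips files for analysis and deletes nothing, so a person still decides what is removed.

```python
"""Triage heuristics over ComboFix-style log lines.

Added example, not ComboFix code. It flags the indicators the thread's logs
showed: files whose Find3M timestamps are 1601-01-01 (FILETIME zero, a sign
of stomped timestamps), files with system+hidden attributes, eight-letter
random DLL names, SSODL/SharedTaskScheduler/MSConfig autostart entries that
load such DLLs or point at nothing, the XP firewall turned off, and globally
open inbound ports. Collect:: directives are built for high-severity files
only; Collect:: zips files for analysis and deletes nothing.
"""
import re

# Constructed sample in the format ComboFix prints; names are those from the
# thread's logs, but the lines are assembled here, not copied from one run.
SAMPLE_LOG = r"""
2010-02-16 19:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-02-16 00:31 . 2010-02-16 00:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
1601-01-01 00:03 . 1601-01-01 00:03 101376 --sha-w- c:\windows\system32\dezogewi.dll
1601-01-01 00:03 . 1601-01-01 00:03 101376 --sha-w- c:\windows\system32\jajulaze.dll
URLSearchHooks-HookURL - (no file)
SharedTaskScheduler-{fa9acc2d-133d-4dc1-aa61-0d33101700aa} - c:\windows\system32\tesifeke.dll
SSODL-lejayejor-{fa9acc2d-133d-4dc1-aa61-0d33101700aa} - c:\windows\system32\tesifeke.dll
MSConfigStartUp-hurajagora - disowowu.dll
"EnableFirewall"= 0 (0x0)
"5200:UDP"= 5200:UDP:Echolink
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Line formats as ComboFix prints them in the logs above (modelled, assumed).
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
AUTOSTART_LINE = re.compile(
    r"^(?P<hook>SSODL|SharedTaskScheduler|MSConfigStartUp|URLSearchHooks)-"
    r"(?P<name>\S+) - (?P<target>.+)$"
)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"= 0\b')
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"= ')
# Exactly eight letters before .dll, as in the names the thread's logs show.
# Legitimate DLLs with eight-letter names exist, so this scores low alone.
RANDOM_DLL = re.compile(r"(?:^|\\)[a-z]{8}\.dll$", re.IGNORECASE)
KNOWN_PORTS = {3389: "Remote Desktop"}  # illustrative annotation only


def assess_file(created, modified, attrs, path):
    """Score one file line; (0, []) means nothing notable."""
    if attrs.startswith("d"):  # directory entries get none of the file checks
        return 0, []
    score, reasons = 0, []
    if created.startswith("1601-") or modified.startswith("1601-"):
        score += 2
        reasons.append("1601-01-01 timestamp (FILETIME zero, stomped)")
    if "s" in attrs and "h" in attrs:
        score += 2
        reasons.append("system+hidden attributes on a file")
    if RANDOM_DLL.search(path):
        score += 1
        reasons.append("eight-letter DLL name")
    return score, reasons


def triage(log_text):
    """Return a list of findings, each a dict with kind/item/severity/reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            score, reasons = assess_file(m["created"], m["modified"], m["attrs"], m["path"])
            if score:
                findings.append({"kind": "file", "item": m["path"],
                                 "severity": "high" if score >= 2 else "low",
                                 "reasons": reasons})
            continue
        m = AUTOSTART_LINE.match(line)
        if m:
            target = m["target"]
            if target == "(no file)":
                findings.append({"kind": "autostart", "item": f"{m['hook']}:{m['name']}",
                                 "severity": "low", "reasons": ["orphaned entry, target missing"]})
            elif RANDOM_DLL.search(target):
                findings.append({"kind": "autostart", "item": f"{m['hook']}:{m['name']}",
                                 "severity": "high",
                                 "reasons": [f"{m['hook']} loads eight-letter DLL {target}"]})
            continue
        if FIREWALL_OFF.match(line):
            findings.append({"kind": "config", "item": "EnableFirewall", "severity": "high",
                             "reasons": ["Windows Firewall disabled for the standard profile"]})
            continue
        m = OPEN_PORT.match(line)
        if m:
            port = int(m["port"])
            reason = "globally open inbound port"
            if port in KNOWN_PORTS:
                reason += f" ({KNOWN_PORTS[port]})"
            findings.append({"kind": "config", "item": f"{port}/{m['proto']}",
                             "severity": "high" if port in KNOWN_PORTS else "low",
                             "reasons": [reason]})
    return findings


def collect_directives(findings):
    """Collect:: section of a CFScript for the high-severity files ('' if none)."""
    paths = [f["item"] for f in findings if f["kind"] == "file" and f["severity"] == "high"]
    return "Collect::\n" + "\n".join(paths) if paths else ""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['kind']}: {f['item']} -> {'; '.join(f['reasons'])}")
    print(collect_directives(triage(SAMPLE_LOG)))
```

Run it against a saved ComboFix log by passing the file's contents to triage(); on the constructed sample the two 1601-stamped DLLs come out high while hidserv.dll and the IETldCache directory are not listed, and the output Collect:: block is the same pair the reply above asks for.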

All systems at this time seem to be operating quite well. I have only noticed one problem, that being my wireless keyboard has intermittent dropouts; this may be unrelated. I continue to be amazed at the diligence with which you work on these files. I cannot express my gratitude with simple thanks. The requested report follows:

ComboFix 10-03-04.02 - Bill 03/04/2010 19:56:13.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.354 [GMT -5:00]

Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bill\Desktop\CFScript.txt

file zipped: c:\windows\system32\dezogewi.dll

file zipped: c:\windows\system32\jajulaze.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\dezogewi.dll

c:\windows\system32\jajulaze.dll

.

((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))

.

2010-02-22 11:06 . 2010-02-22 11:06 -------- d-----w- c:\windows\Time Stopper

2010-02-22 11:06 . 2010-02-22 11:06 -------- d-----w- c:\program files\Time Stopper

2010-02-21 04:12 . 2010-02-21 04:12 -------- d-----w- c:\documents and settings\Bill\Application Data\ElevatedDiagnostics

2010-02-21 04:11 . 2010-02-21 04:11 -------- d-----w- c:\program files\Microsoft ATS

2010-02-20 20:29 . 2010-02-20 20:29 -------- d-----w- c:\windows\system32\NtmsData

2010-02-20 19:05 . 2008-04-13 18:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2010-02-19 23:55 . 2010-02-19 23:55 -------- d-----w- c:\documents and settings\Bill\Application Data\AVG8

2010-02-17 02:55 . 2010-02-17 02:55 -------- d-----w- c:\documents and settings\Bill\Application Data\Foxit Software

2010-02-16 19:00 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-02-16 19:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-02-16 19:00 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-02-16 19:00 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-02-16 04:13 . 2010-02-16 04:13 -------- d-----w- c:\documents and settings\Bill\Application Data\Foxit

2010-02-16 04:12 . 2010-02-16 04:13 -------- d-----w- c:\program files\Foxit Reader

2010-02-16 00:31 . 2010-02-16 00:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-02 20:20 . 2010-01-22 05:12 -------- d-----w- c:\program files\TrustedQSL

2010-03-01 03:18 . 2010-02-02 04:16 -------- d-----w- c:\documents and settings\Bill\Application Data\vlc

2010-02-23 12:30 . 2009-12-11 18:09 -------- d-----w- c:\documents and settings\Bill\Application Data\Simon Brown, HB9DRV

2010-02-23 05:27 . 2010-01-21 21:01 -------- d-----w- c:\program files\Tools

2010-02-18 19:31 . 2010-01-22 02:29 -------- d-----w- c:\program files\PeaZip

2010-02-09 04:35 . 2010-01-23 20:06 -------- d-----w- c:\program files\Google

2010-02-03 05:21 . 2010-02-03 05:21 -------- d-----w- c:\program files\DivX

2010-02-03 05:21 . 2010-02-03 05:21 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-02-02 04:15 . 2010-02-02 04:15 -------- d-----w- c:\program files\VLC

2010-02-02 03:57 . 2010-02-02 03:57 0 ----a-w- c:\windows\nsreg.dat

2010-02-02 03:57 . 2010-02-02 03:57 -------- d-----w- c:\program files\ Firefox

2010-02-02 03:23 . 2010-02-02 03:10 -------- d-----w- c:\program files\VShaper

2010-01-25 21:32 . 2009-12-11 16:21 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

2010-01-25 21:05 . 2009-12-22 00:39 15992 ----a-w- c:\documents and settings\Bill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-25 20:35 . 2010-01-25 20:12 -------- d-----w- c:\program files\Windows Desktop Search

2010-01-25 20:26 . 2010-01-25 20:26 -------- d-----w- c:\program files\Common Files\Windows Live

2010-01-25 20:19 . 2010-01-25 20:19 -------- d-----w- c:\program files\MSBuild

2010-01-25 20:18 . 2010-01-25 20:18 -------- d-----w- c:\program files\Reference Assemblies

2010-01-25 20:15 . 2010-01-25 20:15 -------- d-----w- c:\program files\MSXML 6.0

2010-01-25 20:11 . 2010-01-25 20:11 -------- d-----w- c:\program files\Windows Media Connect 2

2010-01-25 03:42 . 2010-01-25 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm

2010-01-25 03:41 . 2010-01-25 03:41 -------- d-----w- c:\program files\Siber Systems

2010-01-22 05:06 . 2010-01-22 05:06 -------- d-----w- c:\documents and settings\Bill\Application Data\TrustedQSL

2010-01-22 02:37 . 2010-01-22 02:36 -------- d-----w- c:\documents and settings\Bill\Application Data\PeaZip

2010-01-22 01:53 . 2010-01-22 01:53 -------- d-----w- c:\program files\Amateur Radio

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\Bill\Application Data\acccore

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\Common Files\Software Update Utility

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\AIM Search

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\AIM

2010-01-22 00:19 . 2010-01-22 00:19 -------- d-----w- c:\program files\Common Files\AOL

2010-01-21 23:45 . 2010-01-21 23:45 53248 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Web_Site._B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 53248 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Support.u_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 45056 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.chm_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe11_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe1_B5759EDEA3D244BBB2AAF1B15E1EC021.exe

2010-01-21 23:45 . 2010-01-21 23:45 40960 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\ARPPRODUCTICON.exe

2010-01-21 23:45 . 2010-01-21 23:45 -------- d-----w- c:\program files\K1RFD

2010-01-21 03:55 . 2009-12-11 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-21 03:52 . 2009-12-11 16:55 -------- d-----w- c:\program files\Common Files\InstallShield

2010-01-21 03:52 . 2010-01-21 03:52 -------- d-----w- c:\program files\Alarm Programing

2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2006-06-23 16:33 916480 ------w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-12-11 16:16 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 02:47 . 2009-12-14 02:47 9823205 ----a-w- c:\program files\WPN111_SW_v3.0_setup.exe

2009-12-11 17:53 . 2009-12-11 17:53 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-12-11 16:18 . 2009-12-11 16:18 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-12-08 19:27 . 2003-03-31 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"SiSPower"="SiSPower.dll" [2007-04-10 53248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 01000000

"NoWinKeys"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Master 780.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Master 780.lnk

backup=c:\windows\pss\Digital Master 780.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ham Radio Deluxe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ham Radio Deluxe.lnk

backup=c:\windows\pss\Ham Radio Deluxe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Logbook.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Logbook.lnk

backup=c:\windows\pss\HRD Logbook.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Rotator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Rotator.lnk

backup=c:\windows\pss\HRD Rotator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Satellite Tracking DDE Server.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Satellite Tracking DDE Server.lnk

backup=c:\windows\pss\HRD Satellite Tracking DDE Server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Satellite Tracking.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Satellite Tracking.lnk

backup=c:\windows\pss\HRD Satellite Tracking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HRD Synchroniser.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HRD Synchroniser.lnk

backup=c:\windows\pss\HRD Synchroniser.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mapper.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Mapper.lnk

backup=c:\windows\pss\Mapper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Uninstall.lnk

backup=c:\windows\pss\Uninstall.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bill^My Documents^Startup^Ham Radio Deluxe.lnk]

path=c:\documents and settings\Bill\My Documents\Startup\Ham Radio Deluxe.lnk

backup=c:\windows\pss\Ham Radio Deluxe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]

2010-01-25 03:41 160592 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HamRadioDeluxe.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Program Files\\Outlook Express\\msimn.exe"=

"c:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5200:UDP"= 5200:UDP:Echolink

"5198:TCP"= 5198:TCP:Echolink

"5199:TCP"= 5199:TCP:Echolink

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/23/2010 3:06 PM 135664]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [12/11/2009 12:53 PM 17149]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys --> c:\windows\system32\DRIVERS\WPN111.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-23 20:06]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-23 20:06]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\vndapnzr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\ Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\ Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\ Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\ Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\ Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\ Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\ Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\ Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\ Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\ Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\ Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\ Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\ Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\ Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\ Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-04 20:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1563985344-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2010-03-04 20:04:31

ComboFix-quarantined-files.txt 2010-03-05 01:04

ComboFix2.txt 2010-02-25 04:20

Pre-Run: 28,757,164,032 bytes free

Post-Run: 28,942,958,592 bytes free

- - End Of File - - 89DFFB3BC04ADFBE95E5D23FCBC115A4

Upload was successful


All systems at this time seem to be operating quite well. I have only noticed one problem, that being my wireless keyboard has intermittent dropouts; this may be unrelated. I continue to be amazed at the diligence with which you work on these files. I cannot express my gratitude with simple thanks. The requested report follows:

ComboFix 10-03-04.02 - Bill 03/04/2010 19:56:13.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.354 [GMT -5:00]

Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bill\Desktop\CFScript.txt

file zipped: c:\windows\system32\dezogewi.dll

file zipped: c:\windows\system32\jajulaze.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\dezogewi.dll

c:\windows\system32\jajulaze.dll

.

((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))

.

2010-02-22 11:06 . 2010-02-22 11:06 -------- d-----w- c:\windows\Time Stopper

2010-02-22 11:06 . 2010-02-22 11:06 -------- d-----w- c:\program files\Time Stopper

2010-02-21 04:12 . 2010-02-21 04:12 -------- d-----w- c:\documents and settings\Bill\Application Data\ElevatedDiagnostics

2010-02-21 04:11 . 2010-02-21 04:11 -------- d-----w- c:\program files\Microsoft ATS

2010-02-20 20:29 . 2010-02-20 20:29 -------- d-----w- c:\windows\system32\NtmsData


- - End Of File - - 89DFFB3BC04ADFBE95E5D23FCBC115A4

Upload was successful

Please find results of the requested F-Secure scan:

Scanning Report

Thursday, March 4, 2010 20:31:03 - 21:20:39

Computer name: BASEMENT

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

7 malware found

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Adbrite (spyware)

* System (Disinfected)

TrackingCookie.Statcounter (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

Statistics

Scanned:

* Files: 27413

* System: 2653

* Not scanned: 8

Actions:

* Disinfected: 7

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\DOCUMENTS AND SETTINGS\BILL\LOCAL SETTINGS\TEMP\HSPERFDATA_BILL\784

* C:\DOCUMENTS AND SETTINGS\BILL\LOCAL SETTINGS\TEMP\HSPERFDATA_BILL\2072

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics

Copyright


  • Staff

wrench,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterwards. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

What sort of keyboard is this? Have you tried connecting it to another computer? Does it still fail to respond when connected to another computer?

-screen317


We must be approaching the end of the process? I did find 5 text documents and can delete them separately if need be. Please see attached screen shot of the attempt to remove Combofix. I have been deleting the program as we went along and from Recycle Bin. Should there be remnants yet? What next?

Regarding the keyboard, I have been enlightened: I tried it on another PC and it worked well. I am a ham radio operator and the keyboard sets next to a radio and between keyboard and receiver is a CRT. Causes grief but OK, thanks though!

No_Combofix.bmp


Hello Screen 317, newly noticed problem. I went to Windows Explorer to find a folder in the Application Data folder and the Application Data folder is gone. Also missing is the Local Settings folder. They also did not show up with a search. But, in reference to the above attempt to remove Combofix, I did find a folder named Qoobox in the same mentioned Windows Explorer tree under Documents and Settings. In looking through it I found two files named similar to the missing ones along with others. Is Qoobox related to ComboFix? I don't recognize it. What shall I do? Thanks again for your help!!!


Good thing you couldn't uninstall ComboFix.

Qoobox is ComboFix's quarantine folder. Specifically, which folders are you referring to?

See if this file exists:

C:\Qoobox\ComboFix-quarantined-files.txt

If so, open it and post its contents here.

The folders are attachments. Sorry to duplicate, but I want you to have all the information available to you. Hope this helps. Thanks, you still amaze me with your programs and diligence.

2010-03-05 00:56:08 . 2010-03-05 00:56:11 176,046 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-03-04_19.56.03.zip

2010-02-25 04:19:47 . 2010-02-25 04:19:47 568 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-hurajagora.reg.dat

2010-02-25 04:19:45 . 2010-02-25 04:19:45 373 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SSODL-lejayejor-{fa9acc2d-133d-4dc1-aa61-0d33101700aa}.reg.dat

2010-02-25 04:19:43 . 2010-02-25 04:19:43 374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{fa9acc2d-133d-4dc1-aa61-0d33101700aa}.reg.dat

2010-02-25 04:05:26 . 2010-02-25 04:05:29 310,827 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-02-24_23.05.08.zip

2010-02-22 09:46:55 . 2010-02-22 09:46:55 373 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SSODL-vurevihan-{00467c9e-928a-4be9-b94a-678602e6e95c}.reg.dat

2010-02-22 09:46:53 . 2010-02-22 09:46:53 374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{00467c9e-928a-4be9-b94a-678602e6e95c}.reg.dat

2010-02-19 23:23:55 . 2010-02-19 23:23:55 612 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-nawosover.reg.dat

2010-02-19 23:23:54 . 2010-02-19 23:23:54 552 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Mouse Suite 98 Daemon.reg.dat

2010-02-19 23:23:54 . 2010-02-19 23:23:54 614 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ClamWin.reg.dat

2010-02-19 23:23:52 . 2010-02-19 23:23:53 373 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SSODL-viwofudaz-{a6f4f4c0-3415-42b1-991c-e5c4aca43906}.reg.dat

2010-02-19 23:23:52 . 2010-02-19 23:23:52 373 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SSODL-mobidahus-{a5a0f9f5-0225-4d5f-a939-a81667958ca0}.reg.dat

2010-02-19 23:23:51 . 2010-02-19 23:23:51 374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{a6f4f4c0-3415-42b1-991c-e5c4aca43906}.reg.dat

2010-02-19 23:23:51 . 2010-02-19 23:23:51 374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{a5a0f9f5-0225-4d5f-a939-a81667958ca0}.reg.dat

2010-02-19 23:23:45 . 2010-02-19 23:23:45 128 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-hurajagora.reg.dat

2010-02-19 23:23:45 . 2010-02-19 23:23:45 150 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-nawosover.reg.dat

2010-02-19 23:23:44 . 2010-02-19 23:23:44 1,251 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98}.reg.dat

2010-02-19 23:23:44 . 2010-02-19 23:23:44 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat

2010-02-19 23:23:43 . 2010-02-19 23:23:43 1,196 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98}.reg.dat

2010-02-19 23:23:42 . 2010-02-19 23:23:42 627 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed}.reg.dat

2010-02-19 23:23:41 . 2010-03-05 01:03:31 320 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-Rank.reg.dat

2010-02-19 23:23:41 . 2010-03-05 01:03:30 428 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-HookURL.reg.dat

2010-02-19 23:14:40 . 2010-02-19 23:14:40 3,674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Iprip.reg.dat

2010-02-19 23:14:40 . 2010-02-19 23:14:40 1,016 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_IPRIP.reg.dat

2010-02-19 23:14:34 . 2010-03-05 01:00:38 4,923 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2010-02-19 22:43:55 . 2010-03-05 00:54:50 451 ----a-w- C:\Qoobox\Quarantine\catchme.log

2010-02-16 17:42:59 . 2010-02-19 22:00:01 292 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\fsmcvmqs.job.vir

2010-02-16 00:31:30 . 2010-02-19 22:20:09 121,461 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lowsec\local.ds.vir

2010-02-16 00:31:30 . 2010-02-19 22:26:50 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lowsec\user.ds.vir

2003-03-31 12:00:00 . 2009-02-09 12:10:48 122,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sdra64.exe.vir

1601-01-01 00:03:52 . 1601-01-01 00:03:52 52,736 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\disowowu.dll.vir

1601-01-01 00:03:52 . 1601-01-01 00:03:52 52,736 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jutepeso.dll.vir

1601-01-01 00:03:52 . 1601-01-01 00:03:52 52,736 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sipaneya.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 101,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dezogewi.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 43,520 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dogubina.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 48,128 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\feyumaze.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 39,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gayusomi.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\golosufu.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 48,128 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gugatemi.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 101,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jajulaze.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 44,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jotufafu.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\libupune.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 52,736 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\midegida.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 66,560 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\nijetiyi.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\nominenu.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 39,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\puzesale.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\raritazu.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 48,128 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\rosotuse.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 100,864 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\saduyaya.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 53,760 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sevikuji.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 101,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tesifeke.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 43,520 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tevajoge.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tolataga.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 38,912 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wegubeva.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 100,864 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wekavube.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yojonaso.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 47,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\zagodowi.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 39,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\zavidegu.dll.vir

1601-01-01 00:03:28 . 1601-01-01 00:03:28 38,912 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\zugahohe.dll.vir

Registry_Backups.bmp

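The listing above is the contents of ComboFix-quarantined-files.txt. As an added example (not code from this thread, from ComboFix or from Malwarebytes), here is a small Python parser for lines in that format. It reconstructs the original path of each quarantined file, counts what came from where, and flags entries whose timestamps sit in the year 1601, the Windows FILETIME epoch: several of the system32 DLLs in the listing carry such values, which means their timestamp fields were zeroed rather than written by a normal installer, and that is a useful triage signal on its own. The code assumes the first timestamp is the creation time and the second the last-modified time (ComboFix does not label the columns), and the sample lines are a constructed subset copied from the listing above.

```python
"""Parse a ComboFix-quarantined-files.txt listing and flag timestamp anomalies."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample input: five lines in the format of the listing posted in
# this thread (the real file has many more entries).
SAMPLE_LISTING = r"""
2010-02-25 04:19:47 . 2010-02-25 04:19:47 568 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-hurajagora.reg.dat
2010-02-16 17:42:59 . 2010-02-19 22:00:01 292 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\fsmcvmqs.job.vir
2003-03-31 12:00:00 . 2009-02-09 12:10:48 122,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sdra64.exe.vir
2010-02-16 00:31:30 . 2010-02-19 22:26:50 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lowsec\user.ds.vir
1601-01-01 00:03:52 . 1601-01-01 00:03:52 52,736 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\disowowu.dll.vir
"""

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
FILETIME_EPOCH_YEAR = 1601  # FILETIME counts 100-ns ticks from 1601-01-01 UTC

# Assumed column order: created . modified size attributes path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)


@dataclass
class QuarantineEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    quarantine_path: str

    @property
    def kind(self) -> str:
        # ComboFix keeps registry exports under Registry_backups and moved
        # files under Quarantine\<drive>\... with a .vir suffix appended.
        if "\\Registry_backups\\" in self.quarantine_path:
            return "registry_backup"
        if self.quarantine_path.endswith(".vir"):
            return "file"
        return "other"

    @property
    def original_path(self) -> Optional[str]:
        """Where the quarantined file lived before ComboFix moved it."""
        if self.kind != "file":
            return None
        rel = self.quarantine_path[len(QUARANTINE_ROOT) + 1:-len(".vir")]
        drive, _, rest = rel.partition("\\")      # "C\WINDOWS\..." -> "C", "WINDOWS\..."
        return f"{drive}:\\{rest}"


def parse_listing(text: str) -> List[QuarantineEntry]:
    """Parse every non-empty line; raise on a line that does not fit the format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        entries.append(QuarantineEntry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M:%S"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            quarantine_path=m["path"],
        ))
    return entries


def find_timestamp_anomalies(entries: List[QuarantineEntry]) -> List[Tuple[str, str]]:
    """Flag entries whose created or modified time is in the FILETIME epoch year.

    A year of 1601 means the on-disk timestamp was (nearly) zero. Legitimate
    installers and compilers never write that, so it marks files worth a
    closer look regardless of the AV verdict.
    """
    findings = []
    for e in entries:
        if FILETIME_EPOCH_YEAR in (e.created.year, e.modified.year):
            findings.append((e.original_path or e.quarantine_path,
                             "zeroed FILETIME (1601-01-01)"))
    return findings


def summarize(entries: List[QuarantineEntry]) -> Tuple[Counter, Counter]:
    """Count quarantined items per kind and per original directory."""
    by_kind = Counter(e.kind for e in entries)
    by_dir = Counter(e.original_path.rsplit("\\", 1)[0]
                     for e in entries if e.original_path)
    return by_kind, by_dir


if __name__ == "__main__":
    items = parse_listing(SAMPLE_LISTING)
    kinds, dirs = summarize(items)
    print("by kind:", dict(kinds))
    print("by directory:", dict(dirs))
    for path, reason in find_timestamp_anomalies(items):
        print(f"ANOMALY {path}: {reason}")
```

Run against the full file, the directory counts show at a glance that the infection lived almost entirely in C:\WINDOWS\system32, and the anomaly list picks out the batch of eight-letter DLLs with epoch timestamps without needing to know any of their names in advance.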

Hello again Screen 317, sorry for the confusion, I will attempt to explain. The screen shot, No ComboFix, was to show that I tried to remove ComboFix as you requested without success, and the resulting window that came up. The explanation of the difficulty I am experiencing is as Post #16 stated. I am missing two (that I know) files, and then I saw them referenced in the Qoobox folder and wonder if it was the folders that were missing. I have attached all 5 screen shots of the files I found under the Qoobox folder. My question, or reasoning, has to do with Qoobox being part of ComboFix, and if the missing folders are the ones in the Qoobox folder. I hope that makes sense; I apologize if I am not conveying my message, I have limited computer terminology. The computer seems to run OK now but if I ever have the need to access files under Application Data or Local Settings I cannot find them.


  • Staff

Ah okay now I know what you mean.

ComboFix didn't delete Application Data or Local Settings; normally those folders are hidden, and ComboFix set the default setting to rehide them. The reason why they appear in Qoobox (it's not actually them, but a copy), is that there was a malware file deleted from there, and that is how ComboFix catalogs what it has deleted.

To see them again:

Configure Windows XP to show hidden files:

Navigate to Start --> My Computer.

Select the Tools menu and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Click Yes to confirm. Click OK.

Can you see them now?


Wow do I feel stupid, I knew about the Hidden Folders option and had set it many times before, it just didn't register. I was totally looking for some sinister reason. Thank you for everything, I believe that to be all that was wrong. All seems to be working flawlessly. I can't say enough how much I appreciate your help, the site is a lifesaver. I hope not to have to come back but it is great to know you are there! BYE


  • Staff

Hah it happens to the best of us! :)

Let's do some housekeeping before I send you home.

Place a copy of ComboFix on your Desktop; make sure it is named ComboFix.exe

Navigate to Start --> Run, and type in this command:

"%userprofile%\desktop\Combofix.exe" /uninstall

Press OK.

Allow it to run. When you receive a confirmation message that it completes, restart your computer and let me know that it has completed.
