
malware won't delete on reboot, please help


jax


I am much impressed by the advice given on this forum, and now I'm hoping to receive some myself! I think I have some trojans, but other than that I don't know what's going on. Please see my logs below:

1) Panda

2) MBAM

3) hijackthis!

1. Panda

;*******************************************************************************

ANALYSIS: 2008-11-30 22:10:25

PROTECTIONS: 2

MALWARE: 11

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

McAfee Internet Security Suite 2007 9.0 No Yes

McAfee VirusScan Plus 13.0 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Sabrina\Cookies\sabrina@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Cookies\anonymous_guest@doubleclick[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Samantha\Cookies\samantha@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Application Data\Mozilla\Firefox\Profiles\gf2o39nz.default\cookies.txt[.atdmt.com/]

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Cookies\anonymous_guest@atdmt[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Samantha\Cookies\samantha@mediaplex[1].txt

00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\80rnzl8o.default\cookies.txt[.revenue.net/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Cookies\anonymous_guest@ad.yieldmanager[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Application Data\Mozilla\Firefox\Profiles\gf2o39nz.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Application Data\Mozilla\Firefox\Profiles\gf2o39nz.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Application Data\Mozilla\Firefox\Profiles\gf2o39nz.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Application Data\Mozilla\Firefox\Profiles\gf2o39nz.default\cookies.txt[.advertising.com/]

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Cookies\anonymous_guest@overture[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Application Data\Mozilla\Firefox\Profiles\gf2o39nz.default\cookies.txt[.questionmarket.com/]

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Cookies\anonymous_guest@questionmarket[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Anonymous Guest\Application Data\Mozilla\Firefox\Profiles\gf2o39nz.default\cookies.txt[.questionmarket.com/]

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\80rnzl8o.default\cookies.txt[.searchportal.information.com/]

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\80rnzl8o.default\cookies.txt[.searchportal.information.com/]

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\80rnzl8o.default\cookies.txt[.searchportal.information.com/]

00278769 Application/PRScheduler HackTools No 0 Yes No C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP263\A0030147.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP264\A0030307.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP264\A0030352.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP263\A0030121.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP263\A0030058.sys

;===============================================================================

SUSPECTS

Sent Location ,

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description ,

;===============================================================================

;===============================================================================

2. MBAM

Malwarebytes' Anti-Malware 1.30

Database version: 1414

Windows 5.1.2600 Service Pack 3

12/1/2008 11:45:48 AM

mbam-log-2008-12-01 (11-45-48).txt

Scan type: Full Scan (C:\|)

Objects scanned: 175861

Time elapsed: 2 hour(s), 35 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm17ddd869 (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiromuzogi (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP263\A0030058.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP263\A0030121.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP263\A0030147.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP264\A0030307.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP264\A0030352.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

3. Hijackthis!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:14:08 PM, on 11/30/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Money\System\Money Express.exe

C:\Program Files\Eraser\Eraser.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {937a0de7-1465-4dea-94b8-6571aebbec1d} - C:\WINDOWS\system32\gofikuwa.dll (file missing)

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"

O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"

O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"

O4 - HKLM\..\Run: [smoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"

O4 - HKLM\..\Run: [HWSetup] "C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" hwSetUP

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"

O4 - HKLM\..\Run: [sVPWUTIL] "C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" SVPwUTIL

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [EPSON PictureMate Deluxe] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE" /P24 "EPSON PictureMate Deluxe" /O6 "USB003" /M "PictureMate Deluxe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

O4 - HKLM\..\Run: [tiromuzogi] Rundll32.exe "C:\WINDOWS\system32\rameleko.dll",s

O4 - HKLM\..\Run: [CPM17ddd869] Rundll32.exe "c:\windows\system32\loseteni.dll",a

O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide

O4 - HKCU\..\Run: [EPSON Stylus CX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE /FU "C:\WINDOWS\TEMP\E_S25A.tmp" /EF "HKCU"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [tiromuzogi] Rundll32.exe "C:\WINDOWS\system32\rameleko.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [tiromuzogi] Rundll32.exe "C:\WINDOWS\system32\rameleko.dll",s (User 'NETWORK SERVICE')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll

O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\bikemisu.dll c:\windows\system32\loseteni.dll

O20 - Winlogon Notify: jkkll - C:\WINDOWS\

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\loseteni.dll (file missing)

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\loseteni.dll (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 11834 bytes

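As an added example (not code from the thread, from HijackThis or from Malwarebytes), here is a small Python triage script for HijackThis entry lines like the ones in the log above. It flags the load points that the later MBAM scans in this thread identify as the Vundo components: a COM object registered at a load point whose DLL is "(file missing)", a Run value that loads a system32 DLL through Rundll32, a Run value planted in the LOCAL SERVICE / NETWORK SERVICE hives, a non-empty AppInit_DLLs, and a Winlogon Notify package that points at a directory rather than a DLL. It then groups the flagged CLSIDs and DLL names by how many different load points they are wired into. The flagging rules are my own heuristics (legitimate software can trip some of them, so a hit means "review", not "fix"), and the sample log is a constructed excerpt of the entries posted above.

```python
import re
from collections import defaultdict

# One HijackThis entry line: "O4 - HKLM\..\Run: [name] command", "R0 - ...", "O23 - Service: ..."
HJT_LINE = re.compile(r'^(?P<kind>[RFO]\d+) - (?P<body>.+)$')
CLSID = re.compile(r'\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.I)
DLL_NAME = re.compile(r'([^\\/\s"]+\.dll)\b', re.I)
# Run values under these hives belong to service accounts; interactive software has no business there.
SERVICE_SIDS = ('S-1-5-18', 'S-1-5-19', 'S-1-5-20')
# Rundll32.exe "<drive>\...\system32\<name>.dll",<export>
RUNDLL32_SYS32 = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]*\\system32\\[^",\\]+\.dll"?,', re.I)


def parse_hjt(text):
    """Return [(kind, body)] for every entry line; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group('kind'), m.group('body')))
    return entries


def suspicious_reasons(kind, body):
    """Heuristic review rules (my own, not HijackThis's). Each names a load point that
    malware abuses; legitimate software can trip some, so treat hits as 'look closer'."""
    reasons = []
    if kind in ('O2', 'O21', 'O22') and '(file missing)' in body:
        reasons.append('COM object registered at a load point but its DLL is missing')
    if kind == 'O4' and RUNDLL32_SYS32.search(body):
        reasons.append('Run value loads a system32 DLL via Rundll32')
    if kind == 'O4' and any(sid in body for sid in SERVICE_SIDS):
        reasons.append('Run value planted in a service-account hive')
    if kind == 'O20' and body.startswith('AppInit_DLLs:') and body.split(':', 1)[1].strip():
        reasons.append('AppInit_DLLs is set: the DLL is injected into every process that loads user32')
    if kind == 'O20' and body.startswith('Winlogon Notify:') and body.rstrip().endswith('\\'):
        reasons.append('Winlogon Notify package points at a directory, not a DLL')
    return reasons


def artifacts(body):
    """CLSIDs and DLL base names mentioned in an entry, lower-cased (Windows names are case-insensitive)."""
    return {c.lower() for c in CLSID.findall(body)} | {d.lower() for d in DLL_NAME.findall(body)}


def triage(text):
    """Returns (flagged, clusters). flagged = [(kind, body, reasons)] for entries that trip a rule;
    clusters = artifact -> set of entry kinds it appears in, for every artifact seen in a flagged entry."""
    flagged = []
    index = defaultdict(set)
    for kind, body in parse_hjt(text):
        for art in artifacts(body):
            index[art].add(kind)
        reasons = suspicious_reasons(kind, body)
        if reasons:
            flagged.append((kind, body, reasons))
    suspects = set().union(*(artifacts(b) for _, b, _ in flagged))
    return flagged, {art: index[art] for art in suspects}


# Constructed excerpt of the HijackThis log above (a few legitimate entries kept for contrast).
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: (no name) - {937a0de7-1465-4dea-94b8-6571aebbec1d} - C:\WINDOWS\system32\gofikuwa.dll (file missing)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [tiromuzogi] Rundll32.exe "C:\WINDOWS\system32\rameleko.dll",s
O4 - HKLM\..\Run: [CPM17ddd869] Rundll32.exe "c:\windows\system32\loseteni.dll",a
O4 - HKUS\S-1-5-19\..\Run: [tiromuzogi] Rundll32.exe "C:\WINDOWS\system32\rameleko.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\bikemisu.dll c:\windows\system32\loseteni.dll
O20 - Winlogon Notify: jkkll - C:\WINDOWS\
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\loseteni.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\loseteni.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

if __name__ == '__main__':
    flagged, clusters = triage(SAMPLE_HJT)
    for kind, body, reasons in flagged:
        print(f'{kind} - {body}\n    ' + '; '.join(reasons))
    for art, kinds in sorted(clusters.items(), key=lambda kv: -len(kv[1])):
        print(f'{art}: {sorted(kinds)}')
```

The cluster view is the useful part: loseteni.dll is wired into O4, O20, O21 and O22 at once, and the {EC43E3FD-...} CLSID into both O21 and O22. One artifact registered at several load points is a set a helper should address together rather than entry by entry.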

Thank you for responding! Here it is.

Malwarebytes' Anti-Malware 1.31

Database version: 1463

Windows 5.1.2600 Service Pack 3

12/5/2008 6:34:41 PM

mbam-log-2008-12-05 (18-34-41).txt

Scan type: Full Scan (C:\|)

Objects scanned: 177727

Time elapsed: 6 hour(s), 7 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 4

Registry Keys Infected: 6

Registry Values Infected: 5

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\pugohawu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\lonadupa.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\kamukufo.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\welilupo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{937a0de7-1465-4dea-94b8-6571aebbec1d} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{937a0de7-1465-4dea-94b8-6571aebbec1d} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{937a0de7-1465-4dea-94b8-6571aebbec1d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14eeebf5 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm17ddd869 (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiromuzogi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lonadupa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\lonadupa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\lonadupa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\welilupo.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\welilupo.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\pugohawu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\uwahogup.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\welilupo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\hahakege.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kamukufo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\lonadupa.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP265\A0030415.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP265\A0030539.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kirudebo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bikemisu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yuvayudu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Here it is. Thanks!

Malwarebytes' Anti-Malware 1.31

Database version: 1463

Windows 5.1.2600 Service Pack 3

12/7/2008 10:57:37 AM

mbam-log-2008-12-07 (10-57-37).txt

Scan type: Full Scan (C:\|)

Objects scanned: 177119

Time elapsed: 3 hour(s), 14 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{937a0de7-1465-4dea-94b8-6571aebbec1d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm17ddd869 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14eeebf5 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Your Tea Timer registry protection feature is interfering:

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

5) Restart your computer.

Run the mbam scan again. Thanks!


Malwarebytes' Anti-Malware 1.31

Database version: 1463

Windows 5.1.2600 Service Pack 3

12/8/2008 1:38:05 PM

mbam-log-2008-12-08 (13-38-05).txt

Scan type: Full Scan (C:\|)

Objects scanned: 177091

Time elapsed: 2 hour(s), 47 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm17ddd869 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14eeebf5 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

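As an added example, not from the thread or from Malwarebytes: a Python script that parses MBAM 1.3x logs in the format posted above and compares successive scans. It reports items that are detected again after an earlier scan reported them removed (something is recreating them), and items that were marked "Delete on reboot" and still turn up in a later scan (the deferred delete never took effect). Across the 5, 7 and 8 December logs that is exactly what happens to the cpm17ddd869 and 14eeebf5 Run values. The sample logs are constructed excerpts of those three posts.

```python
import re
from collections import defaultdict

# One MBAM 1.3x detection line, as in the logs above:
#   <item> (<family>) -> <action>.
#   <registry value> (<family>) -> Data: <data> -> <action>.
DETECTION_RE = re.compile(
    r'^(?P<item>.+?) \((?P<family>[^()]+)\) -> '
    r'(?:Data: (?P<data>.+?) -> )?(?P<action>[^.]+)\.$'
)
DATE_RE = re.compile(r'^mbam-log-(\d{4}-\d{2}-\d{2})')


def parse_mbam_log(text):
    """Parse one MBAM log. Returns (scan_date, findings); each finding is a dict with
    section, item, family, data and action. Count lines ("... Infected: 2") and
    "(No malicious items detected)" are ignored."""
    date, section, findings = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DATE_RE.match(line)
        if m:
            date = m.group(1)
            continue
        if line.endswith(' Infected:'):          # section header, not the count line
            section = line[:-len(' Infected:')]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            findings.append({'section': section, **m.groupdict()})
    return date, findings


def detection_history(logs):
    """item (lower-cased; Windows names are case-insensitive) -> sorted [(date, action)]."""
    history = defaultdict(list)
    for text in logs:
        date, findings = parse_mbam_log(text)
        for f in findings:
            history[f['item'].lower()].append((date, f['action']))
    for events in history.values():
        events.sort()                             # ISO dates sort lexicographically
    return history


def recurring_items(logs, min_scans=2):
    """Items detected in at least min_scans separate scans. An item reported
    'Quarantined and deleted successfully' that still comes back is being recreated
    by something that is still running."""
    return {item: ev for item, ev in detection_history(logs).items()
            if len({d for d, _ in ev}) >= min_scans}


def failed_reboot_deletes(logs):
    """Items scheduled 'Delete on reboot' that are detected again in a later scan.
    Returns item -> (date scheduled, date last seen)."""
    failed = {}
    for item, events in detection_history(logs).items():
        for date, action in events:
            if action == 'Delete on reboot' and events[-1][0] > date:
                failed[item] = (date, events[-1][0])
                break
    return failed


# Constructed excerpts of the three MBAM logs posted above (5, 7 and 8 December);
# only the lines needed for the demonstration are kept.
LOG_1205 = r"""
mbam-log-2008-12-05 (18-34-41).txt
Registry Values Infected: 5
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14eeebf5 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm17ddd869 (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lonadupa.dll -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\lonadupa.dll (Trojan.Vundo.H) -> Delete on reboot.
"""
LOG_1207 = r"""
mbam-log-2008-12-07 (10-57-37).txt
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm17ddd869 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14eeebf5 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""
LOG_1208 = LOG_1207.replace('mbam-log-2008-12-07 (10-57-37)', 'mbam-log-2008-12-08 (13-38-05)')

if __name__ == '__main__':
    logs = [LOG_1205, LOG_1207, LOG_1208]
    for item, events in recurring_items(logs).items():
        print('recurring:', item, [f'{d}: {a}' for d, a in events])
    for item, (scheduled, last) in failed_reboot_deletes(logs).items():
        print(f'delete-on-reboot failed: {item} (scheduled {scheduled}, still present {last})')
```

Run against the real logs, the two Run values show up in every scan and cpm17ddd869 is the one whose deferred delete never happened; that is the signal that a scan-and-reboot loop is not going to converge and that whatever is holding or recreating those values (the helper's next post names TeaTimer's registry protection) has to be dealt with first.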

OK, here it is! Should I "fix" any of those?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:17:59 PM, on 12/9/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Money\System\Money Express.exe

C:\Program Files\Eraser\Eraser.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"

O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"

O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"

O4 - HKLM\..\Run: [smoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"

O4 - HKLM\..\Run: [HWSetup] "C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" hwSetUP

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"

O4 - HKLM\..\Run: [sVPWUTIL] "C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" SVPwUTIL

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [EPSON PictureMate Deluxe] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE" /P24 "EPSON PictureMate Deluxe" /O6 "USB003" /M "PictureMate Deluxe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide

O4 - HKCU\..\Run: [EPSON Stylus CX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE /FU "C:\WINDOWS\TEMP\E_S25A.tmp" /EF "HKCU"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll

O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: c:\windows\system32\loseteni.dll ,

O20 - Winlogon Notify: jkkll - C:\WINDOWS\

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 10622 bytes


Please download ComboFix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.


Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  • 2 weeks later...

Here is my combo fix log. Thanks so much for your help!

ComboFix 08-12-21.01 - Katherine 2008-12-21 16:30:15.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.580 [GMT -5:00]

Running from: c:\documents and settings\Katherine\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Katherine\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

c:\windows\system32\dipusujo.dll

c:\windows\system32\geravupe.dll

c:\windows\system32\gihizuba.dll

c:\windows\system32\jonotama.dll

c:\windows\system32\mipawefa.dll

c:\windows\system32\rayefeku.dll

c:\windows\system32\sarapujo.dll

c:\windows\system32\seyofogi.dll

c:\windows\system32\tiputoru.dll

c:\windows\system32\wafidite.dll

c:\windows\system32\zipowapu.dll

.

((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))

.

2008-11-30 22:12 . 2008-11-30 22:12 <DIR> d-------- c:\program files\Trend Micro

2008-11-30 14:56 . 2008-11-30 15:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-30 14:56 . 2008-11-30 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-30 13:50 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-30 13:47 . 2008-11-30 13:47 <DIR> d-------- c:\program files\Panda Security

2008-11-30 13:37 . 2008-11-30 13:37 1,298,668 ---hs---- c:\windows\system32\iluwakaz.ini

2008-11-27 14:36 . 2008-12-21 16:35 54,156 --ah----- c:\windows\QTFont.qfn

2008-11-27 14:36 . 2008-11-27 14:36 1,409 --a------ c:\windows\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-19 13:38 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2008-12-18 04:03 --------- d-----w c:\documents and settings\Katherine\Application Data\dvdcss

2008-12-15 02:30 --------- d-----w c:\program files\McAfee

2008-12-08 22:39 --------- d-----w c:\documents and settings\Katherine\Application Data\ZoomBrowser EX

2008-12-08 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2008-12-05 17:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2008-12-02 01:11 --------- d-----w c:\program files\KeyScrambler

2008-11-27 19:11 --------- d-----w c:\program files\UFile 2007

2008-11-27 18:55 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-27 18:53 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-11-27 18:52 --------- d-----w c:\program files\The Adventure Company

2008-11-27 18:52 --------- d-----w c:\program files\Common Files\AnswerWorks 4.0

2008-11-27 18:49 --------- d-----w c:\program files\Java

2008-11-27 18:45 --------- d-----w c:\program files\ImpotExpert 2007

2008-11-27 18:43 --------- d-----w c:\program files\GlobalSCAPE

2008-11-21 02:35 --------- d-----w c:\documents and settings\Katherine\Application Data\Malwarebytes

2008-11-21 02:35 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-07 22:34 --------- d-----w c:\documents and settings\Mom\Application Data\Teleca

2008-11-07 22:32 --------- d-----w c:\documents and settings\Mom\Application Data\Sony Ericsson

2008-11-05 03:01 --------- d-----w c:\program files\SiteAdvisor

2008-10-25 22:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2008-10-25 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor

2008-10-25 22:30 --------- d-----w c:\program files\Common Files\McAfee

2008-10-25 22:29 --------- d-----w c:\program files\McAfee.com

2008-10-25 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-10-25 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller

2008-10-25 13:32 --------- d-----w c:\documents and settings\Katherine\Application Data\U3

2008-10-25 01:08 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2007-05-22 11:15 1,534 ---ha-w c:\documents and settings\Katherine\hpothb07.dat

2007-05-13 13:10 81,920 ----a-w c:\documents and settings\Samantha\Application Data\ezpinst.exe

2007-05-13 13:10 47,360 ----a-w c:\documents and settings\Samantha\Application Data\pcouffin.sys

2007-04-06 22:39 24,192 ----a-w c:\documents and settings\Katherine\usbsermptxp.sys

2007-04-06 22:39 22,768 ----a-w c:\documents and settings\Katherine\usbsermpt.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [1999-08-03 122940]

"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-07-28 277328]

"EPSON Stylus CX4400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE" [2007-01-25 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-08-25 671744]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 53248]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]

"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]

"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]

"EPSON PictureMate Deluxe"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE" [2004-10-17 98304]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk

backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Samantha^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

path=c:\documents and settings\Samantha\Start Menu\Programs\Startup\PowerReg Scheduler.exe

backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

--a------ 2004-03-23 09:40 196608 c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

--a------ 2005-05-31 07:33 122941 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

--a------ 2005-07-18 22:06 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

--a------ 2005-07-18 22:10 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

--a------ 2005-07-18 22:09 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]

--------- 2003-09-05 21:16 184320 c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

--a------ 1999-08-03 23:00 122940 c:\program files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]

--a------ 2005-09-15 01:49 520192 c:\program files\Philips\Philips Device Manager\bin\DeviceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-12-15 02:23 75520 c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

--a------ 2004-12-21 12:10 88358 c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

--a------ 2004-06-08 11:31 29696 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCtryIOHook]

--a------ 2005-08-22 16:49 28672 c:\windows\system32\TCtrlIOHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]

--a------ 2005-05-31 19:16 282624 c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoomingHook]

--a------ 2005-06-06 11:58 24576 c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"VundoFixSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\QuickTime\\QTTask.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-30 28544]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-25 206096]

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2005-08-31 14336]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-03-05 113896]

S3 SE2Fbus;Sony Ericsson Device 047 Driver driver (WDM);c:\windows\system32\DRIVERS\SE2Fbus.sys [2007-11-10 61600]

S3 SE2Fmdfl;Sony Ericsson Device 047 USB WMC Modem Filter;c:\windows\system32\DRIVERS\SE2Fmdfl.sys [2007-11-10 9360]

S3 SE2Fmdm;Sony Ericsson Device 047 USB WMC Modem Driver;c:\windows\system32\DRIVERS\SE2Fmdm.sys [2007-11-10 97184]

S3 SE2Fmgmt;Sony Ericsson Device 047 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\SE2Fmgmt.sys [2007-11-10 88688]

S3 se2Fnd5;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (NDIS);c:\windows\system32\DRIVERS\se2Fnd5.sys [2007-11-10 18704]

S3 SE2Fobex;Sony Ericsson Device 047 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\SE2Fobex.sys [2007-11-10 86560]

S3 se2Funic;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (WDM);c:\windows\system32\DRIVERS\se2Funic.sys [2007-11-10 90800]

S3 usb2vcom;USB Data Cable;c:\windows\system32\DRIVERS\usb2vcom.sys [2005-12-07 28704]

S4 VundoFixSvc;VundoFix Service;VundoFixSVC.exe []

.

Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2006-04-05 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1135304426.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]

2008-10-25 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2005-12-08 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 19:12]

2008-11-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-setup - c:\windows\system32\bynpmcbv.dll

MSConfigStartUp-CFSServ - CFSServ.exe

MSConfigStartUp-NDSTray - NDSTray.exe

MSConfigStartUp-TFncKy - TFncKy.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.yahoo.com/

uInternet Settings,ProxyOverride = localhost;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Katherine\Application Data\Mozilla\Firefox\Profiles\z2xyfk70.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - www.google.com/ig

FF - component: c:\documents and settings\Katherine\Application Data\Mozilla\Firefox\Profiles\z2xyfk70.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

ATTENTION: FIREFOX POLICES IS IN FORCE

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-21 16:34:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\DVDRAMSV.exe

c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\McAfee\MSK\msksrver.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Common Files\Teleca Shared\CapabilityManager.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Teleca Shared\Generic.exe

c:\program files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe

.

**************************************************************************

.

Completion time: 2008-12-21 16:39:18 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-21 21:39:14

Pre-Run: 54,514,495,488 bytes free

Post-Run: 54,847,627,264 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

309 --- E O F --- 2008-12-18 15:09:24


You have a number of items disabled from having used the msconfig utility. Please click start-->run

type:

msconfig

...then click "ok". When the System Configuration Utility opens, click the "Startup" tab. Please check the box next to every program that is listed there. Reboot the system and check the box "Do not show this again" that pops up on reboot.

Remove a failed Symantec installation or damaged product using their Removal Tool.

Uninstall these:

Java - Out of date and exploited. We will install the latest version when you are clean.

Adobe Reader 8 - Out of date and exploited. Install the latest version here.

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your ComboFix.exe.

ComboFix will run again automatically. Please post back the new log that will be generated. Thanks!

File::

c:\windows\system32\iluwakaz.ini


OK, did all that, and here's the log. Thanks!

ComboFix 08-12-21.01 - Katherine 2008-12-22 15:25:50.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.528 [GMT -5:00]

Running from: c:\documents and settings\Katherine\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Katherine\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))

.

2008-11-30 22:12 . 2008-11-30 22:12 <DIR> d-------- c:\program files\Trend Micro

2008-11-30 14:56 . 2008-11-30 15:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-30 14:56 . 2008-11-30 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-30 13:50 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-30 13:47 . 2008-11-30 13:47 <DIR> d-------- c:\program files\Panda Security

2008-11-30 13:37 . 2008-11-30 13:37 1,298,668 ---hs---- c:\windows\system32\iluwakaz.ini

2008-11-27 14:36 . 2008-12-22 15:09 54,156 --ah----- c:\windows\QTFont.qfn

2008-11-27 14:36 . 2008-11-27 14:36 1,409 --a------ c:\windows\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-22 19:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-12-22 14:56 --------- d-----w c:\documents and settings\Katherine\Application Data\ZoomBrowser EX

2008-12-22 14:56 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2008-12-19 13:38 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2008-12-18 04:03 --------- d-----w c:\documents and settings\Katherine\Application Data\dvdcss

2008-12-15 02:30 --------- d-----w c:\program files\McAfee

2008-12-05 17:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2008-12-02 01:11 --------- d-----w c:\program files\KeyScrambler

2008-11-27 19:11 --------- d-----w c:\program files\UFile 2007

2008-11-27 18:55 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-27 18:53 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-11-27 18:52 --------- d-----w c:\program files\The Adventure Company

2008-11-27 18:52 --------- d-----w c:\program files\Common Files\AnswerWorks 4.0

2008-11-27 18:49 --------- d-----w c:\program files\Java

2008-11-27 18:45 --------- d-----w c:\program files\ImpotExpert 2007

2008-11-27 18:43 --------- d-----w c:\program files\GlobalSCAPE

2008-11-21 02:35 --------- d-----w c:\documents and settings\Katherine\Application Data\Malwarebytes

2008-11-21 02:35 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-07 22:34 --------- d-----w c:\documents and settings\Mom\Application Data\Teleca

2008-11-07 22:32 --------- d-----w c:\documents and settings\Mom\Application Data\Sony Ericsson

2008-11-05 03:01 --------- d-----w c:\program files\SiteAdvisor

2008-10-25 22:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2008-10-25 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor

2008-10-25 22:30 --------- d-----w c:\program files\Common Files\McAfee

2008-10-25 22:29 --------- d-----w c:\program files\McAfee.com

2008-10-25 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller

2008-10-25 13:32 --------- d-----w c:\documents and settings\Katherine\Application Data\U3

2008-10-25 01:08 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2007-05-22 11:15 1,534 ---ha-w c:\documents and settings\Katherine\hpothb07.dat

2007-05-13 13:10 81,920 ----a-w c:\documents and settings\Samantha\Application Data\ezpinst.exe

2007-05-13 13:10 47,360 ----a-w c:\documents and settings\Samantha\Application Data\pcouffin.sys

2007-04-06 22:39 24,192 ----a-w c:\documents and settings\Katherine\usbsermptxp.sys

2007-04-06 22:39 22,768 ----a-w c:\documents and settings\Katherine\usbsermpt.sys

.

((((((((((((((((((((((((((((( snapshot@2008-12-21_16.38.34.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-12-21 17:45:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-12-22 18:59:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-12-21 17:45:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-12-22 18:59:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-12-21 17:45:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-12-22 18:59:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [1999-08-03 122940]

"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-07-28 277328]

"EPSON Stylus CX4400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE" [2007-01-25 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-08-25 671744]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 53248]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]

"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]

"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]

"EPSON PictureMate Deluxe"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE" [2004-10-17 98304]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-15 520192]

"LtMoh"="c:\\Program Files\\ltmoh\\Ltmoh.exe" [2003-09-05 184320]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-18 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-18 114688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-18 77824]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]

"ZoomingHook"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]

"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-22 c:\windows\system32\TCtrlIOHook.exe]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 c:\windows\KHALMNPR.Exe]

"AGRSMMSG"="AGRSMMSG.exe" [2004-12-21 c:\windows\agrsmmsg.exe]

c:\documents and settings\Samantha\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2006-02-23 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-21 110592]

hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 147456]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 40960]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-26 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-04-14 581632]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-08-31 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"VundoFixSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\QuickTime\\QTTask.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-30 28544]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-25 206096]

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2005-08-31 14336]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-03-05 113896]

S3 SE2Fbus;Sony Ericsson Device 047 Driver driver (WDM);c:\windows\system32\DRIVERS\SE2Fbus.sys [2007-11-10 61600]

S3 SE2Fmdfl;Sony Ericsson Device 047 USB WMC Modem Filter;c:\windows\system32\DRIVERS\SE2Fmdfl.sys [2007-11-10 9360]

S3 SE2Fmdm;Sony Ericsson Device 047 USB WMC Modem Driver;c:\windows\system32\DRIVERS\SE2Fmdm.sys [2007-11-10 97184]

S3 SE2Fmgmt;Sony Ericsson Device 047 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\SE2Fmgmt.sys [2007-11-10 88688]

S3 se2Fnd5;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (NDIS);c:\windows\system32\DRIVERS\se2Fnd5.sys [2007-11-10 18704]

S3 SE2Fobex;Sony Ericsson Device 047 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\SE2Fobex.sys [2007-11-10 86560]

S3 se2Funic;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (WDM);c:\windows\system32\DRIVERS\se2Funic.sys [2007-11-10 90800]

S3 usb2vcom;USB Data Cable;c:\windows\system32\DRIVERS\usb2vcom.sys [2005-12-07 28704]

S4 VundoFixSvc;VundoFix Service;VundoFixSVC.exe []

.

Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2006-04-05 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1135304426.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]

2008-10-25 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2005-12-08 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 19:12]

2008-11-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.yahoo.com/

uInternet Settings,ProxyOverride = localhost;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Katherine\Application Data\Mozilla\Firefox\Profiles\z2xyfk70.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - www.google.com/ig

FF - component: c:\documents and settings\Katherine\Application Data\Mozilla\Firefox\Profiles\z2xyfk70.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

ATTENTION: FIREFOX POLICES IS IN FORCE

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-22 15:30:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2008-12-22 15:32:10

ComboFix-quarantined-files.txt 2008-12-22 20:31:58

ComboFix2.txt 2008-12-21 21:39:21

Pre-Run: 54,104,616,960 bytes free

Post-Run: 54,104,223,744 bytes free

244 --- E O F --- 2008-12-18 15:09:24


Did you run the script properly? All security applications disabled? This file:

c:\windows\system32\iluwakaz.ini

...should have been deleted by the ComboFix utility, but the log shows it's still there. Before we proceed I need to know the answer. Thanks!

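To check a posted ComboFix log the way the helper does here (was the CFScript actually loaded, was an AV still resident, and is the listed file gone?), here is an added Python example, not code from this thread or from ComboFix. The banner and path patterns are assumptions about the log format, and the two log fragments are constructed abbreviations of the runs posted in this thread.

```python
import re

# Assumed log format, taken from the runs posted in this thread: sections are
# introduced by "((((( Title )))))" banners and padded with lines holding ".".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
WIN_PATH_RE = re.compile(r"([a-z]:\\\S.*)$", re.IGNORECASE)


def parse_cfscript(text):
    """Paths listed under the 'File::' directive of a CFScript (other directives skipped)."""
    targets, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            collecting = line.lower() == "file::"
            continue
        if collecting:
            targets.append(line.lower())
    return targets


def parse_log(text):
    """Split a ComboFix log into {section_title: [lines]}; pre-banner text goes under 'header'."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def _paths_in(lines):
    """Lower-cased Windows paths found at the end of each log line."""
    hits = (WIN_PATH_RE.search(ln) for ln in lines)
    return {m.group(1).lower() for m in hits if m}


def check_run(cfscript_text, log_text):
    """Summarise whether a ComboFix run honoured the CFScript.

    script_echoed      - the log repeats the 'FILE ::' block, which only
                         appears when ComboFix actually loaded the script
    resident_av_active - ComboFix warned that an AV was still running
    files              - {target: 'deleted' | 'still present' | 'not listed'}
    """
    sections = parse_log(log_text)
    header = sections["header"]
    deleted = _paths_in(sections.get("Other Deletions", []))
    created = set().union(*(_paths_in(lines) for title, lines in sections.items()
                            if title.startswith("Files Created")))
    files = {}
    for path in parse_cfscript(cfscript_text):
        if path in deleted:
            files[path] = "deleted"
        elif path in created:
            files[path] = "still present"
        else:
            files[path] = "not listed"
    return {
        "script_echoed": any(ln.upper().startswith("FILE ::") for ln in header),
        "resident_av_active": any("Resident AV is active" in ln for ln in header),
        "files": files,
    }


# Constructed sample input: the CFScript from the thread and abbreviated copies
# of the two posted logs (AV still active on the first run, file removed on the second).
CFSCRIPT = "File::\nc:\\windows\\system32\\iluwakaz.ini\n"

FIRST_RUN = r"""ComboFix 08-12-21.01 - Katherine 2008-12-22 15:25:50.2 - NTFSx86
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.
2008-11-30 13:37 . 2008-11-30 13:37 1,298,668 ---hs---- c:\windows\system32\iluwakaz.ini
.
"""

SECOND_RUN = r"""ComboFix 08-12-21.01 - Katherine 2008-12-22 21:43:03.3 - NTFSx86
* Created a new restore point
FILE ::
c:\windows\system32\iluwakaz.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\iluwakaz.ini
.
((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.
2008-11-30 13:50 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
.
"""
```

Running `check_run(CFSCRIPT, FIRST_RUN)` reports the script was not echoed, the AV was active and the file is still present; the second run reports the script echoed and the file deleted.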

Oops, I didn't disable the security software. I ran it again; here's what I got:

ComboFix 08-12-21.01 - Katherine 2008-12-22 21:43:03.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.465 [GMT -5:00]

Running from: c:\documents and settings\Katherine\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Katherine\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\system32\iluwakaz.ini

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\iluwakaz.ini

.

((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))

.

2008-11-30 22:12 . 2008-11-30 22:12 <DIR> d-------- c:\program files\Trend Micro

2008-11-30 14:56 . 2008-11-30 15:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-30 14:56 . 2008-11-30 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-30 13:50 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-30 13:47 . 2008-11-30 13:47 <DIR> d-------- c:\program files\Panda Security

2008-11-27 14:36 . 2008-12-22 15:09 54,156 --ah----- c:\windows\QTFont.qfn

2008-11-27 14:36 . 2008-11-27 14:36 1,409 --a------ c:\windows\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-22 19:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-12-22 14:56 --------- d-----w c:\documents and settings\Katherine\Application Data\ZoomBrowser EX

2008-12-22 14:56 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2008-12-19 13:38 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2008-12-18 04:03 --------- d-----w c:\documents and settings\Katherine\Application Data\dvdcss

2008-12-15 02:30 --------- d-----w c:\program files\McAfee

2008-12-05 17:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2008-12-02 01:11 --------- d-----w c:\program files\KeyScrambler

2008-11-27 19:11 --------- d-----w c:\program files\UFile 2007

2008-11-27 18:55 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-27 18:53 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-11-27 18:52 --------- d-----w c:\program files\The Adventure Company

2008-11-27 18:52 --------- d-----w c:\program files\Common Files\AnswerWorks 4.0

2008-11-27 18:49 --------- d-----w c:\program files\Java

2008-11-27 18:45 --------- d-----w c:\program files\ImpotExpert 2007

2008-11-27 18:43 --------- d-----w c:\program files\GlobalSCAPE

2008-11-21 02:35 --------- d-----w c:\documents and settings\Katherine\Application Data\Malwarebytes

2008-11-21 02:35 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-07 22:34 --------- d-----w c:\documents and settings\Mom\Application Data\Teleca

2008-11-07 22:32 --------- d-----w c:\documents and settings\Mom\Application Data\Sony Ericsson

2008-11-05 03:01 --------- d-----w c:\program files\SiteAdvisor

2008-10-25 22:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2008-10-25 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor

2008-10-25 22:30 --------- d-----w c:\program files\Common Files\McAfee

2008-10-25 22:29 --------- d-----w c:\program files\McAfee.com

2008-10-25 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller

2008-10-25 13:32 --------- d-----w c:\documents and settings\Katherine\Application Data\U3

2008-10-25 01:08 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2007-05-22 11:15 1,534 ---ha-w c:\documents and settings\Katherine\hpothb07.dat

2007-05-13 13:10 81,920 ----a-w c:\documents and settings\Samantha\Application Data\ezpinst.exe

2007-05-13 13:10 47,360 ----a-w c:\documents and settings\Samantha\Application Data\pcouffin.sys

2007-04-06 22:39 24,192 ----a-w c:\documents and settings\Katherine\usbsermptxp.sys

2007-04-06 22:39 22,768 ----a-w c:\documents and settings\Katherine\usbsermpt.sys

.

((((((((((((((((((((((((((((( snapshot@2008-12-21_16.38.34.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-12-21 17:45:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-12-23 02:29:30 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-12-21 17:45:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-12-23 02:29:30 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-12-21 17:45:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-12-23 02:29:30 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [1999-08-03 122940]

"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-07-28 277328]

"EPSON Stylus CX4400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE" [2007-01-25 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-08-25 671744]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 53248]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]

"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]

"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]

"EPSON PictureMate Deluxe"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE" [2004-10-17 98304]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-15 520192]

"LtMoh"="c:\\Program Files\\ltmoh\\Ltmoh.exe" [2003-09-05 184320]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-18 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-18 114688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-18 77824]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]

"ZoomingHook"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]

"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-22 c:\windows\system32\TCtrlIOHook.exe]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 c:\windows\KHALMNPR.Exe]

"AGRSMMSG"="AGRSMMSG.exe" [2004-12-21 c:\windows\agrsmmsg.exe]

c:\documents and settings\Samantha\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2006-02-23 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-21 110592]

hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 147456]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 40960]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-26 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-04-14 581632]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-08-31 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"VundoFixSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\QuickTime\\QTTask.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-30 28544]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-25 206096]

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2005-08-31 14336]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-03-05 113896]

S3 SE2Fbus;Sony Ericsson Device 047 Driver driver (WDM);c:\windows\system32\DRIVERS\SE2Fbus.sys [2007-11-10 61600]

S3 SE2Fmdfl;Sony Ericsson Device 047 USB WMC Modem Filter;c:\windows\system32\DRIVERS\SE2Fmdfl.sys [2007-11-10 9360]

S3 SE2Fmdm;Sony Ericsson Device 047 USB WMC Modem Driver;c:\windows\system32\DRIVERS\SE2Fmdm.sys [2007-11-10 97184]

S3 SE2Fmgmt;Sony Ericsson Device 047 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\SE2Fmgmt.sys [2007-11-10 88688]

S3 se2Fnd5;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (NDIS);c:\windows\system32\DRIVERS\se2Fnd5.sys [2007-11-10 18704]

S3 SE2Fobex;Sony Ericsson Device 047 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\SE2Fobex.sys [2007-11-10 86560]

S3 se2Funic;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (WDM);c:\windows\system32\DRIVERS\se2Funic.sys [2007-11-10 90800]

S3 usb2vcom;USB Data Cable;c:\windows\system32\DRIVERS\usb2vcom.sys [2005-12-07 28704]

S4 VundoFixSvc;VundoFix Service;VundoFixSVC.exe []

.

Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2006-04-05 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1135304426.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]

2008-10-25 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2005-12-08 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 19:12]

2008-11-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.yahoo.com/

uInternet Settings,ProxyOverride = localhost;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Katherine\Application Data\Mozilla\Firefox\Profiles\z2xyfk70.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - www.google.com/ig

FF - component: c:\documents and settings\Katherine\Application Data\Mozilla\Firefox\Profiles\z2xyfk70.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

ATTENTION: FIREFOX POLICES IS IN FORCE

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");

c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-22 21:46:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2008-12-22 21:47:50

ComboFix-quarantined-files.txt 2008-12-23 02:47:16

ComboFix2.txt 2008-12-22 20:32:13

ComboFix3.txt 2008-12-21 21:39:21

Pre-Run: 54,085,681,152 bytes free

Post-Run: 54,070,300,672 bytes free

243 --- E O F --- 2008-12-18 15:09:24
