Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Internet Explorer Zero-Day Exploited in the Wild by APT Group

Featured Deal: Get 96% off the MCSA SQL Server Training Deal

Windows Police Pro, Anti Virus Pro 2010 & Security Tool

Started by TimeTurnsElastic , Oct 17 2009 09:05 PM

This topic is locked

41 replies to this topic

#1 TimeTurnsElastic

Members
30 posts
OFFLINE

Gender:Male
Location:Middletown, Connecticut
Local time:04:29 PM

Posted 17 October 2009 - 09:05 PM

I have all three. Just when I thought I had everything as far as Malware/Spyware and Rootkits taken care of, with Shelf Life's help recently, now I have this to contend with. Many pop-ups claiming that my computer is seriously infected, wanting me to click and load "special anti-spyware programs".

Some symptoms that are occuring:
Occasionally disabling McAfee Security (I have to manually restore protection).

Malwarebytes disabled (will not start-up).

Ad Aware disabled (will not start-up).

Desktop and icons disappeared

Task Manager will not work.

Control Panel does not work. C:\WINDOWS\system32\rundll32.exe Application not found error message appears.

DDS log below. Other DDS & RootRepeal logs attached.

DDS (Ver_09-10-13.01) - NTFSx86
Run by Administrator at 17:14:50.39 on Sat 10/17/2009
Internet Explorer: 8.0.6001.18702

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\tz8htvyy2z.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\tz8htvyy2z.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [svchost] c:\documents and settings\administrator\application data\svcst.exe
uRun: [hivew] c:\windows\system32\rundll32.exe c:\docume~1\admini~1\locals~1\temp\382415461737999.dll,Set1
uRun: [calc] rundll32.exe c:\docume~1\admini~1\ntuser.dll,_IWMPEvents@0
uRun: [Login Software 2009] c:\docume~1\admini~1\locals~1\temp\v8uoi92aj.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [naduvajab] Rundll32.exe "c:\windows\system32\salugula.dll",a
uPolicies-system: disableregistrytools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238636355359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: zijodope.dll c:\windows\system32\salugula.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: tuwaniyuf - {4fc09871-9969-47d1-a233-7f6da2f2bc4d} - No File
SSODL: vafeyivul - {eecb14b5-793c-4d6e-8a1b-1b92c0e98a68} - c:\windows\system32\salugula.dll
STS: c:\windows\system32\tz8htvyy2z.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\tz8htvyy2z.dll
STS: tokatiluy: {eecb14b5-793c-4d6e-8a1b-1b92c0e98a68} - c:\windows\system32\salugula.dll
LSA: Notification Packages = scecli sfatherc.dll mamapome.dll

============= SERVICES / DRIVERS ===============

============== File Associations ===============

exefile=c:\windows\system32\pump.exe "%1" %*

=============== Created Last 30 ================

2009-10-17 16:28 831 a------- c:\windows\system32\critical_warning.html
2009-10-17 14:30 14,918 a------- c:\docume~1\admini~1\applic~1\umyvata.sys
2009-10-17 14:30 13,165 a------- c:\docume~1\alluse~1\applic~1\wuqysuqoc.dat
2009-10-17 14:30 10,678 a------- c:\windows\lovacavezu.bin
2009-10-17 14:30 18,299 a------- c:\windows\alejo.inf
2009-10-17 14:30 18,254 a------- c:\windows\ovuqiquc.lib
2009-10-17 14:30 17,687 a------- c:\docume~1\alluse~1\applic~1\mejywa.bin
2009-10-17 14:30 16,529 a------- c:\windows\udicolype.dat
2009-10-17 14:30 15,380 a------- c:\program files\common files\uzowo.exe
2009-10-17 14:30 14,251 a------- c:\docume~1\admini~1\applic~1\notisyc.dll
2009-10-17 14:30 13,550 a------- c:\windows\system32\bodyjyvyr.lib
2009-10-17 14:30 11,655 a------- c:\windows\aler.lib
2009-10-17 14:30 11,641 a------- c:\docume~1\admini~1\applic~1\udeqymof.vbs
2009-10-17 14:30 10,792 a------- c:\windows\system32\uvupypon.dl
2009-10-17 14:30 10,373 a------- c:\windows\pofynywo.lib
2009-10-17 14:30 10,348 a------- c:\windows\toxenoger.bin
2009-10-17 14:30 17,505 a------- c:\windows\idymiwav.exe
2009-10-17 14:30 11,421 a------- c:\windows\aqunu.scr
2009-10-17 14:20 <DIR> --d----- c:\windows\system32\schtml
2009-10-17 14:18 36 a------- c:\windows\system32\skynet.dat
2009-10-17 14:18 9 a------- c:\windows\system32\nuar.old
2009-10-17 14:16 58 a------- c:\windows\wp4.dat
2009-10-17 14:16 2 a------- c:\windows\wp3.dat
2009-10-17 14:16 565,248 a------- c:\windows\system32\plugie.dll
2009-10-17 14:15 511,488 a------- c:\windows\system32\pump.exe
2009-10-17 14:15 34 a------- c:\windows\system32\wwp.htm
2009-10-17 14:15 2,041,856 a------- c:\windows\system32\AVR09.exe
2009-10-17 14:15 22,528 a------- c:\windows\system32\winhelper.dll
2009-10-17 14:15 168,960 a------- c:\windows\system32\_scui.cpl
2009-10-17 14:15 0 a------- c:\windows\Iguqevo.bin
2009-10-17 14:14 120 a------- c:\windows\Wzuxujika.dat
2009-10-17 14:14 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-10-17 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\72487533
2009-10-17 14:11 <DIR> --d----- c:\program files\Windows Police Pro
2009-10-17 14:10 160,880 a------- c:\docume~1\admini~1\applic~1\lizkavd.exe
2009-10-17 14:10 25,600 a--sh--- c:\documents and settings\administrator\ntuser.dll
2009-10-17 14:10 24,576 a------- c:\windows\system32\winupdate.exe
2009-10-17 14:09 25,600 a--sh--- c:\windows\system32\calc.dll
2009-10-17 14:08 30,208 a------- C:\iytcqy.exe
2009-10-17 14:08 24,576 a------- C:\jboy.exe
2009-10-17 14:08 15,000 a------- c:\windows\system32\tz8htvyy2z.dll
2009-10-17 14:08 49,152 a------- C:\bqefoh.exe
2009-10-17 14:08 247,808 a------- C:\lyqr.exe
2009-10-17 14:08 52,736 a------- C:\nmihj.exe
2009-10-17 14:07 44,544 a------- c:\docume~1\admini~1\applic~1\svcst.exe
2009-10-17 14:07 44,544 a------- c:\docume~1\admini~1\applic~1\seres.exe
2009-10-17 14:07 69,120 a------- c:\windows\system32\~.exe
2009-10-15 19:34 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-23 21:55 44,032 -------- c:\windows\system32\CTSVCCDA.EXE
2009-09-23 21:55 25,088 -------- c:\windows\system32\CTSVCCTL.EXE
2009-09-21 23:35 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-09-21 23:35 50,176 a------- c:\windows\system32\proquota.exe
2009-09-21 23:27 <DIR> a-dshr-- C:\cmdcons
2009-09-20 11:34 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-09-20 11:05 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-20 11:05 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-20 11:05 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-09-20 11:05 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-20 10:45 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-09-20 10:44 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-09-20 10:44 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-20 10:44 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-09-20 10:44 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-09-20 10:44 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-09-20 10:44 11,067,392 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-09-20 00:50 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-20 00:49 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 00:49 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-20 00:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-20 00:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 23:27 155,648 a------- c:\windows\system32\igfxres.dll
2009-09-19 23:13 79,360 ac------ c:\windows\system32\dllcache\phon.ime
2009-09-19 23:12 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
2009-09-19 23:11 598,071 ac------ c:\windows\system32\dllcache\fpmmc.dll
2009-09-19 23:09 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-09-19 23:09 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-09-19 23:09 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-09-19 23:09 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-09-19 23:09 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-09-19 23:09 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-09-19 21:41 0 a------- c:\windows\sUBs

==================== Find3M ====================

2009-10-17 14:30 14,201 a------- c:\program files\common files\fuqyfawyg.inf
2009-09-19 23:07 26,352 a------- c:\windows\system32\emptyregdb.dat
2009-09-11 10:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-08 23:40 79,270 a------- c:\windows\hpfins05.dat
2009-09-04 16:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 04:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 10:00 2,180,352 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 09:13 2,057,728 -------- c:\windows\system32\ntkrnlpa.exe
2009-07-31 15:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll

============= FINISH: 17:22:47.34 ===============

Thank you for your help

Attached Files

RootRepeal_report_10_17_09__18_10_22_.txt 27.94KB 3 downloads
Attach.txt 4.84KB 1 downloads

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Blade81

Bleepin' Rocker

Malware Response Team
6,465 posts
OFFLINE

Gender:Male
Location:Finland
Local time:11:29 PM

Posted 27 October 2009 - 05:43 AM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this post a fresh dds log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#3 TimeTurnsElastic

Topic Starter

Members
30 posts
OFFLINE

Gender:Male
Location:Middletown, Connecticut
Local time:04:29 PM

Posted 27 October 2009 - 08:01 AM

Blade, thanks for the reply. I should be able to get you a new DDS later this evening. I'm currently at work right now.

Thanks

#4 Blade81

Bleepin' Rocker

Malware Response Team
6,465 posts
OFFLINE

Gender:Male
Location:Finland
Local time:11:29 PM

Posted 27 October 2009 - 10:49 AM

Ok. Shall wait for the logs

Microsoft Windows Insider MVP 2016-2017

#5 TimeTurnsElastic

Topic Starter

Members
30 posts
OFFLINE

Gender:Male
Location:Middletown, Connecticut
Local time:04:29 PM

Posted 28 October 2009 - 08:59 PM

Blade,

Ran DDS and have attached the new logs. Thanks

DDS (Ver_09-10-13.01) - NTFSx86
Run by Administrator at 21:52:30.19 on Wed 10/28/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.167 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\FastNetSrv.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: c:\windows\system32\tz8htvyy2z.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\tz8htvyy2z.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [svchost] c:\documents and settings\administrator\application data\svcst.exe
uRun: [hivew] c:\windows\system32\rundll32.exe c:\docume~1\admini~1\locals~1\temp\382415461737999.dll,Set1
uRun: [calc] rundll32.exe c:\docume~1\admini~1\ntuser.dll,_IWMPEvents@0
uRun: [Login Software 2009] c:\docume~1\admini~1\locals~1\temp\v8uoi92aj.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
mRun: [Kpoza] rundll32.exe "c:\windows\emevumejabi.dll",Startup
mRun: [naduvajab] Rundll32.exe "c:\windows\system32\gisitiwi.dll",a
dRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: disableregistrytools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238636355359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: rawijihe.dll c:\windows\system32\yemuhiya.dll c:\windows\system32\gisitiwi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: tuwaniyuf - {4fc09871-9969-47d1-a233-7f6da2f2bc4d} - No File
SSODL: zefiyeday - {e97c314e-1763-4a24-9920-9eaa66f36e54} - c:\windows\system32\gisitiwi.dll
STS: c:\windows\system32\tz8htvyy2z.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\tz8htvyy2z.dll
STS: mujuzedij: {e97c314e-1763-4a24-9920-9eaa66f36e54} - c:\windows\system32\gisitiwi.dll
LSA: Notification Packages = scecli sfatherc.dll nosunilo.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-10 64160]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-4 47104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-27 210216]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 0249061256660784mcinstcleanup;McAfee Application Installer Cleanup (0249061256660784);c:\windows\temp\024906~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\024906~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 isapeep;isapeep;c:\windows\system32\isapeep.sys [2004-8-4 2304]

============== File Associations ===============

exefile=c:\windows\system32\pump.exe "%1" %*

=============== Created Last 30 ================

2009-10-21 05:34 2,713 ---sh--- c:\windows\system32\tisitora.exe
2009-10-20 11:54 0 a------- c:\windows\system32\18467.exe
2009-10-20 11:33 0 a------- c:\windows\system32\41.exe
2009-10-20 11:33 22,528 a------- c:\windows\system32\winhelper.dll
2009-10-18 02:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\62382930
2009-10-17 14:30 14,918 a------- c:\docume~1\admini~1\applic~1\umyvata.sys
2009-10-17 14:30 13,165 a------- c:\docume~1\alluse~1\applic~1\wuqysuqoc.dat
2009-10-17 14:30 10,678 a------- c:\windows\lovacavezu.bin
2009-10-17 14:30 18,299 a------- c:\windows\alejo.inf
2009-10-17 14:30 18,254 a------- c:\windows\ovuqiquc.lib
2009-10-17 14:30 17,687 a------- c:\docume~1\alluse~1\applic~1\mejywa.bin
2009-10-17 14:30 16,529 a------- c:\windows\udicolype.dat
2009-10-17 14:30 15,380 a------- c:\program files\common files\uzowo.exe
2009-10-17 14:30 14,251 a------- c:\docume~1\admini~1\applic~1\notisyc.dll
2009-10-17 14:30 13,550 a------- c:\windows\system32\bodyjyvyr.lib
2009-10-17 14:30 11,655 a------- c:\windows\aler.lib
2009-10-17 14:30 11,641 a------- c:\docume~1\admini~1\applic~1\udeqymof.vbs
2009-10-17 14:30 10,792 a------- c:\windows\system32\uvupypon.dl
2009-10-17 14:30 10,373 a------- c:\windows\pofynywo.lib
2009-10-17 14:30 10,348 a------- c:\windows\toxenoger.bin
2009-10-17 14:30 17,505 a------- c:\windows\idymiwav.exe
2009-10-17 14:30 11,421 a------- c:\windows\aqunu.scr
2009-10-17 14:20 <DIR> --d----- c:\windows\system32\schtml
2009-10-17 14:18 36 a------- c:\windows\system32\skynet.dat
2009-10-17 14:18 9 a------- c:\windows\system32\nuar.old
2009-10-17 14:16 58 a------- c:\windows\wp4.dat
2009-10-17 14:16 2 a------- c:\windows\wp3.dat
2009-10-17 14:15 34 a------- c:\windows\system32\wwp.htm
2009-10-17 14:15 0 a------- c:\windows\Iguqevo.bin
2009-10-17 14:14 120 a------- c:\windows\Wzuxujika.dat
2009-10-17 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\72487533
2009-10-17 14:10 27,136 a--sh--- c:\windows\system32\winupdate.exe
2009-10-17 14:07 44,544 a------- c:\docume~1\admini~1\applic~1\svcst.exe
2009-10-17 14:07 44,544 a------- c:\docume~1\admini~1\applic~1\seres.exe
2009-10-17 14:07 69,120 a------- c:\windows\system32\~.exe
2009-10-15 19:34 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-10-17 14:30 14,201 a------- c:\program files\common files\fuqyfawyg.inf
2009-09-19 23:07 26,352 a------- c:\windows\system32\emptyregdb.dat
2009-09-16 10:22 214,664 a------- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 10:22 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 10:22 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 10:22 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 10:22 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 10:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 23:40 79,270 a------- c:\windows\hpfins05.dat
2009-09-04 16:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 04:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 10:00 2,180,352 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 09:13 2,057,728 -------- c:\windows\system32\ntkrnlpa.exe
2009-07-31 15:23 411,368 a------- c:\windows\system32\deploytk.dll

============= FINISH: 21:54:11.05 ===============

Attached Files

Attach.txt 6.75KB 1 downloads

#6 Blade81

Bleepin' Rocker

Malware Response Team
6,465 posts
OFFLINE

Gender:Male
Location:Finland
Local time:11:29 PM

Posted 29 October 2009 - 01:04 AM

Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

#7 TimeTurnsElastic

Topic Starter

Members
30 posts
OFFLINE

Gender:Male
Location:Middletown, Connecticut
Local time:04:29 PM

Posted 29 October 2009 - 07:01 PM

Hey Blade,

Recovery console is installed.

I cannot open McAfee Security Center, so I will be unable to disable my anti-virus program before I run ComboFix. Any suggestions?

#8 Blade81

Bleepin' Rocker

Malware Response Team
6,465 posts
OFFLINE

Gender:Male
Location:Finland
Local time:11:29 PM

Posted 30 October 2009 - 01:44 AM

See if you're able to run ComboFix despite of that. If not, try to run it in safe mode.

Microsoft Windows Insider MVP 2016-2017

#9 TimeTurnsElastic

Topic Starter

Members
30 posts
OFFLINE

Gender:Male
Location:Middletown, Connecticut
Local time:04:29 PM

Posted 31 October 2009 - 01:15 PM

Blade,

Successfully ran ComboFix, plus ran DDS, as requested. Please see below and attached.

ComboFix 09-10-28.08 - Administrator 10/31/2009 10:33.5.1 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\ficaqamati.exe
c:\documents and settings\Administrator\Application Data\joliw.lib
c:\documents and settings\Administrator\Application Data\lizkavd.exe
c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Administrator\Application Data\notisyc.dll
c:\documents and settings\Administrator\Application Data\udeqymof.vbs
c:\documents and settings\Administrator\Application Data\umyvata.sys
c:\documents and settings\Administrator\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Administrator\Desktop\Windows Police Pro.lnk
c:\documents and settings\Administrator\Local Settings\Application Data\heji.dl
c:\documents and settings\Administrator\Local Settings\Application Data\tanur.pif
c:\documents and settings\Administrator\Local Settings\Application Data\xihohike.inf
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\alanutala.reg
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\duhasy.com
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\pobu.dat
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\wapucabaqa.lib
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\wicase.scr
c:\documents and settings\Administrator\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Administrator\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Administrator\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Administrator\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\documents and settings\All Users\Application Data\mejywa.bin
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\vyqax.lib
c:\documents and settings\All Users\Documents\qywerige.pif
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\byjun.pif
c:\program files\Common Files\cimo.scr
c:\program files\Common Files\fuqyfawyg.inf
c:\program files\Common Files\uravulega.pif
c:\program files\Common Files\uzowo.exe
c:\program files\Common Files\yrosif.scr
c:\windows\alejo.inf
c:\windows\aqunu.scr
c:\windows\bexajy.bat
c:\windows\emevumejabi.dll
c:\windows\idymiwav.exe
c:\windows\lovacavezu.bin
c:\windows\msa.exe
c:\windows\qamuzivisu.dl
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\18467.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\buju.reg
c:\windows\system32\certstore.dat
c:\windows\system32\dipamola.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\gimujewa.dll
c:\windows\system32\hahohetu.dll
c:\windows\system32\Install.txt
c:\windows\system32\isapeep.sys
c:\windows\system32\lupujuye.dll
c:\windows\system32\mibuviza.dll
c:\windows\system32\moluvedu.dll
c:\windows\system32\nosunilo.dll
c:\windows\system32\novomuzi.dll
c:\windows\system32\nuar.old
c:\windows\system32\papehehi.dll
c:\windows\system32\pofoyoru.dll
c:\windows\system32\qydewofo.pif
c:\windows\system32\rawijihe.dll
c:\windows\system32\rekomuzu.dll
c:\windows\system32\rohuzeta.dll
c:\windows\system32\schtml
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\skynet.dat
c:\windows\system32\sodolevu.dll
c:\windows\system32\tagiboja.dll
c:\windows\system32\tisitora.exe
c:\windows\system32\uvupypon.dl
c:\windows\system32\vizadapa.dll
c:\windows\system32\vudoyabi.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\xafi.pif
c:\windows\system32\zagebare.dll
c:\windows\TEMP\mta13187.dll
c:\windows\toxenoger.bin

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Legacy_isapeep
-------\Service_isapeep

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-30 11:30 . 2009-10-30 11:30 16845 ----a-w- c:\windows\system32\inezohal.dat
2009-10-30 11:11 . 2009-10-31 13:04 0 ----a-r- c:\windows\win32k.sys
2009-10-23 04:35 . 2009-10-23 04:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-10-23 04:35 . 2009-10-23 04:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-10-21 12:18 . 2009-10-21 12:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{1483BFAC-5771-4FE5-9714-6F79C3F44B6A}
2009-10-18 06:11 . 2009-10-23 08:35 -------- d-----w- c:\documents and settings\All Users\Application Data\62382930
2009-10-17 20:09 . 2009-10-17 20:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-17 18:30 . 2009-10-17 18:30 10362 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\lasale.dat
2009-10-17 18:30 . 2009-10-17 18:30 16529 ----a-w- c:\windows\udicolype.dat
2009-10-17 18:16 . 2009-10-17 21:01 58 ----a-w- c:\windows\wp4.dat
2009-10-17 18:16 . 2009-10-17 21:01 2 ----a-w- c:\windows\wp3.dat
2009-10-17 18:15 . 2009-10-31 05:25 0 ----a-r- c:\windows\Iguqevo.bin
2009-10-17 18:14 . 2009-10-31 05:25 120 ----a-w- c:\windows\Wzuxujika.dat
2009-10-17 18:12 . 2009-10-17 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\72487533

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 15:31 . 2009-05-27 15:30 -------- d-----w- c:\program files\McAfee
2009-10-30 11:30 . 2009-10-30 11:30 16718 ----a-w- c:\program files\Common Files\ohykotide.lib
2009-10-25 22:45 . 2009-02-23 00:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-17 18:30 . 2009-10-17 18:30 13165 ----a-w- c:\documents and settings\All Users\Application Data\wuqysuqoc.dat
2009-10-15 23:33 . 2009-03-01 05:39 -------- d-----w- c:\program files\Java
2009-09-24 07:08 . 2009-01-30 14:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-24 02:15 . 2009-02-23 02:28 -------- d-----w- c:\program files\FLAC
2009-09-24 01:57 . 2009-02-23 02:12 -------- d--h--w- c:\program files\Creative Installation Information
2009-09-24 01:56 . 2009-02-22 22:39 -------- d-----w- c:\program files\Creative
2009-09-24 01:15 . 2009-02-23 02:16 -------- d-----w- c:\program files\Audible
2009-09-22 04:28 . 2009-09-12 23:01 -------- d-----w- c:\program files\Runtime Software
2009-09-22 02:21 . 2009-02-23 01:40 -------- d-----w- c:\program files\BitTornado
2009-09-20 04:50 . 2009-09-20 04:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-20 04:49 . 2009-09-20 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 04:49 . 2009-09-20 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 03:07 . 2009-01-29 22:22 26352 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-18 01:56 . 2009-02-22 21:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-09-16 14:22 . 2009-05-27 16:12 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-05-27 16:12 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-05-27 16:12 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-03-25 15:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-05-27 15:12 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-12 22:13 . 2009-09-11 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-11 14:33 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 10:21 . 2009-09-11 03:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 01:25 . 2009-09-11 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-11 01:15 . 2009-09-11 01:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-11 01:13 . 2009-09-11 01:13 -------- d-----w- c:\program files\Lavasoft
2009-09-10 18:54 . 2009-09-20 04:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-09-20 04:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 04:35 . 2009-09-09 04:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2009-09-09 03:40 . 2009-02-21 22:02 79270 ----a-w- c:\windows\hpfins05.dat
2009-09-04 20:45 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 19:50 . 2009-02-21 22:01 47648 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2009-01-29 22:23 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2009-01-29 22:23 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2009-01-29 22:23 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-10-16 19:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2009-01-29 22:23 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2009-01-29 22:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-01-29 22:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2004-08-04 12:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-20 15:32 . 2009-07-20 15:32 27136 --sha-w- c:\windows\system32\diyobela.exe
2009-07-28 21:38 . 2009-07-28 21:38 91648 --sha-w- c:\windows\system32\gisitiwi.dll
2009-07-26 21:38 . 2009-07-26 21:38 39424 --sha-w- c:\windows\system32\gobekiyo.dll
2009-07-26 21:38 . 2009-07-26 21:38 53248 --sha-w- c:\windows\system32\henivihe.dll
2009-07-27 21:38 . 2009-07-27 21:38 91136 --sha-w- c:\windows\system32\huwulita.dll
2009-07-27 09:37 . 2009-07-27 09:37 39424 --sha-w- c:\windows\system32\jisiponu.dll
2009-07-30 09:39 . 2009-07-30 09:39 92160 --sha-w- c:\windows\system32\jitajavo.dll
2009-07-29 21:39 . 2009-07-29 21:39 39424 --sha-w- c:\windows\system32\kesowojo.dll
2009-07-31 09:39 . 2009-07-31 09:39 39424 --sha-w- c:\windows\system32\luruvube.dll
2009-07-30 21:39 . 2009-07-30 21:39 92160 --sha-w- c:\windows\system32\matodife.dll
2009-07-27 21:38 . 2009-07-27 21:38 39424 --sha-w- c:\windows\system32\mejiyuwo.dll
2009-07-30 21:39 . 2009-07-30 21:39 39424 --sha-w- c:\windows\system32\nowowise.dll
2009-07-29 21:39 . 2009-07-29 21:39 91648 --sha-w- c:\windows\system32\palimode.dll
2009-07-28 09:38 . 2009-07-28 09:38 91648 --sha-w- c:\windows\system32\siteleki.dll
2009-07-29 09:39 . 2009-07-29 09:39 39424 --sha-w- c:\windows\system32\sokajuji.dll
2009-07-30 09:39 . 2009-07-30 09:39 39424 --sha-w- c:\windows\system32\sufiluba.dll
2009-07-28 21:38 . 2009-07-28 21:38 39424 --sha-w- c:\windows\system32\tizuguve.dll
2009-07-26 21:39 . 2009-07-26 21:39 53248 --sha-w- c:\windows\system32\vuzolike.dll
2009-07-17 18:11 . 2009-07-17 18:11 24576 --sha-w- c:\windows\system32\yukeheja.exe
.

------- Sigcheck -------

[-] 2008-04-14 10:42 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2008-04-14 10:42 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\mspmsnsv.dll
[-] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
[7] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ERDNT\cache\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46cc19ee-a635-4dd9-992a-b5a3c8b7baec}]
2009-07-26 21:39 53248 --sha-w- c:\windows\system32\vuzolike.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2003-09-01 1200178]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcupdui.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpprop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Product Assistant\\bin\\hprblog.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcupdmgr.exe"=
"c:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/10/2009 9:26 PM 64160]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 8:00 AM 47616]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/27/2009 12:17 PM 210216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV
*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 01:25]

2009-10-31 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-27 16:22]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-27 16:22]

2009-10-31 c:\windows\Tasks\User_Feed_Synchronization-{1D897C43-4A84-463F-8FB7-F37BCDD2F837}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-naduvajab - c:\windows\system32\papehehi.dll
HKLM-Run-Kpoza - c:\windows\emevumejabi.dll
HKLM-Run-fosotafupo - nosunilo.dll
HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe
SharedTaskScheduler-{aeaaae86-dfcb-4e3b-ab3b-5b7b28f37f91} - c:\windows\system32\papehehi.dll
SSODL-tuwaniyuf-{4fc09871-9969-47d1-a233-7f6da2f2bc4d} - (no file)
SSODL-vafeyivul-{eecb14b5-793c-4d6e-8a1b-1b92c0e98a68} - (no file)
SSODL-liputesip-{aeaaae86-dfcb-4e3b-ab3b-5b7b28f37f91} - c:\windows\system32\papehehi.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 10:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\BtwSrv.dllx 46592 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2588)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\msi.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\opeia.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-10-31 11:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-31 15:13

Pre-Run: 134,868,992 bytes free
Post-Run: 134,279,168 bytes free

Current=5 Default=5 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - A0746BADA7A7DC0852A32B4767138310

DDS log below:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Administrator at 14:06:46.65 on Sat 10/31/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.225 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\opeia.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\lsm32.sys
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {46cc19ee-a635-4dd9-992a-b5a3c8b7baec} - vuzolike.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238636355359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: rawijihe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli nosunilo.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-10 64160]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-4 47616]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-27 210216]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 0234961257011555mcinstcleanup;McAfee Application Installer Cleanup (0234961257011555);c:\windows\temp\023496~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\023496~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

=============== Created Last 30 ================

2009-10-31 10:28 236,544 a------- c:\windows\PEV.exe
2009-10-31 10:28 161,792 a------- c:\windows\SWREG.exe
2009-10-31 10:28 77,312 a------- c:\windows\MBR.exe
2009-10-31 10:28 98,816 a------- c:\windows\sed.exe
2009-10-31 00:02 0 a------- c:\windows\system32\t1p0_706886368055.b1k
2009-10-30 07:30 16,845 a------- c:\windows\system32\inezohal.dat
2009-10-30 07:11 0 a----r-- c:\windows\win32k.sys
2009-10-18 02:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\62382930
2009-10-17 14:30 13,165 a------- c:\docume~1\alluse~1\applic~1\wuqysuqoc.dat
2009-10-17 14:30 18,254 a------- c:\windows\ovuqiquc.lib
2009-10-17 14:30 16,529 a------- c:\windows\udicolype.dat
2009-10-17 14:30 13,550 a------- c:\windows\system32\bodyjyvyr.lib
2009-10-17 14:30 11,655 a------- c:\windows\aler.lib
2009-10-17 14:30 10,373 a------- c:\windows\pofynywo.lib
2009-10-17 14:16 58 a------- c:\windows\wp4.dat
2009-10-17 14:16 2 a------- c:\windows\wp3.dat
2009-10-17 14:15 34 a------- c:\windows\system32\wwp.htm
2009-10-17 14:15 0 a----r-- c:\windows\Iguqevo.bin
2009-10-17 14:14 120 a------- c:\windows\Wzuxujika.dat
2009-10-17 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\72487533
2009-10-15 19:34 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-10-30 07:30 16,718 a------- c:\program files\common files\ohykotide.lib
2009-09-19 23:07 26,352 a------- c:\windows\system32\emptyregdb.dat
2009-09-16 10:22 214,664 a------- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 10:22 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 10:22 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 10:22 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 10:22 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 10:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 23:40 79,270 a------- c:\windows\hpfins05.dat
2009-09-04 16:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 04:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 10:00 2,180,352 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 09:13 2,057,728 -------- c:\windows\system32\ntkrnlpa.exe
2009-07-20 11:32 27,136 a--sh--- c:\windows\system32\diyobela.exe
2009-07-28 17:38 91,648 a--sh--- c:\windows\system32\gisitiwi.dll
2009-07-26 17:38 39,424 a--sh--- c:\windows\system32\gobekiyo.dll
2009-07-26 17:38 53,248 a--sh--- c:\windows\system32\henivihe.dll
2009-07-27 17:38 91,136 a--sh--- c:\windows\system32\huwulita.dll
2009-07-27 05:37 39,424 a--sh--- c:\windows\system32\jisiponu.dll
2009-07-30 05:39 92,160 a--sh--- c:\windows\system32\jitajavo.dll
2009-07-29 17:39 39,424 a--sh--- c:\windows\system32\kesowojo.dll
2009-07-31 05:39 39,424 a--sh--- c:\windows\system32\luruvube.dll
2009-07-30 17:39 92,160 a--sh--- c:\windows\system32\matodife.dll
2009-07-27 17:38 39,424 a--sh--- c:\windows\system32\mejiyuwo.dll
2009-07-30 17:39 39,424 a--sh--- c:\windows\system32\nowowise.dll
2009-07-29 17:39 91,648 a--sh--- c:\windows\system32\palimode.dll
2009-07-28 05:38 91,648 a--sh--- c:\windows\system32\siteleki.dll
2009-07-29 05:39 39,424 a--sh--- c:\windows\system32\sokajuji.dll
2009-07-30 05:39 39,424 a--sh--- c:\windows\system32\sufiluba.dll
2009-07-28 17:38 39,424 a--sh--- c:\windows\system32\tizuguve.dll
2009-07-26 17:39 53,248 a--sh--- c:\windows\system32\vuzolike.dll
2009-07-17 14:11 24,576 a--sh--- c:\windows\system32\yukeheja.exe

============= FINISH: 14:08:12.64 ===============

Attached Files

Attach.txt 8.64KB 1 downloads

#10 Blade81

Bleepin' Rocker

Malware Response Team
6,465 posts
OFFLINE

Gender:Male
Location:Finland
Local time:11:29 PM

Posted 01 November 2009 - 05:53 AM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/265139/windows-police-pro-anti-virus-pro-2010-security-tool/?p=1479867
Collect::
c:\windows\system32\inezohal.dat
c:\documents and settings\Administrator\Local Settings\Application Data\lasale.dat
c:\windows\udicolype.dat
c:\windows\wp4.dat
c:\windows\wp3.dat
c:\windows\Iguqevo.bin
c:\windows\Wzuxujika.dat
c:\program files\Common Files\ohykotide.lib
c:\documents and settings\All Users\Application Data\wuqysuqoc.dat
c:\windows\system32\t1p0_706886368055.b1k
c:\windows\ovuqiquc.lib
c:\windows\system32\bodyjyvyr.lib
c:\windows\aler.lib
c:\windows\pofynywo.lib
c:\windows\system32\wwp.htm
c:\windows\system32\BtwSrv.dllx
Driver::
BtwSrv
fastnetsrv
NetSvc::
BtwSrv
File::
c:\windows\system32\diyobela.exe
c:\windows\system32\gisitiwi.dll
c:\windows\system32\gobekiyo.dll
c:\windows\system32\henivihe.dll
c:\windows\system32\huwulita.dll
c:\windows\system32\jisiponu.dll
c:\windows\system32\jitajavo.dll
c:\windows\system32\kesowojo.dll
c:\windows\system32\luruvube.dll
c:\windows\system32\matodife.dll
c:\windows\system32\mejiyuwo.dll
c:\windows\system32\nowowise.dll
c:\windows\system32\palimode.dll
c:\windows\system32\siteleki.dll
c:\windows\system32\sokajuji.dll
c:\windows\system32\sufiluba.dll
c:\windows\system32\tizuguve.dll
c:\windows\system32\vuzolike.dll
c:\windows\system32\yukeheja.exe
c:\windows\system32\FastNetSrv.exe
Folder::
c:\documents and settings\All Users\Application Data\62382930
c:\documents and settings\All Users\Application Data\72487533
Rootkit::
c:\windows\win32k.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46cc19ee-a635-4dd9-992a-b5a3c8b7baec}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

#11 TimeTurnsElastic

Topic Starter

Members
30 posts
OFFLINE

Gender:Male
Location:Middletown, Connecticut
Local time:04:29 PM

Posted 01 November 2009 - 05:30 PM

Hey Blade, logs attached as requested. Thanks for your help.

ComboFix 09-10-28.08 - Administrator 11/01/2009 9:34.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.270 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\diyobela.exe"
"c:\windows\system32\FastNetSrv.exe"
"c:\windows\system32\gisitiwi.dll"
"c:\windows\system32\gobekiyo.dll"
"c:\windows\system32\henivihe.dll"
"c:\windows\system32\huwulita.dll"
"c:\windows\system32\jisiponu.dll"
"c:\windows\system32\jitajavo.dll"
"c:\windows\system32\kesowojo.dll"
"c:\windows\system32\luruvube.dll"
"c:\windows\system32\matodife.dll"
"c:\windows\system32\mejiyuwo.dll"
"c:\windows\system32\nowowise.dll"
"c:\windows\system32\palimode.dll"
"c:\windows\system32\siteleki.dll"
"c:\windows\system32\sokajuji.dll"
"c:\windows\system32\sufiluba.dll"
"c:\windows\system32\tizuguve.dll"
"c:\windows\system32\vuzolike.dll"
"c:\windows\system32\yukeheja.exe"

file zipped: c:\documents and settings\Administrator\Local Settings\Application Data\lasale.dat
file zipped: c:\documents and settings\All Users\Application Data\wuqysuqoc.dat
file zipped: c:\program files\Common Files\ohykotide.lib
file zipped: c:\windows\aler.lib
file zipped: c:\windows\Iguqevo.bin
file zipped: c:\windows\ovuqiquc.lib
file zipped: c:\windows\pofynywo.lib
file zipped: c:\windows\system32\bodyjyvyr.lib
file zipped: c:\windows\system32\inezohal.dat
file zipped: c:\windows\system32\t1p0_706886368055.b1k
file zipped: c:\windows\system32\wwp.htm
file zipped: c:\windows\udicolype.dat
file zipped: c:\windows\wp3.dat
file zipped: c:\windows\wp4.dat
file zipped: c:\windows\Wzuxujika.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\lasale.dat
c:\documents and settings\All Users\Application Data\62382930
c:\documents and settings\All Users\Application Data\62382930\62382930.bat
c:\documents and settings\All Users\Application Data\72487533
c:\documents and settings\All Users\Application Data\72487533\72487533.bat
c:\documents and settings\All Users\Application Data\wuqysuqoc.dat
c:\program files\Common Files\ohykotide.lib
c:\windows\aler.lib
c:\windows\Iguqevo.bin
c:\windows\ovuqiquc.lib
c:\windows\pofynywo.lib
c:\windows\system32\bodyjyvyr.lib
c:\windows\system32\diyobela.exe
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\gisitiwi.dll
c:\windows\system32\gobekiyo.dll
c:\windows\system32\henivihe.dll
c:\windows\system32\huwulita.dll
c:\windows\system32\inezohal.dat
c:\windows\system32\Install.txt
c:\windows\system32\jisiponu.dll
c:\windows\system32\jitajavo.dll
c:\windows\system32\kesowojo.dll
c:\windows\system32\luruvube.dll
c:\windows\system32\matodife.dll
c:\windows\system32\mejiyuwo.dll
c:\windows\system32\nowowise.dll
c:\windows\system32\palimode.dll
c:\windows\system32\siteleki.dll
c:\windows\system32\sokajuji.dll
c:\windows\system32\sufiluba.dll
c:\windows\system32\t1p0_706886368055.b1k
c:\windows\system32\tizuguve.dll
c:\windows\system32\vuzolike.dll
c:\windows\system32\wwp.htm
c:\windows\system32\yukeheja.exe
c:\windows\system32\zodogupe.dll
c:\windows\TEMP\mta13187.dll
c:\windows\udicolype.dat
c:\windows\wp3.dat
c:\windows\wp4.dat
c:\windows\Wzuxujika.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Service_BtwSrv
-------\Service_fastnetsrv

((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-10-31 22:40 . 2009-10-31 22:40 -------- d-----w- c:\windows\LastGood.Tmp
2009-10-31 20:14 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 20:13 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-23 04:35 . 2009-10-23 04:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-10-23 04:35 . 2009-10-23 04:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-10-21 12:18 . 2009-10-21 12:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{1483BFAC-5771-4FE5-9714-6F79C3F44B6A}
2009-10-17 20:09 . 2009-10-17 20:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 12:19 . 2009-05-27 15:30 -------- d-----w- c:\program files\McAfee
2009-10-31 20:14 . 2009-09-20 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 22:45 . 2009-02-23 00:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-15 23:33 . 2009-03-01 05:39 -------- d-----w- c:\program files\Java
2009-09-24 07:08 . 2009-01-30 14:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-24 02:15 . 2009-02-23 02:28 -------- d-----w- c:\program files\FLAC
2009-09-24 01:57 . 2009-02-23 02:12 -------- d--h--w- c:\program files\Creative Installation Information
2009-09-24 01:56 . 2009-02-22 22:39 -------- d-----w- c:\program files\Creative
2009-09-24 01:15 . 2009-02-23 02:16 -------- d-----w- c:\program files\Audible
2009-09-22 04:28 . 2009-09-12 23:01 -------- d-----w- c:\program files\Runtime Software
2009-09-22 02:21 . 2009-02-23 01:40 -------- d-----w- c:\program files\BitTornado
2009-09-20 04:50 . 2009-09-20 04:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-20 04:49 . 2009-09-20 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 03:07 . 2009-01-29 22:22 26352 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-18 01:56 . 2009-02-22 21:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-09-16 14:22 . 2009-05-27 16:12 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-05-27 16:12 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-05-27 16:12 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-03-25 15:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-05-27 15:12 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-12 22:13 . 2009-09-11 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-11 14:33 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 10:21 . 2009-09-11 03:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 01:25 . 2009-09-11 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-11 01:15 . 2009-09-11 01:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-11 01:13 . 2009-09-11 01:13 -------- d-----w- c:\program files\Lavasoft
2009-09-09 04:35 . 2009-09-09 04:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2009-09-09 03:40 . 2009-02-21 22:02 79270 ----a-w- c:\windows\hpfins05.dat
2009-09-04 20:45 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 19:50 . 2009-02-21 22:01 47648 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2009-01-29 22:23 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2009-01-29 22:23 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2009-01-29 22:23 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-10-16 19:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2009-01-29 22:23 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2009-01-29 22:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-01-29 22:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2004-08-04 12:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-01 09:40 . 2009-08-01 09:40 39424 --sha-w- c:\windows\system32\gosufido.dll
2009-07-31 21:40 . 2009-07-31 21:40 39424 --sha-w- c:\windows\system32\jeyiniyo.dll
2009-07-31 21:40 . 2009-07-31 21:40 92160 --sha-w- c:\windows\system32\jiwusomo.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-31_14.54.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-01 14:52 . 2009-11-01 14:52 16384 c:\windows\Temp\Perflib_Perfdata_4b8.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 88064 c:\windows\system32\wmdtc.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 88064 c:\windows\system32\opeia.exe
+ 2009-09-23 07:08 . 2009-11-01 12:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-23 07:08 . 2009-10-30 11:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-30 15:30 . 2009-11-01 12:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-30 15:30 . 2009-10-30 11:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-31 16:07 . 2009-10-31 16:07 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-10-31 16:07 . 2009-11-01 12:19 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-09-30 02:30 . 2009-10-30 11:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-31 16:07 . 2009-10-31 16:07 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{87669DE9-C637-11DE-9C62-000F1F7A216E}.dat
+ 2009-10-31 16:07 . 2009-10-31 16:07 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{87669DEA-C637-11DE-9C62-000F1F7A216E}.dat
+ 2009-09-09 03:18 . 2009-11-01 14:55 213293 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2003-09-01 1200178]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Kpoza"="c:\windows\emevumejabi.dll" [BU]
"naduvajab"="c:\windows\system32\zodogupe.dll" [BU]
"fosotafupo"="nosunilo.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcupdui.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpprop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Product Assistant\\bin\\hprblog.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcupdmgr.exe"=
"c:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/10/2009 8:26 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/27/2009 11:17 AM 210216]
S2 0144221257028845mcinstcleanup;McAfee Application Installer Cleanup (0144221257028845);c:\windows\TEMP\014422~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\014422~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0144221257028845MCINSTCLEANUP
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 01:25]

2009-11-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-27 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-27 16:22]

2009-11-01 c:\windows\Tasks\User_Feed_Synchronization-{1D897C43-4A84-463F-8FB7-F37BCDD2F837}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{6d03f7e8-f5e3-4232-9909-9b4c5d288c49} - c:\windows\system32\zodogupe.dll
SSODL-tuwaniyuf-{4fc09871-9969-47d1-a233-7f6da2f2bc4d} - (no file)
SSODL-vafeyivul-{eecb14b5-793c-4d6e-8a1b-1b92c0e98a68} - (no file)
SSODL-dudepuzig-{6d03f7e8-f5e3-4232-9909-9b4c5d288c49} - c:\windows\system32\zodogupe.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 09:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(504)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-11-01 10:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-01 15:08
ComboFix2.txt 2009-10-31 15:13

Pre-Run: 150,519,808 bytes free
Post-Run: 199,438,336 bytes free

Current=5 Default=5 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 44B709690692D0EFAD7B10AF18CB0AF2

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, November 1, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, November 01, 2009 16:16:52
Records in database: 3112163
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 146945
Threats found: 8
Error Resource :getAppletResource('kosp.report.stat.infe'): 51
Suspicious objects found: 0
Error Resource :getAppletResource('kosp.report.stat.time'): 02:44:00

Error Resource :getAppletResource('kosp.report.infected_object') / Error Resource :getAppletResource('kosp.report.virus_name') / Error Resource :getAppletResource('kosp.report.count')
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\lizkavd.exe.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.Katusha.e 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\AVR09.exe.vir Error Resource :getAppletResource('kosp.report.infected')Trojan.Win32.FraudPack.yoc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dipamola.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\diyobela.exe.vir Error Resource :getAppletResource('kosp.report.infected')Trojan.Win32.FraudPack.xcs 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir Error Resource :getAppletResource('kosp.report.infected')Rootkit.Win32.PMax.h 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gimujewa.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gisitiwi.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gobekiyo.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hahohetu.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\henivihe.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\huwulita.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jisiponu.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jitajavo.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kesowojo.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lupujuye.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\luruvube.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\matodife.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mejiyuwo.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mibuviza.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\moluvedu.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nosunilo.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\novomuzi.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nowowise.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\palimode.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\papehehi.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pofoyoru.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rawijihe.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rekomuzu.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rohuzeta.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\siteleki.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sodolevu.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sokajuji.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sufiluba.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tagiboja.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tizuguve.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vizadapa.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vudoyabi.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vuzolike.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir Error Resource :getAppletResource('kosp.report.infected')Trojan.Win32.BHO.abqw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yukeheja.exe.vir Error Resource :getAppletResource('kosp.report.infected')Trojan-Downloader.Win32.FraudLoad.fva 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zagebare.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zodogupe.dll.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.Krap.ah 1
C:\WINDOWS\system32\gosufido.dll Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\WINDOWS\system32\jeyiniyo.dll Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1
C:\WINDOWS\system32\jiwusomo.dll Error Resource :getAppletResource('kosp.report.infected')Packed.Win32.TDSS.aa 1

Error Resource :getAppletResource('kosp.report.scan_complete')

DDS (Ver_09-10-13.01) - NTFSx86
Run by Administrator at 17:20:17.85 on Sun 11/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.251 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Kpoza] rundll32.exe "c:\windows\emevumejabi.dll",Startup
mRun: [fosotafupo] Rundll32.exe "nosunilo.dll",s
mRun: [naduvajab] Rundll32.exe "c:\windows\system32\zodogupe.dll",a
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238636355359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-10 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-27 210216]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 0157681257109532mcinstcleanup;McAfee Application Installer Cleanup (0157681257109532);c:\windows\temp\015768~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\015768~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]

=============== Created Last 30 ================

2009-10-31 15:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 15:13 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-31 09:28 236,544 a------- c:\windows\PEV.exe
2009-10-31 09:28 161,792 a------- c:\windows\SWREG.exe
2009-10-31 09:28 77,312 a------- c:\windows\MBR.exe
2009-10-31 09:28 98,816 a------- c:\windows\sed.exe
2009-10-15 18:34 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-09-19 22:07 26,352 a------- c:\windows\system32\emptyregdb.dat
2009-09-16 09:22 214,664 a------- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 09:22 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 09:22 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 09:22 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 09:22 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 09:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-08 22:40 79,270 a------- c:\windows\hpfins05.dat
2009-09-04 15:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 03:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 09:00 2,180,352 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 08:13 2,057,728 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-01 04:40 39,424 a--sh--- c:\windows\system32\gosufido.dll
2009-07-31 16:40 39,424 a--sh--- c:\windows\system32\jeyiniyo.dll
2009-07-31 16:40 92,160 a--sh--- c:\windows\system32\jiwusomo.dll

============= FINISH: 17:20:54.65 ===============

Attached Files

Attach.txt 8.87KB 0 downloads

#12 Blade81

Bleepin' Rocker

Malware Response Team
6,465 posts
OFFLINE

Gender:Male
Location:Finland
Local time:11:29 PM

Posted 02 November 2009 - 12:59 AM

Hi,

Please look for zip file that name begins as [4]-Submit in c:\qoobox\quarantine folder. Upload the file here. Kindly include a link to this topic. Let me know when that's been done.

Microsoft Windows Insider MVP 2016-2017

#13 TimeTurnsElastic

Topic Starter

Members
30 posts
OFFLINE

Gender:Male
Location:Middletown, Connecticut
Local time:04:29 PM

Posted 02 November 2009 - 04:56 PM

OK Blade, file was submitted sucessfully.

Thanks

#14 Blade81

Bleepin' Rocker

Malware Response Team
6,465 posts
OFFLINE

Gender:Male
Location:Finland
Local time:11:29 PM

Posted 03 November 2009 - 01:40 AM

Thanks for the submission

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\gosufido.dll
c:\windows\system32\jeyiniyo.dll
c:\windows\system32\jiwusomo.dll
FixCSet::
DDS::
mRun: [Kpoza] rundll32.exe "c:\windows\emevumejabi.dll",Startup
mRun: [fosotafupo] Rundll32.exe "nosunilo.dll",s
mRun: [naduvajab] Rundll32.exe "c:\windows\system32\zodogupe.dll",a

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds log. How's the system running now?

Microsoft Windows Insider MVP 2016-2017

#15 TimeTurnsElastic

Topic Starter

Members
30 posts
OFFLINE

Gender:Male
Location:Middletown, Connecticut
Local time:04:29 PM

Posted 03 November 2009 - 01:32 PM

Wow, where do I begin?

Three DLL error messages appeared on restart after disabling S&D Tea Timer and computer restart. Error messages were not up long enough for me to get specific info, likely along the lines of Error loading "file name" The specified module could not be found. I went and doubled checked that S&D Tea Timer was disabled, which it was not, so I disabled it again, this time with out restarting the computer. Tea Timer was off when I reopened S&D.

When dragging notepad to combo fix icon I received another DLL error message. Once again, it was not on screen long enough for me to get the specific info that was displayed. Once the error message disappeared, ComboFix started and ran as normal.

I am certain of the following: 1) McAfee anit virus and spyware applications were off; 2)Tea Timer was disabled; 3) No other programs were running.

ComboFix did its thing and deleated files based on your code.

ComboFix rebooted computer. Prior to reboot an error message appeared. catchme.cfxxe - DLL initialization failed. Application failed because windows is shutting down. Ok, I though to myself, this might be normal because ComboFix is the only thing running and the computer is shutting down.

Computer restarted and log was created, see below.

I manually restarted the computer to see if the files causing the DLL error messages were gone. Upon restart, I received two DLL error messages, I was only able to get the specifics on one of them. Error loading C:\winddows\system 32\zodogupe.dll the specified module could not be found.

McAfee was disabled on restart also and it took a long time to load IE to get back to this forum to post the ComboFix and DDS logs.

Appreciate the help!

ComboFix 09-11-02.05 - Administrator 11/03/2009 12:12.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.294 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\gosufido.dll"
"c:\windows\system32\jeyiniyo.dll"
"c:\windows\system32\jiwusomo.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gosufido.dll
c:\windows\system32\jeyiniyo.dll
c:\windows\system32\jiwusomo.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-03 14:24 . 2009-11-03 14:24 -------- d-----w- c:\windows\LastGood.Tmp
2009-11-03 02:37 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 02:37 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 16:49 . 2009-11-01 16:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-11-01 16:48 . 2009-11-01 16:48 -------- d-----w- c:\program files\Google
2009-10-23 04:35 . 2009-10-23 04:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-10-23 04:35 . 2009-10-23 04:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-10-21 12:18 . 2009-10-21 12:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{1483BFAC-5771-4FE5-9714-6F79C3F44B6A}
2009-10-17 20:09 . 2009-10-17 20:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 14:24 . 2009-05-27 15:30 -------- d-----w- c:\program files\McAfee
2009-11-03 02:37 . 2009-09-20 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 22:45 . 2009-02-23 00:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-15 23:33 . 2009-03-01 05:39 -------- d-----w- c:\program files\Java
2009-09-24 07:08 . 2009-01-30 14:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-24 02:15 . 2009-02-23 02:28 -------- d-----w- c:\program files\FLAC
2009-09-24 01:57 . 2009-02-23 02:12 -------- d--h--w- c:\program files\Creative Installation Information
2009-09-24 01:56 . 2009-02-22 22:39 -------- d-----w- c:\program files\Creative
2009-09-24 01:15 . 2009-02-23 02:16 -------- d-----w- c:\program files\Audible
2009-09-22 04:28 . 2009-09-12 23:01 -------- d-----w- c:\program files\Runtime Software
2009-09-22 02:21 . 2009-02-23 01:40 -------- d-----w- c:\program files\BitTornado
2009-09-20 04:50 . 2009-09-20 04:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-20 04:49 . 2009-09-20 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 03:07 . 2009-01-29 22:22 26352 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-18 01:56 . 2009-02-22 21:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-09-16 14:22 . 2009-05-27 16:12 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-05-27 16:12 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-05-27 16:12 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-03-25 15:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-05-27 15:12 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-12 22:13 . 2009-09-11 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-11 14:33 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 10:21 . 2009-09-11 03:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 01:25 . 2009-09-11 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-11 01:15 . 2009-09-11 01:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-11 01:13 . 2009-09-11 01:13 -------- d-----w- c:\program files\Lavasoft
2009-09-09 04:35 . 2009-09-09 04:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2009-09-09 03:40 . 2009-02-21 22:02 79270 ----a-w- c:\windows\hpfins05.dat
2009-09-04 20:45 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 19:50 . 2009-02-21 22:01 47648 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2009-01-29 22:23 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2009-01-29 22:23 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2009-01-29 22:23 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-10-16 19:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2009-01-29 22:23 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2009-01-29 22:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-01-29 22:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-31_14.54.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-03 17:24 . 2009-11-03 17:24 16384 c:\windows\Temp\Perflib_Perfdata_52c.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 88064 c:\windows\system32\wmdtc.exe
+ 2004-08-12 13:26 . 2009-11-01 14:57 89156 c:\windows\system32\perfc009.dat
- 2004-08-12 13:26 . 2009-10-17 07:13 89156 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 88064 c:\windows\system32\opeia.exe
+ 2009-11-01 16:59 . 2009-11-01 16:59 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-09-23 07:08 . 2009-11-03 14:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-23 07:08 . 2009-10-30 11:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-30 15:30 . 2009-10-30 11:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-30 15:30 . 2009-11-03 14:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-31 16:07 . 2009-10-31 16:07 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-11-01 16:57 . 2009-11-03 14:24 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-09-30 02:30 . 2009-10-30 11:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-01 16:48 . 2009-11-01 16:48 24064 c:\windows\Installer\6b6655.msi
+ 2009-10-31 16:07 . 2009-10-31 16:07 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{87669DE9-C637-11DE-9C62-000F1F7A216E}.dat
+ 2009-10-31 16:07 . 2009-10-31 16:07 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{87669DEA-C637-11DE-9C62-000F1F7A216E}.dat
- 2004-08-12 13:26 . 2009-10-17 07:13 492350 c:\windows\system32\perfh009.dat
+ 2004-08-12 13:26 . 2009-11-01 14:57 492350 c:\windows\system32\perfh009.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-09-09 03:18 . 2009-11-03 17:26 213294 c:\windows\system32\inetsrv\MetaBase.bin
- 2009-09-09 03:18 . 2009-10-31 14:56 213294 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2003-09-01 1200178]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcupdui.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpprop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Product Assistant\\bin\\hprblog.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcupdmgr.exe"=
"c:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/10/2009 8:26 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/27/2009 11:17 AM 210216]
S2 0099861257258277mcinstcleanup;McAfee Application Installer Cleanup (0099861257258277);c:\windows\TEMP\009986~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\009986~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0099861257258277MCINSTCLEANUP
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 01:25]

2009-11-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-27 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-27 16:22]

2009-11-03 c:\windows\Tasks\User_Feed_Synchronization-{1D897C43-4A84-463F-8FB7-F37BCDD2F837}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 12:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\mcafee_yQRKmctpUne2zD1

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1828)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-11-03 12:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-03 17:38
ComboFix2.txt 2009-11-01 15:08
ComboFix3.txt 2009-10-31 15:13

Pre-Run: 9,904,660,480 bytes free
Post-Run: 9,977,077,760 bytes free

DDS (Ver_09-10-13.01) - NTFSx86
Run by Administrator at 12:48:41.45 on Tue 11/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.179 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
uRun: [PopRock] c:\docume~1\admini~1\locals~1\temp\b.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Kpoza] rundll32.exe "c:\windows\emevumejabi.dll",Startup
mRun: [naduvajab] Rundll32.exe "c:\windows\system32\zodogupe.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238636355359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-10 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-27 210216]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 0099861257258277mcinstcleanup;McAfee Application Installer Cleanup (0099861257258277);c:\windows\temp\009986~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\009986~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

=============== Created Last 30 ================

2009-11-02 21:37 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 21:37 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-31 09:28 236,544 a------- c:\windows\PEV.exe
2009-10-31 09:28 161,792 a------- c:\windows\SWREG.exe
2009-10-31 09:28 77,312 a------- c:\windows\MBR.exe
2009-10-31 09:28 98,816 a------- c:\windows\sed.exe
2009-10-15 18:34 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-09-19 22:07 26,352 a------- c:\windows\system32\emptyregdb.dat
2009-09-16 09:22 214,664 a------- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 09:22 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 09:22 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 09:22 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 09:22 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 09:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-08 22:40 79,270 a------- c:\windows\hpfins05.dat
2009-09-04 15:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 03:16 247,326 a------- c:\windows\system32\strmdll.dll

============= FINISH: 12:49:54.34 ===============