
Browser still redirects after mbam and avira reports clean


This topic is locked
18 replies to this topic

#1 guglyman
  • Members
  • 9 posts

Posted 29 November 2009 - 05:59 PM

Both Malwarebytes and Avira scans have been used to clean multiple infections. Browsers (Chrome and IE) are still redirecting. Tried HiJackThis, which reports problems with hosts file (logfile attached), but it cannot repair due to it being open/readonly. I tried to reboot into safe mode but received blue screen about a driver.

DDS.txt, Attach.txt, and HiJackThis_logfile.txt attached.

---------------

Update: I just ran TFC and now, after rebooting, the computer freezes after a minute (presumably a startup service lost one of its files in the TFC cleanup). Also, safe mode is still unavailable as mentioned before -- it stops here:

STOP: 0x0000007E (0xc0000005, 0x8673cc21, 0x8673cc21, 0xF7c45c44, 0xF7c45940)

---------------

DDS (Ver_09-11-29.01) - NTFSx86
Run by David Norris at 14:36:06.51 on Sun 11/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.632 [GMT -8:00]

AV: System Defender *On-access scanning enabled* (Updated) {202B08C2-1131-4F93-B4DF-3184684295C0}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: System Defender *enabled* {27F57D55-D1E9-405E-A0DB-4A0001FF50DF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\David Norris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David Norris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David Norris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\David Norris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David Norris\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223262157000
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
AppInit_DLLs: c:\windows\system32\miposaho.dll c:\windows\system32\pabewisa.dll worusego.dll c:\windows\system32\hibunevo.dll hutijezu.dll
SSODL: bavujolot - {e1c0920d-ba72-49e0-a4d2-de3495c817ea} - No File
SSODL: zadosuhih - {e78c16bc-327d-44b7-8ffe-47c796e504fd} - No File
SSODL: tetotezol - {0390ad1a-268f-4970-91a0-9b5c6402edc5} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: neluparut - {f6c3c148-ea4d-4cad-a8f7-b899384250e5} - No File
STS: {e1c0920d-ba72-49e0-a4d2-de3495c817ea} - No File
STS: {e78c16bc-327d-44b7-8ffe-47c796e504fd} - No File
STS: {0390ad1a-268f-4970-91a0-9b5c6402edc5} - No File
STS: {f6c3c148-ea4d-4cad-a8f7-b899384250e5} - No File
LSA: Notification Packages = scecli zukuyepu.dll yiyobuye.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-16 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-16 55656]
S2 cexpvfrcermqas;cexpvfrcermqas;\??\c:\windows\system32\drivers\yyfjbzywzljfir.sys --> c:\windows\system32\drivers\yyfjbzywzljfir.sys [?]

=============== Created Last 30 ================

2009-11-29 19:49:46 0 d-----w- c:\program files\Trend Micro
2009-11-29 19:47:03 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-29 19:47:03 0 d-----w- c:\documents and settings\david norris\log
2009-11-28 06:30:30 0 d-sh--w- c:\documents and settings\david norris\PrivacIE
2009-11-28 06:25:21 0 d-sh--w- c:\documents and settings\david norris\IETldCache
2009-11-28 06:21:36 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-28 06:21:14 0 d-----w- c:\windows\ie8updates
2009-11-28 06:20:59 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-28 06:20:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-28 06:18:48 0 dc-h--w- c:\windows\ie8
2009-11-28 04:24:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 04:24:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 04:24:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 03:13:40 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-22 03:11:50 0 d-----w- c:\windows\system32\LogFiles
2009-11-21 01:29:05 1962544 ----a-w- c:\windows\system32\install_flash_player_ax.exe
2009-11-21 01:14:49 1962544 ----a-w- c:\windows\install_flash_player_ax.exe
2009-11-21 01:10:23 1962544 ----a-w- c:\program files\install_flash_player_ax.exe
2009-11-17 00:53:37 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-17 00:53:34 0 d-----w- c:\program files\Avira
2009-11-17 00:53:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-17 00:43:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-16 15:02:01 0 d-sh--w- c:\docume~1\alluse~1\applic~1\3282c
2009-11-16 14:26:24 0 d-sh--w- c:\documents and settings\all users\76cb400
2009-11-16 04:51:32 0 d-----w- c:\docume~1\davidn~1\applic~1\Malwarebytes
2009-11-16 04:51:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-16 04:51:10 0 d-----w- c:\program files\M-ware_bytes
2009-11-16 04:28:57 0 d-----w- c:\program files\CCleaner
2009-11-16 04:11:23 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-11-16 04:11:23 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-11-16 04:08:57 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-11-16 04:08:57 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-11-13 03:48:06 148 ----a-w- c:\documents and settings\david norris\Video .lnk
2009-11-13 03:48:06 148 ----a-w- c:\documents and settings\david norris\Pictures .lnk
2009-11-13 03:48:06 148 ----a-w- c:\documents and settings\david norris\Passwords .lnk
2009-11-13 03:48:06 148 ----a-w- c:\documents and settings\david norris\New Folder .lnk
2009-11-13 03:48:06 148 ----a-w- c:\documents and settings\david norris\Music .lnk
2009-11-13 03:48:06 148 ----a-w- c:\documents and settings\david norris\Documents .lnk
2009-11-13 03:47:54 124 --sh--r- c:\documents and settings\david norris\autorun.inf
2009-11-12 06:55:16 468 ----a-w- c:\windows\system32\5834009.exe
2009-11-12 06:19:50 221 ----a-w- c:\documents and settings\david norris\SrdoBO.bat

==================== Find3M ====================

2009-11-12 07:51:14 31396352 ----a-w- c:\program files\eav_nt32_enu.msi
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 22:56:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-04-28 01:43:50 43083040 ----a-w- c:\program files\AdbeRdr910_en_US_Std.exe
2009-04-25 07:08:41 1047072 ----a-w- c:\program files\MoveMediaPlayer_071303000006.exe
2009-04-24 04:20:26 74302760 ----a-w- c:\program files\iTunesSetup.exe

============= FINISH: 14:37:47.93 ===============

Edited by guglyman, 29 November 2009 - 07:45 PM.
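The DDS log above carries the persistence points that explain the redirects even though the on-demand scanners came back clean: routable HOSTS entries for rogue-AV payment domains, five unknown AppInit_DLLs, two extra LSA notification packages, Image File Execution Options entries that swap svchost.exe in for other programs, four orphaned shell-load CLSIDs, a service pointing at a missing driver, and a hidden autorun.inf next to .lnk files named like the user's own folders. The script below is an added example, not part of DDS, HijackThis or any reply in this thread; it encodes the checks a malware-response helper applies by eye. SAMPLE is constructed from lines copied out of the first post plus one benign line of each kind, and LSA_KNOWN assumes a plain XP install (scecli is the only default package; add rassfm or kdcsvc for server roles).

```python
"""Triage DDS "Pseudo HJT Report" and "Created Last 30" lines.

Added example for this thread; SAMPLE is constructed from the first post.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Only default LSA notification package on XP; any other DLL named there is
# loaded into lsass.exe at boot (assumption: plain XP, no server roles).
LSA_KNOWN = {"scecli"}
# Sinking a name to the local host is the normal HOSTS use; a routable
# address is how a domain gets silently redirected elsewhere.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\d+) (\S{8}) (.+)$")


def triage_dds(text: str) -> list[tuple[str, str]]:
    """Return (category, detail) pairs for entries worth a second look."""
    findings: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Hosts:"):
            parts = line.split()
            if len(parts) >= 3:
                ip, host = parts[1], parts[2]
                try:
                    routable = str(ip_address(ip)) not in SINKHOLE_IPS
                except ValueError:
                    routable = True  # malformed address: still worth a look
                if routable:
                    findings.append(("hosts-redirect", f"{host} -> {ip}"))
        elif line.startswith("AppInit_DLLs:"):
            # Every DLL here is injected into each process that loads user32.dll.
            for dll in line.split(":", 1)[1].split():
                findings.append(("appinit-dll", dll))
        elif line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower().removesuffix(".dll") not in LSA_KNOWN:
                    findings.append(("lsa-notification-package", pkg))
        elif line.startswith("IFEO:"):
            # An IFEO "Debugger" value runs the named program instead of the one launched.
            findings.append(("ifeo-debugger", line[5:].strip()))
        elif line.startswith(("SSODL:", "STS:")) and line.endswith("No File"):
            findings.append(("orphaned-shell-clsid", line.split(":", 1)[1].strip()))
        elif re.match(r"^[RS]\d ", line) and line.endswith("[?]"):
            # Service registered but its image file is not on disk (or is hidden).
            findings.append(("service-missing-image", line[3:].split(";", 1)[0]))
        else:
            m = CREATED_RE.match(line)
            if not m:
                continue
            attrs, path = m.group(2), m.group(3)
            name = path.rsplit("\\", 1)[-1].lower()
            if name.endswith(" .lnk"):
                # "Documents .lnk" beside a real Documents folder: shortcut masquerade.
                findings.append(("folder-lookalike-lnk", path))
            elif name == "autorun.inf":
                findings.append(("autorun-inf", f"{path} [{attrs}]"))
            elif re.fullmatch(r"\d+\.exe", name) and "\\system32\\" in path.lower():
                findings.append(("numeric-exe-in-system32", path))
    return findings


def summarize(findings) -> dict[str, int]:
    return dict(Counter(cat for cat, _ in findings))


# Constructed from the log in the first post, plus one benign line per kind.
SAMPLE = r"""
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 127.0.0.1 localhost
AppInit_DLLs: c:\windows\system32\miposaho.dll c:\windows\system32\pabewisa.dll worusego.dll
SSODL: bavujolot - {e1c0920d-ba72-49e0-a4d2-de3495c817ea} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {e1c0920d-ba72-49e0-a4d2-de3495c817ea} - No File
LSA: Notification Packages = scecli zukuyepu.dll yiyobuye.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
S2 cexpvfrcermqas;cexpvfrcermqas;\??\c:\windows\system32\drivers\yyfjbzywzljfir.sys --> c:\windows\system32\drivers\yyfjbzywzljfir.sys [?]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-16 11608]
2009-11-13 03:48:06 148 ----a-w- c:\documents and settings\david norris\Passwords .lnk
2009-11-13 03:47:54 124 --sh--r- c:\documents and settings\david norris\autorun.inf
2009-11-12 06:55:16 468 ----a-w- c:\windows\system32\5834009.exe
2009-11-16 04:11:23 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
"""

if __name__ == "__main__":
    for cat, detail in triage_dds(SAMPLE):
        print(f"{cat:28} {detail}")
    print(summarize(triage_dds(SAMPLE)))
```

Feed it a whole DDS.txt and it returns the same categories; the findings are leads for a helper to act on, not verdicts, which is why a routable HOSTS entry or an SSODL "No File" is reported rather than auto-removed.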



#2 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 04 December 2009 - 05:29 PM

Hi,

Download GMER here by clicking the "download exe" button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan has finished, click Copy. This copies the log to the clipboard.
  • Post the log and a fresh DDS log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 11 December 2009 - 04:27 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.



#4 guglyman
  • Topic Starter
  • Members
  • 9 posts

Posted 12 December 2009 - 11:25 PM

DDS (Ver_09-12-01.01) - NTFSx86
Run by David Norris at 20:09:07.57 on Sat 12/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.672 [GMT -8:00]

AV: System Defender *On-access scanning enabled* (Updated) {202B08C2-1131-4F93-B4DF-3184684295C0}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: System Defender *enabled* {27F57D55-D1E9-405E-A0DB-4A0001FF50DF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\David Norris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\David Norris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David Norris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David Norris\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\david norris\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\davidn~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223262157000
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
AppInit_DLLs: c:\windows\system32\miposaho.dll c:\windows\system32\pabewisa.dll worusego.dll c:\windows\system32\hibunevo.dll hutijezu.dll
SSODL: bavujolot - {e1c0920d-ba72-49e0-a4d2-de3495c817ea} - No File
SSODL: zadosuhih - {e78c16bc-327d-44b7-8ffe-47c796e504fd} - No File
SSODL: tetotezol - {0390ad1a-268f-4970-91a0-9b5c6402edc5} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: neluparut - {f6c3c148-ea4d-4cad-a8f7-b899384250e5} - No File
STS: {e1c0920d-ba72-49e0-a4d2-de3495c817ea} - No File
STS: {e78c16bc-327d-44b7-8ffe-47c796e504fd} - No File
STS: {0390ad1a-268f-4970-91a0-9b5c6402edc5} - No File
STS: {f6c3c148-ea4d-4cad-a8f7-b899384250e5} - No File
LSA: Notification Packages = scecli zukuyepu.dll yiyobuye.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-16 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-16 56816]
S2 cexpvfrcermqas;cexpvfrcermqas;\??\c:\windows\system32\drivers\yyfjbzywzljfir.sys --> c:\windows\system32\drivers\yyfjbzywzljfir.sys [?]

=============== Created Last 30 ================

2009-11-29 23:36:47 237600 ----a-w- c:\windows\system32\drivers\str.sys
2009-11-29 19:49:46 0 d-----w- c:\program files\Trend Micro
2009-11-29 19:47:03 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-29 19:47:03 0 d-----w- c:\documents and settings\david norris\log
2009-11-28 06:30:30 0 d-sh--w- c:\documents and settings\david norris\PrivacIE
2009-11-28 06:25:21 0 d-sh--w- c:\documents and settings\david norris\IETldCache
2009-11-28 06:21:36 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-28 06:21:14 0 d-----w- c:\windows\ie8updates
2009-11-28 06:20:59 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-28 06:20:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-28 06:18:48 0 dc-h--w- c:\windows\ie8
2009-11-28 04:24:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 04:24:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 04:24:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 03:13:40 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-22 03:11:50 0 d-----w- c:\windows\system32\LogFiles
2009-11-21 01:29:05 1962544 ----a-w- c:\windows\system32\install_flash_player_ax.exe
2009-11-21 01:14:49 1962544 ----a-w- c:\windows\install_flash_player_ax.exe
2009-11-21 01:10:23 1962544 ----a-w- c:\program files\install_flash_player_ax.exe
2009-11-17 00:53:37 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-17 00:53:34 0 d-----w- c:\program files\Avira
2009-11-17 00:53:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-17 00:43:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-16 15:02:01 0 d-sh--w- c:\docume~1\alluse~1\applic~1\3282c
2009-11-16 14:26:24 0 d-sh--w- c:\documents and settings\all users\76cb400
2009-11-16 04:51:32 0 d-----w- c:\docume~1\davidn~1\applic~1\Malwarebytes
2009-11-16 04:51:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-16 04:51:10 0 d-----w- c:\program files\M-ware_bytes
2009-11-16 04:28:57 0 d-----w- c:\program files\CCleaner
2009-11-16 04:11:23 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-11-16 04:11:23 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-11-16 04:08:57 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-11-16 04:08:57 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-11-12 07:51:14 31396352 ----a-w- c:\program files\eav_nt32_enu.msi
2009-11-12 06:19:50 221 ----a-w- c:\documents and settings\david norris\SrdoBO.bat
2009-04-28 01:43:50 43083040 ----a-w- c:\program files\AdbeRdr910_en_US_Std.exe
2009-04-25 07:08:41 1047072 ----a-w- c:\program files\MoveMediaPlayer_071303000006.exe
2009-04-24 04:20:26 74302760 ----a-w- c:\program files\iTunesSetup.exe

============= FINISH: 20:11:04.87 ===============


#5 guglyman
  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2009 - 01:28 AM

After reviewing similar posts, I took the liberty of running GMER and ComboFix, in that order. The GMER log is attached, and the ComboFix log follows. ComboFix found and deleted a problem, and the browser seems to be okay now. Let me know if you recommend any follow-up activity as well.

----------------
ComboFix 09-12-11.05 - David Norris 12/12/2009 22:06:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.751 [GMT -8:00]
Running from: c:\documents and settings\David Norris\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David Norris\autorun.inf
c:\documents and settings\David Norris\Documents .lnk
c:\documents and settings\David Norris\Music .lnk
c:\documents and settings\David Norris\New Folder .lnk
c:\documents and settings\David Norris\Passwords .lnk
c:\documents and settings\David Norris\Pictures .lnk
c:\documents and settings\David Norris\Video .lnk
c:\windows\system32\5834009.exe
c:\windows\system32\config\systemprofile\Application Data\System Defender
c:\windows\system32\config\systemprofile\Desktop\Security Tool.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\drivers\str.sys
c:\windows\Tasks\igxszwha.job
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.

2009-11-29 20:18 . 2009-11-29 20:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-29 19:49 . 2009-11-29 19:49 -------- d-----w- c:\program files\Trend Micro
2009-11-29 19:47 . 2009-11-29 19:47 -------- d-----w- c:\documents and settings\David Norris\log
2009-11-29 19:47 . 2009-11-29 19:47 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-28 14:46 . 2009-11-28 14:46 -------- d-sh--w- c:\documents and settings\Mo\PrivacIE
2009-11-28 08:31 . 2009-11-28 08:31 -------- d-sh--w- c:\documents and settings\Mo\IETldCache
2009-11-28 06:30 . 2009-11-28 06:30 -------- d-sh--w- c:\documents and settings\David Norris\PrivacIE
2009-11-28 06:30 . 2009-11-28 06:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-28 06:25 . 2009-11-28 06:25 -------- d-sh--w- c:\documents and settings\David Norris\IETldCache
2009-11-28 06:21 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-28 06:21 . 2009-11-28 06:21 -------- d-----w- c:\windows\ie8updates
2009-11-28 06:20 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-28 06:20 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-28 06:18 . 2009-11-28 06:20 -------- dc-h--w- c:\windows\ie8
2009-11-28 04:24 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 04:24 . 2009-11-28 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 04:24 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 03:13 . 2009-11-22 03:13 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-22 03:11 . 2009-11-22 03:12 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-11-22 03:11 . 2009-11-22 03:11 -------- d-----w- c:\windows\system32\LogFiles
2009-11-21 02:57 . 2009-11-21 02:57 -------- d-----w- c:\program files\NOS
2009-11-21 01:29 . 2009-11-21 01:29 1962544 ----a-w- c:\windows\system32\install_flash_player_ax.exe
2009-11-21 01:14 . 2009-11-21 01:14 1962544 ----a-w- c:\windows\install_flash_player_ax.exe
2009-11-21 01:10 . 2009-11-21 01:10 1962544 ----a-w- c:\program files\install_flash_player_ax.exe
2009-11-20 22:33 . 2009-11-21 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-17 21:54 . 2009-11-17 21:54 -------- d-----w- c:\documents and settings\Mo\Application Data\Malwarebytes
2009-11-17 00:53 . 2009-12-13 00:36 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-17 00:53 . 2009-03-30 18:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-17 00:53 . 2009-02-13 20:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-17 00:53 . 2009-02-13 20:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-17 00:53 . 2009-11-17 00:53 -------- d-----w- c:\program files\Avira
2009-11-17 00:53 . 2009-11-17 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-17 00:43 . 2009-11-17 00:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-16 15:02 . 2009-11-16 18:49 -------- d-sh--w- c:\documents and settings\All Users\Application Data\3282c
2009-11-16 14:26 . 2009-11-16 18:49 -------- d-sh--w- c:\documents and settings\All Users\76cb400
2009-11-16 04:51 . 2009-11-16 04:51 -------- d-----w- c:\documents and settings\David Norris\Application Data\Malwarebytes
2009-11-16 04:51 . 2009-11-16 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-16 04:51 . 2009-11-28 04:17 -------- d-----w- c:\program files\M-ware_bytes
2009-11-16 04:28 . 2009-11-16 04:28 -------- d-----w- c:\program files\CCleaner
2009-11-16 04:21 . 2009-11-16 04:23 -------- d-----w- c:\documents and settings\David Norris\Local Settings\Application Data\Temp
2009-11-16 04:21 . 2009-11-16 04:23 -------- d-----w- c:\documents and settings\David Norris\Local Settings\Application Data\Google
2009-11-16 04:11 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-11-16 04:11 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-11-16 04:08 . 2008-04-13 19:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-11-16 04:08 . 2008-04-13 19:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 04:13 . 2008-10-06 03:54 42944 ----a-w- c:\documents and settings\David Norris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 02:58 . 2009-11-21 02:58 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-11-20 01:50 . 2009-04-24 03:37 42944 ----a-w- c:\documents and settings\Mo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-12 07:54 . 2009-11-12 07:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-11-12 07:51 . 2009-11-12 07:50 31396352 ----a-w- c:\program files\eav_nt32_enu.msi
2009-11-12 06:19 . 2009-11-12 06:19 221 ----a-w- c:\documents and settings\David Norris\SrdoBO.bat
2009-10-22 00:03 . 2009-05-14 17:56 -------- d-----w- c:\documents and settings\David Norris\Application Data\Image Zone Express
2009-10-04 19:59 . 2009-10-04 19:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-28 01:43 . 2009-04-28 01:43 43083040 ----a-w- c:\program files\AdbeRdr910_en_US_Std.exe
2009-04-25 07:08 . 2009-04-25 07:08 1047072 ----a-w- c:\program files\MoveMediaPlayer_071303000006.exe
2009-04-24 04:20 . 2009-04-24 04:19 74302760 ----a-w- c:\program files\iTunesSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\David Norris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-16 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-23 3026944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-08 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-25 198160]

c:\documents and settings\David Norris\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-02-23 22:43 3026944 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2004-02-23 22:43 753664 ----a-w- c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/16/2009 4:53 PM 108289]
S2 cexpvfrcermqas;cexpvfrcermqas;\??\c:\windows\system32\drivers\yyfjbzywzljfir.sys --> c:\windows\system32\drivers\yyfjbzywzljfir.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{e1c0920d-ba72-49e0-a4d2-de3495c817ea} - (no file)
SharedTaskScheduler-{e78c16bc-327d-44b7-8ffe-47c796e504fd} - (no file)
SharedTaskScheduler-{0390ad1a-268f-4970-91a0-9b5c6402edc5} - (no file)
SharedTaskScheduler-{f6c3c148-ea4d-4cad-a8f7-b899384250e5} - (no file)
SSODL-bavujolot-{e1c0920d-ba72-49e0-a4d2-de3495c817ea} - (no file)
SSODL-zadosuhih-{e78c16bc-327d-44b7-8ffe-47c796e504fd} - (no file)
SSODL-tetotezol-{0390ad1a-268f-4970-91a0-9b5c6402edc5} - (no file)
SSODL-neluparut-{f6c3c148-ea4d-4cad-a8f7-b899384250e5} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-12 22:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
@DACL=(02 0000)
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=expand:"WgaLogon.dll"
"Event"=dword:00000000
"InstallEvent"="1.8.0031.9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2688)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-12-12 22:21:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-13 06:21

Pre-Run: 86,904,721,408 bytes free
Post-Run: 86,813,306,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 449CC283E286191DF2B2BE35BF4FA8C6

Attached file: gmer.log (22.93KB)


#6 guglyman (Topic Starter, Members, 9 posts)

Posted 13 December 2009 - 03:32 AM

I did an OTL cleanup and am trying to get everything back in order. Almost everything seems to be okay now with the exception of one thing: ComboFix left behind a 'runonceex' registry entry that I cannot remove using regedit -- I get an "Error while deleting key" message. I also tried safe mode to remove it -- no luck. Any ideas?

#7 Orange Blossom (OBleepin Investigator, Moderator, 37,106 posts, Location: Bloomington, IN)

Posted 13 December 2009 - 02:12 PM

Hello guglyman,

I have merged your latest topic to your previously existing topic which Blade81 reopened at your request.

Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere as this can cause confusion for the helper assisting you and could greatly complicate the malware removal process extending the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean. Also, bear in mind that just because symptoms are gone does not mean the infection is gone. Please stick with the topic until your helper declares you clean.

Please keep all posts regarding this issue to this topic to avoid confusion.

Back to you Blade81,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


#8 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Location: Finland)

Posted 13 December 2009 - 02:18 PM

Hi,

Post a fresh dds log (follow earlier instructions to create one).

Almost everything seems to be okay now with the exception of one thing: ComboFix left behind a 'runonceex' registry entry that I cannot remove using regedit -- I get an "Error while deleting key" message.

What is this entry you're referring to?

Thanks OB for merging the topics.

Edited by Blade81, 13 December 2009 - 02:18 PM.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 guglyman (Topic Starter, Members, 9 posts)

Posted 13 December 2009 - 02:37 PM

A fresh DDS log follows. The new error message seems to be a remnant of ComboFix -- upon logging in, which takes noticeably longer than usual, I receive a dialog which states that "Windows cannot find C:\ComboFix\CF25798.cfxxe". Pressing OK then resumes the login and everything is then "okay". When I review the registry, I see that there is an HKLM entry for runonceex that is calling for this. But when I tried to delete the key, regedit complains that there is an "Error deleting key".

Thanks for your help, and I apologize for my unsupervised efforts.

---------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by David Norris at 11:29:43.03 on Sun 12/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.655 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\David Norris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\David Norris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David Norris\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\david norris\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [LTMSG] LTMSG.exe 7
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\davidn~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223262157000
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-16 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-16 56816]
S2 cexpvfrcermqas;cexpvfrcermqas;\??\c:\windows\system32\drivers\yyfjbzywzljfir.sys --> c:\windows\system32\drivers\yyfjbzywzljfir.sys [?]

=============== Created Last 30 ================

2009-12-13 05:53:14 77312 ----a-w- c:\windows\MBR.exe
2009-12-13 05:53:14 261632 ----a-w- c:\windows\PEV.exe
2009-11-29 19:49:46 0 d-----w- c:\program files\Trend Micro
2009-11-29 19:47:03 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-29 19:47:03 0 d-----w- c:\documents and settings\david norris\log
2009-11-28 06:30:30 0 d-sh--w- c:\documents and settings\david norris\PrivacIE
2009-11-28 06:25:21 0 d-sh--w- c:\documents and settings\david norris\IETldCache
2009-11-28 06:21:36 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-28 06:21:14 0 d-----w- c:\windows\ie8updates
2009-11-28 06:20:59 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-28 06:20:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-28 06:18:48 0 dc-h--w- c:\windows\ie8
2009-11-28 04:24:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 04:24:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 04:24:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 03:13:40 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-22 03:11:50 0 d-----w- c:\windows\system32\LogFiles
2009-11-21 01:29:05 1962544 ----a-w- c:\windows\system32\install_flash_player_ax.exe
2009-11-21 01:14:49 1962544 ----a-w- c:\windows\install_flash_player_ax.exe
2009-11-21 01:10:23 1962544 ----a-w- c:\program files\install_flash_player_ax.exe
2009-11-17 00:53:37 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-17 00:53:34 0 d-----w- c:\program files\Avira
2009-11-17 00:53:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-17 00:43:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-16 15:02:01 0 d-sh--w- c:\docume~1\alluse~1\applic~1\3282c
2009-11-16 14:26:24 0 d-sh--w- c:\documents and settings\all users\76cb400
2009-11-16 04:51:32 0 d-----w- c:\docume~1\davidn~1\applic~1\Malwarebytes
2009-11-16 04:51:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-16 04:51:10 0 d-----w- c:\program files\M-ware_bytes
2009-11-16 04:28:57 0 d-----w- c:\program files\CCleaner
2009-11-16 04:11:23 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-11-16 04:11:23 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-11-16 04:08:57 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-11-16 04:08:57 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-11-12 07:51:14 31396352 ----a-w- c:\program files\eav_nt32_enu.msi
2009-11-12 06:19:50 221 ----a-w- c:\documents and settings\david norris\SrdoBO.bat
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-04-28 01:43:50 43083040 ----a-w- c:\program files\AdbeRdr910_en_US_Std.exe
2009-04-25 07:08:41 1047072 ----a-w- c:\program files\MoveMediaPlayer_071303000006.exe
2009-04-24 04:20:26 74302760 ----a-w- c:\program files\iTunesSetup.exe

============= FINISH: 11:30:17.70 ===============

#10 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Location: Finland)

Posted 13 December 2009 - 04:03 PM

Hi,

You shouldn't attempt registry modifications by yourself. A wrong modification may render the system non-bootable. The same goes for following instructions provided for another user's case.

Download & extract this file to its own folder - Registry Search

Launch Registry Search
In the search box, enter (on separate lines)

CF25798.cfxxe


Under Search, make sure only the Value box is checked in the first row of checkboxes. All other checkboxes should be checked, then click OK.
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply.



#11 guglyman (Topic Starter, Members, 9 posts)

Posted 13 December 2009 - 04:12 PM

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 12/13/2009 1:10:42 PM for strings:
; 'cf25798.cfxxe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runonceex\1428]
"rdghixrd"="\"C:\\ComboFix\\CF25798.cfxxe\" /c \"C:\\ComboFix\\Combobatch.bat\""

; End Of The Log...

#12 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Location: Finland)

Posted 14 December 2009 - 09:44 AM

Hi,

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the Paste Fix Here area. Do not include the word Code.
    :files
    c:\documents and settings\All Users\Application Data\3282c
    c:\documents and settings\All Users\76cb400
    c:\windows\system32\drivers\yyfjbzywzljfir.sys
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runonceex\1428]
    "rdghixrd"=-
    
    :services
    cexpvfrcermqas
  • Push the large MoveIt button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report & a fresh dds.txt log. Also, start MBAM, update definitions on update tab and run a quick scan letting MBAM delete its findings. Post back the report.


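The OTM script above removes three things the logs in this thread exposed: a service whose driver file DDS could not resolve (the "--> ... [?]" marker), hidden+system directories with bare hex names under All Users, and a RunOnceEx value pointing at a file that no longer exists. As an added example that is not part of the thread or of DDS, OTM or Registry Search, here is a small Python triage script that reads those DDS and Registry Search (.reg) line shapes and flags exactly those three patterns; the sample lines are constructed from what was posted here, and the random-name heuristic is my own assumption rather than a DDS rule.

```python
import os
import re

# Constructed sample input, shaped like the DDS log and the Registry Search output
# posted in this thread (the paths and names are the ones the thread shows).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-16 11608]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-16 185089]
S2 cexpvfrcermqas;cexpvfrcermqas;\??\c:\windows\system32\drivers\yyfjbzywzljfir.sys --> c:\windows\system32\drivers\yyfjbzywzljfir.sys [?]
=============== Created Last 30 ================
2009-11-28 06:30:30 0 d-sh--w- c:\documents and settings\david norris\PrivacIE
2009-11-16 15:02:01 0 d-sh--w- c:\docume~1\alluse~1\applic~1\3282c
2009-11-16 14:26:24 0 d-sh--w- c:\documents and settings\all users\76cb400
2009-11-16 04:51:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
"""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runonceex\1428]
"rdghixrd"="\"C:\\ComboFix\\CF25798.cfxxe\" /c \"C:\\ComboFix\\Combobatch.bat\""
"""

# DDS line shapes: "R2 name;display;path [date size]" and, under Created Last 30,
# "YYYY-MM-DD HH:MM:SS size attrs path".  Registry Search writes .reg syntax.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S{8})\s+(.+)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a DDS rule): a long, all-lowercase,
    vowel-poor name like the service name in this thread."""
    if len(name) < 10 or not name.isalpha() or not name.islower():
        return False
    return sum(ch in "aeiou" for ch in name) / len(name) < 0.3


def triage_dds(text: str) -> list[str]:
    """Flag services whose image file DDS could not resolve, and hidden+system
    directories with hex-only names; one finding string per hit."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            state, name, _, rest = m.groups()
            reasons = []
            # DDS appends "--> path [?]" when the service's image file is missing.
            if "-->" in rest and rest.rstrip().endswith("[?]"):
                reasons.append("image file unresolved, marked [?]")
            if looks_random(name):
                reasons.append("random-looking name")
            if reasons:
                findings.append(f"service {name} ({state}): " + "; ".join(reasons))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.groups()
            base = path.rsplit("\\", 1)[-1]
            # d-sh--w- = directory, system, hidden; a bare hex name is no vendor folder.
            if "s" in attrs and "h" in attrs and re.fullmatch(r"[0-9a-f]{5,8}", base):
                findings.append(f"hidden+system directory with hex-only name: {path}")
    return findings


def unescape_reg(data: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", data)


def runonceex_targets(reg_text: str) -> list[str]:
    """Program paths referenced by values under any ...\\RunOnceEx\\<n> key."""
    targets, in_runonceex = [], False
    for line in reg_text.splitlines():
        k = REG_KEY_RE.match(line)
        if k:
            in_runonceex = "\\runonceex\\" in k.group(1).lower()
            continue
        v = REG_VAL_RE.match(line)
        if v and in_runonceex:
            cmd = unescape_reg(v.group(2))
            q = re.match(r'"([^"]+)"', cmd)  # quoted program, else first bare token
            targets.append(q.group(1) if q else cmd.split()[0])
    return targets


def stale_runonceex(reg_text: str, exists=os.path.exists) -> list[str]:
    """RunOnceEx programs missing from disk: the cause of the "Windows cannot
    find C:\\ComboFix\\CF25798.cfxxe" dialog at logon described in this thread."""
    return [t for t in runonceex_targets(reg_text) if not exists(t)]


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS):
        print("DDS:", finding)
    for target in stale_runonceex(SAMPLE_REG, exists=lambda p: False):
        print("RunOnceEx points at a missing file:", target)
```

Run against a real DDS log and Registry Search export, `stale_runonceex` should use the default `os.path.exists`; the lambda in the demo only simulates the missing ComboFix file.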

#13 guglyman (Topic Starter, Members, 9 posts)

Posted 15 December 2009 - 11:05 AM

The following were completed:
OTM script run, log attached
Kaspersky scan run, log attached
DDS log attached
MBAM updated/run, log attached
Adobe Reader uninstalled/updated
Adobe Flash uninstalled/updated -- IE not allowing new install, but Chrome did okay

The error when installing Flash on IE was "Error: Failed to register". Several attempts at uninstalling (with and without "/clean"), rebooting, and retrying resulted in the same, but as stated, Chrome Flash is running fine.

As for OTM fixes, the login symptom is gone.

Thank you *very* much for your help!


#14 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Location: Finland)

Posted 15 December 2009 - 01:12 PM

Hi,

1. Please download & extract this zip file to your desktop.
2. Close out all applications
3. Run the reset_minimal.cmd file.

See if you're able to install Flash after that.



#15 guglyman (Topic Starter, Members, 9 posts)

Posted 15 December 2009 - 10:46 PM

That didn't work.

I decided to uninstall IE8, and when I did so I discovered that IE7 was still installed, so I removed that as well -- hoping that might be related. I then ran the reset_min once more before downloading and reinstalling IE8. Then I tried reinstalling Flash once more and still no luck. Again, Chrome is running Flash just fine and this is probably okay -- all things considered...

Thanks again :( -- unless you have another idea, you may close the topic if you like...

