Hi Everyone,
First off, I apologize for the redundancy of this post; I have so many issues similar to those that many on here have had. I am soon to begin working virtually for my employer, but am required to use my own personal laptop for the job. I recently have been experiencing issues with my Google searches being hijacked, as well as other pop-ups and general slowness. I have been running CCleaner and Malwarebytes' on my computer frequently, but everything seems to be coming back no matter what I do. I desperately need to have these issues fixed as soon as possible, as I need to have my laptop outfitted with all of my work-required applications. I appreciate any help or advice that anyone has. I ran ComboFix and here is the log:
ComboFix 09-04-28.02 - Mark 04/28/2009 20:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.694 [GMT -7:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\i386\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ovfsthveoclvoawqjealnelrtvdoykinardmgg
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-28 06:52 . 2009-04-29 01:39 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-28 06:37 . 2009-04-28 06:37 29696 ----a-w c:\windows\system32\loader100.exe
2009-04-27 22:52 . 2009-04-27 22:52 29696 ----a-w c:\windows\system32\loader49.exe
2009-04-27 17:06 . 2009-04-27 22:37 39936 ----a-w c:\windows\system32\winglsetup.exe
2009-04-27 14:44 . 2009-04-27 14:44 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-04-27 14:37 . 2009-04-27 14:37 24064 ----a-w c:\windows\system32\loader266.exe
2009-04-27 05:25 . 2009-04-28 17:36 -------- d-----w c:\documents and settings\Mark\Application Data\digifast
2009-04-27 05:20 . 2009-04-28 07:51 -------- d-----w c:\documents and settings\Mark\Application Data\Twain
2009-04-25 16:48 . 2009-04-25 16:49 4096 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-25 04:57 . 2009-04-25 04:57 -------- d-----w c:\documents and settings\Mark\Application Data\pidle
2009-04-12 01:37 . 2009-04-14 04:39 -------- d-----w C:\fixwareout
2009-04-04 19:55 . 2009-04-04 19:55 -------- d-----w c:\program files\Common Files\INCA Shared
2009-04-04 19:51 . 2009-04-04 19:51 -------- d-----w C:\GamesCampus
2009-04-02 02:30 . 2009-04-02 02:30 -------- d-----w c:\program files\CCleaner
2009-04-01 05:43 . 2009-04-01 16:06 -------- d--h--w C:\$AVG8.VAULT$
2009-04-01 04:53 . 2009-04-01 04:53 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-04-01 04:52 . 2009-04-01 04:52 -------- d-----w c:\program files\AVG
2009-04-01 04:52 . 2009-04-02 02:51 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-01 03:27 . 2009-04-01 03:27 -------- d-----w c:\documents and settings\Mark\Application Data\Malwarebytes
2009-04-01 03:27 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 03:27 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 03:27 . 2009-04-01 03:27 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 03:27 . 2009-04-14 04:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-31 04:35 . 2009-04-01 14:07 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-31 01:40 . 2009-03-31 01:40 -------- d-----w C:\VundoFix Backups
2009-03-31 01:30 . 2009-03-31 01:46 -------- d-----w c:\program files\SpyZooka
2009-03-31 01:29 . 2009-03-31 01:29 -------- d-----w c:\documents and settings\Mark\Application Data\GetRightToGo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 04:57 . 2009-01-25 04:57 52224 --sha-w c:\windows\system32\sirarida.exe
2009-04-25 04:57 . 2009-04-25 04:57 35328 ----a-w c:\windows\system32\prnet.tmp
2009-04-14 04:43 . 2006-04-19 00:43 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-01 05:48 . 2006-08-14 15:38 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-30 16:48 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\sabejaki.dll
2009-03-22 04:09 . 2009-03-22 04:09 -------- d-----w c:\program files\EA GAMES
2009-03-22 00:38 . 2009-03-22 00:38 -------- d-----w c:\program files\Daemon Tools
2009-03-19 14:04 . 2006-10-22 19:22 -------- d-----w c:\program files\Apple Software Update
2009-03-14 18:29 . 2007-12-31 22:51 -------- d-----w c:\program files\iTunes
2009-03-14 18:29 . 2006-05-28 20:07 -------- d-----w c:\program files\iPod
2009-03-14 18:29 . 2007-07-07 14:12 -------- d-----w c:\program files\Common Files\Apple
2009-03-14 18:27 . 2007-07-02 01:23 -------- d-----w c:\program files\QuickTime
2009-03-02 19:26 . 2009-02-22 22:11 -------- d-----w c:\program files\WorldOfGoo
2009-02-09 10:19 . 2005-08-16 09:18 1846272 ----a-w c:\windows\system32\win32k.sys
2009-04-27 05:26 . 2009-04-27 05:26 211968 ----a-w c:\program files\mozilla firefox\components\dfff.dll
2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
2008-02-25 08:14 . 2008-02-25 08:14 1079948 --sha-w c:\windows\system32\eqrxugcf.tmp
2009-01-25 04:57 . 2009-01-25 04:57 48640 --sha-w c:\windows\system32\feguzevi.dll.tmp
2009-01-21 02:25 . 2009-01-21 02:25 50688 --sha-w c:\windows\system32\janibela.dll.tmp
2009-01-25 04:57 . 2009-01-25 04:57 48640 --sha-w c:\windows\system32\kodupowe.dll.tmp
2009-01-21 02:25 . 2009-01-21 02:25 50688 --sha-w c:\windows\system32\lomehane.dll.tmp
2009-01-25 04:57 . 2009-01-25 04:57 48640 --sha-w c:\windows\system32\tizudijo.dll.tmp
2009-01-21 02:25 . 2009-01-21 02:25 50688 --sha-w c:\windows\system32\wedusoha.dll.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"prnet"="c:\windows\system32\prnet.tmp" [2009-04-25 35328]
"pidle"="c:\documents and settings\Mark\Application Data\pidle\pidle.exe" [2009-04-25 56832]
"DigiFast"="c:\documents and settings\Mark\Application Data\digifast\digifast.exe" [2009-04-27 225792]
"SfKg6wIPuSpdc"="c:\documents and settings\Mark\Application Data\Microsoft\Windows\rthui.exe" [2009-04-27 35840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"prnet"="c:\windows\system32\prnet.tmp" [2009-04-25 35328]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-17 397312]
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-28 24064]
c:\documents and settings\Mark\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-18 24576]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"TermService"=3 (0x3)
"SavRoam"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R4 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-08-18 153416]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c81944dc-b114-11dc-bfd9-00130233e713}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-autochk - c:\windows\system32\autochk.dll
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\b6lyicdy8.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\3145358570.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
Notify-xxyvstr - xxyvstr.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\ielhle0z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - component: c:\program files\Mozilla Firefox\components\dfff.dll
FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-28 20:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\H* 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(344)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\SoftwareDistribution\Download\3385b5e709509d6e2e40ffe6fcdd8ec9\update\update.exe
.
**************************************************************************
.
Completion time: 2009-04-29 20:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 03:37
Pre-Run: 35,010,461,696 bytes free
Post-Run: 34,823,303,168 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
404 --- E O F --- 2009-03-14 17:07