Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
#1, 03-28-2009, 07:02 PM, eedwards40 (Registered User; Join Date: Mar 2009; Posts: 34; OS: xp)


Spyware, malware windows XP

Hello,

I have several problems on my XP home laptop and could use some expert assistance in getting it removed. At the least, the system is infected with vundo, spyware guard 2008, and bannerstyles15. I have attached the zip file with attach.txt and ark.txt. Thanks for the assistance. Following is the dds output:

DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Administrator at 17:28:40.26 on Sat 03/28/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.162 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Bar = hxxp://www.toshiba.com/search
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Search_URL = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
BHO: Google plugin: {085e2757-f41d-42d1-b4cc-9dadf7113bbc} - aj32.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: BndBlock5 BHO Class: {82ea1a55-9cbc-404b-9d0c-e8bfb7eaae9b} - c:\program files\qdrdrive\QdrDrive10.dll
BHO: {8775f7f8-06b8-4427-8ddf-43712e972689} - c:\windows\system32\nukatojo.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: bannerstyles15 browser enhancer: {aab9a4f8-c283-473a-daf1-a2287d8263ea} - c:\windows\system32\axcqtbekekxnei.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Internet Speed Monitor: {1f2f95d9-bafd-4769-85a2-4169957db67e} - c:\program files\qdrdrive\QdrDrive10.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [<NO NAME>]
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TPSMain] TPSMain.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [UDC6_cw] "c:\program files\drivecleaner freeware\UDC6_cw.exe" -c
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [neyijageho] Rundll32.exe "c:\windows\system32\nobiwuna.dll",s
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\temp\ntdll64.dll
Filter: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - c:\program files\rcvsystem\httpdchk.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: jkkkhii - jkkkhii.dll
AppInit_DLLs: c:\windows\system32\jajulaze.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtstr
LSA: Notification Packages = ecli scecli c:\windows\system32\jajulaze.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\tz8jtq2n.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: XUL Cache: {DFB1FD95-2EF7-4F10-B193-B93B54BB6798} - c:\documents and settings\kevin\local settings\application data\{DFB1FD95-2EF7-4F10-B193-B93B54BB6798}
FF - HiddenExtension: XUL Cache: {0EF2B761-2F26-4668-BD62-17F2C9E5236C} - c:\windows\system32\config\systemprofile\local settings\application data\{0ef2b761-2f26-4668-bd62-17f2c9e5236c}\
FF - HiddenExtension: XUL Cache: {0D64D003-3020-4522-A8DA-9D908D355056} - c:\documents and settings\taylor\local settings\application data\{0D64D003-3020-4522-A8DA-9D908D355056}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-4 207656]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-4 34152]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-4 206096]
S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe --> c:\program files\mcafee.com\agent\mcdetect.exe [?]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-4 358736]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-4 144704]
S3 DCamUSBSTK014;STK014 Camera;c:\windows\system32\drivers\stk014w2.sys --> c:\windows\system32\drivers\STK014W2.sys [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-4 605512]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-4 79240]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-4 35240]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-4 40488]

=============== Created Last 30 ================

2009-03-28 16:45 <DIR> --d----- c:\program files\Trend Micro
2009-03-28 15:29 0 a------- c:\windows\system32\drivers\seneka.sys
2009-03-27 16:57 <DIR> --d----- c:\windows\LastGood.Tmp
2009-03-27 14:19 <DIR> --d----- c:\docume~1\admini~1\applic~1\You've Got Pictures Screensaver
2009-03-27 14:19 <DIR> --d----- c:\docume~1\admini~1\applic~1\Intuit
2009-03-27 14:19 <DIR> --d----- c:\docume~1\admini~1\applic~1\Intel
2009-03-27 14:19 <DIR> --d----- c:\docume~1\admini~1\applic~1\AOL
2009-03-27 14:19 <DIR> --d----- c:\documents and settings\administrator\WINDOWS
2009-03-27 14:19 <DIR> --d----- c:\documents and settings\Administrator

==================== Find3M ====================

2009-03-28 16:19 20,568 a--sh--- c:\windows\system32\rtstv.ini2
2009-03-28 16:19 15,360 a------- c:\windows\system32\ctfmon.exe
2009-03-28 15:13 0 a------- c:\windows\system32\drivers\senekabxxrldyy.sys
2009-03-28 15:11 11,776 a------- c:\windows\system32\regsvr32.exe.tmp
2009-03-28 15:10 15,360 a------- c:\windows\system32\ctfmon.exe.tmp
2009-03-28 13:27 103,339 a------- c:\windows\system32\senekalog.dat
2009-03-27 13:30 15,360 a------- c:\windows\system32\ctfmon .exe
2009-03-27 12:53 69,431 a--sh--- c:\windows\system32\royetuki.dll
2009-01-15 13:02 11,776 a------- c:\windows\system32\regsvr32 .exe
2009-01-09 19:27 29,192 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
2009-01-05 15:35 77,607 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-05 14:05 327,168 a------- c:\windows\system32\vtstr.dll
2009-01-05 13:20 118,784 a------- c:\windows\system32\igfxpers .exe
2009-01-05 13:20 98,304 a------- c:\windows\system32\igfxtray .exe
2009-01-05 13:20 77,824 a------- c:\windows\system32\hkcmd .exe
2009-01-04 15:58 18,941 a------- c:\windows\vmreg.dll
2009-01-04 15:58 50,620 a------- c:\windows\sys.com
2009-01-04 15:58 47,872 a------- c:\windows\syscert.exe
2009-01-04 15:58 134,149 a------- c:\windows\reged.exe
2009-01-04 15:58 51,197 a------- c:\windows\spoolsystem.exe
2009-01-04 13:46 47,593 a------- c:\windows\system32\rfotdbefgkat.exe
0000-00-00 00:00 69,431 a--sh--- c:\windows\system32\jajulaze.dll
0000-00-00 00:00 69,431 a--sh--- c:\windows\system32\nobiwuna.dll
0000-00-00 00:00 69,431 a--sh--- c:\windows\system32\nukatojo.dll

============= FINISH: 17:29:36.48 ===============
Attached file: attach.zip (4.2 KB)
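What a helper reads off a log like the one above, written out as code. This is an added example, not part of the original post and not tooling from DDS, HijackThis or ComboFix: a small Python triage script that applies the checks a helper makes by eye to the "Pseudo HJT Report", FIREFOX and Find3M sections (a Winsock LSP loaded from a temp directory, an AppInit_DLLs entry, packages added to the LSA keys that load inside lsass.exe, BHOs with no file, no name or no directory, a rundll32 Run key calling a one-letter export, Task Manager locked out by policy, hidden Firefox extensions, and files with system+hidden attributes, zeroed timestamps or a space inserted before the extension). The sample input is a handful of lines copied from the posted log and is labelled as constructed in the code; the stock-XP LSA baseline and the file-name heuristics are assumptions of the example, not a specification of what DDS itself flags. The script only reports; it removes nothing.

```python
"""Triage for a DDS 'Pseudo HJT Report' / file-listing log (added example).

Reports lines a helper would look at first. Heuristics only: a named BHO such
as the 'bannerstyles15 browser enhancer' entry in the posted log is NOT caught
by these rules, which is why the helper's manual review still matters.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


# Stock Windows XP values for the two LSA keys (an assumption of this example).
LSA_BASELINE = {
    "authentication packages": {"msv1_0"},
    "notification packages": {"scecli"},
}
PATH_RE = re.compile(r'[a-z]:\\[^"\s]+', re.I)


def _path(text):
    """First drive-letter path in the text, lower-cased, or None."""
    m = PATH_RE.search(text)
    return m.group(0).lower() if m else None


def triage_line(line):
    """Reasons one DDS log line deserves attention (empty list means none)."""
    raw = line.strip()
    key, _, rest = raw.partition(":")
    key, rest = key.strip().lower(), rest.strip()
    path = _path(rest)
    reasons = []

    if key == "lsp":                                   # Winsock layered service provider
        if path and "\\temp\\" in path:
            reasons.append("LSP loaded from a temp directory")
        elif path and "\\system32\\" not in path:
            reasons.append("LSP loaded from outside system32")
    elif key == "appinit_dlls" and rest:
        reasons.append("AppInit_DLLs set: DLL injected into every process that loads user32")
    elif key == "lsa":                                 # packages here run inside lsass.exe
        name, _, value = rest.partition("=")
        baseline = LSA_BASELINE.get(name.strip().lower(), set())
        extra = [t for t in value.split() if t.lower() not in baseline]
        if extra:
            reasons.append("non-default LSA package(s): " + " ".join(extra))
    elif key in ("bho", "seh"):
        if rest.endswith("No File"):
            reasons.append("orphaned CLSID (No File)")
        elif path is None and rest.lower().endswith(".dll"):
            reasons.append("bare DLL filename with no directory")
        elif rest.startswith("{") and path and "\\windows\\system32\\" in path:
            reasons.append("unnamed BHO loading a DLL from system32")
    elif key in ("urun", "mrun") and "rundll32" in rest.lower():
        if re.search(r'\.dll"?,\s*\w\s*$', rest):      # e.g. ...nobiwuna.dll",s
            reasons.append("rundll32 calling a single-letter export")
    elif key.endswith("policies-system") and "disabletaskmgr" in rest.lower():
        if rest.endswith("(0x1)"):
            reasons.append("Task Manager disabled by policy")
    elif raw.startswith("FF - HiddenExtension"):
        reasons.append("hidden Firefox extension")
    else:                                              # 'Created' / 'Find3M' file listings
        if " a--sh--- " in raw:
            reasons.append("system+hidden attributes on a file")
        if raw.startswith("0000-00-00"):
            reasons.append("zeroed timestamp")
        if re.search(r"\S \.(exe|dll)$", raw, re.I):
            reasons.append("space before the extension (system file name look-alike)")
    return reasons


def triage(log_text):
    """Run triage_line over a whole log and collect the flagged lines."""
    return [Finding(line.strip(), reason)
            for line in log_text.splitlines()
            for reason in triage_line(line)]


# Constructed sample: a few lines copied from the log posted above, not the full log.
SAMPLE_DDS = r"""
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
BHO: {8775f7f8-06b8-4427-8ddf-43712e972689} - c:\windows\system32\nukatojo.dll
BHO: Google plugin: {085e2757-f41d-42d1-b4cc-9dadf7113bbc} - aj32.dll
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [neyijageho] Rundll32.exe "c:\windows\system32\nobiwuna.dll",s
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\windows\temp\ntdll64.dll
AppInit_DLLs: c:\windows\system32\jajulaze.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtstr
LSA: Notification Packages = ecli scecli c:\windows\system32\jajulaze.dll
FF - HiddenExtension: XUL Cache: {DFB1FD95-2EF7-4F10-B193-B93B54BB6798} - c:\documents and settings\kevin\local settings\application data\{DFB1FD95-2EF7-4F10-B193-B93B54BB6798}
2009-03-28 16:19 20,568 a--sh--- c:\windows\system32\rtstv.ini2
2009-03-27 13:30 15,360 a------- c:\windows\system32\ctfmon .exe
0000-00-00 00:00 69,431 a--sh--- c:\windows\system32\jajulaze.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.reason:<62} <- {f.line}")
```

Run it against a saved dds.txt by reading the file into `triage()`. The legitimate McAfee BHO and Run entries in the sample produce no findings, while the LSP and hidden-extension lines the helper put into CFScript.txt, plus the AppInit, LSA, rundll32 and look-alike file-name entries, all surface.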
#2, 03-29-2009, 11:39 AM, tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,707; OS: 2000 Pro; XP Pro; XP Home)


Re: Spyware, malware windows XP

Hello -

Is there a reason the DDS log was taken from Safe Mode? You don't mention if Normal Mode is not accessible, and a Safe Mode scan does not always show everything that might be running on the system. Also please note, Safe Mode with Networking is not a great place to be with an infected machine, as AntiVirus and AntiSpyware protection applications are not typically active.

If normal mode is accessible, please rescan with DDS and post its main log, dds.txt
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
#3, 03-29-2009, 08:23 PM, eedwards40


Re: Spyware, malware windows XP

Hi tetonbob,

I have not been able to get it to come up except in safe mode so I am having to work it from here and then progress to normal.

Thanks,
Earl
#4, 03-29-2009, 08:26 PM, eedwards40


Re: Spyware, malware windows XP

Hi tetonbob,

I have to get some of the stuff taken care of just so that I can get it to function so anything that you can suggest would be great.

Thanks again,
Earl
#5, 03-29-2009, 08:33 PM, tetonbob


Re: Spyware, malware windows XP

Quote:
I have not been able to get it to come up except in safe mode so I am having to work it from here and then progress to normal.
I'm not exactly sure what you're saying here...is Normal Mode accessible?
#6, 03-29-2009, 08:40 PM, eedwards40


Re: Spyware, malware windows XP

No, if I try to bring it up in normal mode it usually hangs to the point that I have to turn it off (power off switch). The mouse will not even move.
#7, 03-29-2009, 08:44 PM, tetonbob


Re: Spyware, malware windows XP

Very well then, if Safe mode is all that's accessible, run this fix from safe mode with Networking. It's important to have an active internet connection.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------


Uninstall the following via the Add/Remove Panel (Start ->Control Panel->Add or Remove Programs) if they exist:

Enhancement Browser Tools Bannerstyles15
RON Tool Bannerstyles15


You may need to enter a code, that's fine. Do not reboot if requested.

---------------------------------------------------------------------------------------------

Download ComboFix from one of these locations, but don't run it just yet.

Link 1
Link 2
Link 3

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
DDS::
LSP: c:\windows\temp\ntdll64.dll

Firefox::
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\tz8jtq2n.default\
FF - HiddenExtension: XUL Cache: {DFB1FD95-2EF7-4F10-B193-B93B54BB6798} - c:\documents and settings\kevin\local settings\application data\{DFB1FD95-2EF7-4F10-B193-B93B54BB6798}
FF - HiddenExtension: XUL Cache: {0EF2B761-2F26-4668-BD62-17F2C9E5236C} - c:\windows\system32\config\systemprofile\local settings\application data\{0ef2b761-2f26-4668-bd62-17f2c9e5236c}\
FF - HiddenExtension: XUL Cache: {0D64D003-3020-4522-A8DA-9D908D355056} - c:\documents and settings\taylor\local settings\application data\{0D64D003-3020-4522-A8DA-9D908D355056}


Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Click on Yes, to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. If it does reboot the machine, reboot back into safe mode until ComboFix is done and has produced a log. At that time, try to reboot into normal mode.

Post that log, C:\ComboFix.txt, in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------
#8, 03-29-2009, 08:50 PM, eedwards40


Re: Spyware, malware windows XP

OK, I will start this now and get back to you when completed.

Thanks,
Earl
#9, 03-29-2009, 09:02 PM, tetonbob


Re: Spyware, malware windows XP

Hi Earl -

I received another notification 9 minutes after your post #8, but I don't see a post#9 from you. Did you make another post? Have any questions?
#10, 03-29-2009, 09:07 PM, eedwards40


Re: Spyware, malware windows XP

Hello tetonbob,

I was not able to catch and get it to reboot back into safe mode, should I try it again or try to work it from normal mode? Will this hamper comboFix?

Thanks,
Earl
#11, 03-29-2009, 09:08 PM, tetonbob


Re: Spyware, malware windows XP

Just let ComboFix do its thing if normal mode is loading. Don't close ComboFix, don't interrupt it now that it's already gone to normal mode.
#12, 03-29-2009, 09:09 PM, tetonbob


Re: Spyware, malware windows XP

How is it that you're communicating with me? On another computer?
#13, 03-29-2009, 09:26 PM, eedwards40


Re: Spyware, malware windows XP

OK, here is the log from combofix.

ComboFix 09-03-29.02 - Administrator 2009-03-29 21:02:30.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.209 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.
ADS - svchost.exe: deleted 32768 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
c:\documents and settings\All Users\Application Data\salesmonitor
c:\documents and settings\All Users\Application Data\svhost.exe
c:\documents and settings\Kevin\Application Data\DriveCleaner Freeware
c:\documents and settings\Kevin\Application Data\DriveCleaner Freeware\Logs\update.log
c:\documents and settings\Kevin\Application Data\gadcom
c:\documents and settings\Kevin\err.log
c:\documents and settings\kevin\local settings\application data\{DFB1FD95-2EF7-4F10-B193-B93B54BB6798}
c:\documents and settings\kevin\local settings\application data\{DFB1FD95-2EF7-4F10-B193-B93B54BB6798}\chrome.manifest
c:\documents and settings\kevin\local settings\application data\{DFB1FD95-2EF7-4F10-B193-B93B54BB6798}\chrome\content\_cfg.js
c:\documents and settings\kevin\local settings\application data\{DFB1FD95-2EF7-4F10-B193-B93B54BB6798}\chrome\content\c.js
c:\documents and settings\kevin\local settings\application data\{DFB1FD95-2EF7-4F10-B193-B93B54BB6798}\chrome\content\overlay.xul
c:\documents and settings\kevin\local settings\application data\{DFB1FD95-2EF7-4F10-B193-B93B54BB6798}\install.rdf
c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Kevin\Start Menu\Programs\Internet Speed Monitor
c:\documents and settings\Kevin\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
c:\documents and settings\Kevin\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
c:\documents and settings\Kevin\Start Menu\Programs\Spyware Guard 2008
c:\documents and settings\Kevin\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk
c:\documents and settings\Taylor\Application Data\DriveCleaner Freeware
c:\documents and settings\Taylor\Application Data\DriveCleaner Freeware\Logs\update.log
c:\documents and settings\Taylor\err.log
c:\documents and settings\taylor\local settings\application data\{0D64D003-3020-4522-A8DA-9D908D355056}
c:\documents and settings\taylor\local settings\application data\{0D64D003-3020-4522-A8DA-9D908D355056}\chrome.manifest
c:\documents and settings\taylor\local settings\application data\{0D64D003-3020-4522-A8DA-9D908D355056}\chrome\content\_cfg.js
c:\documents and settings\taylor\local settings\application data\{0D64D003-3020-4522-A8DA-9D908D355056}\chrome\content\c.js
c:\documents and settings\taylor\local settings\application data\{0D64D003-3020-4522-A8DA-9D908D355056}\chrome\content\overlay.xul
c:\documents and settings\taylor\local settings\application data\{0D64D003-3020-4522-A8DA-9D908D355056}\install.rdf
c:\program files\Antivirus 2009
c:\program files\GetModule
c:\program files\GetModule\dicik.gz
c:\program files\GetModule\kwdik.gz
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\ISM
c:\program files\ISM\Uninstall.exe
c:\program files\Microsoft Common
c:\program files\ppatch~1
c:\program files\QdrDrive
c:\program files\QdrDrive\qdrloader.exe
c:\program files\QdrModule
c:\program files\QdrModule\dic.gz
c:\program files\QdrModule\kwd.gz
c:\program files\QdrPack
c:\program files\QdrPack\dicts.gz
c:\program files\QdrPack\trgts.gz
c:\program files\RcvSystem
c:\program files\RcvSystem\httpdchk.dll
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\license.key
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\vbase.vdb
c:\program files\VnrBlock
c:\windows\BM67ad99bc.txt
c:\windows\BM67ad99bc.xml
c:\windows\pskt.ini
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\system32\alog.txt
c:\windows\system32\bb1.dat
c:\windows\system32\bebowefo.dll.tmp
c:\windows\system32\cmds.txt
c:\windows\system32\config\systemprofile\local settings\application data\{0ef2b761-2f26-4668-bd62-17f2c9e5236c}\
c:\windows\system32\config\systemprofile\local settings\application data\{0ef2b761-2f26-4668-bd62-17f2c9e5236c}\\chrome.manifest
c:\windows\system32\config\systemprofile\local settings\application data\{0ef2b761-2f26-4668-bd62-17f2c9e5236c}\\chrome\content\_cfg.js
c:\windows\system32\config\systemprofile\local settings\application data\{0ef2b761-2f26-4668-bd62-17f2c9e5236c}\\chrome\content\c.js
c:\windows\system32\config\systemprofile\local settings\application data\{0ef2b761-2f26-4668-bd62-17f2c9e5236c}\\chrome\content\overlay.xul
c:\windows\system32\config\systemprofile\local settings\application data\{0ef2b761-2f26-4668-bd62-17f2c9e5236c}\\install.rdf
c:\windows\system32\cs.dat
c:\windows\system32\ctfmon.exe.tmp
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekabxxrldyy.sys
c:\windows\system32\jajulaze.dll
c:\windows\system32\jefizaya.dll.tmp
c:\windows\system32\lohasaru.dll
c:\windows\system32\nhser43uhjnefr.dll
c:\windows\system32\nobiwuna.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\nukatojo.dll
c:\windows\system32\porevujo.dll
c:\windows\system32\ps1.dat
c:\windows\system32\rc.dat
c:\windows\system32\royetuki.dll
c:\windows\system32\rtstv.ini
c:\windows\system32\rtstv.ini2
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekamykteole.dat
c:\windows\system32\ssembl~1
c:\windows\system32\tb.dr
c:\windows\system32\test.ttt
c:\windows\system32\tukugave.dll.vir
c:\windows\system32\uniq.tll
c:\windows\system32\virinida.dll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wuniferi.dll.tmp
c:\windows\temp\ntdll64.dll
c:\windows\vmreg.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF
-------\Service_ICF
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 21:12 . 2009-03-29 21:12 <DIR> d-------- c:\windows\LastGood
2009-03-29 13:54 . 2009-03-29 13:54 <DIR> d-------- c:\program files\RegCure
2009-03-29 12:31 . 2009-03-29 21:18 101,998 --a------ c:\windows\system32\drivers\glaide32.sys
2009-03-29 12:31 . 2009-03-29 12:31 98,304 --a------ C:\vaybq.exe
2009-03-29 12:30 . 2009-03-29 13:10 45,056 --a------ C:\liymwuq.exe
2009-03-29 12:30 . 2009-03-29 13:12 2 --a------ C:\1688119951
2009-03-29 12:29 . 2009-03-29 12:29 45,056 --a------ C:\dmsiacq.exe
2009-03-29 12:29 . 2009-03-29 12:29 9,216 --a------ c:\windows\instsp2.exe
2009-03-28 16:45 . 2009-03-28 16:45 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 14:19 . 2006-01-18 22:22 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-03-27 14:19 . 2006-01-18 22:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-03-27 14:19 . 2006-01-18 22:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\toshiba
2009-03-27 14:19 . 2006-02-06 18:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
2009-03-27 14:19 . 2006-05-28 20:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
2009-03-27 14:19 . 2008-02-02 15:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AOL
2009-03-27 14:19 . 2009-03-27 14:19 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 20:40 --------- d-----w c:\program files\Common Files\DriveCleaner Freeware
2009-03-27 22:01 --------- d-----w c:\program files\iTunes
2006-10-27 01:42 0 ----a-w c:\documents and settings\Kevin\Application Data\wklnhst.dat
2009-01-07 23:07 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-07 23:07 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-07 23:07 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-07 23:07 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-07 23:07 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59f3578e-841a-e7e5-d0bb-c5fd146cc5e8}]
2008-04-13 18:12 157696 --a------ c:\windows\enaxoxotumudivos.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-03-28 15360]
"PhotoShow Deluxe Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\MS872A~2.EXE" [2009-03-27 163840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-28 641208]
"Fmolixaxet"="c:\windows\enaxoxotumudivos.dll" [2008-04-13 157696]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-09 947544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-01-18 155648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ ecli scecli kbdlinu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFSServ.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-04 206096]
S2 0075521238382899mcinstcleanup;McAfee Application Installer Cleanup (0075521238382899);c:\windows\TEMP\007552~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\007552~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 DCamUSBSTK014;STK014 Camera;c:\windows\system32\DRIVERS\STK014W2.sys --> c:\windows\system32\DRIVERS\STK014W2.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe /autorun
\Shell\setup\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2007-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 13:15]

2009-01-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 19:10]

2009-01-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 19:10]

2009-03-30 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 11:58]

2009-03-30 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 11:58]

2006-05-29 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8775f7f8-06b8-4427-8ddf-43712e972689} - c:\windows\system32\nukatojo.dll
BHO-{AAB9A4F8-C283-473A-DAF1-A2287D8263EA} - c:\windows\system32\axcqtbekekxnei.dll
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-99434929349869593647778639979575 - c:\program files\Antivirus 2009\av2009.exe
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-TPSMain - TPSMain.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
Notify-jkkkhii - jkkkhii.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\18g0s5ta.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 21:18:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\glaide32]
"ImagePath"="\??\c:\windows\system32\drivers\glaide32.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(876)
c:\windows\kbdlinu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
.
**************************************************************************
.
Completion time: 2009-03-29 21:21:27 - machine was rebooted [Kevin]
ComboFix-quarantined-files.txt 2009-03-30 03:21:18

Pre-Run: 62,268,923,904 bytes free
Post-Run: 61,912,285,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

299 --- E O F --- 2009-01-05 21:41:05
Old 03-29-2009, 09:28 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,707
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware, malware windows XP

That looks a good deal better, but there's still more work to do. Before we continue, will Normal Mode now load for you?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 03-29-2009, 09:34 PM   #15 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 34
OS: xp


Re: Spyware, malware windows XP

OK, here is the log from combofix.
Old 03-29-2009, 09:37 PM   #16 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 34
OS: xp


Re: Spyware, malware windows XP

Hi tetonbob,

Sorry, it looks like the log posted twice; it told me I did not wait long enough between posts.

I am restarting in normal mode and will let you know shortly.

Thanks,
Earl
Old 03-29-2009, 09:41 PM   #17 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 34
OS: xp


Re: Spyware, malware windows XP

Hi tetonbob,

Up and running in normal mode.

Earl
Old 03-29-2009, 09:49 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,707
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware, malware windows XP

Great, I thought taking out so much trash would help.

Next steps...

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    McAfee:
    Double-click the taskbar icon to open the Security Center
    Click Advanced Menu (lower left)
    Click Configure (left)
    Click Computer & Files (upper left)
    VirusScan can be disabled on the right.

  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/361032-spyware-malware-windows-xp-post2051360.html#post2051360

    Driver::
    glaide32

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000

    Collect::
    c:\windows\system32\drivers\glaide32.sys
    C:\vaybq.exe
    C:\liymwuq.exe
    C:\1688119951
    C:\dmsiacq.exe
    c:\windows\instsp2.exe
    c:\windows\enaxoxotumudivos.dll


    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
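As an added example that is not part of this thread and not ComboFix's own code, the PowerShell script below audits, from the defender's side, the same settings the CFScript above resets: the Security Center notification and monitoring values, the LSA "Notification Packages" list and the Windows Firewall standard profile, and reports any deviation from a clean XP baseline. It assumes an elevated PowerShell session on the affected machine and that the Monitoring subkey names match the ones in the log (McAfeeAntiVirus, McAfeeFirewall); adjust those for a different product.

```powershell
# Added audit script (not from the thread or from ComboFix). Reads the registry
# locations that the CFScript above corrects and lists anything off-baseline,
# so the state can be re-checked after the fix without trusting the GUI.

function Get-DwordFinding {
    # Returns a one-line finding when a REG_DWORD value differs from $Expected,
    # nothing when the value matches or is absent.
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }          # value not present: nothing to flag
    $actual = $item.$Name
    if ($actual -ne $Expected) {
        "{0}\{1} = {2} (expected {3})" -f $Path, $Name, $actual, $Expected
    }
}

$findings = @()

# 1. Security Center: malware in the log set these to 1 so that Windows would not
#    warn about the disabled antivirus, updates and product monitoring.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'UpdatesDisableNotify', 'FirewallDisableNotify') {
    $findings += Get-DwordFinding -Path $sc -Name $name -Expected 0
}
# Subkey names taken from the log; other products register their own names here.
foreach ($product in 'McAfeeAntiVirus', 'McAfeeFirewall') {
    $findings += Get-DwordFinding -Path "$sc\Monitoring\$product" -Name 'DisableMonitoring' -Expected 0
}

# 2. LSA Notification Packages: a REG_MULTI_SZ of DLLs that lsass.exe loads and
#    hands every password change to. A clean XP box lists only "scecli"; the log
#    showed an extra kbdlinu.dll, which is exactly what this check surfaces.
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = @('scecli')
$packages = @((Get-ItemProperty -Path $lsaPath -Name 'Notification Packages' `
               -ErrorAction SilentlyContinue).'Notification Packages')
foreach ($pkg in $packages) {
    if (-not [string]::IsNullOrEmpty($pkg) -and ($expected -notcontains $pkg)) {
        $findings += "LSA Notification Packages contains unexpected entry: $pkg"
    }
}

# 3. Windows Firewall standard profile (the log shows EnableFirewall = 0).
$fwPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$findings += Get-DwordFinding -Path $fwPath -Name 'EnableFirewall' -Expected 1

# Report. An empty list means every checked value matches the baseline.
if ($findings.Count -eq 0) {
    Write-Output 'No deviations from baseline found.'
} else {
    Write-Output 'Deviations from baseline:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it once before and once after the ComboFix pass; any entry still listed afterwards (for example a DLL other than scecli under Notification Packages) is worth raising in the next reply.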
Old 03-29-2009, 10:22 PM   #19 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 34
OS: xp


Re: Spyware, malware windows XP

Yes, taking out the "Trash" is always a good thing. Here is the next run.

ComboFix 09-03-29.02 - Kevin 2009-03-29 2243.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.230 [GMT -6:00]
Running from: E:\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1688119951
C:\dmsiacq.exe
C:\liymwuq.exe
C:\vaybq.exe
c:\windows\enaxoxotumudivos.dll
c:\windows\instsp2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_glaide32


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 21:41 . 2009-03-29 21:41 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-29 13:54 . 2009-03-29 13:54 <DIR> d-------- c:\program files\RegCure
2009-03-28 16:45 . 2009-03-28 16:45 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 14:19 . 2006-01-18 22:22 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-03-27 14:19 . 2006-01-18 22:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-03-27 14:19 . 2006-01-18 22:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\toshiba
2009-03-27 14:19 . 2006-02-06 18:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
2009-03-27 14:19 . 2006-05-28 20:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
2009-03-27 14:19 . 2008-02-02 15:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AOL
2009-03-27 14:19 . 2009-03-27 14:19 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 20:40 --------- d-----w c:\program files\Common Files\DriveCleaner Freeware
2009-03-27 22:01 --------- d-----w c:\program files\iTunes
2006-10-27 01:42 0 ----a-w c:\documents and settings\Kevin\Application Data\wklnhst.dat
2009-01-07 23:07 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-07 23:07 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-07 23:07 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-07 23:07 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-07 23:07 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-03-28 15360]
"PhotoShow Deluxe Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\MS872A~2.EXE" [2009-03-27 163840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-28 641208]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-09 947544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-01-18 155648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli kbdlinu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFSServ.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-04 210216]
S2 0075521238382899mcinstcleanup;McAfee Application Installer Cleanup (0075521238382899);c:\windows\TEMP\007552~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\007552~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 DCamUSBSTK014;STK014 Camera;c:\windows\system32\DRIVERS\STK014W2.sys --> c:\windows\system32\DRIVERS\STK014W2.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe /autorun
\Shell\setup\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2007-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 13:15]

2009-01-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 19:10]

2009-01-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 19:10]

2009-03-30 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 11:58]

2009-03-30 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 11:58]

2006-05-29 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{59f3578e-841a-e7e5-d0bb-c5fd146cc5e8} - c:\windows\enaxoxotumudivos.dll
HKLM-Run-Fmolixaxet - c:\windows\enaxoxotumudivos.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\18g0s5ta.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 22:12:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(864)
c:\windows\kbdlinu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\wscntfy.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-03-29 22:15:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-30 04:15:42
ComboFix2.txt 2009-03-30 03:21:28

Pre-Run: 61,908,013,056 bytes free
Post-Run: 61,889,265,664 bytes free

166 --- E O F --- 2009-01-05 21:41:05
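A note on what the ComboFix log above already shows, before the quarantine list comes back: kbdlinu.dll sits in the LSA "Notification Packages" value next to the default scecli and is the one module ComboFix lists under lsass.exe; the two orphaned entries (a BHO and an HKLM Run value) both point at c:\windows\enaxoxotumudivos.dll; Security Center monitoring is switched off for both McAfee components; and the Windows Firewall standard profile has EnableFirewall set to 0. The script below is an added example, not part of this post and not ComboFix code. It reads those sections of a ComboFix-style log and flags exactly these indicators, correlating the Notification Packages entry with the lsass.exe module list so that a DLL appearing in both is reported as the persistence mechanism rather than as a stray module. The sample lines are copied from the log above; the rule names, severities and the allow-list of default LSA packages are assumptions of the example.

```python
"""Flag persistence and defence-evasion indicators in a ComboFix-style log.

Added example, not code from the forum post or from ComboFix.  The rule
names, severities and the allow-list below are this example's own
assumptions; the sample lines are copied from the log posted above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Workstation default for HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# "Notification Packages" is scecli; domain controllers also register
# rassfm and kdcsvc.  Every listed DLL is loaded into lsass.exe and is
# called on password changes, so any other name deserves a close look.
KNOWN_LSA_PACKAGES = {"scecli", "rassfm", "kdcsvc"}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_PROC_RE = re.compile(r"^- - - .*> '(?P<proc>[^']+)'\((?P<pid>\d+)\)")

# Constructed excerpt: the relevant lines copied from the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli kbdlinu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe /autorun
\Shell\setup\command - D:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{59f3578e-841a-e7e5-d0bb-c5fd146cc5e8} - c:\windows\enaxoxotumudivos.dll
HKLM-Run-Fmolixaxet - c:\windows\enaxoxotumudivos.dll

.
------- Supplementary Scan -------
.
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(864)
c:\windows\kbdlinu.dll
.
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    evidence: str


def _leaf(path: str) -> str:
    """Last backslash-separated component, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""          # registry key from the most recent "[...]" header
    section = ""      # "orphans" or "dlls" once those headers are seen
    proc = ""         # process whose DLL list is being read
    lsa_packages: set[str] = set()
    lsass_dlls: list[str] = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = _KEY_RE.match(line)
        if m:
            key, section = m.group("key"), ""
            continue
        if "ORPHANS REMOVED" in line:
            key, section = "", "orphans"
            continue
        if "DLLs Loaded Under Running Processes" in line:
            key, section = "", "dlls"
            continue
        if "Supplementary Scan" in line:
            key, section = "", ""
            continue
        m = _PROC_RE.match(line)
        if m:
            proc = m.group("proc").lower()
            continue

        klow = key.lower()
        if klow.endswith("control\\lsa") and line.startswith("Notification Packages"):
            # Everything after the value type is a DLL name (".dll" optional).
            for tok in line.split("REG_MULTI_SZ", 1)[-1].split():
                name = tok.lower().removesuffix(".dll")
                lsa_packages.add(name)
                if name not in KNOWN_LSA_PACKAGES:
                    findings.append(Finding("high", "lsa_notification_package", f"{tok} in {key}"))
        elif "security center\\monitoring" in klow and "DisableMonitoring" in line and line.endswith("1"):
            # Third-party suites often set this themselves; still worth noting,
            # since it silences Security Center when AV or firewall go down.
            findings.append(Finding("info", "security_center_monitoring_disabled", _leaf(key)))
        elif "firewallpolicy" in klow and "EnableFirewall" in line and re.search(r"=\s*0\b", line):
            findings.append(Finding("info", "windows_firewall_disabled", _leaf(key)))
        elif "mountpoints2" in klow and "autorun" in line.lower():
            leaf = _leaf(key)
            findings.append(Finding("medium", "mountpoints2_autorun", f"{leaf}: {line}"))
        elif section == "orphans" and " - " in line:
            entry, _, path = line.partition(" - ")
            findings.append(Finding("medium", "orphaned_autostart", f"{entry} -> {path}"))
        elif section == "dlls" and proc == "lsass.exe" and line.lower().endswith(".dll"):
            lsass_dlls.append(line)

    # Correlate: a DLL under lsass.exe that is also an LSA notification
    # package is the persistence mechanism itself, not just an odd module.
    for dll in lsass_dlls:
        if _leaf(dll).removesuffix(".dll") in lsa_packages:
            findings.append(Finding("high", "lsa_package_loaded_in_lsass", dll))
        else:
            findings.append(Finding("medium", "unexpected_dll_in_lsass", dll))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'medium': 3, 'info': 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
```

The correlation step is the point: ComboFix prints the Notification Packages value and the lsass.exe module list in two different sections, and only reading them together tells you that the module in lsass got there through the LSA registry value, which is what has to be cleaned (the value and the file) rather than just the file.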
Old 03-29-2009, 10:32 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,707
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware, malware windows XP

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Copyright 2001 - 2009, Tech Support Forum