no pics in browser, computer freezes, regenerating files.

**joshwg** · 2009-04-01, 00:20

no pics while browsing still. I had to remove the R3 item twice. removed as directed and when I produced a fresh HJT log it was there again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:58 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8a32e8dd-ee22-4e60-a38d-dbf6f51e3139} - C:\Program Files\Dallas Cowboys\Helper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dallas Cowboys - {27E7F580-724E-46EB-846F-96C2396D23ED} - C:\Program Files\Dallas Cowboys\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572YYUS
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: my current home page - about:home

--
End of file - 4766 bytes

ComboFix 09-03-31.01 - Administrator 2009-03-31 18:03:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.295 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\New Folder\cfscript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Administrator\My Documents\InstallAVg_770522166350.exe
c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DER4TUV\inst[1].php
c:\windows\system32\sesombqe.dll
c:\windows\system32\xbjkib.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\My Documents\InstallAVg_770522166350.exe
c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DER4TUV\inst[1].php
c:\windows\system32\sesombqe.dll
c:\windows\system32\xbjkib.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-27 20:18 . 2009-03-27 20:18 <DIR> d-------- c:\program files\Java
2009-03-27 20:18 . 2009-03-27 20:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-27 20:18 . 2009-03-27 20:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-27 20:15 . 2009-03-27 20:15 0 --a------ c:\windows\system32\REN84.tmp
2009-03-27 20:15 . 2009-03-27 20:15 0 --a------ c:\windows\system32\REN83.tmp
2009-03-25 17:59 . 2009-03-25 18:00 1,374 --a------ c:\windows\imsins.BAK
2009-03-03 21:02 . 2009-03-03 21:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-03 21:02 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 21:01 . 2009-03-03 21:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 21:01 . 2009-03-03 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 21:01 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 04:45 . 2009-02-21 04:45 2,713 ---hs---- c:\windows\system32\mefuwoma.dll
2009-02-20 16:44 . 2009-02-20 16:44 2,713 ---hs---- c:\windows\system32\sukeweri.dll
2009-02-20 04:44 . 2009-02-20 04:44 2,713 ---hs---- c:\windows\system32\kisojaze.dll
2009-02-19 16:44 . 2009-02-19 16:44 2,713 ---hs---- c:\windows\system32\kuwiguri.dll
2009-02-19 03:19 . 2009-02-19 03:19 2,713 ---hs---- c:\windows\system32\sitevahi.dll
2009-02-18 15:20 . 2009-02-18 15:20 2,713 ---hs---- c:\windows\system32\zajifali.dll
2009-02-17 22:09 . 2009-02-17 22:09 2,713 ---hs---- c:\windows\system32\wohajulo.dll
2009-02-17 10:09 . 2009-02-17 10:09 2,713 ---hs---- c:\windows\system32\julakaso.dll
2009-02-16 22:09 . 2009-02-16 22:09 2,713 ---hs---- c:\windows\system32\dujosiye.dll
2009-02-16 10:08 . 2009-02-16 10:08 2,713 ---hs---- c:\windows\system32\nosefabi.dll
2009-02-15 22:08 . 2009-02-15 22:08 2,713 ---hs---- c:\windows\system32\vodujiku.dll
2009-02-14 22:08 . 2009-02-14 22:08 2,713 ---hs---- c:\windows\system32\kunisulu.dll
2009-02-13 19:30 . 2009-02-13 19:30 2,713 ---hs---- c:\windows\system32\rekemopi.dll
2009-02-13 07:30 . 2009-02-13 07:30 2,713 ---hs---- c:\windows\system32\towozoha.dll
2009-02-12 19:40 . 2009-02-12 19:40 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-12 19:40 . 2009-02-12 19:40 1,409 --a------ c:\windows\QTFont.for
2009-02-12 19:09 . 2009-02-12 19:09 2,713 ---hs---- c:\windows\system32\weyonoru.dll
2009-02-11 18:39 . 2009-02-11 18:39 <DIR> d-------- c:\program files\ERUNT
2009-02-11 18:27 . 2009-02-11 18:27 <DIR> d-------- c:\program files\Trend Micro
2009-02-10 16:51 . 2009-02-10 16:51 2,713 ---hs---- c:\windows\system32\rahupeke.dll
2009-02-07 17:06 . 2009-02-07 17:06 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot
2009-02-07 15:14 . 2009-02-07 15:14 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Webroot
2009-02-07 13:30 . 2009-02-07 13:30 <DIR> d-------- c:\windows\RegCure
2009-02-07 13:30 . 2009-02-12 19:13 <DIR> d-------- c:\program files\RegCure
2009-02-07 10:38 . 2009-02-07 10:38 2,713 ---hs---- c:\windows\system32\guratayo.dll
2009-02-06 21:48 . 2009-02-06 21:48 2,713 ---hs---- c:\windows\system32\refurepo.dll
2009-02-05 16:53 . 2009-02-05 16:53 2,713 ---hs---- c:\windows\system32\towuvela.dll
2009-02-04 21:19 . 2009-02-04 21:19 2,713 ---hs---- c:\windows\system32\dugigidu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 21:58 --------- d-----w c:\program files\Common Files\Adobe
2009-02-28 01:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-28 01:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 22:56 --------- d-----w c:\program files\Google
2009-01-31 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-31 14:37 --------- d-----w c:\program files\Norton AntiVirus
2007-07-28 11:58 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-27_17.50.05.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-14 04:31:24 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-28 00:18:14 144,792 ----a-w c:\windows\system32\java.exe
- 2007-03-14 04:31:28 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-28 00:18:14 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-03-14 06:04:46 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-28 00:18:14 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
- 2008-07-29 22:28:21 74,649 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-03-28 00:18:13 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-03-31 22:06:11 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6d0.dat
+ 2006-12-02 02:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}"= "c:\program files\Dallas Cowboys\Helper.dll" [2008-10-14 225280]

[HKEY_CLASSES_ROOT\clsid\{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{A79DCA30-7864-4B9E-9C6B-EBD5DBD015F2}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-07 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-27 148888]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
backup=c:\windows\pss\MiniMavis.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-15 13:38 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a--c--- 2004-12-31 17:14 469824 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-07 18:41 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a--c--- 2003-11-06 09:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 16:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 17:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-03 16:03 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"AVG Anti-Spyware Guard"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-03-13 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_01\bin\jusched.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://globaldiscoveryvacations.com/
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZNxmk572YYUS
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 18:06:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WRLogonNTF.dll
c:\windows\System32\NETUI1.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-31 18:09:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 22:09:43
ComboFix2.txt 2009-03-27 21:51:04
ComboFix3.txt 2009-03-24 21:31:40

Pre-Run: 66,900,099,072 bytes free
Post-Run: 66,972,819,456 bytes free

212 --- E O F --- 2009-03-25 22:01:43

**Blade81** · 2009-04-01, 07:54

Hi again,

Are you using IE as your browser? If so, please check this

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
c:\windows\system32\REN84.tmp
c:\windows\system32\REN83.tmp
c:\windows\system32\mefuwoma.dll
c:\windows\system32\sukeweri.dll
c:\windows\system32\kisojaze.dll
c:\windows\system32\kuwiguri.dll
c:\windows\system32\sitevahi.dll
c:\windows\system32\zajifali.dll
c:\windows\system32\wohajulo.dll
c:\windows\system32\julakaso.dll
c:\windows\system32\dujosiye.dll
c:\windows\system32\nosefabi.dll
c:\windows\system32\vodujiku.dll
c:\windows\system32\kunisulu.dll
c:\windows\system32\rekemopi.dll
c:\windows\system32\towozoha.dll
c:\windows\system32\weyonoru.dll
c:\windows\system32\rahupeke.dll
c:\windows\system32\guratayo.dll
c:\windows\system32\refurepo.dll
c:\windows\system32\towuvela.dll
c:\windows\system32\dugigidu.dll

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

**joshwg** · 2009-04-02, 02:46

show pictures was off. thanks for that.

ComboFix 09-04-01.01 - Administrator 2009-04-01 20:39:00.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.288 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\New Folder\cfscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\dugigidu.dll
c:\windows\system32\dujosiye.dll
c:\windows\system32\guratayo.dll
c:\windows\system32\julakaso.dll
c:\windows\system32\kisojaze.dll
c:\windows\system32\kunisulu.dll
c:\windows\system32\kuwiguri.dll
c:\windows\system32\mefuwoma.dll
c:\windows\system32\nosefabi.dll
c:\windows\system32\rahupeke.dll
c:\windows\system32\refurepo.dll
c:\windows\system32\rekemopi.dll
c:\windows\system32\REN83.tmp
c:\windows\system32\REN84.tmp
c:\windows\system32\sitevahi.dll
c:\windows\system32\sukeweri.dll
c:\windows\system32\towozoha.dll
c:\windows\system32\towuvela.dll
c:\windows\system32\vodujiku.dll
c:\windows\system32\weyonoru.dll
c:\windows\system32\wohajulo.dll
c:\windows\system32\zajifali.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dugigidu.dll
c:\windows\system32\dujosiye.dll
c:\windows\system32\guratayo.dll
c:\windows\system32\julakaso.dll
c:\windows\system32\kisojaze.dll
c:\windows\system32\kunisulu.dll
c:\windows\system32\kuwiguri.dll
c:\windows\system32\mefuwoma.dll
c:\windows\system32\nosefabi.dll
c:\windows\system32\rahupeke.dll
c:\windows\system32\refurepo.dll
c:\windows\system32\rekemopi.dll
c:\windows\system32\REN83.tmp
c:\windows\system32\REN84.tmp
c:\windows\system32\sitevahi.dll
c:\windows\system32\sukeweri.dll
c:\windows\system32\towozoha.dll
c:\windows\system32\towuvela.dll
c:\windows\system32\vodujiku.dll
c:\windows\system32\weyonoru.dll
c:\windows\system32\wohajulo.dll
c:\windows\system32\zajifali.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-03-31 21:49 . 2009-03-31 21:49 <DIR> d-------- c:\windows\system32\KB905474
2009-03-31 21:49 . 2009-03-10 22:26 1,403,264 --a------ c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-03-31 21:49 . 2009-03-10 22:18 453,512 --a------ c:\windows\system32\KB905474\wgasetup.exe
2009-03-31 21:49 . 2009-02-09 18:51 12,490 --a------ c:\windows\system32\KB905474\wga_eula.txt
2009-03-27 20:18 . 2009-03-27 20:18 <DIR> d-------- c:\program files\Java
2009-03-27 20:18 . 2009-03-27 20:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-27 20:18 . 2009-03-27 20:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-25 17:59 . 2009-03-25 18:00 1,374 --a------ c:\windows\imsins.BAK
2009-03-03 21:02 . 2009-03-03 21:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-03 21:02 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 21:01 . 2009-03-03 21:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 21:01 . 2009-03-03 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 21:01 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 21:58 --------- d-----w c:\program files\Common Files\Adobe
2009-02-28 01:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-28 01:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 23:13 --------- d-----w c:\program files\RegCure
2009-02-11 22:39 --------- d-----w c:\program files\ERUNT
2009-02-11 22:27 --------- d-----w c:\program files\Trend Micro
2009-02-10 22:56 --------- d-----w c:\program files\Google
2009-02-07 21:06 --------- d-----w c:\documents and settings\NetworkService\Application Data\Webroot
2009-02-07 19:14 --------- d-----w c:\documents and settings\LocalService\Application Data\Webroot
2007-07-28 11:58 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-27_17.50.05.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-14 04:31:24 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-28 00:18:14 144,792 ----a-w c:\windows\system32\java.exe
- 2007-03-14 04:31:28 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-28 00:18:14 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-03-14 06:04:46 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-28 00:18:14 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
- 2008-07-29 22:28:21 74,649 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-03-28 00:18:13 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-04-02 00:41:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_794.dat
+ 2006-12-02 02:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}"= "c:\program files\Dallas Cowboys\Helper.dll" [2008-10-14 225280]

[HKEY_CLASSES_ROOT\clsid\{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{A79DCA30-7864-4B9E-9C6B-EBD5DBD015F2}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-07 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-27 148888]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
backup=c:\windows\pss\MiniMavis.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-15 13:38 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a--c--- 2004-12-31 17:14 469824 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-07 18:41 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a--c--- 2003-11-06 09:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 16:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 17:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-03 16:03 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"AVG Anti-Spyware Guard"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder

2009-04-02 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-03-13 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe []

2009-04-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://globaldiscoveryvacations.com/
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZNxmk572YYUS
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 20:42:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-01 20:44:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-02 00:44:53
ComboFix2.txt 2009-03-31 22:09:46
ComboFix3.txt 2009-03-27 21:51:04
ComboFix4.txt 2009-03-24 21:31:40

Pre-Run: 66,924,503,040 bytes free
Post-Run: 66,914,172,928 bytes free

222 --- E O F --- 2009-04-01 01:49:13

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:30 PM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8a32e8dd-ee22-4e60-a38d-dbf6f51e3139} - C:\Program Files\Dallas Cowboys\Helper.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dallas Cowboys - {27E7F580-724E-46EB-846F-96C2396D23ED} - C:\Program Files\Dallas Cowboys\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572YYUS
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: my current home page - about:home

--
End of file - 4867 bytes

**Blade81** · 2009-04-02, 11:09

Hi again,

Start hjt, do a system scan, check (if found):
R3 - URLSearchHook: (no name) - - (no file)

Close all browsers and fix checked.

Post a fresh hjt log and let me know how's the system running

**joshwg** · 2009-04-03, 02:31

I removed it and it came back.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:27 PM, on 4/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8a32e8dd-ee22-4e60-a38d-dbf6f51e3139} - C:\Program Files\Dallas Cowboys\Helper.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dallas Cowboys - {27E7F580-724E-46EB-846F-96C2396D23ED} - C:\Program Files\Dallas Cowboys\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572YYUS
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: my current home page - about:home

--
End of file - 4827 bytes

**Blade81** · 2009-04-03, 15:08

Hi

We can leave that there if it won't stay away (nothing malicious)

How's the system running?

**joshwg** · 2009-04-03, 23:46

everything seems to be running just fine!

If there is nothing else you would have me do I can do the rest.

I have the prevention suggestions from the last computer I posted. Thank you for your help.

**Blade81** · 2009-04-03, 23:52

You're welcome

Remember uninstall ComboFix.

Click START then RUN
Now type Combofix /u in the runbox and click OK

**joshwg** · 2009-04-04, 01:04

I installed avg, updated it. Left the computer sit and resident shield came up saying it found a trojan.

"Trojan horse Generic12.BFIO";"C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP28\A0004112.dll";"Moved to Virus Vault";"4/3/2009, 6:49:07 PM";"File";"C:\WINDOWS\system32\svchost.exe"

**Blade81** · 2009-04-04, 01:08

Hi

That's in system restore and flushing will remove it.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Thread: no pics in browser, computer freezes, regenerating files.

Thread Tools

Display

Posting Permissions