
Thread: using Firefox but many IE popups, HELP

    #11
    Member | Join Date: Mar 2008 | Posts: 31

    Thanks, I really appreciate your help.

    1. File kmxcfg.u2k0 is clean:

    Scan taken on 31 Mar 2009 02:22:30 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Ikarus
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Quick Heal
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing


    2. CFScript/ComboFix log:
    ComboFix 09-03-27.02 - John 2009-03-30 22:51:04.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.796 [GMT -4:00]
    Running from: c:\documents and settings\John\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
    AV: CA Anti-Virus *On-access scanning enabled* (Updated)
    FW: CA Personal Firewall *enabled*
    * Created a new restore point

    FILE ::
    c:\windows\SYSTEM32\rejijejo.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Sm9obg
    c:\windows\Sm9obg\asappsrv.dll
    c:\windows\Sm9obg\command.exe
    c:\windows\Sm9obg\mA6Cv0.vbs
    c:\windows\SYSTEM32\rejijejo.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
    .

    2009-03-28 20:48 . 2009-03-28 20:55 <DIR> d-------- c:\program files\TradeStation 8.5 (Build 2289)
    2009-03-28 20:46 . 2009-03-28 20:46 <DIR> d-------- c:\documents and settings\John\Application Data\TradeStation Technologies
    2009-03-28 11:45 . 2009-03-28 11:45 <DIR> d-------- c:\program files\AskBarDis
    2009-03-28 11:44 . 2009-03-28 11:44 <DIR> d-------- c:\program files\Foxit Software
    2009-03-28 11:44 . 2009-03-28 11:44 <DIR> d-------- c:\documents and settings\John\Application Data\Foxit
    2009-03-28 11:36 . 2009-03-28 11:36 <DIR> d-------- c:\program files\Secunia
    2009-03-25 23:37 . 2009-03-25 23:37 <DIR> d-------- c:\program files\ERUNT
    2009-03-24 07:03 . 2009-03-24 07:03 7,808 --a------ c:\windows\SYSTEM32\DRIVERS\psi_mf.sys
    2009-02-04 10:11 . 2009-02-04 10:11 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
    2009-02-04 10:11 . 2009-02-04 10:11 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
    2009-02-04 04:07 . 2009-02-04 04:07 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-02-03 16:41 . 2008-10-16 15:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
    2009-02-03 16:41 . 2008-10-16 15:06 208,744 --a------ c:\windows\SYSTEM32\muweb.dll
    2009-02-03 16:41 . 2008-10-16 15:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui
    2009-02-02 23:27 . 2009-03-01 23:07 <DIR> d-------- c:\program files\Microsoft Silverlight

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-30 06:11 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
    2009-03-30 06:11 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
    2009-03-30 06:11 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
    2009-03-30 06:11 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
    2009-03-30 06:11 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
    2009-03-30 06:11 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
    2009-03-30 06:11 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
    2009-03-30 06:11 466,134 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
    2009-03-29 00:42 --------- d-----w c:\documents and settings\John\Application Data\CallingID
    2009-03-28 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-28 17:36 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-03-28 16:43 --------- d-----w c:\program files\TradeStation 8.3 (Build 1419)
    2009-03-28 16:27 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
    2009-03-28 16:19 --------- d-----w c:\program files\Java
    2009-03-28 16:17 --------- d-----w c:\program files\HOTALBUMMyBOX
    2009-03-28 16:11 --------- d-----w c:\program files\THQ
    2009-03-28 16:08 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-28 15:53 --------- d-----w c:\documents and settings\John\Application Data\Lavasoft
    2009-03-27 15:16 61,440 --sha-w c:\windows\SYSTEM32\gedoyipi.exe
    2009-03-27 03:15 61,440 --sha-w c:\windows\SYSTEM32\huforiti.exe
    2009-03-15 13:56 --------- d-----w c:\documents and settings\Jean\Application Data\CallingID
    2009-02-09 10:19 1,846,272 ----a-w c:\windows\SYSTEM32\win32k.sys
    2009-02-09 10:19 1,846,272 ----a-w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
    2008-12-20 23:15 63,488 ------w c:\windows\SYSTEM32\DLLCACHE\icardie.dll
    2008-12-20 23:15 6,066,688 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
    2008-12-20 23:15 52,224 ------w c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
    2008-12-20 23:15 459,264 ------w c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
    2008-12-20 23:15 383,488 ------w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
    2008-12-20 23:15 267,776 ------w c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
    2008-12-19 09:10 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
    2008-12-12 17:27 3,067,392 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
    2008-12-11 11:57 333,184 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
    2008-12-05 07:12 144,896 ----a-w c:\windows\SYSTEM32\schannel.dll
    2008-12-05 07:12 144,896 ----a-w c:\windows\SYSTEM32\DLLCACHE\schannel.dll
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-03-28_10.59.09.14 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-12-18 14:32:13 450,560 ----a-w c:\windows\$hf_mig$\KB944338-v2\SP2QFE\jscript.dll
    + 2007-12-18 14:32:13 417,792 ----a-w c:\windows\$hf_mig$\KB944338-v2\SP2QFE\vbscript.dll
    + 2007-03-06 01:22:36 14,048 ----a-w c:\windows\$hf_mig$\KB944338-v2\spmsg.dll
    + 2007-03-06 01:22:41 213,216 ----a-w c:\windows\$hf_mig$\KB944338-v2\spuninst.exe
    + 2007-03-06 01:22:34 22,752 ----a-w c:\windows\$hf_mig$\KB944338-v2\update\spcustom.dll
    + 2007-03-06 01:22:59 716,000 ----a-w c:\windows\$hf_mig$\KB944338-v2\update\update.exe
    + 2007-03-06 01:23:51 371,424 ----a-w c:\windows\$hf_mig$\KB944338-v2\update\updspapi.dll
    + 2009-02-09 10:20:05 1,847,424 ----a-w c:\windows\$hf_mig$\KB958690\SP2QFE\win32k.sys
    + 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\$hf_mig$\KB958690\SP3GDR\win32k.sys
    + 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
    + 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
    + 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
    + 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
    + 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
    + 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
    + 2008-12-05 06:41:26 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP2QFE\schannel.dll
    + 2008-12-05 06:54:55 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3GDR\schannel.dll
    + 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
    + 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
    + 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
    + 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
    + 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
    + 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
    + 2005-10-20 16:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-28-2009\ERDNT.EXE
    + 2009-03-28 16:35:59 11,169,792 ----a-w c:\windows\erdnt\AutoBackup\3-28-2009\Users\00000001\NTUSER.DAT
    + 2009-03-28 16:35:59 3,309,568 ----a-w c:\windows\erdnt\AutoBackup\3-28-2009\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-29-2009\ERDNT.EXE
    + 2009-03-29 12:30:18 14,798,848 ----a-w c:\windows\erdnt\AutoBackup\3-29-2009\Users\00000001\NTUSER.DAT
    + 2009-03-29 12:30:18 3,317,760 ----a-w c:\windows\erdnt\AutoBackup\3-29-2009\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-30-2009\ERDNT.EXE
    + 2009-03-30 22:57:34 14,798,848 ----a-w c:\windows\erdnt\AutoBackup\3-30-2009\Users\00000001\NTUSER.DAT
    + 2009-03-30 22:57:34 3,317,760 ----a-w c:\windows\erdnt\AutoBackup\3-30-2009\Users\00000002\UsrClass.dat
    - 2005-03-20 00:58:13 29,232 ----a-w c:\windows\hpoins03.dat
    + 2009-03-30 22:58:16 29,232 ----a-w c:\windows\hpoins03.dat
    - 2009-02-11 08:04:56 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2009-03-29 07:04:37 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    - 2009-02-11 08:04:56 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2009-03-29 07:04:37 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2009-02-11 08:04:56 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    + 2009-03-29 07:04:37 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    - 2009-02-11 08:04:55 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2009-03-29 07:04:37 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2009-02-11 08:04:56 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2009-03-29 07:04:37 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2009-02-11 08:04:56 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2009-03-29 07:04:37 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2009-02-11 08:04:56 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2009-03-29 07:04:37 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2009-02-11 08:04:56 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2009-03-29 07:04:38 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2009-02-11 08:04:56 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2009-03-29 07:04:37 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2009-02-11 08:04:55 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2009-03-29 07:04:37 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2009-02-11 08:04:56 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2009-03-29 07:04:38 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2009-02-11 08:04:55 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2009-03-29 07:04:37 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2009-02-11 08:04:55 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2009-03-29 07:04:36 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2006-10-23 15:34:19 1,022,976 ----a-w c:\windows\SYSTEM32\browseui.dll
    + 2008-10-16 10:20:52 1,024,000 ----a-w c:\windows\SYSTEM32\browseui.dll
    - 2006-10-23 15:34:19 151,040 -c--a-w c:\windows\SYSTEM32\cdfview.dll
    + 2008-10-16 10:20:42 151,040 ----a-w c:\windows\SYSTEM32\cdfview.dll
    - 2006-10-23 15:34:20 1,054,208 -c--a-w c:\windows\SYSTEM32\danim.dll
    + 2008-10-16 10:20:45 1,054,208 ----a-w c:\windows\SYSTEM32\danim.dll
    - 2006-10-23 15:34:19 1,022,976 -c--a-w c:\windows\SYSTEM32\DLLCACHE\browseui.dll
    + 2008-10-16 10:20:52 1,024,000 ----a-w c:\windows\SYSTEM32\DLLCACHE\browseui.dll
    - 2006-10-23 15:34:19 151,040 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdfview.dll
    + 2008-10-16 10:20:42 151,040 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdfview.dll
    - 2006-10-23 15:34:20 1,054,208 ----a-w c:\windows\SYSTEM32\DLLCACHE\danim.dll
    + 2008-10-16 10:20:45 1,054,208 ----a-w c:\windows\SYSTEM32\DLLCACHE\danim.dll
    - 2006-10-23 15:34:20 357,888 ----a-w c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
    + 2008-10-16 10:20:45 357,888 ----a-w c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
    - 2006-10-23 15:34:20 205,312 ----a-w c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
    + 2008-10-16 10:20:45 205,312 ----a-w c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
    - 2006-10-23 15:34:20 55,808 ----a-w c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
    + 2008-10-16 10:20:46 55,808 ----a-w c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
    - 2006-10-23 11:02:37 18,432 ----a-w c:\windows\SYSTEM32\DLLCACHE\iedw.exe
    + 2008-10-15 14:18:21 18,432 ----a-w c:\windows\SYSTEM32\DLLCACHE\iedw.exe
    - 2006-10-23 15:34:20 251,904 ----a-w c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
    + 2008-10-16 10:20:46 251,904 ----a-w c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
    - 2006-10-23 15:34:20 96,256 ----a-w c:\windows\SYSTEM32\DLLCACHE\inseng.dll
    + 2008-10-16 10:20:46 96,256 ----a-w c:\windows\SYSTEM32\DLLCACHE\inseng.dll
    - 2006-05-18 05:24:25 450,560 ----a-w c:\windows\SYSTEM32\DLLCACHE\jscript.dll
    + 2007-12-18 14:40:58 450,560 ----a-w c:\windows\SYSTEM32\DLLCACHE\jscript.dll
    - 2006-10-23 15:34:20 15,872 ----a-w c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
    + 2008-10-16 10:20:50 16,384 ----a-w c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
    - 2006-10-23 15:34:21 448,512 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
    + 2008-10-16 10:20:50 449,024 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
    - 2006-10-23 15:34:21 146,432 ----a-w c:\windows\SYSTEM32\DLLCACHE\msrating.dll
    + 2008-10-16 10:20:46 146,432 ----a-w c:\windows\SYSTEM32\DLLCACHE\msrating.dll
    - 2006-10-23 15:34:21 532,480 ----a-w c:\windows\SYSTEM32\DLLCACHE\mstime.dll
    + 2008-10-16 10:20:46 532,480 ----a-w c:\windows\SYSTEM32\DLLCACHE\mstime.dll
    - 2006-10-23 15:34:21 39,424 ----a-w c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
    + 2008-10-16 10:20:46 39,424 ----a-w c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
    - 2006-10-23 15:34:22 1,497,600 -c--a-w c:\windows\SYSTEM32\DLLCACHE\shdocvw.dll
    + 2008-10-16 10:20:48 1,499,136 ----a-w c:\windows\SYSTEM32\DLLCACHE\shdocvw.dll
    - 2006-10-23 15:34:22 474,112 -c--a-w c:\windows\SYSTEM32\DLLCACHE\shlwapi.dll
    + 2008-10-16 10:20:51 474,112 ----a-w c:\windows\SYSTEM32\DLLCACHE\shlwapi.dll
    - 2006-10-23 15:34:22 615,936 ----a-w c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
    + 2008-10-16 10:20:53 619,008 ----a-w c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
    - 2004-08-04 07:56:46 417,792 ----a-w c:\windows\SYSTEM32\DLLCACHE\vbscript.dll
    + 2007-12-18 14:40:58 417,792 ----a-w c:\windows\SYSTEM32\DLLCACHE\vbscript.dll
    - 2006-10-23 15:34:22 664,576 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
    + 2008-10-16 10:20:49 667,648 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
    - 2007-06-12 03:51:12 10,834,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wmp.dll
    + 2008-11-11 22:34:42 10,838,016 ----a-w c:\windows\SYSTEM32\DLLCACHE\wmp.dll
    - 2006-10-23 15:34:20 357,888 ----a-w c:\windows\SYSTEM32\dxtmsft.dll
    + 2008-10-16 10:20:45 357,888 ----a-w c:\windows\SYSTEM32\dxtmsft.dll
    - 2006-10-23 15:34:20 205,312 ----a-w c:\windows\SYSTEM32\dxtrans.dll
    + 2008-10-16 10:20:45 205,312 ----a-w c:\windows\SYSTEM32\dxtrans.dll
    - 2006-10-23 15:34:20 55,808 ----a-w c:\windows\SYSTEM32\extmgr.dll
    + 2008-10-16 10:20:46 55,808 ----a-w c:\windows\SYSTEM32\extmgr.dll
    - 2009-02-04 08:14:54 283,720 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
    + 2009-03-29 07:12:28 284,520 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
    - 2006-10-23 15:34:20 251,904 ----a-w c:\windows\SYSTEM32\iepeers.dll
    + 2008-10-16 10:20:46 251,904 ----a-w c:\windows\SYSTEM32\iepeers.dll
    - 2006-10-23 15:34:20 96,256 ----a-w c:\windows\SYSTEM32\inseng.dll
    + 2008-10-16 10:20:46 96,256 ----a-w c:\windows\SYSTEM32\inseng.dll
    - 2006-05-18 05:24:25 450,560 ----a-w c:\windows\SYSTEM32\jscript.dll
    + 2007-12-18 14:40:58 450,560 ----a-w c:\windows\SYSTEM32\jscript.dll
    - 2006-10-23 15:34:20 15,872 ----a-w c:\windows\SYSTEM32\jsproxy.dll
    + 2008-10-16 10:20:50 16,384 ----a-w c:\windows\SYSTEM32\jsproxy.dll
    - 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\SYSTEM32\Macromed\Flash\NPSWF32.dll
    + 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\SYSTEM32\Macromed\Flash\NPSWF32.dll
    - 2008-10-05 03:24:04 235,936 ----a-w c:\windows\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
    + 2009-02-03 02:15:30 240,544 ----a-w c:\windows\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
    - 2008-12-18 15:12:20 84,661 ----a-w c:\windows\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
    + 2009-03-28 15:40:06 84,661 ----a-w c:\windows\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
    - 2006-10-23 15:34:22 3,061,248 ----a-w c:\windows\SYSTEM32\mshtml.dll
    + 2008-12-12 17:27:54 3,067,392 ----a-w c:\windows\SYSTEM32\mshtml.dll
    - 2006-10-23 15:34:21 448,512 ----a-w c:\windows\SYSTEM32\mshtmled.dll
    + 2008-10-16 10:20:50 449,024 ----a-w c:\windows\SYSTEM32\mshtmled.dll
    - 2006-10-23 15:34:21 146,432 ----a-w c:\windows\SYSTEM32\msrating.dll
    + 2008-10-16 10:20:46 146,432 ----a-w c:\windows\SYSTEM32\msrating.dll
    - 2006-10-23 15:34:21 532,480 ----a-w c:\windows\SYSTEM32\mstime.dll
    + 2008-10-16 10:20:46 532,480 ----a-w c:\windows\SYSTEM32\mstime.dll
    - 2006-10-23 15:34:21 39,424 ----a-w c:\windows\SYSTEM32\pngfilt.dll
    + 2008-10-16 10:20:46 39,424 ----a-w c:\windows\SYSTEM32\pngfilt.dll
    - 2006-10-23 15:34:22 1,497,600 ----a-w c:\windows\SYSTEM32\shdocvw.dll
    + 2008-10-16 10:20:48 1,499,136 ----a-w c:\windows\SYSTEM32\shdocvw.dll
    - 2006-10-23 15:34:22 474,112 ----a-w c:\windows\SYSTEM32\shlwapi.dll
    + 2008-10-16 10:20:51 474,112 ----a-w c:\windows\SYSTEM32\shlwapi.dll
    - 2008-07-09 07:38:24 17,272 ------w c:\windows\SYSTEM32\spmsg.dll
    + 2007-11-30 12:39:22 17,272 ------w c:\windows\SYSTEM32\spmsg.dll
    - 2006-09-25 21:58:48 23,856 -c--a-w c:\windows\SYSTEM32\spupdsvc.exe
    + 2007-07-27 13:41:38 26,488 ----a-w c:\windows\SYSTEM32\spupdsvc.exe
    - 2006-10-23 15:34:22 615,936 ----a-w c:\windows\SYSTEM32\urlmon.dll
    + 2008-10-16 10:20:53 619,008 ----a-w c:\windows\SYSTEM32\urlmon.dll
    - 2004-08-04 07:56:46 417,792 ----a-w c:\windows\SYSTEM32\vbscript.dll
    + 2007-12-18 14:40:58 417,792 ----a-w c:\windows\SYSTEM32\vbscript.dll
    - 2006-10-23 15:34:22 664,576 ----a-w c:\windows\SYSTEM32\wininet.dll
    + 2008-10-16 10:20:49 667,648 ----a-w c:\windows\SYSTEM32\wininet.dll
    - 2007-06-12 03:51:12 10,834,944 ----a-w c:\windows\SYSTEM32\wmp.dll
    + 2008-11-11 22:34:42 10,838,016 ----a-w c:\windows\SYSTEM32\wmp.dll
    - 2008-02-15 09:06:21 351,744 ----a-w c:\windows\SYSTEM32\xpsp3res.dll
    + 2008-10-15 14:00:41 351,744 ----a-w c:\windows\SYSTEM32\xpsp3res.dll
    + 2009-03-30 14:18:38 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_634.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-01-19 4670968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-01-23 181488]
    "cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-28 771312]
    "capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-28 173296]
    "capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-28 259312]
    "CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-08-30 234736]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-04 136600]

    c:\documents and settings\John\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "EnableShellExecuteHooks"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-06-23 1373624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\mshta.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Mtrader mIRC - v2\\mirc32.exe"=
    "c:\\WINDOWS\\SYSTEM32\\ftp.exe"=
    "c:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\capfsem.exe"=
    "c:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\cavrid.exe"=
    "c:\\Program Files\\CA\\CA Internet Security Suite\\CA Website Inspector\\Light\\CAGlobalLight.exe"=
    "c:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe"=
    "c:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\capfasem.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
    "c:\\WINDOWS\\SYSTEM32\\taskmgr.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=

    R0 KmxStart;KmxStart;c:\windows\SYSTEM32\DRIVERS\KmxStart.sys [2008-03-19 93712]
    R1 KmxAgent;KmxAgent;c:\windows\SYSTEM32\DRIVERS\KmxAgent.sys [2008-03-21 63504]
    R1 KmxFile;KmxFile;c:\windows\SYSTEM32\DRIVERS\KmxFile.sys [2008-03-21 45584]
    R1 KmxFw;KmxFw;c:\windows\SYSTEM32\DRIVERS\KmxFw.sys [2008-03-19 115216]
    R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\SYSTEM32\DRIVERS\DLPORTIO.sys [2005-03-20 3584]
    R2 KmxCF;KmxCF;c:\windows\SYSTEM32\DRIVERS\KmxCF.sys [2008-06-04 134648]
    R2 KmxSbx;KmxSbx;c:\windows\SYSTEM32\DRIVERS\KmxSbx.sys [2008-03-21 66576]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [2007-07-09 46112]
    R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
    R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
    R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-04-15 281104]
    R3 KmxCfg;KmxCfg;c:\windows\SYSTEM32\DRIVERS\KmxCfg.sys [2008-05-30 88816]
    R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-10-27 185584]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S3 PSI;PSI;c:\windows\SYSTEM32\DRIVERS\psi_mf.sys [2009-03-24 7808]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - project
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-29 c:\windows\Tasks\CAAntiSpywareScan_Daily as John at 5 03 AM.job
    - c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2008-08-27 18:44]

    2004-09-15 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\System32\OOBE\OOBEBALN.EXE [2004-08-04 03:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    LSP: c:\windows\system32\VetRedir.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\5hbvpu1b.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-30 22:54:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(2024)
    c:\windows\system32\LMIRfsClientNP.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
    .
    Completion time: 2009-03-30 22:57:35
    ComboFix-quarantined-files.txt 2009-03-31 02:57:32
    ComboFix2.txt 2009-03-28 15:01:19
    ComboFix3.txt 2008-03-22 03:55:24

    Pre-Run: 9,481,732,096 bytes free
    Post-Run: 9,560,748,032 bytes free

    361 --- E O F --- 2009-03-29 07:05:39


    3. MBAM log:
    Malwarebytes' Anti-Malware 1.35
    Database version: 1922
    Windows 5.1.2600 Service Pack 2

    3/31/2009 12:12:29 AM
    mbam-log-2009-03-31 (00-12-29).txt

    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 177927
    Time elapsed: 40 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 10
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 7
    Files Infected: 16

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\elfwgps.bqxs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\elfwgps.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\ugac (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\dr6 (Adware.Rabio) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\ech5 (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\lows8 (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\sbc2 (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\typ2 (Trojan.Downloader) -> Quarantined and deleted successfully.

    Files Infected:
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gawajaso.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kjrsqx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\riwevito.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uwthqn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zukumuha.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gekujedo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP316\A0028518.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP319\A0028587.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0028748.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0028749.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0028759.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0028772.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0028781.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0028791.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\typ2\key89104.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



    4. new HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:29:02 AM, on 3/31/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\StkASv2K.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
    O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKUS\S-1-5-21-3841567307-4091171729-3825519540-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jean')
    O4 - HKUS\S-1-5-21-3841567307-4091171729-3825519540-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Jean')
    O4 - HKUS\S-1-5-21-3841567307-4091171729-3825519540-1008\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Jean')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (file missing)
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: Syntek STK1150 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe (file missing)

    --
    End of file - 7018 bytes



    5. It's running great. REALLY APPRECIATED. Question is how do I keep it this way? Thanks.
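One thing worth pulling out of the MBAM log above is the "Registry Data Items Infected" section: the two Security Center values (AntiVirusDisableNotify and UpdatesDisableNotify) had been set to 1, which silences the Windows XP warnings that antivirus or automatic updates are off. That is a common side effect of rogue-antivirus infections and is easy to overlook among the file detections. The following is an added example, not code from the thread or from Malwarebytes, that parses MBAM log lines of the "item (Family) -> ... -> action." shape into sections, counts detections per family, and flags any Security Center notification value whose "Bad:" value was 1. The sample input is a constructed subset of lines copied from the log posted above; the function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample input: a few lines copied from the MBAM log above, plus the
# "(No malicious items detected)" marker so every branch of the parser runs.
SAMPLE_LOG = r"""
Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\SYSTEM32\typ2 (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\typ2\key89104.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:$")
# "<item> (<family>)": the family is the LAST parenthesised group, so a path
# such as "c:\program files\Foo 8.5 (Build 2289)" would still parse correctly.
HEAD_RE = re.compile(r"^(.*) \(([^()]+)\)$")
# Only registry data items carry the "Bad: (x) Good: (y)" middle field.
DATA_RE = re.compile(r"^Bad: \((.*?)\) Good: \((.*?)\)$")


def parse_item(line):
    """Parse one detection line into a dict, or return None if it does not fit."""
    parts = line.split(" -> ")
    if len(parts) < 2:
        return None
    m = HEAD_RE.match(parts[0])
    if not m:
        return None
    item, family = m.groups()
    bad = good = None
    if len(parts) == 3:
        d = DATA_RE.match(parts[1])
        if d:
            bad, good = d.groups()
    return {"item": item, "family": family, "bad": bad, "good": good,
            "action": parts[-1].rstrip(".")}


def parse_mbam_log(text):
    """Return {section name: [record, ...]}; sections with no items map to []."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        rec = parse_item(line)
        if rec:
            sections[current].append(rec)
    return sections


def family_counts(sections):
    """Number of detections per MBAM family label (e.g. Trojan.Vundo)."""
    return Counter(r["family"] for recs in sections.values() for r in recs)


def security_center_tampering(sections):
    """Names of Security Center *DisableNotify values that MBAM found set to 1.

    A value of 1 means the XP Security Center warning for that component was
    switched off; after cleanup, confirm each one is back to 0.
    """
    hits = []
    for r in sections.get("Registry Data Items", []):
        path = r["item"]
        if "\\security center\\" in path.lower() and r["bad"] == "1":
            hits.append(path.rsplit("\\", 1)[-1])
    return hits


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for section, recs in parsed.items():
        print(f"{section}: {len(recs)} item(s)")
    print("families:", dict(family_counts(parsed)))
    print("Security Center notifications that had been disabled:",
          security_center_tampering(parsed))
```

Feed it the full log text instead of SAMPLE_LOG to get the complete per-family breakdown; the section names are taken verbatim from the log headers, so the "Registry Data Items" lookup matches the header MBAM writes.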

  2. #12
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    It's running great. REALLY APPRECIATED. Question is how do I keep it this way?
    Let's try to wrap up, then I will post information from experts to help you.

    Remove combofix from the computer like this:

    Click START then RUN
    Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U; it needs to be there.



    Clean the System Restore files like this:

    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
    (MBAM is yours to keep if you wish, update it and run it once a month or so)

    Update CA Anti-Virus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

    If all is well at this point, let me know and I will close the topic.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

    http://users.telenet.be/bluepatchy/m...oes/Links.html
    http://www.microsoft.com/windows/ie/...rotection.mspx
    Improve the safety of your browsing and e-mail activities
    http://www.microsoft.com/protect/com.../browsing.mspx
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #13
    Member
    Join Date
    Mar 2008
    Posts
    31


    MBAM and CA anti-virus came back clean.

    THANK YOU SO MUCH FOR YOUR HELP.

  4. #14
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for taking the time to let me know. Safe surfing.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
