
Thread: I hope I did this right and posted it to the right forum...

  1. #1
    Junior Member
    Join Date: Sep 2009
    Posts: 21

    Don't yell at me if I didn't, I'm new at this...also, should I be allowing or denying "SpybotDeleting" registry entries? I currently have all of the resident stuff turned off.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:02:45 AM, on 9/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://communityhigh.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    F2 - REG:system.ini: UserInit=Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [fifetobuh] Rundll32.exe "c:\windows\system32\nutedemu.dll",a
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4338] command.com /c del "C:\WINDOWS\SYSTEM32\tayazuvo.dll.tmp_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1753] cmd.exe /c del "C:\WINDOWS\SYSTEM32\tayazuvo.dll.tmp_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6419] command.com /c del "C:\WINDOWS\SYSTEM32\zefigeji.dll.tmp_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3162] cmd.exe /c del "C:\WINDOWS\SYSTEM32\zefigeji.dll.tmp_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7956] command.com /c del "c:\windows\system32\megoroku.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC164] cmd.exe /c del "c:\windows\system32\megoroku.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8848] command.com /c del "C:\WINDOWS\SYSTEM32\sdra64.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6078] cmd.exe /c del "C:\WINDOWS\SYSTEM32\sdra64.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4362] command.com /c del "C:\WINDOWS\SYSTEM32\lowsec\local.ds"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1991] cmd.exe /c del "C:\WINDOWS\SYSTEM32\lowsec\local.ds"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5522] command.com /c del "C:\WINDOWS\SYSTEM32\lowsec\user.ds"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5883] cmd.exe /c del "C:\WINDOWS\SYSTEM32\lowsec\user.ds"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
    O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60...ad/ppcwebi.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/6...l/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup163.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: gosurike.dll c:\windows\system32\nutedemu.dll
    O21 - SSODL: wujadikan - {486bc59c-18af-4019-8d82-a5f32688a9c3} - (no file)
    O21 - SSODL: mowuzedub - {f2cd3904-1e52-434f-9c12-9a30052bdef7} - c:\windows\system32\nutedemu.dll
    O22 - SharedTaskScheduler: jugezatag - {f2cd3904-1e52-434f-9c12-9a30052bdef7} - c:\windows\system32\nutedemu.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe

    --
    End of file - 11819 bytes

    TeaTimer keeps finding the same problems over and over. The Spybot scan produces the same results and takes over two hours.

    Last edited by tashi; 2009-09-20 at 22:57. Reason: Merged

  2. #2
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Hi RoniSutton

    You should allow them.

    We will continue with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper.

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date: Sep 2009
    Posts: 21

    As requested...ComboFix and new HijackThis logs

    ComboFix 09-09-22.01 - Roni 09/22/2009 16:43.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.647 [GMT -4:00]
    Running from: c:\documents and settings\Roni\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Microsoft Private Data
    c:\documents and settings\All Users\Microsoft Private Data\Microsoft\t.id
    c:\windows\system32\dinehowe.dll
    c:\windows\system32\funekopi.dll
    c:\windows\system32\gomakoju.dll
    c:\windows\system32\lowsec
    c:\windows\system32\mipasowu.dll
    c:\windows\system32\yorupota.dll
    c:\windows\wpd99.drv
    E:\autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
    .

    2009-09-19 15:01 . 2009-09-19 15:01 -------- dc----w- c:\program files\Trend Micro
    2009-09-19 14:59 . 2009-09-19 14:59 -------- dc----w- c:\program files\ERUNT
    2009-09-18 22:33 . 2009-09-18 22:33 -------- dc----w- c:\documents and settings\Roni\Application Data\pdf995
    2009-09-18 22:28 . 2009-09-18 22:34 -------- dc----w- c:\documents and settings\All Users\Application Data\pdf995
    2009-09-18 22:28 . 2009-09-18 22:28 51716 ----a-w- c:\windows\system32\pdf995mon.dll
    2009-09-18 22:28 . 2009-09-18 22:28 249856 -c--a-w- c:\windows\system32\pdfmona.dll
    2009-09-18 22:28 . 2009-09-18 22:33 -------- dc----w- c:\program files\pdf995
    2009-09-18 01:41 . 2009-09-18 03:41 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-09-18 01:41 . 2009-09-18 02:44 -------- dc----w- c:\program files\Spybot - Search & Destroy
    2009-09-07 12:49 . 2009-07-16 16:32 120136 -c--a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-09-07 12:47 . 2009-09-07 12:49 -------- dc----w- c:\program files\Common Files\McAfee
    2009-09-07 12:47 . 2009-09-07 12:48 -------- dc----w- c:\program files\McAfee.com
    2009-09-07 12:47 . 2009-09-18 17:56 -------- dc----w- c:\program files\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-22 13:17 . 2009-06-22 13:17 88064 -csha-w- c:\windows\system32\geyanuva.dll
    2009-09-22 01:17 . 2009-06-22 01:17 88064 -csha-w- c:\windows\system32\zotapugi.dll
    2009-09-21 21:33 . 2008-09-05 22:11 -------- dc----w- c:\documents and settings\LocalService\Application Data\SACore
    2009-09-21 13:18 . 2009-06-21 13:17 50176 -csha-w- c:\windows\system32\yolopusu.dll
    2009-09-21 11:13 . 2005-01-22 14:38 -------- dc----w- c:\program files\Jasc Software Inc
    2009-09-14 21:49 . 2007-01-17 23:25 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-08-05 09:01 . 2004-08-04 11:00 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 14:08 . 2004-08-04 11:00 286720 -c--a-w- c:\windows\system32\wmpdxm.dll
    2009-07-08 17:44 . 2009-07-08 17:44 214024 -c--a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-07-08 17:44 . 2007-01-19 11:37 40552 -c--a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-07-08 17:44 . 2007-01-19 11:37 35272 -c--a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-07-08 17:44 . 2007-01-19 11:37 79816 -c--a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-07-08 17:43 . 2007-01-19 11:37 34248 -c--a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-06-29 16:12 . 2004-08-04 11:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 11:00 78336 -c--a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 11:00 17408 -c----w- c:\windows\system32\corpol.dll
    2009-06-25 08:25 . 2004-08-04 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2004-08-04 11:00 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2004-08-04 11:00 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2004-08-04 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:25 . 2004-08-04 11:00 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2004-08-04 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-21 13:18 . 2009-06-21 13:18 50176 --sha-w- c:\windows\SYSTEM32\mejunewa.dll
    2009-06-19 22:17 . 2009-06-19 22:17 50176 --sha-w- c:\windows\SYSTEM32\wahewuvu.dll.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0d4af148-2081-4d98-b286-1c655776fd32}]
    2009-06-21 13:18 50176 --sha-w- c:\windows\SYSTEM32\mejunewa.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
    "fifetobuh"="c:\windows\system32\geyanuva.dll" [2009-09-22 88064]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{53abfdf4-813b-43d1-b67f-e97f0341a7a2}"= "c:\windows\system32\geyanuva.dll" [2009-09-22 88064]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "magikihaf"= {53abfdf4-813b-43d1-b67f-e97f0341a7a2} - c:\windows\system32\geyanuva.dll [2009-09-22 88064]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
    "c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=

    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/7/2009 8:52 AM 210216]
    R3 MusCDriverV32;MusCDriverV32;c:\windows\SYSTEM32\DRIVERS\MusCDriverV32.sys [2/8/2008 8:07 AM 513152]
    R3 MusCVideo32;MusCVideo32;c:\windows\SYSTEM32\DRIVERS\MusCVideo32.sys [1/20/2008 12:58 PM 3768]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
    S3 SoundMovieServer;SoundMovieServer;c:\windows\SYSTEM32\snmvtsvc.exe [2/8/2008 8:07 AM 184320]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-09-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-07 01:26]

    2009-09-07 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-07 01:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://communityhigh.net/
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: communityhigh.net\www
    DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
    FF - ProfilePath - c:\documents and settings\Roni\Application Data\Mozilla\Firefox\Profiles\1l9llah6.default\
    FF - prefs.js: browser.startup.homepage - hxxp://communityhigh.net/
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-tiyazuwode - dinehowe.dll
    SharedTaskScheduler-{7e964820-dabe-4b5e-923e-e56669a489c1} - c:\windows\system32\begadosi.dll
    SSODL-wujadikan-{486bc59c-18af-4019-8d82-a5f32688a9c3} - (no file)
    AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-22 16:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1968)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\geyanuva.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\LEXBCES.EXE
    c:\windows\SYSTEM32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\Common Files\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\windows\SYSTEM32\wdfmgr.exe
    c:\program files\Lexmark 1200 Series\lxczbmon.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-22 17:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-09-22 21:03

    Pre-Run: 6,850,347,008 bytes free
    Post-Run: 7,029,825,536 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    201 --- E O F --- 2009-09-15 05:57



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:24:59 PM, on 9/22/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://communityhigh.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0d4af148-2081-4d98-b286-1c655776fd32} - mejunewa.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [fifetobuh] Rundll32.exe "c:\windows\system32\geyanuva.dll",a
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
    O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60...ad/ppcwebi.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/6...l/gtdownls.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup163.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: c:\windows\system32\geyanuva.dll,funekopi.dll
    O21 - SSODL: magikihaf - {53abfdf4-813b-43d1-b67f-e97f0341a7a2} - c:\windows\system32\geyanuva.dll
    O22 - SharedTaskScheduler: tokatiluy - {53abfdf4-813b-43d1-b67f-e97f0341a7a2} - c:\windows\system32\geyanuva.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe

    --
    End of file - 9321 bytes

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left-hand side, click on Tools.
    4. Then click on the Resident icon in the list.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      c:\windows\system32\geyanuva.dll
      c:\windows\system32\zotapugi.dll
      c:\windows\system32\yolopusu.dll
      c:\windows\SYSTEM32\mejunewa.dll
      c:\windows\SYSTEM32\wahewuvu.dll.tmp
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Junior Member
    Join Date
    Sep 2009
    Posts
    21

    Default New ComboFix log

    I have followed your instructions. I really appreciate your time and help. I have a few questions, please. When you read these logs, what are you seeing? When you have me run ComboFix, what is it really doing? Finally, every time I reboot my machine, Spybot runs a scan which takes over two hours. When I began these instructions and dragged the code into ComboFix, Spybot started up. I had to Ctrl-Alt-Delete to get it to stop. Clicking on the stop button did no good. Is this normal?


    ComboFix 09-09-22.01 - Roni 09/23/2009 16:30.2.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.653 [GMT -4:00]
    Running from: c:\documents and settings\Roni\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Roni\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    FILE ::
    "c:\windows\system32\geyanuva.dll"
    "c:\windows\SYSTEM32\mejunewa.dll"
    "c:\windows\SYSTEM32\wahewuvu.dll.tmp"
    "c:\windows\system32\yolopusu.dll"
    "c:\windows\system32\zotapugi.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\SYSTEM32\mejunewa.dll
    c:\windows\system32\pegunake.dll
    c:\windows\system32\yolopusu.dll
    c:\windows\system32\zotapugi.dll
    E:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
    .

    2009-09-19 15:01 . 2009-09-19 15:01 -------- dc----w- c:\program files\Trend Micro
    2009-09-19 14:59 . 2009-09-19 14:59 -------- dc----w- c:\program files\ERUNT
    2009-09-18 22:33 . 2009-09-18 22:33 -------- dc----w- c:\documents and settings\Roni\Application Data\pdf995
    2009-09-18 22:28 . 2009-09-18 22:34 -------- dc----w- c:\documents and settings\All Users\Application Data\pdf995
    2009-09-18 22:28 . 2009-09-18 22:28 51716 ----a-w- c:\windows\system32\pdf995mon.dll
    2009-09-18 22:28 . 2009-09-18 22:28 249856 -c--a-w- c:\windows\system32\pdfmona.dll
    2009-09-18 22:28 . 2009-09-18 22:33 -------- dc----w- c:\program files\pdf995
    2009-09-18 01:41 . 2009-09-18 03:41 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-09-18 01:41 . 2009-09-18 02:44 -------- dc----w- c:\program files\Spybot - Search & Destroy
    2009-09-07 12:49 . 2009-07-16 16:32 120136 -c--a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-09-07 12:47 . 2009-09-07 12:49 -------- dc----w- c:\program files\Common Files\McAfee
    2009-09-07 12:47 . 2009-09-07 12:48 -------- dc----w- c:\program files\McAfee.com
    2009-09-07 12:47 . 2009-09-18 17:56 -------- dc----w- c:\program files\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-23 10:08 . 2009-06-23 10:08 87552 -csha-w- c:\windows\system32\jaguwuyi.dll
    2009-09-21 21:33 . 2008-09-05 22:11 -------- dc----w- c:\documents and settings\LocalService\Application Data\SACore
    2009-09-21 11:13 . 2005-01-22 14:38 -------- dc----w- c:\program files\Jasc Software Inc
    2009-09-14 21:49 . 2007-01-17 23:25 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-08-05 09:01 . 2004-08-04 11:00 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 14:08 . 2004-08-04 11:00 286720 -c--a-w- c:\windows\system32\wmpdxm.dll
    2009-07-08 17:44 . 2009-07-08 17:44 214024 -c--a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-07-08 17:44 . 2007-01-19 11:37 40552 -c--a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-07-08 17:44 . 2007-01-19 11:37 35272 -c--a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-07-08 17:44 . 2007-01-19 11:37 79816 -c--a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-07-08 17:43 . 2007-01-19 11:37 34248 -c--a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-06-29 16:12 . 2004-08-04 11:00 827392 ------w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 11:00 78336 -c--a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 11:00 17408 -c----w- c:\windows\system32\corpol.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-09-22_20.57.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-09-23 20:42 . 2009-09-23 20:42 40960 c:\windows\Temp\rtdrvmon.exe
    - 2009-09-22 20:55 . 2009-09-22 20:55 40960 c:\windows\Temp\rtdrvmon.exe
    + 2005-02-05 13:44 . 2009-09-23 19:32 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2005-02-05 13:44 . 2009-09-22 17:26 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-09-22 21:35 . 2009-09-23 19:32 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    - 2005-02-05 13:44 . 2009-09-22 17:26 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
    "fifetobuh"="c:\windows\system32\jaguwuyi.dll" [2009-09-23 87552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{0d26bd0d-4af5-40d7-ab47-f00766adc6b6}"= "c:\windows\system32\jaguwuyi.dll" [2009-09-23 87552]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "jiforahag"= {0d26bd0d-4af5-40d7-ab47-f00766adc6b6} - c:\windows\system32\jaguwuyi.dll [2009-09-23 87552]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
    "c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=

    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/7/2009 8:52 AM 210216]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
    R3 MusCDriverV32;MusCDriverV32;c:\windows\SYSTEM32\DRIVERS\MusCDriverV32.sys [2/8/2008 8:07 AM 513152]
    R3 MusCVideo32;MusCVideo32;c:\windows\SYSTEM32\DRIVERS\MusCVideo32.sys [1/20/2008 12:58 PM 3768]
    S3 SoundMovieServer;SoundMovieServer;c:\windows\SYSTEM32\snmvtsvc.exe [2/8/2008 8:07 AM 184320]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-09-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-07 01:26]

    2009-09-07 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-07 01:26]

    2009-09-23 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://communityhigh.net/
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: communityhigh.net\www
    DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
    FF - ProfilePath - c:\documents and settings\Roni\Application Data\Mozilla\Firefox\Profiles\1l9llah6.default\
    FF - prefs.js: browser.startup.homepage - hxxp://communityhigh.net/
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{0d4af148-2081-4d98-b286-1c655776fd32} - mejunewa.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-23 16:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(784)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\jaguwuyi.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\LEXBCES.EXE
    c:\windows\SYSTEM32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\Common Files\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\windows\SYSTEM32\wdfmgr.exe
    c:\program files\Lexmark 1200 Series\lxczbmon.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-23 16:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-09-23 20:50
    ComboFix2.txt 2009-09-22 21:03

    Pre-Run: 6,945,349,632 bytes free
    Post-Run: 6,904,754,176 bytes free

    190 --- E O F --- 2009-09-23 20:48

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Logs list recently created files/folders and typical malware loading points.

    ComboFix removes malware.

    That is due to TeaTimer. Did you have problems disabling it? I still see it running.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
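
    The reply above says the logs list "typical malware loading points". The thread's own logs show what that means in practice: in the first HijackThis log one randomly named DLL, geyanuva.dll, is wired into four load points at once (an HKLM Run entry launched through Rundll32, AppInit_DLLs, an SSODL entry and a SharedTaskScheduler entry sharing one CLSID), and the ComboFix log in post #5 shows the same three Explorer-side load points re-populated with a freshly named jaguwuyi.dll, which the "DLLs Loaded Under Running Processes" section confirms is inside explorer.exe. The file name changes; the load-point pattern does not. The script below is an added example, not part of this thread and not code from HijackThis or ComboFix: it parses HijackThis-style O4/O20/O21/O22 lines and flags that pattern. The sample lines are copied from the HijackThis log above, except the last three, which are constructed by rewriting the jaguwuyi.dll entries from the post #5 ComboFix "Reg Loading Points" section into HijackThis format (the "(no name)" label is a placeholder, since ComboFix prints no name for that entry). The eight-lowercase-letter name rule is an assumption tuned to these samples; a real triage would check each DLL's hash or signature against a known-good baseline instead.

```python
"""Triage HijackThis-style log lines for the random-named system32 DLL
persistence pattern seen in this thread: one DLL registered under several
Explorer/AppInit load points at once.  Added example, not the thread's code."""
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis log in this thread, plus
# three constructed lines (jaguwuyi.dll) rewritten into HJT format from the
# post #5 ComboFix "Reg Loading Points" section.
SAMPLE_LOG = r"""
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fifetobuh] Rundll32.exe "c:\windows\system32\geyanuva.dll",a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: c:\windows\system32\geyanuva.dll,funekopi.dll
O21 - SSODL: magikihaf - {53abfdf4-813b-43d1-b67f-e97f0341a7a2} - c:\windows\system32\geyanuva.dll
O22 - SharedTaskScheduler: tokatiluy - {53abfdf4-813b-43d1-b67f-e97f0341a7a2} - c:\windows\system32\geyanuva.dll
O4 - HKLM\..\Run: [fifetobuh] c:\windows\system32\jaguwuyi.dll
O21 - SSODL: jiforahag - {0d26bd0d-4af5-40d7-ab47-f00766adc6b6} - c:\windows\system32\jaguwuyi.dll
O22 - SharedTaskScheduler: (no name) - {0d26bd0d-4af5-40d7-ab47-f00766adc6b6} - c:\windows\system32\jaguwuyi.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
# Assumed heuristic tuned to this thread's samples: an eight-lowercase-letter
# DLL sitting directly in system32.  A hash/signature baseline check belongs
# here in real use; a name-shape rule is only a starting point.
RANDOM_SYS32_DLL = re.compile(r"c:\\windows\\system32\\([a-z]{8}\.dll)\b", re.I)


def parse_entries(log):
    """Return (section, body, raw) for each 'Oxx - ...' HijackThis line."""
    entries = []
    for raw in log.strip().splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), raw.strip()))
    return entries


def triage(log):
    """Return a list of findings, each with the load point, DLL and reasons."""
    entries = parse_entries(log)
    # CLSIDs registered under more than one Explorer delay-load mechanism
    clsid_sections = defaultdict(set)
    for sec, body, _ in entries:
        if sec in ("O21", "O22"):
            m = CLSID.search(body)
            if m:
                clsid_sections[m.group(0).lower()].add(sec)

    findings = []
    for sec, body, raw in entries:
        reasons = []
        dll_match = RANDOM_SYS32_DLL.search(body)
        dll = dll_match.group(1).lower() if dll_match else None
        if sec == "O20":
            # AppInit_DLLs are mapped into every process that loads user32.dll
            reasons.append("AppInit_DLLs is set")
        if sec == "O4" and dll and (
            re.search(r"rundll32", body, re.I) or body.rstrip().lower().endswith(".dll")
        ):
            reasons.append("Run key launches a random-looking system32 DLL instead of a program")
        if sec in ("O21", "O22"):
            if dll:
                reasons.append(f"{sec} Explorer delay-load entry points at random-looking system32 DLL")
            m = CLSID.search(body)
            if m and len(clsid_sections[m.group(0).lower()]) > 1:
                reasons.append("same CLSID registered under both SSODL and SharedTaskScheduler")
        if reasons:
            findings.append({"section": sec, "dll": dll, "line": raw, "reasons": reasons})
    return findings


def load_points(findings):
    """Map each flagged DLL to the sorted list of load points it is wired into."""
    by_dll = defaultdict(set)
    for f in findings:
        if f["dll"]:
            by_dll[f["dll"]].add(f["section"])
    return {dll: sorted(secs) for dll, secs in by_dll.items()}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
    print(load_points(results))
```

    Run as-is it flags the seven malicious lines and none of the McAfee, Intel, iTunes or TeaTimer entries, and the load_points summary shows geyanuva.dll under O4, O20, O21 and O22 and jaguwuyi.dll under O4, O21 and O22. Keying on the structure (a DLL shared across Run, AppInit_DLLs, SSODL and SharedTaskScheduler) rather than on a file name is what lets the same check catch the renamed copy, which is also why the post #9 log's "ORPHANS REMOVED" section, listing those three registry entries with no file behind them, is the sign the reply in post #10 calls "better".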

  7. #7
    Junior Member
    Join Date
    Sep 2009
    Posts
    21

    Default Teatimer

    Yes, I've clicked in the box you told me to in Spybot S&D Advanced, but every time I reboot, TeaTimer comes back on in my system tray. Then it and Windows Defender have an argument until I can get it turned off. I'm toying with the idea of uninstalling Spybot and then reinstalling it without TeaTimer. I've looked in my startup files folder and it is empty, so I'm not sure where in the computer it's getting loaded. Let me know if that's a good or bad idea and then we can move onwards and upwards. By the way, the pop-ups are still happening, but my machine is working more efficiently now. I do believe the pop-up program is resident to my computer because they are 'weird' looking pop-ups. The windows are an odd size, with a strange looking border and they are directly related to whatever website I am visiting. If I go to Lowes (a home improvement store) I get a pop-up for a lumber company. When I go to Spybot, I get a pop-up for Registry cleaners etc.

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Please then uninstall spybot and reinstall it without teatimer.

    Rerun combofix and post back fresh log, please.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Sep 2009
    Posts
    21

    Default Here you go...

    After I uninstalled and re-installed Spybot without Teatimer, I simply ran ComboFix. I didn't drag the txt file this time. If I should do it that way, let me know.

    ComboFix 09-09-22.01 - Roni 09/24/2009 20:21.3.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.447 [GMT -4:00]
    Running from: c:\documents and settings\Roni\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
    .

    2009-09-24 23:41 . 2009-09-24 23:41 -------- dc----w- c:\program files\Spybot - Search & Destroy
    2009-09-19 15:01 . 2009-09-19 15:01 -------- dc----w- c:\program files\Trend Micro
    2009-09-19 14:59 . 2009-09-19 14:59 -------- dc----w- c:\program files\ERUNT
    2009-09-18 22:33 . 2009-09-18 22:33 -------- dc----w- c:\documents and settings\Roni\Application Data\pdf995
    2009-09-18 22:28 . 2009-09-18 22:34 -------- dc----w- c:\documents and settings\All Users\Application Data\pdf995
    2009-09-18 22:28 . 2009-09-18 22:28 51716 ----a-w- c:\windows\system32\pdf995mon.dll
    2009-09-18 22:28 . 2009-09-18 22:28 249856 -c--a-w- c:\windows\system32\pdfmona.dll
    2009-09-18 22:28 . 2009-09-18 22:33 -------- dc----w- c:\program files\pdf995
    2009-09-18 01:41 . 2009-09-24 23:41 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-09-07 12:49 . 2009-07-16 16:32 120136 -c--a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-09-07 12:47 . 2009-09-07 12:49 -------- dc----w- c:\program files\Common Files\McAfee
    2009-09-07 12:47 . 2009-09-07 12:48 -------- dc----w- c:\program files\McAfee.com
    2009-09-07 12:47 . 2009-09-18 17:56 -------- dc----w- c:\program files\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-24 22:59 . 2009-04-02 22:02 -------- dc----w- c:\program files\Applet Effects Factory
    2009-09-21 21:33 . 2008-09-05 22:11 -------- dc----w- c:\documents and settings\LocalService\Application Data\SACore
    2009-09-21 11:13 . 2005-01-22 14:38 -------- dc----w- c:\program files\Jasc Software Inc
    2009-09-14 21:49 . 2007-01-17 23:25 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-08-05 09:01 . 2004-08-04 11:00 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 14:08 . 2004-08-04 11:00 286720 -c--a-w- c:\windows\system32\wmpdxm.dll
    2009-07-08 17:44 . 2009-07-08 17:44 214024 -c--a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-07-08 17:44 . 2007-01-19 11:37 40552 -c--a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-07-08 17:44 . 2007-01-19 11:37 35272 -c--a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-07-08 17:44 . 2007-01-19 11:37 79816 -c--a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-07-08 17:43 . 2007-01-19 11:37 34248 -c--a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-06-29 16:12 . 2004-08-04 11:00 827392 ------w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 11:00 78336 -c--a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 11:00 17408 -c----w- c:\windows\system32\corpol.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-09-22_20.57.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-02-05 13:44 . 2009-09-24 23:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2005-02-05 13:44 . 2009-09-22 17:26 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-09-24 00:17 . 2009-09-24 23:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    - 2005-02-05 13:44 . 2009-09-22 17:26 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
    "c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=

    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/7/2009 8:52 AM 210216]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
    R3 MusCDriverV32;MusCDriverV32;c:\windows\SYSTEM32\DRIVERS\MusCDriverV32.sys [2/8/2008 8:07 AM 513152]
    R3 MusCVideo32;MusCVideo32;c:\windows\SYSTEM32\DRIVERS\MusCVideo32.sys [1/20/2008 12:58 PM 3768]
    S3 SoundMovieServer;SoundMovieServer;c:\windows\SYSTEM32\snmvtsvc.exe [2/8/2008 8:07 AM 184320]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-09-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-07 01:26]

    2009-09-07 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-07 01:26]

    2009-09-24 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://communityhigh.net/
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: communityhigh.net\www
    DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
    FF - ProfilePath - c:\documents and settings\Roni\Application Data\Mozilla\Firefox\Profiles\1l9llah6.default\
    FF - prefs.js: browser.startup.homepage - hxxp://communityhigh.net/
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{0d4af148-2081-4d98-b286-1c655776fd32} - (no file)
    HKLM-Run-fifetobuh - c:\windows\system32\jaguwuyi.dll
    SharedTaskScheduler-{0d26bd0d-4af5-40d7-ab47-f00766adc6b6} - c:\windows\system32\jaguwuyi.dll
    SSODL-jiforahag-{0d26bd0d-4af5-40d7-ab47-f00766adc6b6} - c:\windows\system32\jaguwuyi.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-24 20:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\TMP00000092B0E77315C2696B2D 524288 bytes


    **************************************************************************
    .
    Completion time: 2009-09-25 20:34
    ComboFix-quarantined-files.txt 2009-09-25 00:33
    ComboFix2.txt 2009-09-23 20:50
    ComboFix3.txt 2009-09-22 21:03

    Pre-Run: 6,824,628,224 bytes free
    Post-Run: 6,821,576,704 bytes free

    150 --- E O F --- 2009-09-24 16:26

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    That looks better

    Please post next fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
