
Active Multiple blank IE windows pop up

Discussion in 'Malware and Virus Removal Archive' started by jf45159, 2009/03/17.

  1. 2009/03/17
    jf45159

    jf45159 Inactive Thread Starter

    Joined:
    2009/03/17
    Messages:
    6
    Likes Received:
    0
    [Active] Multiple blank IE windows pop up

    Hello all,

    I have an issue with IE. I use Firefox to browse the Internet. While browsing, multiple IE windows start popping up blank. I have to get into Task Manager and kill the iexplorer.exe process for it to stop. Can you guys help?!?!?! This is driving me nuts!! Here is the HijackThis log:
     
    Last edited by a moderator: 2009/03/18
  2. 2009/03/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I suspect you are infected with malware - download, update and run Malwarebytes and post back.

    If the problem is not resolved your thread will be moved to the Removing Malware & Viruses forum.

    For the present I have removed your HJT log - we don't generally use that now - as BBS rules dictate that any thread with an HJT log is moved immediately to the above forum.
     

  4. 2009/03/18
    jf45159

    jf45159 Inactive Thread Starter

    Joined:
    2009/03/17
    Messages:
    6
    Likes Received:
    0
    Thanks PeteC. I think I have a larger problem here! I downloaded what you suggested, but can't install it. Same thing with Spybot.
     
  5. 2009/03/18
    jf45159

    jf45159 Inactive Thread Starter

    Joined:
    2009/03/17
    Messages:
    6
    Likes Received:
    0
    I also have a "free virus scan" that keeps popping up in Firefox wanting to scan my system.
     
  6. 2009/03/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Doesn't sound too good :(

    I've moved your thread to the Malware & Virus Removal forum .....

    There is an announcement at the head of the forum .....

    *** READ THIS BEFORE POSTING IN THIS FORUM ***

    Please read and post the logs requested in this thread. Do what you can, if any, and post back.
     
  7. 2009/03/19
    jf45159

    jf45159 Inactive Thread Starter

    Joined:
    2009/03/17
    Messages:
    6
    Likes Received:
    0
    Thanks PeteC. Here is the DDS log:

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Mom and Dad at 8:27:26.10 on Thu 03/19/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.493 [GMT -4:00]

    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

    ============== Running Processes ===============

    F:\WINDOWS\system32\svchost -k DcomLaunch
    F:\WINDOWS\system32\svchost -k rpcss
    F:\WINDOWS\System32\svchost.exe -k netsvcs
    F:\WINDOWS\system32\svchost.exe -k NetworkService
    F:\WINDOWS\system32\svchost.exe -k LocalService
    F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    F:\WINDOWS\system32\LEXBCES.EXE
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\system32\LEXPPS.EXE
    F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    F:\Program Files\Comodo\CBOClean\BOCORE.exe
    F:\Program Files\Java\jre6\bin\jqs.exe
    F:\WINDOWS\system32\svchost.exe -k imgsvc
    F:\WINDOWS\system32\wdfmgr.exe
    F:\WINDOWS\System32\alg.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\SOUNDMAN.EXE
    F:\Program Files\Common Files\Real\Update_OB\realsched.exe
    F:\Program Files\Java\jre6\bin\jusched.exe
    F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    F:\WINDOWS\system32\hphmon05.exe
    F:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    F:\Program Files\My Lockbox\flockbox.exe
    F:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\Program Files\Screen Doodle PhotoArtMaster\scrdoodl.exe
    F:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    F:\WINDOWS\system32\HPZipm12.exe
    F:\WINDOWS\System32\svchost.exe -k HTTPFilter
    F:\Program Files\Mozilla Firefox\firefox.exe
    F:\WINDOWS\system32\taskmgr.exe
    F:\Documents and Settings\Mom and Dad\Desktop\dds.scr
    F:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    mStart Page = about:blank
    mWinlogon: Userinit=f:\windows\system32\userinit.exe,f:\windows\system32\sdra64.exe,f:\windows\system32\twex.exe,
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\program files\spybot - search & destroy1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
    BHO: {49df6cab-abde-c3fb-1ee4-d9a0fb44830e}: {e03844bf-0a9d-4ee1-bf3c-edbabac6fd94} - f:\windows\system32\fwalsn.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [TkBellExe] "f:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe "
    mRun: [avgnt] "f:\program files\avira\antivir personaledition classic\avgnt.exe" /min
    mRun: [HPDJ Taskbar Utility] f:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
    mRun: [HPHUPD05] f:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
    mRun: [HP Component Manager] "f:\program files\hp\hpcoretech\hpcmpmgr.exe "
    mRun: [HP Software Update] "f:\program files\hewlett-packard\hp software update\HPWuSchd2.exe "
    mRun: [HPHmon05] f:\windows\system32\hphmon05.exe
    mRun: [Lexmark 4200 Series] "f:\program files\lexmark 4200 series\lxbmbmgr.exe "
    mRun: [CPM8b5d17e7] Rundll32.exe "f:\windows\system32\jisanifu.dll ",a
    mRun: [flockbox] f:\program files\my lockbox\flockbox.exe /a
    mRun: [BOC-427] f:\progra~1\comodo\cboclean\BOC427.exe
    StartupFolder: f:\docume~1\momand~1\startm~1\programs\startup\scrdoodl.lnk - f:\program files\screen doodle photoartmaster\scrdoodl.exe
    StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - f:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - f:\program files\pokerstars.net\PokerStarsUpdate.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\program files\spybot - search & destroy1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - f:\program files\hp\hpcoretech\comp\hpuiprot.dll
    AppInit_DLLs: f:\windows\system32\vehanabu.dll aweism.dll zzyjjg.dll fwalsn.dll f:\windows\system32\jisanifu.dll
    SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - f:\windows\system32\jisanifu.dll
    STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - f:\windows\system32\jisanifu.dll
    LSA: Notification Packages = scecli f:\windows\system32\vehanabu.dll

    ================= FIREFOX ===================

    FF - ProfilePath - f:\docume~1\momand~1\applic~1\mozilla\firefox\profiles\jrkfu4bi.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.profootballtalk.com/rumormill.htm

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R0 MPRIFL;MPRIFL;f:\windows\system32\drivers\mprifl.sys [2009-3-10 17264]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;f:\windows\system32\drivers\xfilt.sys [2008-12-18 11264]
    R1 avgio;avgio;f:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-18 11840]
    R1 BIOS;BIOS;f:\windows\system32\drivers\BIOS.sys [2008-12-18 13696]
    R2 aawservice;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
    R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;f:\program files\avira\antivir personaledition classic\sched.exe [2008-12-18 68865]
    R2 BOCore;BOCore;f:\program files\comodo\cboclean\BOCore.exe [2009-3-18 73464]
    S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;f:\program files\avira\antivir personaledition classic\avguard.exe [2008-12-18 151297]
    S3 avgntflt;avgntflt;f:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-18 52032]
    S3 SQTECH9052;Disney Micro;f:\windows\system32\drivers\Capt9052.sys [2008-12-19 38656]

    =============== Created Last 30 ================

    2009-03-18 11:37 22,528 a------- f:\windows\system32\wsock32.dlb
    2009-03-18 11:37 205,560 a------- f:\windows\UNBOC.EXE
    2009-03-18 11:37 212,728 a------- f:\windows\CMDLIC.DLL
    2009-03-18 11:37 <DIR> --d----- f:\docume~1\alluse~1\applic~1\BOC427
    2009-03-18 11:37 9,288 a------- f:\windows\BOC427.INI
    2009-03-18 11:36 <DIR> --d----- f:\program files\Comodo
    2009-03-11 13:50 <DIR> --d----- f:\program files\Screen Doodle PhotoArtMaster
    2009-03-10 14:55 17,264 a------- f:\windows\system32\drivers\mprifl.sys
    2009-03-10 14:55 <DIR> --d----- f:\program files\My Lockbox
    2009-03-07 09:51 <DIR> --d----- f:\docume~1\alluse~1\applic~1\SITEguard
    2009-03-07 09:50 <DIR> --d----- f:\program files\common files\iS3
    2009-03-07 09:50 <DIR> --d----- f:\docume~1\alluse~1\applic~1\STOPzilla!
    2009-03-05 09:56 <DIR> --dsh--- f:\windows\system32\lowsec
    2009-03-02 11:07 <DIR> --d----- f:\docume~1\momand~1\applic~1\Auslogics
    2009-03-02 11:04 <DIR> --d----- f:\program files\Auslogics
    2009-03-02 11:01 <DIR> --d----- f:\program files\CCleaner
    2009-03-02 10:57 <DIR> --d----- f:\program files\SpywareBlaster
    2009-03-01 17:33 44,544 -------- f:\windows\system32\GIF89.DLL
    2009-03-01 17:33 11,104 -------- f:\windows\system32\Snwvalid.hlp
    2009-03-01 17:33 1,204,224 -------- f:\windows\system32\SierraNW.DLL
    2009-03-01 17:33 233,472 -------- f:\windows\system32\SNWValid.dll
    2009-03-01 17:30 <DIR> --d----- F:\Sierra
    2009-03-01 17:29 229 a------- f:\windows\Sierra.ini
    2009-03-01 17:29 <DIR> --d----- f:\program files\Sierra On-Line
    2009-03-01 17:27 <DIR> --d----- f:\program files\prodocs
    2009-02-28 19:00 7,040 a------- f:\windows\system32\ntsim.sys
    2009-02-28 12:07 2,713 ---sh--- f:\windows\system32\tidowove.exe
    2009-02-27 18:06 129,024 a--sh--- f:\windows\system32\fwalsn.dll
    2009-02-27 06:05 2,713 ---sh--- f:\windows\system32\kepidaha.exe
    2009-02-25 09:14 <DIR> --d----- f:\program files\Spybot - Search & Destroy1
    2009-02-24 07:54 2,713 ---sh--- f:\windows\system32\weyofase.exe
    2009-02-23 13:53 1,763,472 ---sh--- f:\windows\system32\edupulal.ini
    2009-02-23 13:46 <DIR> --dsh--- f:\windows\system32\twain32
    2009-02-17 19:34 21,504 ac------ f:\windows\system32\dllcache\hidserv.dll
    2009-02-17 19:34 21,504 a------- f:\windows\system32\hidserv.dll

    ==================== Find3M ====================

    2009-02-27 18:06 84,992 a--sh--- f:\windows\system32\jisanifu.dll
    2009-02-27 18:06 129,024 a--sh--- f:\windows\system32\joritini.dll
    2009-02-26 20:44 107,132 a------- f:\windows\UninstallFirefox.exe
    2009-02-26 20:44 2,856 a------- f:\windows\mozver.dat
    2009-02-14 11:21 69,632 a------- f:\windows\system32\Clifford Uninstall.exe
    2009-01-10 16:50 4,096 a------- f:\windows\d3dx.dat
    2008-12-22 10:00 19,791 a------- f:\windows\HPHins02.dat
    2008-12-20 19:15 826,368 a------- f:\windows\system32\wininet.dll
    2008-12-19 12:14 49,152 a------- f:\windows\system32\NCRFixPst.dll

    ============= FINISH: 8:30:51.12 ===============
     
  8. 2009/03/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  9. 2009/03/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jf45159
    Let's see if we can get this on your system. If you can't download it, do you have access to another computer and a means to transfer it (Thumb Drive...) to the infected machine?

    Download ComboFix from Here

    Before saving it rename it to Mobofcix.exe then download it to your Desktop.

    Please run it this way.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


    Note - It's recommended to disable realtime protection applications, such as your antivirus program, while running ComboFix. They can sometimes interfere with the tool. Check this link for your applicable programs.

    Thanks
    Geri
     
  10. 2009/03/22
    jf45159

    jf45159 Inactive Thread Starter

    Joined:
    2009/03/17
    Messages:
    6
    Likes Received:
    0
    Hi Geri,

    Thanks for posting. I followed your advice. Here is the log:


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    f:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    f:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    F:\win.txt
    f:\windows\system32\drivers\UAChitmbyke.sys
    f:\windows\system32\edupulal.ini
    f:\windows\system32\fwalsn.dll
    f:\windows\system32\joritini.dll
    f:\windows\system32\lowsec
    f:\windows\system32\lowsec\local.ds
    f:\windows\system32\lowsec\user.ds
    f:\windows\system32\sdra64.exe
    f:\windows\system32\twain32
    f:\windows\system32\twain32\local.ds
    f:\windows\system32\twain32\user.ds
    f:\windows\system32\twex.exe
    f:\windows\system32\UACdbtfhqye.dll
    f:\windows\system32\UACexbnfnqq.dll
    f:\windows\system32\UACfkbwaqlb.log
    f:\windows\system32\UACgqoeejdp.dat
    f:\windows\system32\UACgswjfkka.dll
    f:\windows\system32\uacinit.dll
    f:\windows\system32\UACisvnwckw.log
    f:\windows\system32\UAClxiawcvo.dll
    f:\windows\system32\UACqkewysjp.log
    f:\windows\system32\UACwosvtysi.dll

    ----- BITS: Possible infected sites -----

    hxxp://sunmicro.ht.rd.llnw.net
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_UACd.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
    .

    2009-03-18 11:37 . 2009-03-18 11:39 <DIR> d-------- f:\documents and settings\All Users\Application Data\BOC427
    2009-03-18 11:37 . 2008-07-14 05:09 212,728 --a------ f:\windows\CMDLIC.DLL
    2009-03-18 11:37 . 2008-07-14 05:09 205,560 --a------ f:\windows\UNBOC.EXE
    2009-03-18 11:37 . 2008-04-13 20:12 22,528 --a------ f:\windows\system32\wsock32.dlb
    2009-03-18 11:37 . 2009-03-22 14:41 9,310 --a------ f:\windows\BOC427.INI
    2009-03-18 11:36 . 2009-03-18 11:36 <DIR> d-------- f:\program files\Comodo
    2009-03-11 13:50 . 2009-03-11 13:50 <DIR> d-------- f:\program files\Screen Doodle PhotoArtMaster
    2009-03-10 14:55 . 2009-03-10 14:55 <DIR> d-------- f:\program files\My Lockbox
    2009-03-10 14:55 . 2007-12-13 20:13 17,264 --a------ f:\windows\system32\drivers\mprifl.sys
    2009-03-07 09:51 . 2009-03-07 09:51 <DIR> d-------- f:\documents and settings\All Users\Application Data\SITEguard
    2009-03-07 09:50 . 2009-03-07 09:50 <DIR> d-------- f:\program files\Common Files\iS3
    2009-03-07 09:50 . 2009-03-07 09:55 <DIR> d-------- f:\documents and settings\All Users\Application Data\STOPzilla!
    2009-03-02 11:07 . 2009-03-02 11:07 <DIR> d-------- f:\documents and settings\Mom and Dad\Application Data\Auslogics
    2009-03-02 11:04 . 2009-03-02 11:04 <DIR> d-------- f:\program files\Auslogics
    2009-03-02 11:01 . 2009-03-02 11:02 <DIR> d-------- f:\program files\CCleaner
    2009-03-02 10:57 . 2009-03-10 10:28 <DIR> d-------- f:\program files\SpywareBlaster
    2009-03-01 17:33 . 1999-07-01 17:24 1,204,224 --------- f:\windows\system32\SierraNW.DLL
    2009-03-01 17:33 . 1999-07-01 17:24 233,472 --------- f:\windows\system32\SNWValid.dll
    2009-03-01 17:33 . 1999-07-01 17:23 44,544 --------- f:\windows\system32\GIF89.DLL
    2009-03-01 17:33 . 1997-07-14 15:57 11,104 --------- f:\windows\system32\Snwvalid.hlp
    2009-03-01 17:30 . 2009-03-01 17:30 <DIR> d-------- F:\Sierra
    2009-03-01 17:29 . 2009-03-01 17:33 <DIR> d-------- f:\program files\Sierra On-Line
    2009-03-01 17:29 . 2009-03-01 17:33 229 --a------ f:\windows\Sierra.ini
    2009-03-01 17:27 . 2009-03-01 17:27 <DIR> d-------- f:\program files\prodocs
    2009-02-28 19:00 . 2009-02-28 19:00 <DIR> d-------- F:\winsetup
    2009-02-28 12:07 . 2009-02-28 12:07 2,713 ---hs---- f:\windows\system32\tidowove.exe
    2009-02-27 06:05 . 2009-02-27 06:05 2,713 ---hs---- f:\windows\system32\kepidaha.exe
    2009-02-25 09:14 . 2009-02-25 09:14 <DIR> d-------- f:\program files\Spybot - Search & Destroy1
    2009-02-24 07:54 . 2009-02-24 07:54 2,713 ---hs---- f:\windows\system32\weyofase.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-20 17:59 --------- d-----w f:\program files\PokerStars.NET
    2009-03-10 14:29 --------- d---a-w f:\documents and settings\All Users\Application Data\TEMP
    2009-03-05 02:48 --------- d-----w f:\documents and settings\Mom and Dad\Application Data\LimeWire
    2009-02-27 22:06 84,992 --sha-w f:\windows\system32\jisanifu.dll
    2009-02-27 00:44 107,132 ----a-w f:\windows\UninstallFirefox.exe
    2009-02-25 13:21 --------- d-----w f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-25 12:59 --------- d-----w f:\program files\Spybot - Search & Destroy
    2009-02-23 21:31 --------- d-----w f:\documents and settings\Mom and Dad\Application Data\DivX
    2009-02-14 17:07 --------- d--h--w f:\program files\InstallShield Installation Information
    2009-02-14 17:07 --------- d-----w f:\program files\Infogrames Interactive
    2009-02-14 16:53 --------- d-----w f:\program files\Busytown
    2009-02-14 15:21 69,632 ----a-w f:\windows\system32\Clifford Uninstall.exe
    2009-02-14 15:21 --------- d-----w f:\program files\Scholastic's Clifford
    2009-02-04 19:51 --------- d-----w f:\documents and settings\Mom and Dad\Application Data\World-LooM
    2009-01-31 23:24 --------- d-----w f:\program files\Disney Interactive
    2009-01-28 00:43 --------- d-----w f:\program files\Disney Micro
    2009-01-24 02:00 --------- d-----w f:\program files\Motorsims
    2009-01-24 01:48 --------- d-----w f:\documents and settings\All Users\Application Data\Disney Interactive
    2009-01-24 00:50 --------- d-----w f:\documents and settings\Mom and Dad\Application Data\Leadertech
    2009-01-24 00:49 --------- d-----w f:\program files\Common Files\InstallShield
    2009-01-24 00:49 --------- d-----w f:\program files\Atari
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "f:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe "= "f:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-18 180269]
    "SunJavaUpdateSched "= "f:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
    "avgnt "= "f:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "HPDJ Taskbar Utility "= "f:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
    "HPHUPD05 "= "f:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
    "HP Component Manager "= "f:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "HP Software Update "= "f:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
    "HPHmon05 "= "f:\windows\system32\hphmon05.exe" [2005-07-08 491520]
    "Lexmark 4200 Series "= "f:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
    "CPM8b5d17e7 "= "f:\windows\system32\jisanifu.dll" [2009-02-27 84992]
    "flockbox "= "f:\program files\My Lockbox\flockbox.exe" [2007-12-14 1071472]
    "BOC-427 "= "f:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]
    "SoundMan "= "SOUNDMAN.EXE" [2006-08-03 f:\windows\soundman.exe]

    f:\documents and settings\Mom and Dad\Start Menu\Programs\Startup\
    scrdoodl.lnk - f:\program files\Screen Doodle PhotoArtMaster\scrdoodl.exe [2009-03-11 208967]

    f:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - f:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} "= "f:\windows\system32\jisanifu.dll" [2009-02-27 84992]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SSODL "= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - f:\windows\system32\jisanifu.dll [2009-02-27 84992]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=f:\windows\system32\jisanifu.dll
    "LoadAppInit_DLLs "=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "f:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "f:\\Program Files\\LimeWire\\LimeWire.exe "=
    "f:\\Program Files\\iTunes\\iTunes.exe "=
    "f:\\Program Files\\Mozilla Firefox\\firefox.exe "=

    R0 MPRIFL;MPRIFL;f:\windows\system32\drivers\mprifl.sys [2009-03-10 17264]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;f:\windows\system32\drivers\xfilt.sys [2008-12-18 11264]
    R1 BIOS;BIOS;f:\windows\system32\drivers\BIOS.sys [2008-12-18 13696]
    R2 BOCore;BOCore;f:\program files\Comodo\CBOClean\BOCore.exe [2009-03-18 73464]
    S3 SQTECH9052;Disney Micro;f:\windows\system32\drivers\Capt9052.sys [2008-12-19 38656]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-21 f:\windows\Tasks\AppleSoftwareUpdate.job
    - f:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

    2009-03-22 f:\windows\Tasks\HP Usg Daily.job
    - f:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2005-07-08 00:55]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{e03844bf-0a9d-4ee1-bf3c-edbabac6fd94} - f:\windows\system32\fwalsn.dll


    .
    ------- Supplementary Scan -------
    .
    mStart Page = about:blank
    IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - f:\program files\PokerStars.NET\PokerStarsUpdate.exe
    FF - ProfilePath - f:\documents and settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\jrkfu4bi.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.profootballtalk.com/rumormill.htm

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-22 14:42:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    f:\program files\Lavasoft\Ad-Aware\aawservice.exe
    f:\windows\system32\LEXBCES.EXE
    f:\windows\system32\LEXPPS.EXE
    f:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
    f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    f:\program files\Java\jre6\bin\jqs.exe
    f:\windows\system32\wdfmgr.exe
    f:\program files\Lexmark 4200 Series\lxbmbmon.exe
    f:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-22 14:45:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-22 18:45:22

    Pre-Run: 65,687,601,152 bytes free
    Post-Run: 65,651,552,256 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    f:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    197 --- E O F --- 2009-02-14 13:54:36
     
  11. 2009/03/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Please do this.

    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
      • f:\windows\system32\tidowove.exe
        f:\windows\system32\kepidaha.exe
        f:\windows\system32\weyofase.exe
        f:\windows\system32\jisanifu.dll
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
  12. 2009/03/23
    jf45159

    jf45159 Inactive Thread Starter

    Joined:
    2009/03/17
    Messages:
    6
    Likes Received:
    0
    Geri,

    Thank you for the suggestion. The file f:\windows\system32\jisanifu.dll was a virus. I was able to use HijackThis to remove the file during a reboot since I couldn't remove it manually. I think that might have solved the issue. I will monitor my PC and let you know. Thank you for all your help!!:)
     
  13. 2009/03/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    I would like to see the Jotti results. I don't think that was your only problem.

    Thanks
    Geri
     
