
Solved Weblinks redirected, system restore and windows update disabled

Discussion in 'Malware and Virus Removal Archive' started by denise82, 2009/03/25.

  1. 2009/03/25
    denise82

    denise82 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    7
    Likes Received:
    0
    [Resolved]Weblinks redirected, system restore and windows update disabled

    Hi. I am new to this forum and would greatly appreciate any help about my computer. I am being redirected to another site, mostly ads, after clicking on the link from the web search results. I tried downloading and running combofix.exe as I saw similar posts, but I guess what works for the others may have not worked for me. Also tried using system restore but unsuccessful.

    Here's the DDS log report:

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by User at 14:14:12.42 on Wed 03/25/2009
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.108 [GMT -7:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    FW: McAfee Personal Firewall *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe
    C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Documents and Settings\User\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: {bc178d5c-fc00-40c0-81cd-b6ec0d6bb0e9} - c:\windows\system32\zutahuva.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe "
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [Search Protection] "c:\program files\yahoo!\search protection\SearchProtection.exe "
    uRun: [dll] rundll32 dll32,sm
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe "
    mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe "
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
    mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe "
    mRun: [noluvavetu] Rundll32.exe "c:\windows\system32\jinujone.dll ",s
    mRun: [3437ca3a] rundll32.exe "c:\windows\system32\zurunuhi.dll ",b
    mRun: [CPM3704f9a6] Rundll32.exe "c:\windows\system32\yukufepo.dll ",a
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    AppInit_DLLs: c:\windows\system32\yukufepo.dll,c:\windows\system32\foponiga.dll
    SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yukufepo.dll
    STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\yukufepo.dll
    LSA: Notification Packages = scecli c:\windows\system32\foponiga.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\lq97rtwq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-6 213640]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-6 210216]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-6 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-6 144704]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-6 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-29 79304]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-29 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-29 40552]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-29 34216]

    =============== Created Last 30 ================

    2009-03-24 14:51 0 a------- c:\windows\system32\nfr.gpref
    2009-03-24 11:15 0 a------- c:\windows\system32\nfr.assembly
    2009-03-24 11:02 13,312 a------- c:\windows\system32\dll32.dll
    2009-03-24 11:02 1 a------- c:\windows\9g234sdfdfgjf23
    2009-03-24 11:02 2 ----h--- c:\windows\t55ft2808f44.dat
    2009-03-24 09:35 2,098 ---sh--- c:\windows\system32\melumusa.dll
    2009-03-24 09:35 2,098 ---sh--- c:\windows\system32\hezariza.dll
    2009-03-18 16:55 623,851 a------- c:\windows\system32\rn.tmp
    2009-03-09 16:25 50,176 a------- c:\windows\system32\drivers\UACd.sys
    2009-03-06 17:00 8,961 a------- c:\windows\system32\Config.MPF
    2009-03-06 16:52 213,640 a------- c:\windows\system32\drivers\mfehidk.sys
    2009-03-06 16:51 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
    2009-03-06 16:50 <DIR> --d----- c:\program files\common files\McAfee
    2009-03-06 16:50 <DIR> --d----- c:\program files\McAfee.com
    2009-03-06 16:49 <DIR> --d----- c:\program files\McAfee

    ==================== Find3M ====================

    2009-03-25 09:35 79,872 a--sh--- c:\windows\system32\zurunuhi.dll
    2009-03-25 09:35 84,992 a--sh--- c:\windows\system32\yukufepo.dll
    2009-03-24 21:34 84,992 a--sh--- c:\windows\system32\rayohupo.dll
    2009-03-23 21:33 84,992 a--sh--- c:\windows\system32\vikewami.dll
    2009-03-23 09:33 84,992 a--sh--- c:\windows\system32\nebazifi.dll
    2009-03-20 12:33 79,872 a--sh--- c:\windows\system32\torayowo.dll
    2009-03-20 12:33 84,992 a--sh--- c:\windows\system32\melihuvo.dll
    2009-03-20 00:33 84,992 a--sh--- c:\windows\system32\yefizedo.dll
    2009-03-19 12:33 84,992 a--sh--- c:\windows\system32\howivuti.dll
    2009-03-19 12:33 79,872 -------- c:\windows\system32\wurigizu.dll
    2009-02-17 17:51 164 a------- C:\install.dat
    2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
    2009-01-21 13:09 410,984 a------- c:\windows\system32\deploytk.dll
    2008-12-30 13:51 2,068 a------- c:\windows\system32\d3d9caps.dat
    0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\jinujone.dll
    0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\zutahuva.dll

    ============= FINISH: 14:17:12.79 ===============
     
  2. 2009/03/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi denise82
    Welcome to WindowsBBS

    Please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Thanks
    Geri
     


  4. 2009/03/27
    denise82

    denise82 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    7
    Likes Received:
    0
    Hi Geri. Thank you so much for taking the time to look at my computer situation. Here is the series of events and the combofix log.
    1. Upon starting combofix.exe, a window pops up which says 'Error-win32 only'. Incompatible OS, works only for Windows 200n & XP. Since I have an XP, I didn't do anything and let ComboFix run.
    2. After combofix creates the log report, another window pops up which says 'catchme.cfexe failed to initialize'. Again, I didn't do anything.
    3. There are now windows instantly appearing that say 'virus scan in progress', 'best virus protection'.

    Think there may be remnants of virus or malware. Would appreciate if you could look further to eliminate these disturbing malicious pop-ups. Thanks again Geri.

    *******************************************

    ComboFix 09-03-26.03 - User 2009-03-27 10:48:00.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.148 [GMT -7:00]
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\dll32.dll
    c:\windows\system32\jkfaxf.dll
    c:\windows\system32\kuvonitu.dll
    c:\windows\system32\nrnmbx.dll
    c:\windows\system32\yihovepe.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
    .

    2009-03-27 10:43 . 2009-03-27 10:45 <DIR> d-------- C:\32788R22FWJFW
    2009-03-25 11:15 . 2009-03-25 11:15 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
    2009-03-24 14:51 . 2009-03-24 14:51 0 --a------ c:\windows\system32\nfr.gpref
    2009-03-24 11:15 . 2009-03-24 11:15 0 --a------ c:\windows\system32\nfr.assembly
    2009-03-24 11:02 . 2009-03-24 11:02 2 ---h----- c:\windows\t55ft2808f44.dat
    2009-03-24 11:02 . 2009-03-24 11:02 1 --a------ c:\windows\9g234sdfdfgjf23
    2009-03-24 09:35 . 2009-03-24 09:35 2,098 ---hs---- c:\windows\system32\melumusa.dll
    2009-03-24 09:35 . 2009-03-24 09:35 2,098 ---hs---- c:\windows\system32\hezariza.dll
    2009-03-18 16:55 . 2009-03-18 16:55 623,851 --a------ c:\windows\system32\rn.tmp
    2009-03-09 16:25 . 2009-03-09 16:25 50,176 --a------ c:\windows\system32\drivers\UACd.sys
    2009-03-06 17:00 . 2009-03-27 10:52 9,649 --a------ c:\windows\system32\Config.MPF
    2009-03-06 16:52 . 2009-01-09 13:03 213,640 --a------ c:\windows\system32\drivers\mfehidk.sys
    2009-03-06 16:51 . 2008-10-23 14:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys
    2009-03-06 16:50 . 2009-03-06 16:50 <DIR> d-------- c:\program files\McAfee.com
    2009-03-06 16:50 . 2009-03-06 16:51 <DIR> d-------- c:\program files\Common Files\McAfee
    2009-03-06 16:49 . 2009-03-24 11:28 <DIR> d-------- c:\program files\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-27 16:35 84,992 --sha-w c:\windows\system32\vanegeha.dll
    2009-03-27 16:35 79,872 --sha-w c:\windows\system32\nedusefi.dll
    2009-03-27 04:35 84,992 --sha-w c:\windows\system32\fusonasu.dll
    2009-03-27 04:35 79,872 ------w c:\windows\system32\hivetuse.dll
    2009-03-27 04:35 61,440 --sha-w c:\windows\system32\dusetawi.exe
    2009-03-26 20:48 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-03-26 16:35 84,992 --sha-w c:\windows\system32\sijizile.dll
    2009-03-26 16:35 79,872 ------w c:\windows\system32\zewotuva.dll
    2009-03-26 04:35 84,992 --sha-w c:\windows\system32\mapuvoju.dll
    2009-03-26 04:35 79,872 ------w c:\windows\system32\kosanija.dll
    2009-03-25 18:15 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2009-03-25 16:35 84,992 --sha-w c:\windows\system32\yukufepo.dll
    2009-03-25 16:35 79,872 ------w c:\windows\system32\zurunuhi.dll
    2009-03-25 04:34 84,992 --sha-w c:\windows\system32\rayohupo.dll
    2009-03-24 04:33 84,992 --sha-w c:\windows\system32\vikewami.dll
    2009-03-23 16:33 84,992 --sha-w c:\windows\system32\nebazifi.dll
    2009-03-20 19:33 84,992 --sha-w c:\windows\system32\melihuvo.dll
    2009-03-20 19:33 79,872 --sha-w c:\windows\system32\torayowo.dll
    2009-03-20 07:33 84,992 --sha-w c:\windows\system32\yefizedo.dll
    2009-03-19 19:33 84,992 --sha-w c:\windows\system32\howivuti.dll
    2009-03-19 19:33 79,872 ------w c:\windows\system32\wurigizu.dll
    2009-03-07 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-03-06 23:37 --------- d-----w c:\documents and settings\User\Application Data\Webroot
    2009-02-18 00:57 --------- d-----w c:\program files\Webroot
    2009-02-18 00:51 164 ----a-w C:\install.dat
    2009-02-17 20:06 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
    2009-02-17 19:13 --------- d-----w c:\program files\SiteAdvisor
    2009-02-10 00:51 --------- d-----w c:\documents and settings\User\Application Data\VirusRemover2008
    2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
    2009-01-30 17:47 --------- d-----w c:\program files\Symantec AntiVirus
    2009-01-30 17:47 --------- d-----w c:\program files\Symantec
    2009-01-30 17:47 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-30 17:47 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2009-01-29 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
    2009-01-21 20:09 410,984 ----a-w c:\windows\system32\deploytk.dll
    1601-01-01 00:12 47,616 --sha-w c:\windows\system32\jinujone.dll
    1601-01-01 00:12 47,616 --sha-w c:\windows\system32\zutahuva.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc178d5c-fc00-40c0-81cd-b6ec0d6bb0e9}]
    47616 --ahs---- c:\windows\system32\zutahuva.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dll "= "dll32" [X]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Yahoo! Pager "= "c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "Search Protection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "RoxWatchTray "= "c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
    "McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
    "McAfee Backup "= "c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-01-09 5134864]
    "noluvavetu "= "c:\windows\system32\jinujone.dll" [ 47616]
    "3437ca3a "= "c:\windows\system32\nedusefi.dll" [2009-03-27 79872]
    "CPM3704f9a6 "= "c:\windows\system32\vanegeha.dll" [2009-03-27 84992]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} "= "c:\windows\system32\vanegeha.dll" [2009-03-27 84992]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SSODL "= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vanegeha.dll [2009-03-27 84992]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=c:\windows\system32\vanegeha.dll,c:\windows\system32\foponiga.dll
    "LoadAppInit_DLLs "=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\windows\system32\foponiga.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe "=
    "c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe "=
    "c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\QBMsgMgr.exe "=
    "c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe "=
    "c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\qbupdate.exe "=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe "=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe "=
    "c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe "=
    "c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "80:TCP "= 80:TCP:dll32
    "7171:TCP "= 7171:TCP:dll32


    --- Other Services/Drivers In Memory ---

    *Deregistered* - ALG
    *Deregistered* - Apple Mobile Device
    *Deregistered* - AudioSrv
    *Deregistered* - BITS
    *Deregistered* - Bonjour Service
    *Deregistered* - Browser
    *Deregistered* - CryptSvc
    *Deregistered* - DcomLaunch
    *Deregistered* - Dhcp
    *Deregistered* - dmserver
    *Deregistered* - Dnscache
    *Deregistered* - ERSvc
    *Deregistered* - EventSystem
    *Deregistered* - FastUserSwitchingCompatibility
    *Deregistered* - gusvc
    *Deregistered* - helpsvc
    *Deregistered* - ImapiService
    *Deregistered* - iPod Service
    *Deregistered* - JavaQuickStarterService
    *Deregistered* - lanmanserver
    *Deregistered* - lanmanworkstation
    *Deregistered* - LmHosts
    *Deregistered* - McAfee SiteAdvisor Service
    *Deregistered* - mcmscsvc
    *Deregistered* - McNASvc
    *Deregistered* - McProxy
    *Deregistered* - McShield
    *Deregistered* - McSysmon
    *Deregistered* - MDM
    *Deregistered* - MpfService
    *Deregistered* - MSK80Service
    *Deregistered* - Net Driver HPZ12
    *Deregistered* - Netman
    *Deregistered* - Nla
    *Deregistered* - Pml Driver HPZ12
    *Deregistered* - PolicyAgent
    *Deregistered* - ProtectedStorage
    *Deregistered* - QBCFMonitorService
    *Deregistered* - RasMan
    *Deregistered* - RemoteRegistry
    *Deregistered* - RimVSerPort
    *Deregistered* - Roxio Upnp Server 9
    *Deregistered* - RoxLiveShare9
    *Deregistered* - RoxWatch9
    *Deregistered* - RpcSs
    *Deregistered* - SamSs
    *Deregistered* - Schedule
    *Deregistered* - seclogon
    *Deregistered* - SENS
    *Deregistered* - SharedAccess
    *Deregistered* - ShellHWDetection
    *Deregistered* - Spooler
    *Deregistered* - sr
    *Deregistered* - srservice
    *Deregistered* - Srv
    *Deregistered* - SSDPSRV
    *Deregistered* - stisvc
    *Deregistered* - swenum
    *Deregistered* - TapiSrv
    *Deregistered* - Tcpip
    *Deregistered* - TermDD
    *Deregistered* - TermService
    *Deregistered* - Themes
    *Deregistered* - TrkWks
    *Deregistered* - UMWdf
    *Deregistered* - Update
    *Deregistered* - VgaSave
    *Deregistered* - Viewpoint Manager Service
    *Deregistered* - VolSnap
    *Deregistered* - W32Time
    *Deregistered* - Wanarp
    *Deregistered* - WebClient
    *Deregistered* - winmgmt
    *Deregistered* - wscsvc
    *Deregistered* - wuauserv
    *Deregistered* - WZCSVC

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

    2009-03-27 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 11:45]

    2009-03-06 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

    2009-03-06 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{d08861b6-3453-411f-bb57-685753b22a0a} - c:\windows\system32\nrnmbx.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lq97rtwq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-27 10:56:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1056)
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\nedusefi.dll
    c:\windows\system32\jinujone.dll
    c:\windows\system32\vanegeha.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\McAfee\SiteAdvisor\McSACore.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\program files\McAfee\MSK\msksrver.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\progra~1\McAfee.com\Agent\mcagent.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Viewpoint\Common\ViewpointService.exe
    c:\windows\system32\rundll32.exe
    c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-27 11:05:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-27 18:05:19

    Pre-Run: 26,563,518,464 bytes free
    Post-Run: 26,559,172,608 bytes free

    302 --- E O F --- 2009-03-11 10:01:31
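The DDS and ComboFix logs above carry several of the classic signs a helper looks for when triaging a redirect infection: the IE and Firefox proxy settings pointed at localhost:7171, Run entries that load system32 DLLs through rundll32, AppInit_DLLs and an extra LSA notification package, Security Center monitoring switched off, and firewall exceptions for ports 80 and 7171. The script below is an added example, not part of this thread and not code from the DDS or ComboFix tools; it scans the text-format log lines for those indicators and reports what should be reviewed. The rule names are my own, the sample lines are copied from the two logs posted above, and "scecli" is assumed as the only default LSA notification package on Windows XP. A match means "review this entry", not proof that a file is malicious.

```python
"""Triage helper for DDS / ComboFix style log lines (added example)."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", ["rule", "reason", "line"])

# Assumption: on Windows XP the only default LSA notification package is scecli.
DEFAULT_LSA_PACKAGES = {"scecli"}

# (rule name, pattern, reason). Patterns tolerate the stray spaces before
# closing quotes ("DisableMonitoring "=...) that appear in pasted logs.
RULES = [
    ("local-proxy",
     re.compile(r'(ProxyServer\s*=.*?localhost:\d+|network\.proxy\.http\s*-\s*localhost)', re.I),
     "browser traffic is routed through a proxy on this machine"),
    ("rundll32-autorun",
     re.compile(r'^[um]Run:\s*\[[^\]]*\]\s*rundll32', re.I),
     "autorun entry loads a DLL via rundll32"),
    ("appinit-dlls",
     re.compile(r'^"?AppInit_DLLs\s*"?\s*[:=]\s*(\S+)', re.I),
     "AppInit_DLLs injects the listed DLL(s) into every user-mode process"),
    ("security-center-off",
     re.compile(r'"(DisableMonitoring|UpdatesDisableNotify)\s*"\s*=\s*dword:0*1\b', re.I),
     "Security Center monitoring or update notification disabled"),
    ("firewall-off",
     re.compile(r'"EnableFirewall\s*"\s*=\s*0\b', re.I),
     "Windows Firewall disabled for this profile"),
    ("firewall-open-port",
     re.compile(r'^"(\d+):(TCP|UDP)\s*"\s*=\s*\1:\2:(\S+)', re.I),
     "port opened in the firewall exception list"),
]

# LSA packages need token logic (DDS uses "=", ComboFix prints REG_MULTI_SZ).
LSA_RE = re.compile(r'Notification Packages\s*(?:=|REG_MULTI_SZ)\s*(.+)', re.I)


def triage(log_text):
    """Return a Finding for every log line that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()          # pasted logs are indented by the forum
        if not line:
            continue
        for name, pattern, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(name, reason, line))
        m = LSA_RE.search(line)
        if m:
            # Paths in these logs contain no spaces, so whitespace split is enough.
            extra = [t for t in m.group(1).split() if t.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                findings.append(Finding("lsa-notification-package",
                                        "non-default LSA notification package(s): " + ", ".join(extra),
                                        line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'local-proxy': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


# Sample lines copied from the DDS and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
uRun: [dll] rundll32 dll32,sm
mRun: [noluvavetu] Rundll32.exe "c:\windows\system32\jinujone.dll",s
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
AppInit_DLLs: c:\windows\system32\yukufepo.dll,c:\windows\system32\foponiga.dll
LSA: Notification Packages = scecli c:\windows\system32\foponiga.dll
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
"DisableMonitoring "=dword:00000001
"EnableFirewall "= 0 (0x0)
"7171:TCP "= 7171:TCP:dll32
"80:TCP "= 80:TCP:dll32
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The proxy rule is the one that explains the symptom in the first post: with IE and Firefox both forced through localhost:7171, and a firewall exception opened for that port by "dll32", every search result click passes through a process on the machine itself, which is how the redirects are inserted. The iTunesHelper line is included to show that ordinary autoruns are not flagged; only rundll32-based loaders of anonymous DLLs are.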
     
  5. 2009/03/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi denise82

    Please do the following.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Code:
    http://www.windowsbbs.com/malware-virus-removal/82718-active-weblinks-redirected-system-restore-windows-update-disabled.html
    Collect::
    c:\windows\system32\nfr.gpref
    c:\windows\system32\nfr.assembly
    c:\windows\t55ft2808f44.dat
    c:\windows\9g234sdfdfgjf23
    c:\windows\system32\melumusa.dll
    c:\windows\system32\hezariza.dll
    c:\windows\system32\rn.tmp
    c:\windows\system32\drivers\UACd.sys
    c:\windows\system32\hivetuse.dll
    c:\windows\system32\dusetawi.exe
    c:\windows\system32\sijizile.dll
    c:\windows\system32\zewotuva.dll
    c:\windows\system32\mapuvoju.dll
    c:\windows\system32\kosanija.dll
    c:\windows\system32\yukufepo.dll
    c:\windows\system32\zurunuhi.dll
    c:\windows\system32\rayohupo.dll
    c:\windows\system32\vikewami.dll
    c:\windows\system32\nebazifi.dll
    c:\windows\system32\melihuvo.dll
    c:\windows\system32\torayowo.dll
    c:\windows\system32\yefizedo.dll
    c:\windows\system32\howivuti.dll
    c:\windows\system32\wurigizu.dll
    c:\windows\system32\jinujone.dll
    c:\windows\system32\zutahuva.dll
    c:\windows\system32\foponiga.dll
    c:\windows\system32\vanegeha.dll 
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc178d5c-fc00-40c0-81cd-b6ec0d6bb0e9}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dll"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "noluvavetu"=-
    "3437ca3a"=-
    "CPM3704f9a6"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""

    Please post the combofix log.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2009/03/30
    denise82

    denise82 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    7
    Likes Received:
    0
    Hi Geri. Everything seems to be working fine now. Below is the combofix log. Kindly check if there is anything that I need to do. You're the best! Thanks again.

    ***********************
    ComboFix 09-03-29.04 - User 2009-03-30 11:21:55.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.177 [GMT -7:00]
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *enabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\9g234sdfdfgjf23
    c:\windows\system32\drivers\UACd.sys
    c:\windows\system32\dusetawi.exe
    c:\windows\system32\hezariza.dll
    c:\windows\system32\hivetuse.dll
    c:\windows\system32\howivuti.dll
    c:\windows\system32\jinujone.dll
    c:\windows\system32\kosanija.dll
    c:\windows\system32\mapuvoju.dll
    c:\windows\system32\melihuvo.dll
    c:\windows\system32\melumusa.dll
    c:\windows\system32\nebazifi.dll
    c:\windows\system32\nfr.assembly
    c:\windows\system32\nfr.gpref
    c:\windows\system32\rayohupo.dll
    c:\windows\system32\rn.tmp
    c:\windows\system32\sijizile.dll
    c:\windows\system32\vanegeha.dll
    c:\windows\system32\vikewami.dll
    c:\windows\system32\yefizedo.dll
    c:\windows\system32\yukufepo.dll
    c:\windows\system32\zewotuva.dll
    c:\windows\system32\zurunuhi.dll
    c:\windows\system32\zutahuva.dll
    c:\windows\t55ft2808f44.dat

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
    .

    2009-03-25 11:15 . 2009-03-25 11:15 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
    2009-03-06 17:00 . 2009-03-30 11:30 10,263 --a------ c:\windows\system32\Config.MPF
    2009-03-06 16:52 . 2009-01-09 13:03 213,640 --a------ c:\windows\system32\drivers\mfehidk.sys
    2009-03-06 16:51 . 2008-10-23 14:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys
    2009-03-06 16:50 . 2009-03-06 16:50 <DIR> d-------- c:\program files\McAfee.com
    2009-03-06 16:50 . 2009-03-06 16:51 <DIR> d-------- c:\program files\Common Files\McAfee
    2009-03-06 16:49 . 2009-03-24 11:28 <DIR> d-------- c:\program files\McAfee
    2009-02-18 15:31 . 2009-02-18 15:32 <DIR> d-------- c:\windows\ERUNT
    2009-02-17 17:58 . 2009-02-17 17:58 <DIR> d-------- C:\Binaries
    2009-02-17 17:57 . 2009-02-17 17:57 <DIR> d-------- c:\program files\Webroot
    2009-02-17 17:57 . 2009-03-06 16:37 <DIR> d-------- c:\documents and settings\User\Application Data\Webroot
    2009-02-17 17:51 . 2009-02-17 17:51 164 --a------ C:\install.dat
    2009-02-17 13:06 . 2009-02-17 13:06 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
    2009-02-09 17:51 . 2009-02-09 17:51 <DIR> d-------- c:\temp\sTMP3
    2009-02-09 17:51 . 2009-02-09 17:51 <DIR> d-------- c:\documents and settings\User\Application Data\VirusRemover2008
    2009-02-05 12:54 . 2008-04-04 16:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
    2009-02-05 12:54 . 2009-02-05 12:55 <DIR> d-------- c:\documents and settings\Administrator
    2009-02-03 10:45 . 2009-02-03 10:45 48 --a------ c:\windows\wininit.ini
    2009-02-02 11:56 . 2009-02-02 11:56 230 --a------ c:\windows\system32\spupdsvc.inf
    2009-02-02 11:52 . 2007-08-13 19:52 66,048 --a------ c:\windows\ieResetIcons.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-30 16:36 84,992 --sha-w c:\windows\system32\komabagi.dll
    2009-03-30 16:36 79,872 --sha-w c:\windows\system32\zifewiba.dll
    2009-03-30 16:36 61,440 --sha-w c:\windows\system32\fanesohu.exe
    2009-03-30 04:36 84,992 --sha-w c:\windows\system32\moduwigo.dll
    2009-03-30 04:36 79,872 --sha-w c:\windows\system32\minewuda.dll
    2009-03-30 04:36 61,440 --sha-w c:\windows\system32\rafedote.exe
    2009-03-29 23:51 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-03-29 16:37 84,992 --sha-w c:\windows\system32\somajize.dll
    2009-03-29 16:37 79,872 --sha-w c:\windows\system32\hunawaze.dll
    2009-03-29 16:37 61,440 --sha-w c:\windows\system32\fegamive.exe
    2009-03-29 04:36 84,992 --sha-w c:\windows\system32\yebidaza.dll
    2009-03-29 04:36 79,872 --sha-w c:\windows\system32\bofakape.dll
    2009-03-29 04:36 61,440 --sha-w c:\windows\system32\humugege.exe
    2009-03-28 16:35 84,992 --sha-w c:\windows\system32\rewokita.dll
    2009-03-28 16:35 79,872 --sha-w c:\windows\system32\zosufasu.dll
    2009-03-28 16:35 61,440 --sha-w c:\windows\system32\rumepopo.exe
    2009-03-28 04:35 84,992 --sha-w c:\windows\system32\jalezada.dll
    2009-03-28 04:35 79,872 --sha-w c:\windows\system32\hutijezu.dll
    2009-03-28 04:35 61,440 --sha-w c:\windows\system32\lugozeji.exe
    2009-03-27 04:35 84,992 --sha-w c:\windows\system32\fusonasu.dll
    2009-03-25 18:15 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2009-03-07 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-17 19:13 --------- d-----w c:\program files\SiteAdvisor
    2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
    2009-01-30 17:47 --------- d-----w c:\program files\Symantec AntiVirus
    2009-01-30 17:47 --------- d-----w c:\program files\Symantec
    2009-01-30 17:47 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-30 17:47 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2009-01-29 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
    2009-01-21 20:09 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-12-12 17:33 3,060,224 ----a-w c:\windows\system32\SET58.tmp
    2008-12-05 07:12 144,896 ----a-w c:\windows\system32\schannel.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-27_11.02.35.05 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-03-27 17:05:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-03-30 17:10:13 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-03-27 17:05:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-03-30 17:10:13 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-03-30 17:10:13 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-03-30 18:28:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_69c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Yahoo! Pager "= "c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "Search Protection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "RoxWatchTray "= "c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
    "McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
    "McAfee Backup "= "c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-01-09 5134864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe "=
    "c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe "=
    "c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\QBMsgMgr.exe "=
    "c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe "=
    "c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\qbupdate.exe "=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe "=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe "=
    "c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe "=
    "c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe "=
    "c:\\Program Files\\iTunes\\iTunesHelper.exe "=

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-06 210216]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-06-06 24652]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

    2009-03-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 11:45]

    2009-03-06 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

    2009-03-06 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=localhost:7171
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lq97rtwq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-30 11:30:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1856)
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\program files\McAfee\MSK\msksrver.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\progra~1\McAfee.com\Agent\mcagent.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-30 11:45:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-30 18:43:36
    ComboFix2.txt 2009-03-27 18:05:57

    Pre-Run: 25,725,448,192 bytes free
    Post-Run: 25,901,871,104 bytes free

    225 --- E O F --- 2009-03-11 10:01:31
     
  7. 2009/03/30
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK still some problems here.

    Please delete the CFScript you have on your Desktop.

    Now do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
    Code:
    KillAll::
    File::
    c:\windows\system32\komabagi.dll
    c:\windows\system32\zifewiba.dll
    c:\windows\system32\fanesohu.exe
    c:\windows\system32\moduwigo.dll
    c:\windows\system32\minewuda.dll
    c:\windows\system32\rafedote.exe
    c:\windows\system32\somajize.dll
    c:\windows\system32\hunawaze.dll
    c:\windows\system32\fegamive.exe
    c:\windows\system32\yebidaza.dll
    c:\windows\system32\bofakape.dll
    c:\windows\system32\humugege.exe
    c:\windows\system32\rewokita.dll
    c:\windows\system32\zosufasu.dll
    c:\windows\system32\rumepopo.exe
    c:\windows\system32\jalezada.dll
    c:\windows\system32\hutijezu.dll
    c:\windows\system32\lugozeji.exe
    c:\windows\system32\fusonasu.dll
    
    Folder::
    c:\documents and settings\User\Application Data\VirusRemover2008
    
    Please post the Combofix log.

    Thanks
    Geri
     
    Geri,
    #6
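    As an added illustration (not part of Geri's post, and not code from ComboFix or its author), the following Python script shows how the File:: list in the post above can be derived mechanically from the Find3M report in the preceding log. It parses ComboFix's Find3M line format, flags entries in system32 that carry the system+hidden attributes and an eight-letter random-looking name, groups them by the time they were dropped (the log shows sets landing roughly every twelve hours), and emits a CFScript File:: section. The heuristic itself (eight lowercase letters, .dll/.exe, `--sha-w` attributes, located in system32) is an assumption drawn from this thread's log, not a general rule; the sample lines are copied from the log above with two legitimate entries added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: Find3M lines copied from the ComboFix log in this thread,
# plus two legitimate system files (win32k.sys, schannel.dll) and one directory
# entry so that the filter has something it must NOT flag.
SAMPLE_FIND3M = r"""
2009-03-30 16:36 84,992 --sha-w c:\windows\system32\komabagi.dll
2009-03-30 16:36 79,872 --sha-w c:\windows\system32\zifewiba.dll
2009-03-30 16:36 61,440 --sha-w c:\windows\system32\fanesohu.exe
2009-03-30 04:36 84,992 --sha-w c:\windows\system32\moduwigo.dll
2009-03-30 04:36 79,872 --sha-w c:\windows\system32\minewuda.dll
2009-03-30 04:36 61,440 --sha-w c:\windows\system32\rafedote.exe
2009-03-27 04:35 84,992 --sha-w c:\windows\system32\fusonasu.dll
2009-03-29 23:51 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2008-12-05 07:12 144,896 ----a-w c:\windows\system32\schannel.dll
"""

# One Find3M line: "<date> <time> <size|---------> <7-char attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-z]{7})\s+"
    r"(?P<path>.+?)\s*$"
)

# Assumed naming pattern of the dropper seen in this thread: 8 lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def parse_find3m(text):
    """Parse Find3M report lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw_size = m["size"]
        size = None if raw_size.startswith("-") else int(raw_size.replace(",", ""))
        entries.append({"ts": m["ts"], "size": size, "attrs": m["attrs"], "path": m["path"]})
    return entries


def is_suspicious(entry):
    """Heuristic from this thread: system+hidden file in system32 with a random 8-letter name."""
    path = entry["path"].lower()
    if not path.startswith(SYSTEM32_PREFIX):
        return False
    basename = path.rsplit("\\", 1)[-1]
    attrs = entry["attrs"]
    return "s" in attrs and "h" in attrs and RANDOM_NAME_RE.match(basename) is not None


def flag_suspicious(entries):
    """Return the parsed entries that match the heuristic, in log order."""
    return [e for e in entries if is_suspicious(e)]


def group_by_drop_time(entries):
    """Map each timestamp to the sorted basenames dropped at that minute."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["ts"]].append(e["path"].rsplit("\\", 1)[-1])
    return {ts: sorted(names) for ts, names in groups.items()}


def build_cfscript(entries):
    """Render a CFScript File:: section listing the flagged paths, one per line."""
    return "File::\n" + "\n".join(e["path"] for e in entries) + "\n"


if __name__ == "__main__":
    flagged = flag_suspicious(parse_find3m(SAMPLE_FIND3M))
    for ts, names in sorted(group_by_drop_time(flagged).items()):
        print(ts, "->", ", ".join(names))
    print(build_cfscript(flagged))
```

    The grouping step is the part worth keeping in mind when reading such logs: the same three sizes (84,992 / 79,872 / 61,440 bytes) reappear under new names at each drop time, which is why a one-off deletion of the names seen today is not enough and the respawning component has to go as well.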
  8. 2009/03/31
    denise82

    denise82 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    7
    Likes Received:
    0
    Hi Geri. So far so good... 2 days of no pop-ups and redirecting links... whew! I have done what you asked me to do and here's the combofix log. Let me know if there's anything else that I should be doing to totally eliminate these malware and spyware.

    All the best.
    denise82

    ******************
    ComboFix 09-03-30.04 - User 2009-03-31 10:42:52.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.178 [GMT -7:00]
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *enabled*
    * Created a new restore point

    FILE ::
    c:\windows\system32\bofakape.dll
    c:\windows\system32\fanesohu.exe
    c:\windows\system32\fegamive.exe
    c:\windows\system32\fusonasu.dll
    c:\windows\system32\humugege.exe
    c:\windows\system32\hunawaze.dll
    c:\windows\system32\hutijezu.dll
    c:\windows\system32\jalezada.dll
    c:\windows\system32\komabagi.dll
    c:\windows\system32\lugozeji.exe
    c:\windows\system32\minewuda.dll
    c:\windows\system32\moduwigo.dll
    c:\windows\system32\rafedote.exe
    c:\windows\system32\rewokita.dll
    c:\windows\system32\rumepopo.exe
    c:\windows\system32\somajize.dll
    c:\windows\system32\yebidaza.dll
    c:\windows\system32\zifewiba.dll
    c:\windows\system32\zosufasu.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\User\Application Data\VirusRemover2008
    c:\documents and settings\User\Application Data\VirusRemover2008\Logs\scns.log
    c:\windows\system32\bofakape.dll
    c:\windows\system32\fanesohu.exe
    c:\windows\system32\fegamive.exe
    c:\windows\system32\fusonasu.dll
    c:\windows\system32\humugege.exe
    c:\windows\system32\hunawaze.dll
    c:\windows\system32\hutijezu.dll
    c:\windows\system32\jalezada.dll
    c:\windows\system32\komabagi.dll
    c:\windows\system32\lugozeji.exe
    c:\windows\system32\minewuda.dll
    c:\windows\system32\moduwigo.dll
    c:\windows\system32\rafedote.exe
    c:\windows\system32\rewokita.dll
    c:\windows\system32\rumepopo.exe
    c:\windows\system32\somajize.dll
    c:\windows\system32\yebidaza.dll
    c:\windows\system32\zifewiba.dll
    c:\windows\system32\zosufasu.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
    .

    2009-03-25 11:15 . 2009-03-25 11:15 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
    2009-03-06 17:00 . 2009-03-31 10:53 10,263 --a------ c:\windows\system32\Config.MPF
    2009-03-06 16:52 . 2009-01-09 13:03 213,640 --a------ c:\windows\system32\drivers\mfehidk.sys
    2009-03-06 16:51 . 2008-10-23 14:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys
    2009-03-06 16:50 . 2009-03-06 16:50 <DIR> d-------- c:\program files\McAfee.com
    2009-03-06 16:50 . 2009-03-06 16:51 <DIR> d-------- c:\program files\Common Files\McAfee
    2009-03-06 16:49 . 2009-03-24 11:28 <DIR> d-------- c:\program files\McAfee
    2009-02-18 15:31 . 2009-02-18 15:32 <DIR> d-------- c:\windows\ERUNT
    2009-02-17 17:58 . 2009-02-17 17:58 <DIR> d-------- C:\Binaries
    2009-02-17 17:57 . 2009-02-17 17:57 <DIR> d-------- c:\program files\Webroot
    2009-02-17 17:57 . 2009-03-06 16:37 <DIR> d-------- c:\documents and settings\User\Application Data\Webroot
    2009-02-17 17:51 . 2009-02-17 17:51 164 --a------ C:\install.dat
    2009-02-17 13:06 . 2009-02-17 13:06 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
    2009-02-09 17:51 . 2009-02-09 17:51 <DIR> d-------- c:\temp\sTMP3
    2009-02-05 12:54 . 2008-04-04 16:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
    2009-02-05 12:54 . 2009-02-05 12:55 <DIR> d-------- c:\documents and settings\Administrator
    2009-02-03 10:45 . 2009-02-03 10:45 48 --a------ c:\windows\wininit.ini
    2009-02-02 11:56 . 2009-02-02 11:56 230 --a------ c:\windows\system32\spupdsvc.inf
    2009-02-02 11:52 . 2007-08-13 19:52 66,048 --a------ c:\windows\ieResetIcons.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-31 00:52 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-03-25 18:15 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2009-03-07 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-17 19:13 --------- d-----w c:\program files\SiteAdvisor
    2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
    2009-01-30 17:47 --------- d-----w c:\program files\Symantec AntiVirus
    2009-01-30 17:47 --------- d-----w c:\program files\Symantec
    2009-01-30 17:47 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-30 17:47 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2009-01-29 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
    2009-01-21 20:09 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-12-12 17:33 3,060,224 ----a-w c:\windows\system32\SET58.tmp
    2008-12-05 07:12 144,896 ----a-w c:\windows\system32\schannel.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-27_11.02.35.05 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-03-27 17:05:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-03-31 16:25:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-03-27 17:05:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-03-31 16:25:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-02-25 19:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
    + 2009-03-31 17:50:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6e8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Yahoo! Pager "= "c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "Search Protection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "RoxWatchTray "= "c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
    "McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
    "McAfee Backup "= "c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-01-09 5134864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe "=
    "c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe "=
    "c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\QBMsgMgr.exe "=
    "c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe "=
    "c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\qbupdate.exe "=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe "=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe "=
    "c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe "=
    "c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe "=
    "c:\\Program Files\\iTunes\\iTunesHelper.exe "=

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-06 210216]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-06-06 24652]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

    2009-03-31 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 11:45]

    2009-03-06 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

    2009-03-06 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=localhost:7171
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lq97rtwq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-31 10:54:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1972)
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\program files\McAfee\MSK\msksrver.exe
    c:\progra~1\McAfee.com\Agent\mcagent.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-31 11:03:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-31 18:02:42
    ComboFix2.txt 2009-03-30 18:45:46
    ComboFix3.txt 2009-03-27 18:05:57

    Pre-Run: 26,239,225,856 bytes free
    Post-Run: 26,234,605,568 bytes free

    224 --- E O F --- 2009-03-30 18:57:26
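One line in the Supplementary Scan above is worth a closer look from a defender's side: `uInternet Settings,ProxyServer = http=localhost:7171` means Internet Explorer was configured to send HTTP traffic through a listener on the machine itself, which is one way a redirector can interpose itself on web searches. The following helper is an added example, not ComboFix's own code or anything posted in the thread; it parses the `uInternet Settings` / `mInternet Settings` lines of such a log and reports any ProxyServer entry that points at the loopback host. The sample log text is constructed from the lines shown above.

```python
"""Triage helper for the Internet Settings lines in a ComboFix log.

Added example, not ComboFix's own code. It parses the 'uInternet Settings'
and 'mInternet Settings' lines of the Supplementary Scan section and flags a
ProxyServer value that points at the local machine: a loopback proxy means
something running on the host sits between the browser and the network.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines copied from the ComboFix log in the thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
"""

# Hosts that resolve to the machine itself.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}

# 'u' = current-user hive, 'm' = machine hive, as ComboFix labels them.
SETTING_RE = re.compile(r"^([um])Internet Settings,(\w+)\s*=\s*(.*)$")


def parse_internet_settings(log: str) -> Dict[str, Dict[str, str]]:
    """Return {'u': {key: value}, 'm': {key: value}} for the Internet Settings lines."""
    settings: Dict[str, Dict[str, str]] = {"u": {}, "m": {}}
    for line in log.splitlines():
        match = SETTING_RE.match(line.strip())
        if match:
            hive, key, value = match.groups()
            settings[hive][key] = value.strip()
    return settings


def parse_proxy_server(value: str) -> List[Tuple[str, str, str]]:
    """Split a ProxyServer value into (scheme, host, port) triples.

    Windows stores either 'host:port' (all protocols) or a ';'-separated list
    such as 'http=host:port;https=host:port'. A missing scheme is reported as '*'.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given
            host, port = hostport, ""
        entries.append((scheme or "*", host.lower(), port))
    return entries


def suspicious_proxies(log: str) -> List[str]:
    """Describe every ProxyServer entry that routes traffic through the local host."""
    findings = []
    for hive, keys in parse_internet_settings(log).items():
        value = keys.get("ProxyServer")
        if not value:
            continue
        for scheme, host, port in parse_proxy_server(value):
            if host in LOOPBACK_HOSTS or host.startswith("127."):
                findings.append(
                    f"{hive}Internet Settings ProxyServer sends {scheme} traffic "
                    f"through {host}:{port} (loopback proxy)"
                )
    return findings


if __name__ == "__main__":
    for finding in suspicious_proxies(SAMPLE_LOG):
        print(finding)
```

A corporate proxy such as `proxy.corp.example:8080` produces no finding; only entries that name the machine itself are reported, since a legitimate proxy normally lives elsewhere on the network. On the user's log the check reports the `localhost:7171` entry, which is consistent with the redirect symptom the thread started with.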
     
  9. 2009/03/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK that looks much better.

    Please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now let's get an online scan.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files.
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  10. 2009/04/02
    denise82

    denise82 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    7
    Likes Received:
    0
    Hi Geri. Here's the Kaspersky report. I don't know why my McAfee cannot detect these. :(

    **********
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, April 2, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, April 02, 2009 19:41:37
    Records in database: 2001071
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 52095
    Threat name: 3
    Infected objects: 9
    Suspicious objects: 0
    Duration of the scan: 03:58:14


    File name / Threat name / Threats count
    C:\Documents and Settings\User\Local Settings\Application Data\Identities\{14C81F50-B22C-4B0E-8698-6993F74BC518}\Microsoft\Outlook Express\1258 Highland.dbx Infected: Email-Worm.Win32.NetSky.q 1
    C:\Documents and Settings\User\My Documents\Outlook Express\1258 Highland.dbx Infected: Email-Worm.Win32.NetSky.q 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\fanesohu.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\fegamive.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\humugege.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lugozeji.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rafedote.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rumepopo.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
    C:\Qoobox\Quarantine\[4]-Submit_2009-03-30@11.20.zip Infected: Trojan.Win32.AntiAV.aug 1

    The selected area was scanned.
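The report above mixes three kinds of hits: two inside Outlook Express mail stores (`.dbx` files, which is why the next post asks for those folders to be deleted), six `.vir` copies already sitting in ComboFix's `C:\Qoobox\Quarantine` folder (inert copies of files ComboFix had already removed), and the ComboFix submission archive. The following helper is an added example, not Kaspersky's or the forum's code; it parses the `File name / Threat name / Threats count` lines and sorts them into those buckets so the reader can see at a glance which detections still need action. The sample report is constructed from lines in the post above.

```python
"""Triage a Kaspersky Online Scanner 7 report by where each hit lives.

Added example, not Kaspersky's or the forum's own code. It parses the
'File name / Threat name / Threats count' lines and sorts hits into three
buckets: copies already sitting in ComboFix's quarantine (C:\\Qoobox), hits
inside a mail store (.dbx), and anything else, which is still live on disk.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    path: str
    threat: str
    count: int


# One report line: '<path> Infected: <threat> <count>'; the path may contain spaces.
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# ComboFix keeps what it removed under C:\Qoobox\Quarantine, so hits there are inert copies.
QUARANTINE_PREFIX = "c:\\qoobox\\"
MAIL_STORE_SUFFIXES = (".dbx",)  # Outlook Express folder files

# Constructed sample built from lines in the report posted in the thread.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\User\My Documents\Outlook Express\1258 Highland.dbx Infected: Email-Worm.Win32.NetSky.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fanesohu.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\[4]-Submit_2009-03-30@11.20.zip Infected: Trojan.Win32.AntiAV.aug 1

The selected area was scanned.
"""


def parse_hits(report: str) -> List[Hit]:
    """Extract every 'Infected:' line as a Hit; other report lines are ignored."""
    hits = []
    for line in report.splitlines():
        match = HIT_RE.match(line.strip())
        if match:
            hits.append(Hit(match["path"], match["threat"], int(match["count"])))
    return hits


def classify(hit: Hit) -> str:
    """Return 'quarantined', 'mail_store' or 'live' for one hit."""
    path = hit.path.lower()
    if path.startswith(QUARANTINE_PREFIX):
        return "quarantined"
    if path.endswith(MAIL_STORE_SUFFIXES):
        return "mail_store"
    return "live"


def triage(report: str) -> Dict[str, List[Hit]]:
    """Group the report's hits by bucket; 'live' is the one that needs action."""
    buckets: Dict[str, List[Hit]] = {"quarantined": [], "mail_store": [], "live": []}
    for hit in parse_hits(report):
        buckets[classify(hit)].append(hit)
    return buckets


def threat_counts(report: str) -> Counter:
    """Total detections per threat name across the whole report."""
    totals: Counter = Counter()
    for hit in parse_hits(report):
        totals[hit.threat] += hit.count
    return totals


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(hits)}")
        for hit in hits:
            print(f"  {hit.threat}  {hit.path}")
```

Run against the full report in the post, everything lands in `quarantined` or `mail_store` and `live` stays empty, which is the practical meaning of "the scanner only found what the earlier cleanup had already dealt with". A `.dbx` hit is a worm attachment inside a stored message rather than an executing file, so it is handled by deleting the mail folder; the quarantine copies disappear when ComboFix is uninstalled later in the thread.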
     
  11. 2009/04/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Denise

    Please open Outlook Express and delete these emails.
    1258 Highland.dbx

    Delete everything in your sent email box and delete everything in your Deleted email box.

    Let me know that you found them and delete them.

    Thanks
    Geri
     
  12. 2009/04/03
    denise82

    denise82 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    7
    Likes Received:
    0
    Dearest Geri, I have deleted my 1258 Highland.dbx and emptied my sent and deleted folders. Let me know how to move forward. And shall I keep the combofix.exe in my desktop as well as the Qoobox in my hard drive?

    All the best,
    denise82 :)
     
  13. 2009/04/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please do this.

    Click Start > Run; in the run box, copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.
    Please check and verify that the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. If they weren't, please delete them manually.

    Delete DDS from your Desktop.

    Let me know how things are running.

    Thanks
    Geri
     
  14. 2009/04/13
    denise82

    denise82 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    7
    Likes Received:
    0
    Dearest Geri, sorry for the long lull... I was able to uninstall combofix and its corresponding folders and files. Everything seems to be working great... thanks to your expertise. Hope it continues to be this smooth.

    My best regards,
    denise82
     
  15. 2009/04/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Denise
    That's good to hear. You're welcome.

    Please look at this link for some preventive recommendations; it could keep you from ending up back here in the Malware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I'll mark this one resolved.

    Surf Safely
    Geri
     
