Combofix seems to have done the trick. Everything is running smoothly.
But here is what I went through for future reference:
I had to download combofix and the recovery console ISO onto a jumpdrive on my other PC and then copy it to my desktop because the virus did not let me access the bleepingcomputer site and the microsoft site for the recovery console ISO (or this site either). Then I dragged the files over to my desktop. I followed the directions to drag the recovery console over and drop it on the combofix.exe icon and then run it - but nothing happened! I checked in the task manager and it showed that it was running combofix.exe under SYSTEM, but no windows appeared to start or run the program. So, I read up on some other posts that the virus actually DISABLES malware removal programs so you have to rename it before you save it. I renamed it on my desktop but it still didn't work and said the CF script was named wrong. So I deleted the combofix.exe file from my desktop completely and end tasked it in the task manager as well. I THEN RENAMED THE FILE ON MY JUMP DRIVE TO Dweebs.exe before copying it to my desktop. Then I dragged over the renamed file "dweebs.exe" onto my desktop and dragged the recovery console ISO over it and it worked. I was able to run it with no problem.
(BTW: During the last reboot, before it prepared the log I received this error message:
Error loading - I:\PROGRA~I/MYWEBS~\bar\2.bin\m3plugin.dll
The specified module could not be found.)
Here is my combofix log:
ComboFix 08-12-24.01 - user 2008-12-25 13:07:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1616 [GMT -5:00]
Running from: i:\documents and settings\user\Desktop\dweebles.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
i:\documents and settings\user\Application Data\FunWebProducts
i:\documents and settings\user\Application Data\FunWebProducts\Data\user\avatar.dat
i:\documents and settings\user\Application Data\FunWebProducts\Data\user\outfit.dat
i:\documents and settings\user\Application Data\FunWebProducts\Data\user\zbucks.dat
i:\program files\FunWebProducts
i:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
i:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
i:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
i:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
i:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
i:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
i:\program files\Internet Explorer\msimg32.dll
i:\program files\MyWebSearch
i:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
i:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
i:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
i:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
i:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
i:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
i:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
i:\program files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
i:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
i:\program files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
i:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
i:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
i:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
i:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
i:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
i:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
i:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
i:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
i:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
i:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
i:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
i:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
i:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
i:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
i:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
i:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
i:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
i:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
i:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
i:\program files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
i:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
i:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
i:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
i:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
i:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
i:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
i:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
i:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
i:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
i:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
i:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
i:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
i:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
i:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css
i:\program files\MyWebSearch\bar\Avatar\COMMON\common.css
i:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\include.js
i:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm
i:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm
i:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
i:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
i:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico
i:\program files\MyWebSearch\bar\Cache\000416FF
i:\program files\MyWebSearch\bar\Cache\0004B33F
i:\program files\MyWebSearch\bar\Cache\0005EA67
i:\program files\MyWebSearch\bar\Cache\0006933A
i:\program files\MyWebSearch\bar\Cache\001ABB14
i:\program files\MyWebSearch\bar\Cache\00306392
i:\program files\MyWebSearch\bar\Cache\0059F8C6.bin
i:\program files\MyWebSearch\bar\Cache\0059FA1E.bin
i:\program files\MyWebSearch\bar\Cache\0059FB18.bin
i:\program files\MyWebSearch\bar\Cache\0059FBC4.bin
i:\program files\MyWebSearch\bar\Cache\0059FCAE
i:\program files\MyWebSearch\bar\Cache\00831A9F.bin
i:\program files\MyWebSearch\bar\Cache\00831B1C.bin
i:\program files\MyWebSearch\bar\Cache\00831C83.bin
i:\program files\MyWebSearch\bar\Cache\00831D4E.bin
i:\program files\MyWebSearch\bar\Cache\00831DFA.bin
i:\program files\MyWebSearch\bar\Cache\008E94FA.bin
i:\program files\MyWebSearch\bar\Cache\008E95D4.bin
i:\program files\MyWebSearch\bar\Cache\008E9651.bin
i:\program files\MyWebSearch\bar\Cache\00B3E623
i:\program files\MyWebSearch\bar\Cache\0133485E
i:\program files\MyWebSearch\bar\Cache\files.ini
i:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
i:\program files\MyWebSearch\bar\Game\CHESS.F3S
i:\program files\MyWebSearch\bar\Game\REVERSI.F3S
i:\program files\MyWebSearch\bar\History\search3
i:\program files\MyWebSearch\bar\icons\CM.ICO
i:\program files\MyWebSearch\bar\icons\MFC.ICO
i:\program files\MyWebSearch\bar\icons\PSS.ICO
i:\program files\MyWebSearch\bar\icons\SMILEY.ICO
i:\program files\MyWebSearch\bar\icons\WB.ICO
i:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
i:\program files\MyWebSearch\bar\Message\COMMON.F3S
i:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
i:\program files\MyWebSearch\bar\Notifier\DOG.F3S
i:\program files\MyWebSearch\bar\Notifier\FISH.F3S
i:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
i:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
i:\program files\MyWebSearch\bar\Notifier\MAID.F3S
i:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
i:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
i:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
i:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
i:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
i:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
i:\program files\MyWebSearch\bar\Settings\s_pid.dat
i:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
i:\program files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
i:\windows\a3kebook.ini
i:\windows\akebook.ini
i:\windows\ANS2000.INI
i:\windows\jestertb.dll
i:\windows\system32\~.exe
i:\windows\system32\drivers\TDSSmqct.sys
i:\windows\system32\f3PSSavr.scr
i:\windows\system32\hiQBHRqr.ini
i:\windows\system32\hiQBHRqr.ini2
i:\windows\system32\hngrquuy.ini
i:\windows\system32\irezasos.ini
i:\windows\system32\jlbkng.dll
i:\windows\system32\jwgjjpkm.dll
i:\windows\system32\ljJabaAt.dll
i:\windows\system32\mcrh.tmp
i:\windows\system32\opnolICT.dll
i:\windows\system32\oreminop.ini
i:\windows\system32\prunnet.exe
i:\windows\system32\rqRHBQih.dll
i:\windows\system32\saguyeba.dll
i:\windows\system32\TDSSarxx.dll
i:\windows\system32\TDSScfmm.dll
i:\windows\system32\TDSSkkai.log
i:\windows\system32\TDSSlicn.dll
i:\windows\system32\TDSSmtye.dat
i:\windows\system32\TDSSnmxh.log
i:\windows\system32\TDSSotuh.dll
i:\windows\system32\TDSSsahc.dll
i:\windows\system32\TDSSvoql.dll
i:\windows\system32\TDSSxhyf.log
i:\windows\system32\tyshb36rfjdf.dll
i:\windows\system32\usayojis.ini
i:\windows\system32\vtUoMCUK.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.
2008-12-24 23:11 . 2008-04-13 20:12 159,232 --a------ i:\windows\system32\ptpusd.dll
2008-12-24 23:11 . 2001-08-17 22:36 5,632 --a------ i:\windows\system32\ptpusb.dll
2008-12-19 22:23 . 2008-12-19 22:23 <DIR> d-------- i:\documents and settings\user\Application Data\AdwareAlert
2008-12-19 22:09 . 2008-12-19 22:09 <DIR> d-------- i:\program files\Uniblue
2008-12-19 22:09 . 2008-12-19 22:09 <DIR> d-------- i:\documents and settings\user\Application Data\Uniblue
2008-12-19 21:37 . 2008-12-19 21:37 <DIR> d-------- i:\program files\Trend Micro
2008-12-19 20:59 . 2008-12-19 21:05 1,661,900 --ahs---- i:\windows\system32\hngrquuy.tmp
2008-12-18 11:49 . 2008-12-18 11:49 <DIR> d-------- I:\VundoFix Backups
2008-12-17 21:12 . 2008-12-17 21:12 1 --a------ i:\windows\system32\edl.dat
2008-12-17 19:07 . 2008-12-17 19:07 <DIR> d-------- i:\documents and settings\Administrator
2008-12-14 11:19 . 2008-12-14 11:19 <DIR> d-------- i:\program files\iTunes
2008-12-14 11:19 . 2008-12-14 11:19 <DIR> d-------- i:\program files\iPod
2008-12-14 11:19 . 2008-12-14 11:19 <DIR> d-------- i:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-14 11:18 . 2008-12-14 11:18 <DIR> d-------- i:\program files\QuickTime
2008-12-05 17:42 . 2008-12-09 17:04 <DIR> d-------- i:\documents and settings\user\Application Data\SPORE
2008-12-05 17:42 . 2008-12-05 17:42 <DIR> dr-h----- i:\documents and settings\user\Application Data\SecuROM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 18:01 --------- d-----w i:\documents and settings\user\Application Data\Tunebite
2008-12-25 17:48 85,269 --sha-w i:\windows\system32\sijoyasu.dll
2008-12-25 17:17 --------- d-----w i:\documents and settings\All Users\Application Data\Google Updater
2008-12-25 16:48 60,211 --sha-w i:\windows\system32\yupohote.dll
2008-12-24 17:06 84,102 ----a-w i:\windows\system32\ponimero.dll
2008-12-18 04:15 --------- d-----w i:\program files\Coupons
2008-12-18 04:14 --------- d-----w i:\program files\MSN Messenger
2008-12-18 04:13 --------- d-----w i:\program files\Yahoo!
2008-12-18 04:13 --------- d-----w i:\documents and settings\user\Application Data\Yahoo!
2008-12-18 04:13 --------- d-----w i:\documents and settings\All Users\Application Data\Yahoo!
2008-12-14 16:48 --------- d-----w i:\documents and settings\user\Application Data\Apple Computer
2008-12-14 16:19 --------- d-----w i:\program files\Common Files\Apple
2008-12-14 16:14 --------- d-----w i:\program files\Safari
2008-12-05 22:42 107,888 ----a-w i:\windows\system32\CmdLineExt.dll
2008-12-05 22:41 1,522 ----a-w i:\windows\system32\ealregsnapshot1.reg
2008-12-05 22:11 --------- d-----w i:\program files\Electronic Arts
2008-12-05 22:10 --------- d--h--w i:\program files\InstallShield Installation Information
2008-11-26 13:07 --------- d-----w i:\program files\DivX
2008-11-25 02:38 --------- d-----w i:\program files\Microsoft ActiveSync
2008-11-25 02:34 --------- d-----w i:\program files\Windows Media Components
2008-11-25 01:39 --------- d-----w i:\documents and settings\user\Application Data\DVD Catalyst3
2008-11-24 23:07 --------- d-----w i:\program files\DVD Catalyst
2008-11-21 13:57 --------- d-----w i:\documents and settings\LocalService\Application Data\SACore
2008-11-18 03:10 --------- d-----w i:\documents and settings\All Users\Application Data\McAfee
2008-11-18 01:27 --------- d---a-w i:\documents and settings\All Users\Application Data\TEMP
2008-11-18 01:26 --------- d-----w i:\program files\SCRABBLE
2008-11-18 01:26 --------- d-----w i:\documents and settings\user\Application Data\SpinTop
2008-11-14 02:23 --------- d-----w i:\program files\McAfee
2008-11-11 21:54 --------- d-----w i:\program files\House Beautiful
2008-11-08 19:29 --------- d-----w i:\documents and settings\user\Application Data\HP
2008-11-07 23:51 --------- d-----w i:\documents and settings\All Users\Application Data\HP Product Assistant
2008-11-07 19:23 32,000 ----a-w i:\windows\system32\drivers\usbaapl.sys
2008-10-23 12:36 286,720 ----a-w i:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w i:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w i:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w i:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w i:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w i:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w i:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w i:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w i:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w i:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w i:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w i:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w i:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w i:\windows\system32\msxml4.dll
2008-09-25 16:48 60,211 --sha-w i:\windows\system32\waluyelo.dll
2008-09-25 16:48 60,211 --sha-w i:\windows\system32\gomuzidi.dll
2008-09-25 16:48 33,792 --sha-w i:\windows\system32\guromome.dll
2008-07-05 15:47 0 -c--a-w i:\program files\temp01
2007-02-12 23:10 2,682,880 -c--a-w i:\documents and settings\All Users\VCREDI~3.EXE
2008-10-22 23:22 122,880 ----a-w i:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"= "i:\program files\AOL\AIM Toolbar 5.0\aoltb.dll" [2008-03-07 1090912]
[HKEY_CLASSES_ROOT\clsid\{ea756889-2338-43db-8f07-d1ca6fb9c90d}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{371A6A18-2D6A-4DF8-A4AA-61CA349B3C70}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54125f14-9193-4fd1-965e-7353d1ed29eb}]
2008-09-25 11:48 60211 --ahs---- i:\windows\system32\waluyelo.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="i:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Tunebite"="i:\program files\RapidSolution\Tunebite\Tunebite.exe" [2008-04-24 6366512]
"MSMSGS"="i:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"WMPNSCFG"="i:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"HP Software Update"="i:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"mcagent_exe"="i:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PWRISOVM.EXE"="i:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]
"AppleSyncNotifier"="i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Google Desktop Search"="i:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-22 29744]
"QuickTime Task"="i:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="i:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"bipoyopeja"="i:\windows\system32\gomuzidi.dll" [2008-09-25 60211]
"000000af"="i:\windows\system32\sijoyasu.dll" [2008-12-25 85269]
i:\documents and settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - i:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
HP Digital Imaging Monitor.lnk - i:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli i:\windows\system32\saguyeba.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 i:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 i:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 i:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 i:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 00:41 8523776 i:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-12-05 00:41 81920 i:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-07-12 03:00 132496 i:\program files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2007-12-05 00:41 1626112 i:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-12-14 20:06 577536 i:\windows\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\program files\Microsoft ActiveSync\rapimgr.exe"= i:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"i:\program files\Microsoft ActiveSync\wcescomm.exe"= i:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"i:\program files\Microsoft ActiveSync\WCESMgr.exe"= i:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"i:\\Program Files\\Messenger\\msmsgs.exe"=
"i:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"i:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"i:\\Program Files\\iTunes\\iTunes.exe"=
"i:\\WINDOWS\\system32\\rundll32.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"i:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-03 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"i:\program files\Viewpoint\Common\ViewpointService.exe" [2008-06-11 24652]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"i:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-22 29744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
i:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-20 i:\windows\Tasks\AdwareAlert Scheduled Scan.job
- i:\program files\AdwareAlert\AdwareAlert.exe []
2008-12-20 i:\windows\Tasks\AdwareAlert Scheduled Scan.job
- i:\program files\AdwareAlert []
2008-12-15 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-10-15 i:\windows\Tasks\McDefragTask.job
- i:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
2008-09-01 i:\windows\Tasks\McQcTask.job
- i:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -
BHO-{4ADB39BE-39E0-41C1-8AB6-0B098B3E0E8E} - i:\windows\system32\rqRHBQih.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - i:\windows\system32\vtUoMCUK.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - i:\windows\system32\tyshb36rfjdf.dll
Toolbar-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - i:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
WebBrowser-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - i:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
HKCU-Run-MsnMsgr - i:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-prunnet - i:\windows\system32\prunnet.exe
HKCU-Run-AdwareAlert - i:\program files\AdwareAlert\AdwareAlert.exe
HKLM-Run-MyWebSearch Plugin - i:\progra~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
HKLM-Run-My Web Search Bar Search Scope Monitor - i:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
HKLM-Run-prunnet - i:\windows\system32\prunnet.exe
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - i:\windows\system32\tyshb36rfjdf.dll
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - i:\windows\system32\vtUoMCUK.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - i:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZJfox000
IE: &Windows Live Search - i:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - i:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - i:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
i:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///I:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
i:\windows\Downloaded Program Files\CpnMgr.dll - O16 -: {549F957E-2F89-11D6-8CFE-00C04F52B225}
hxxp://coupons.smartsource.com/download/cscmv5X.cab
i:\windows\Downloaded Program Files\CpnMgr.inf
i:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///I:/Program%20Files/SCRABBLE/Images/armhelper.ocx
FF - ProfilePath - i:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\k6ohz4co.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/red ... 706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?inv ... rab&query=
FF - component: i:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: i:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: i:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\k6ohz4co.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: i:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: i:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: i:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: i:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: i:\program files\Picasa2\npPicasa2.dll
FF - plugin: i:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 13:11:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
i:\windows\system32\usayojis.ini 1603449 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
i:\program files\Bonjour\mDNSResponder.exe
i:\windows\ehome\ehrecvr.exe
i:\windows\ehome\ehSched.exe
i:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
i:\progra~1\McAfee\MSC\mcmscsvc.exe
i:\program files\Common Files\McAfee\MNA\McNASvc.exe
i:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
i:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
i:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
i:\windows\system32\nvsvc32.exe
i:\windows\system32\HPZipm12.exe
i:\windows\ehome\RMSvc.exe
i:\windows\system32\rundll32.exe
i:\progra~1\MI3AA1~1\rapimgr.exe
i:\windows\ehome\McrdSvc.exe
i:\program files\Windows Media Player\wmpnetwk.exe
i:\program files\HP\Digital Imaging\bin\hpqste08.exe
i:\windows\system32\dllhost.exe
i:\program files\iPod\bin\iPodService.exe
i:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2008-12-25 13:18:46 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-12-25 18:18:43
Pre-Run: 197,526,634,496 bytes free
Post-Run: 197,708,759,040 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
470 --- E O F --- 2008-12-10 04:19:19
What next?
Thanx and Happy Holidays!
Kats