WiredWX Hobby Weather ToolsLog in

 


vosemuji.dll,tuvujuka.dll et al

2 posters

descriptionvosemuji.dll,tuvujuka.dll et al Emptyvosemuji.dll,tuvujuka.dll et al

more_horiz
Good Day All (I think)

My dearest son has presented me with a problem that "popped" up, literally, 5 days ago. Gotta love teenagers.

Massive pop-ups, there is a splash screen that is covering the desktop (desktop is available by drilling down through My Computer>Documents & Settings>User name). Malwarebyte's is not available because the mbam.exe is being blocked, I cannot access the Task Manager by right clicking the bar at the bottom of the page. AVG has been over-ridden. I cannot use System restore to roll back to clean save, states corrupted. Safe Mode is also unavailable. Unable to access/utilize MS Update and at this time I am concerned about updating or changing anything on his computer for fear of infection/corruption.

His computer has IE 8 installed however we do not use IE, we are using Firefox, current version is 3.6 I believe. I went into the internet options for IE 8 and cleared all the settings.

I had an issue similar to this on another computer in my home over a year ago and I really don't want to spend the next 6 days fumbling around trying to figure it out, again. Any assistance is greatly appreciated.

~The splash screen covering the DT states:

YOUR SYSTEM IS INFECTED!! System has been stopped sue to services malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer until all spyware removed.

~Main Ballloon pop-up: Your computer is infected! Windows has detected an infection of spyware! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you.

If you click the bubble and not the "X" it attempts to download Internet Security 10

~One on the main warnings I get:
Attention! System detected potential hazard (TrojanSPM/LX) on your computer that may infect executable files. Your private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need to update your current security software. Click ok to download official intrusion detection software (IDS software).

~Computer - XP Prof SP 2 build 2002, HP rebuild

~TOO may pop-ups to mention

~Here is the current HJT log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:39:27 AM, on 2/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [gijozifet] Rundll32.exe "c:\windows\system32\vosemuji.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "E:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O15 - Trusted Zone: http://*.buy-internet-security10.com
O15 - Trusted Zone: http://*.is-soft-download.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.buy-internet-security10.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1264996372609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1264997327828
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\vosemuji.dll,tuvujuka.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O21 - SSODL: labapikef - {0c9ed4ee-6d54-4434-9483-e54bb1307e13} - c:\windows\system32\vosemuji.dll
O22 - SharedTaskScheduler: tokatiluy - {0c9ed4ee-6d54-4434-9483-e54bb1307e13} - c:\windows\system32\vosemuji.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 4179 bytes

With matters such as these, when the computer is not in use it is disconnected from the net, via removing the wire, I do not trust Disabling the NIC. I will check back in a few hours to see if anyone has found the time to assist me. I know you folks are busy. I am posting this from my personal computer so we don't need to turn his on again. Notepad is a wonderous thing.

When there is a reply, I will go turn on/log in to his computer for your fixes and to answer questions from his computer.

Thank you for any assistance you may be able to provide. I have a feeling reformatting the computer won't help. I really do not want to reload it and deal with MS CSRs, their computer intelligence seems to be less than mine. Smile...

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
    O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
    O4 - HKLM\..\Run: [gijozifet] Rundll32.exe "c:\windows\system32\vosemuji.dll",a
    O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
    O15 - Trusted Zone: http://*.buy-internet-security10.com
    O15 - Trusted Zone: http://*.is-soft-download.com
    O15 - Trusted Zone: http://*.is-software-download.com
    O15 - Trusted Zone: http://*.is-software-download25.com
    O15 - Trusted Zone: http://*.buy-internet-security10.com (HKLM)
    O20 - AppInit_DLLs: c:\windows\system32\vosemuji.dll,tuvujuka.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O21 - SSODL: labapikef - {0c9ed4ee-6d54-4434-9483-e54bb1307e13} - c:\windows\system32\vosemuji.dll
    O22 - SharedTaskScheduler: tokatiluy - {0c9ed4ee-6d54-4434-9483-e54bb1307e13} - c:\windows\system32\vosemuji.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Receved a lovely pop-up when I did the HJT removal

Application cannot be executed. The file is infected. Please activate your antivirus software.

Continuing with your instructions.

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Malwarebye Install error

Unable to execute file:
C:\Program Files\Malwarebytes'Anti-Malware\mbam.exe

CreateProcess Failed; code 5.
Access is denied

Still the same issue I stated in the beginning of my email.

Will send new HJT per instructions.

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
HJT File

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:19:06 AM, on 2/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Colin\My Documents\Downloads\mbam-setup.exe
C:\DOCUME~1\Colin\LOCALS~1\Temp\is-S2OSD.tmp\mbam-setup.tmp
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [gijozifet] Rundll32.exe "c:\windows\system32\yikiduta.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "E:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264996372609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264997327828
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\yikiduta.dll,tuvujuka.dll
O21 - SSODL: mubivotow - {ec8d0ed0-ece7-4f64-96a5-28658afed7ab} - c:\windows\system32\yikiduta.dll
O22 - SharedTaskScheduler: kupuhivus - {ec8d0ed0-ece7-4f64-96a5-28658afed7ab} - c:\windows\system32\yikiduta.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 3852 bytes

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    vosemuji.dll,tuvujuka.dll et al CF_download_FF

    vosemuji.dll,tuvujuka.dll et al CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    vosemuji.dll,tuvujuka.dll et al Cf410

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    vosemuji.dll,tuvujuka.dll et al Cf510

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Unable to complete the instructions for stopping AVG - the required command is greyed out so that I cannot click on it.

I looked at the services and the AVG related services are stopped and disabled.

Not to sound redundant but I mentioned in my original post that AVG has been overridden and I cannot access it.

If I could get to the task manager I would stop the processes that way, however I cannot access Task Manager.

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Received an interesting pop-up at boot up. It was a command line:

C:\WINDOWS\sys32\41.exe

Downloading combo-fix, cross your fingers the .exe will work properly.

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Combo fix worked however a component of AVG gwas on and I still cannot turn the process off. I am willing to uninstall the program if it is necessary to clean up this mess here is the the Combo-fix log.


ComboFix 10-02-04.01 - Colin 02/04/2010 15:48:31.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1089 [GMT -7:00]
Running from: c:\documents and settings\Colin\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Colin\Desktop\Internet Security 2010.lnk
c:\windows\system32\41.exe
c:\windows\system32\dutuhabe.dll
c:\windows\system32\hafedeku.dll
c:\windows\system32\helper32.dll
c:\windows\system32\IS15.exe
c:\windows\system32\numisufe.dll
c:\windows\system32\smss32.exe
c:\windows\system32\tahalopu.dll
c:\windows\system32\tasasifu.dll
c:\windows\system32\tuvujuka.dll
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe
c:\windows\system32\yikiduta.dll
c:\windows\system32\zodatibo.dll
c:\windows\Tasks\tdpbvaik.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-04 17:15 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 17:15 . 2010-02-04 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-04 17:15 . 2010-02-04 17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-04 17:15 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 17:38 . 2010-02-03 17:38 -------- d-sh--w- c:\documents and settings\Colin\IECompatCache
2010-02-01 04:28 . 2010-02-01 04:28 -------- d-----w- c:\windows\Sun
2010-02-01 04:27 . 2010-02-01 04:27 -------- d-----w- c:\program files\Common Files\Java
2010-02-01 04:27 . 2010-02-01 04:27 -------- d-----w- c:\program files\Java
2010-02-01 04:24 . 2010-02-01 04:24 503808 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3753eed7-n\msvcp71.dll
2010-02-01 04:24 . 2010-02-01 04:24 499712 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3753eed7-n\jmc.dll
2010-02-01 04:24 . 2010-02-01 04:24 348160 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3753eed7-n\msvcr71.dll
2010-02-01 04:23 . 2010-02-01 04:23 61440 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12f9502c-n\decora-sse.dll
2010-02-01 04:23 . 2010-02-01 04:23 12800 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12f9502c-n\decora-d3d.dll
2010-02-01 04:23 . 2010-02-01 04:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-01 04:15 . 2010-02-01 04:15 -------- d-----w- c:\documents and settings\Colin\Application Data\Malwarebytes
2010-02-01 02:25 . 2010-02-01 02:25 388096 ----a-r- c:\documents and settings\Colin\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-01 02:25 . 2010-02-01 02:25 -------- d-----w- c:\program files\TrendMicro
2010-02-01 00:01 . 2010-02-01 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-31 23:05 . 2010-01-31 23:05 -------- d-----w- c:\documents and settings\Momi-Justincase\Application Data\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 05:49 . 2009-07-12 00:59 -------- d-----w- c:\program files\IObit
2010-01-03 01:30 . 2009-07-12 00:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-02 23:44 . 2010-01-02 22:56 -------- d-----w- c:\program files\Sony Online Entertainment
2009-12-14 17:42 . 2009-07-12 00:46 20896 ----a-w- c:\documents and settings\Momi-Justincase\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-11 16:16 . 2009-12-11 16:17 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-29 02:13 . 2009-10-04 01:13 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-27 23:18 . 2009-11-27 23:18 78848 ----a-w- c:\windows\system32\drivers\SSHDRV85.sys
1601-01-01 00:00 . 1601-01-01 00:00 53248 --sha-w- c:\windows\system32\ginuzefa.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\system32\kelinepe.dll
1601-01-01 00:03 . 1601-01-01 00:03 60928 --sha-w- c:\windows\system32\kevidobi.dll
1601-01-01 00:03 . 1601-01-01 00:03 96256 --sha-w- c:\windows\system32\vosemuji.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d9a284f6-c87f-4599-bffe-59a1bf088a28}]
1601-01-01 00:00 53248 --sha-w- c:\windows\system32\ginuzefa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="e:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-11-20 2335880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\explorer.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/11/2009 6:13 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/11/2009 6:19 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/11/2009 6:19 PM 108552]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [11/27/2009 4:18 PM 78848]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1028432]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/11/2009 6:19 PM 908056]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/11/2009 6:19 PM 297752]
.
Contents of the 'Scheduled Tasks' folder

2010-01-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 01:13]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: buy-internet-security10.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Colin\Application Data\Mozilla\Firefox\Profiles\9a2jhh1m.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/_ylt=A9G_erRCKSVLDZEA2wCbvZx4/SIG=10ptb89tu/**http%3A//my.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Sony Online Entertainment\Station Launcher\npsoe.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
HKLM-Run-gijozifet - c:\windows\system32\yikiduta.dll
HKLM-Run-darulozufa - tasasifu.dll
SharedTaskScheduler-{ec8d0ed0-ece7-4f64-96a5-28658afed7ab} - c:\windows\system32\yikiduta.dll
SSODL-mubivotow-{ec8d0ed0-ece7-4f64-96a5-28658afed7ab} - c:\windows\system32\yikiduta.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 15:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(444)
c:\windows\system32\WININET.dll
c:\windows\system32\ginuzefa.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\AVG\AVG8\avgui.exe
.
**************************************************************************
.
Completion time: 2010-02-04 15:59:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-04 22:58

Pre-Run: 3,766,165,504 bytes free
Post-Run: 3,673,190,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - ED791D3D03B4D8210302DDA57DB7730D

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Tried Malwarebytes again and the .exe file is missing. I do have the desktop back and I can access the task manager. AVG is disposable if required.

here is the new HJT run

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:10:58 PM, on 2/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {d9a284f6-c87f-4599-bffe-59a1bf088a28} - ginuzefa.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Advanced SystemCare 3] "E:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.buy-internet-security10.com
O15 - Trusted Zone: http://*.is-soft-download.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.buy-internet-security10.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264996372609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264997327828
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: tuvujuka.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 3690 bytes

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\ginuzefa.dll
    c:\windows\system32\kelinepe.dll
    c:\windows\system32\kevidobi.dll
    c:\windows\system32\vosemuji.dll

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d9a284f6-c87f-4599-bffe-59a1bf088a28}]

    Domains::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    vosemuji.dll,tuvujuka.dll et al Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Since I cannot disable the Antivirus software that is copy/pasted with each set of instructions I will gladly and hopefully uninstall this program. As I have stated before, I have no was to disable this program as the menu is "Greyed" out.

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
AVG uninstalled. No more issues.

ComboFix 10-02-04.01 - Colin 02/04/2010 16:59:51.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1193 [GMT -7:00]
Running from: c:\documents and settings\Colin\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Colin\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\ginuzefa.dll"
"c:\windows\system32\kelinepe.dll"
"c:\windows\system32\kevidobi.dll"
"c:\windows\system32\vosemuji.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ginuzefa.dll
c:\windows\system32\kelinepe.dll
c:\windows\system32\kevidobi.dll
c:\windows\system32\vosemuji.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-04 17:15 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 17:15 . 2010-02-04 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-04 17:15 . 2010-02-04 23:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-04 17:15 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 17:38 . 2010-02-03 17:38 -------- d-sh--w- c:\documents and settings\Colin\IECompatCache
2010-02-01 04:28 . 2010-02-01 04:28 -------- d-----w- c:\windows\Sun
2010-02-01 04:27 . 2010-02-01 04:27 -------- d-----w- c:\program files\Common Files\Java
2010-02-01 04:27 . 2010-02-01 04:27 -------- d-----w- c:\program files\Java
2010-02-01 04:24 . 2010-02-01 04:24 503808 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3753eed7-n\msvcp71.dll
2010-02-01 04:24 . 2010-02-01 04:24 499712 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3753eed7-n\jmc.dll
2010-02-01 04:24 . 2010-02-01 04:24 348160 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3753eed7-n\msvcr71.dll
2010-02-01 04:23 . 2010-02-01 04:23 61440 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12f9502c-n\decora-sse.dll
2010-02-01 04:23 . 2010-02-01 04:23 12800 ----a-w- c:\documents and settings\Colin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12f9502c-n\decora-d3d.dll
2010-02-01 04:23 . 2010-02-01 04:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-01 04:15 . 2010-02-01 04:15 -------- d-----w- c:\documents and settings\Colin\Application Data\Malwarebytes
2010-02-01 02:25 . 2010-02-01 02:25 388096 ----a-r- c:\documents and settings\Colin\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-01 02:25 . 2010-02-01 02:25 -------- d-----w- c:\program files\TrendMicro
2010-02-01 00:01 . 2010-02-01 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-31 23:05 . 2010-01-31 23:05 -------- d-----w- c:\documents and settings\Momi-Justincase\Application Data\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 05:49 . 2009-07-12 00:59 -------- d-----w- c:\program files\IObit
2010-01-03 01:30 . 2009-07-12 00:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-02 23:44 . 2010-01-02 22:56 -------- d-----w- c:\program files\Sony Online Entertainment
2009-12-14 17:42 . 2009-07-12 00:46 20896 ----a-w- c:\documents and settings\Momi-Justincase\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-29 02:13 . 2009-10-04 01:13 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-27 23:18 . 2009-11-27 23:18 78848 ----a-w- c:\windows\system32\drivers\SSHDRV85.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="e:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-11-20 2335880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/11/2009 6:13 PM 64160]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [11/27/2009 4:18 PM 78848]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1028432]
.
Contents of the 'Scheduled Tasks' folder

2010-01-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 01:13]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Colin\Application Data\Mozilla\Firefox\Profiles\9a2jhh1m.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/_ylt=A9G_erRCKSVLDZEA2wCbvZx4/SIG=10ptb89tu/**http%3A//my.yahoo.com/
FF - plugin: c:\program files\Sony Online Entertainment\Station Launcher\npsoe.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 17:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...


c:\windows\system32\mucltui.dll 274288 bytes executable
c:\windows\system32\mucltui.dll.mui 16736 bytes executable

scan completed successfully
hȋdden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3400)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-02-04 17:09:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-05 00:09
ComboFix2.txt 2010-02-04 22:59

Pre-Run: 3,870,638,080 bytes free
Post-Run: 3,838,840,832 bytes free

- - End Of File - - AC3A6FB9A9161E4F1487F6EDEBCD6586

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
It looks great, thank you.

Any recommendations for Anti-virus software that doesn't get nullified as easy as AVG??

descriptionvosemuji.dll,tuvujuka.dll et al EmptyRe: vosemuji.dll,tuvujuka.dll et al

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum