pecosred
  1. I did not see anything about a file being downloaded, and the cleanup seemed to only remove OTL. So I manually removed the other tools. Thanks a lot for your help!
  2. Yes, I agree. I have already uninstalled it. Yes, they seem to be. Do you think the machine is clean now?
  3. OK, here are the requested logs. It seemed as if you wanted the Combofix log as an attachment; I apologize if I misunderstood. It looks like the ESET log includes all the scans I have run with it for the past several weeks. Most of the items found by Dr. Web were in the Trend Micro quarantine, so I left them there. The other item looked like a false positive, but I had it moved to quarantine anyway.
  4. Thanks a lot, Maurice, I appreciate it! I also have a ComboFix log I can post if you need it. (I ran combofix /u thinking I was uninstalling it, but apparently the command has been changed to /uninstall.)
  5. I love MBAM and the forums, but it seems that the queuing system for new threads in the HijackThis Logs forum could be improved. The approach used here seems like a pretty good idea. Thank you, and keep up the good work!
  6. Any chance of getting some help with this? Thank you.
  7. I went ahead and ran ComboFix since it seemed like you guys were pretty backed up. Unfortunately, I received a blue screen error while ComboFix was generating its log, so I have no ComboFix log to post. The computer seems to be running fine, and ComboFix has gotten rid of the search engine redirects, but I'm not convinced that it's completely clean. I've attached a newer set of DDS logs. I appreciate any help. Attach2.zip
  8. My neighbor brought me his sister's computer to clean. At first I thought that MBAM had taken care of all the problems, but then I noticed that search engine results were being redirected to other sites (the redirect sites were blocked by PC-Cillin). I ran GMER, DDS, and OTL, but I'm not sure how to interpret the results. I'm thinking maybe I should reinstall the OS. Here are the logs. First the original Malwarebytes log (they have come up clean after this one):
C:\Program Files\CableRouting\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Program Files\PersonalSec\psecurity.exe (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\PersonalSec\Computer Scan.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\PersonalSec\Help.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\PersonalSec\Personal Security.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\PersonalSec\Registration.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\PersonalSec\Security Center.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\PersonalSec\Settings.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\PersonalSec\Update.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. C:\Program Files\Common Files\PersonalSecUninstall\Uninstall.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. C:\Documents and Settings\Devin\Application Data\WeatherDPA\Weather\WeatherStartup.xml (Adware.Hotbar) -> Quarantined and deleted successfully. C:\Documents and Settings\Devin\Desktop\Personal Security.lnk (Rogue.PSecurity) -> Quarantined and deleted successfully. C:\Documents and Settings\Devin\Application Data\Microsoft\Internet Explorer\Quick Launch\PersonalSec.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully. 
================================== DDS: DDS (Ver_09-12-01.01) - NTFSx86 Run by Devin at 23:14:46.01 on Tue 01/12/2010 Internet Explorer: 7.0.5730.13 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1185 [GMT -6:00] AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5} FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\dlcxcoms.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\Trend Micro\Internet Security 
14\pccguide.exe C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program Files\NetWaiting\netWaiting.exe C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BearShare Applications\Personalization\BearSharePersonalization.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\Devin\Desktop\dds.scr ============== Pseudo HJT Report =============== uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080109 uSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q= uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com mSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q= uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080109 uInternet Settings,ProxyOverride = *.local uURLSearchHooks: Yahoo! Attach.zip
  9. Avira started a scheduled scan shortly after I made my previous post, so I've included that log file below. A new DDS log is attached.

Avira AntiVir Personal
Report file date: Monday, January 11, 2010 12:00

Scanning for 1512108 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MICELLA

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 12/9/2009 03:29:27
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 03:11:02
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:11:05
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 03:11:05
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 03:11:06
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 03:11:06
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 03:11:06
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 03:11:06
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 03:11:06
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 03:11:06
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 03:11:06
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 03:11:07
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 03:11:07
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 03:11:07
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 20:34:57
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 03:26:51
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 03:27:06
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 02:46:37
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 01:43:12
VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 00:01:37
VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 21:41:04
VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 16:03:03
VBASE021.VDF : 7.10.2.131 201216 Bytes 1/7/2010 01:40:22
VBASE022.VDF : 7.10.2.132 2048 Bytes 1/7/2010 01:40:22
VBASE023.VDF : 7.10.2.133 2048 Bytes 1/7/2010 01:40:22
VBASE024.VDF : 7.10.2.134 2048 Bytes 1/7/2010 01:40:23
VBASE025.VDF : 7.10.2.135 2048 Bytes 1/7/2010 01:40:23
VBASE026.VDF : 7.10.2.136 2048 Bytes 1/7/2010 01:40:23
VBASE027.VDF : 7.10.2.137 2048 Bytes 1/7/2010 01:40:24
VBASE028.VDF : 7.10.2.138 2048 Bytes 1/7/2010 01:40:24
VBASE029.VDF : 7.10.2.139 2048 Bytes 1/7/2010 01:40:24
VBASE030.VDF : 7.10.2.140 2048 Bytes 1/7/2010 01:40:25
VBASE031.VDF : 7.10.2.151 146944 Bytes 1/8/2010 01:41:02
Engineversion : 8.2.1.134
AEVDF.DLL : 8.1.1.2 106867 Bytes 9/15/2009 22:58:02
AESCRIPT.DLL : 8.1.3.7 594296 Bytes 1/5/2010 01:19:44
AESCN.DLL : 8.1.3.0 127348 Bytes 12/11/2009 16:12:14
AESBX.DLL : 8.1.1.1 246132 Bytes 11/20/2009 03:11:10
AERDL.DLL : 8.1.3.4 479605 Bytes 12/1/2009 03:26:47
AEPACK.DLL : 8.2.0.4 422263 Bytes 1/5/2010 01:19:43
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/17/2009 21:32:46
AEHEUR.DLL : 8.1.0.194 2228599 Bytes 1/9/2010 01:41:08
AEHELP.DLL : 8.1.9.0 237943 Bytes 12/17/2009 01:43:17
AEGEN.DLL : 8.1.1.83 369014 Bytes 1/5/2010 01:19:36
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/3/2009 05:15:48
AECORE.DLL : 8.1.9.1 180598 Bytes 12/11/2009 16:12:14
AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 17:49:34
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 11/18/2009 18:16:53
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 12/9/2009 03:29:24

Configuration settings for the scan:
Jobname.............................: Local Hard Disks
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\alldiscs.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, January 11, 2010 12:00

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'Na2he17GJ.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'mrtmngr.exe' - '1' Module(s) have been scanned
Scan process 'soffice.bin' - '1' Module(s) have been scanned
Scan process 'soffice.exe' - '1' Module(s) have been scanned
Scan process 'ymetray.exe' - '1' Module(s) have been scanned
Scan process 'QBDAgent.exe' - '1' Module(s) have been scanned
Scan process 'HWU54G.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mim.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
Scan process 'ycommon.exe' - '1' Module(s) have been scanned
Scan process 'MMDiag.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'lxdiamon.exe' - '1' Module(s) have been scanned
Scan process 'lxdimon.exe' - '1' Module(s) have been scanned
Scan process 'WkUFind.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'ybrwicon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned
Scan process 'lxdicoms.exe' - '1' Module(s) have been scanned
Scan process 'lxdiserv.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
56 processes with 56 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '75' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\C\eujbmv.exe.vir
[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit
C:\Recovery\072109\missy\Local Settings\Temp\ymsgr.Id_32118.yim
[0] Archive type: CAB (Microsoft)
--> ymsgr.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Recovery\072109\missy\Local Settings\Temp\ymsgr.yim
[0] Archive type: CAB (Microsoft)
--> ymsgr.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000309.exe
[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

Beginning disinfection:
C:\Qoobox\Quarantine\C\eujbmv.exe.vir
[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit
[NOTE] The file was moved to '4bb57b88.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000309.exe
[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit
[NOTE] The file was moved to '4b7b7b43.qua'!

End of the scan: Monday, January 11, 2010 13:25
Used time: 1:13:14 Hour(s)

The scan has been done completely.

23183 Scanned directories
729266 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
729262 Files not concerned
6467 Archives were scanned
6 Warnings
4 Notes

Attach_2.zip
  10. ESET scanner would not run in IE; I probably need to reinstall Java. I downloaded the standalone scanner and ran it instead. Logs are pasted below.

Malwarebytes' Anti-Malware 1.44
Database version: 3540
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/11/2010 10:12:53 AM
mbam-log-2010-01-11 (10-12-53).txt

Scan type: Quick Scan
Objects scanned: 138278
Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bugivigafo (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

* * * * * * * * * *

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ba4e1da03b55d0479780348999eedee1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-11 05:32:14
# local_time=2010-01-11 11:32:14 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 47860912 47860912 0 0
# compatibility_mode=1792 16777191 100 0 13204837 13204837 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=196675
# found=20
# cleaned=20
# scan_time=3599
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\diyukode.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fanudugu.dll.vir a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gerabuse.dll.vir a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\holuyibi.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jaduyodu.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kadidika.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kbdsock.dll.vir Win32/Agent.QPI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\smss32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.SJ virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000004.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000179.dll a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000181.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000182.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000183.dll Win32/Agent.QPI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000202.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000311.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000312.dll a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000313.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000314.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
  11. I uninstalled LimeWire as requested. I did not see a message indicating that ComboFix had uploaded any files, so I submitted them to the link provided. Here is the new log:

ComboFix 10-01-04.01 - jay 01/10/2010 20:29:03.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.577 [GMT -6:00]
Running from: c:\documents and settings\jay\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jay\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\41.exe"
"c:\windows\SYSTEM32\diyukode.dll"
"c:\windows\SYSTEM32\gerabuse.dll"
"c:\windows\system32\helper32.dll"
"c:\windows\SYSTEM32\holuyibi.dll"
"c:\windows\system32\smss32.exe"
"c:\windows\system32\winlogon32.exe"
"c:\windows\SYSTEM32\yemikome.dll"
file zipped: C:\eujbmv.exe
file zipped: C:\khkil.exe
file zipped: c:\windows\system32\IS15.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\eujbmv.exe
C:\khkil.exe
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\SYSTEM32\diyukode.dll
c:\windows\SYSTEM32\gerabuse.dll
c:\windows\system32\helper32.dll
c:\windows\SYSTEM32\holuyibi.dll
c:\windows\system32\IS15.exe
c:\windows\system32\smss32.exe
c:\windows\system32\winlogon32.exe
c:\windows\SYSTEM32\yemikome.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-10 23:02 . 2010-01-10 23:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-09 05:41 . 2010-01-09 05:43 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-08 01:43 . 2010-01-08 01:43 -------- d-sh--w- c:\documents and settings\missy\PrivacIE
2010-01-07 23:49 . 2010-01-07 23:49 -------- d-sh--w- c:\documents and settings\omar\PrivacIE
2010-01-07 01:28 . 2010-01-07 01:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-29 05:06 . 2009-12-29 05:06 -------- d-----w- c:\documents and settings\jay\Local Settings\Application Data\Apple
2009-12-13 05:04 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 02:13 . 2005-10-28 21:33 -------- d-----w- c:\program files\LimeWire
2010-01-09 00:27 . 2008-07-10 16:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 03:53 . 2007-03-06 03:26 -------- d-----w- c:\documents and settings\jay\Application Data\LimeWire
2010-01-08 03:35 . 2004-12-28 20:01 14174 ----a-w- c:\documents and settings\marcie\Application Data\wklnhst.dat
2010-01-08 02:19 . 2008-04-04 17:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-08 01:41 . 2005-10-28 21:34 -------- d-----w- c:\documents and settings\missy\Application Data\LimeWire
2010-01-07 23:57 . 2007-03-06 03:32 -------- d-----w- c:\documents and settings\omar\Application Data\LimeWire
2009-12-31 23:00 . 2008-07-10 17:08 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-31 21:30 . 2004-12-11 06:49 -------- d-----w- c:\program files\Java
2009-12-31 21:28 . 2009-12-31 21:28 152576 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-31 21:27 . 2009-12-31 21:27 79488 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-30 20:55 . 2008-07-25 00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 20:54 . 2008-07-10 16:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 05:07 . 2009-12-07 00:34 -------- d-----w- c:\documents and settings\jay\Application Data\Apple Computer
2009-12-25 21:14 . 2009-08-05 01:03 -------- d-----w- c:\documents and settings\marcie\Application Data\Apple Computer
2009-12-21 00:40 . 2004-12-30 02:29 1386 ----a-w- c:\documents and settings\jay\Application Data\wklnhst.dat
2009-12-09 03:29 . 2009-08-01 04:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-05 19:28 . 2009-12-05 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-04 00:58 . 2008-12-28 03:12 -------- d-----w- c:\documents and settings\missy\Application Data\Apple Computer
2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 03:06 . 2004-12-28 02:04 10842 ----a-w- c:\documents and settings\missy\Application Data\wklnhst.dat
2009-11-17 16:24 . 2009-11-18 18:15 586108 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescript.dll
2009-11-17 16:24 . 2009-11-18 18:15 237943 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll
2009-11-17 03:17 . 2008-04-04 17:37 -------- d-----w- c:\program files\SpywareBlaster
2009-11-11 22:08 . 2009-11-18 18:15 364917 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aegen.dll
2009-11-06 23:32 . 2009-11-18 18:15 2093432 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll
2009-11-05 21:21 . 2009-11-18 18:15 422261 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aepack.dll
2009-11-05 21:21 . 2009-11-18 18:15 184694 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2009-10-29 07:45 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-25 22:51 . 2009-10-25 22:51 60364 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-12-11 26112]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-30 429392]
"bugivigafo"="jaduyodu.dll" [BU]

c:\documents and settings\jay\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-17 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-11 24576]
Hawking HWU54G Utility.lnk - c:\program files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe [2009-1-10 438272]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2007-9-13 118784]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxditime.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdiwbgw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\MMDiag.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/31/2009 10:31 PM 108289]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service
--> c:\windows\system32\lxdicoms.exe -service [?] R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdiserv.exe [9/17/2007 5:08 PM 99248] R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [7/10/2008 10:35 AM 19160] S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2008 10:35 AM 235344] S3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [7/10/2008 10:53 AM 247296] --- Other Services/Drivers In Memory --- *Deregistered* - IPVNMon . Contents of the 'Scheduled Tasks' folder 2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://att.yahoo.com uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com Trusted Zone: musicmatch.com\online FF - ProfilePath - c:\documents and settings\jay\Application Data\Mozilla\Firefox\Profiles\jkx7w763.default\ FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/?_bc=1|https://login.yahoo.com/config/login_verify2?&.src=ym FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . 
- - - - ORPHANS REMOVED - - - - BHO-{aee77b27-a0b7-494f-bda9-0f8a9055e7f4} - diyukode.dll HKLM-Run-smss32.exe - c:\windows\system32\smss32.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-01-10 21:10 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(4040) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\jscript.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\lxdicoms.exe c:\program files\Dell Support Center\bin\sprtsvc.exe c:\progra~1\Yahoo!\browser\ycommon.exe c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe c:\windows\system32\Rundll32.exe c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe c:\program files\OpenOffice.org 3\program\soffice.exe c:\windows\system32\mrtMngr.EXE c:\program files\OpenOffice.org 3\program\soffice.bin c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe c:\program files\iPod\bin\iPodService.exe . 
************************************************************************** . Completion time: 2010-01-10 21:18:52 - machine was rebooted ComboFix-quarantined-files.txt 2010-01-11 03:18 ComboFix2.txt 2010-01-11 00:15 Pre-Run: 189,652,754,432 bytes free Post-Run: 189,617,086,464 bytes free - - End Of File - - C472FD53DA5F9E9199240E570417A9C6
  12. OK, I got ComboFix to run, although a rogue was blocking it at first. I kept getting the following warning message: "Application cannot be executed. The file Combofix.exe is infected. Do you want to activate your antivirus software now?" (In fact, a similar message popped up while ComboFix was preparing its log file.) To get it to run, I tried renaming it ComboFix.scr and winlogon.exe, but it was blocked both times. Finally I tried running it as a different user (this computer has four user accounts). That worked. Here is the log:
  13. Sorry, I guess I was unclear. I meant advice and recommendations regarding the decision whether to reformat or clean the infection.
  14. Thank you for the swift reply, kahdah. I was considering a reformat and reinstall. But I am told that the computer does not contain any sensitive information and is not used for online banking (and only rarely for making credit card purchases), so that approach might not be warranted. And since I'm pretty certain they will continue using P2P applications, it seems fairly likely that the computer will become reinfected before long. I'm thinking maybe I should just go ahead and clean the machine. Do you have any advice or recommendations beyond the information in the links you provided? (If you'd prefer not to answer that, I understand, but I thought I would ask.) Thanks.