Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

Vundo got through


Recommended Posts

My neighbor's computer got infected with Vundo and other malware even though Malwarebytes Pro was installed (they let their kids use LimeWire). I guess I need to install a better firewall.

Although Malwarebytes repaired the items it found, the computer still appears to be infected.

The log files are posted below. Thanks for your help!

Malwarebytes' Anti-Malware 1.44

Database version: 3523

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/8/2010 7:11:32 PM

mbam-log-2010-01-08 (19-11-32).txt

Scan type: Quick Scan

Objects scanned: 151350

Time elapsed: 18 minute(s), 45 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 4

Registry Keys Infected: 2

Registry Values Infected: 5

Registry Data Items Infected: 15

Folders Infected: 0

Files Infected: 20

Memory Processes Infected:

C:\WINDOWS\SYSTEM32\smss32.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\SYSTEM32\fetotava.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\hugimizu.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\SYSTEM32\vuvimuwe.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{66ca1269-d0e8-4647-b23b-850c72e5addd} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{009541a0-3b00-1f1c-00f3-040224001c01} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yizovaliv (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{66ca1269-d0e8-4647-b23b-850c72e5addd} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gifolosuf (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\swupdate (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: fetotava.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vuvimuwe.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vuvimuwe.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\dudetelo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\fetotava.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\fihiyota.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\hugimizu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\huvajolu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\pamatuma.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\vuvimuwe.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\wijidapa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\wiwijadu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\winlogon32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rdl5F.tmp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\omar\Local Settings\Temp\n.exn (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\omar\Local Settings\Temporary Internet Files\Content.IE5\966QKVG0\load[1].php (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\logon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\Local.dtd (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\Ui.dtd (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\UTemp.dtd (Malware.Trace) -> Quarantined and deleted successfully.

* * * * * * * * * *

DDS (Ver_09-12-01.01) - NTFSx86

Run by jay at 21:21:59.51 on Fri 01/08/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.516 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe

C:\WINDOWS\system32\lxdicoms.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe

C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\WINDOWS\system32\mrtMngr.EXE

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

C:\Documents and Settings\jay\Desktop\Defogger.exe

C:\Documents and Settings\jay\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com

uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe

mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"

mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"

mRun: [iPInSightMonitor 01] "c:\program files\sbc yahoo!\connection manager\ip insight\IPMon32.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\jay\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hawkin~1.lnk - c:\program files\hawking technologies\hawking_hwu54g_utility\HWU54G.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks pro\components\qbagent\QBDAgent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: musicmatch.com\online

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} - hxxp://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll

DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: hugimizu.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jay\applic~1\mozilla\firefox\profiles\jkx7w763.default\

FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/?_bc=1|https://login.yahoo.com/config/login_verify2?&.src=ym

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-31 11608]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-31 56816]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-7-10 19160]

S3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [2008-7-10 247296]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2010-01-09 03:19:47 0 ----a-w- c:\documents and settings\jay\defogger_reenable

2010-01-09 01:07:09 0 ----a-w- c:\windows\system32\8201.exe

2010-01-09 00:47:08 0 ----a-w- c:\windows\system32\1274.exe

2010-01-09 00:07:02 0 ----a-w- c:\windows\system32\15724.exe

2010-01-08 23:47:02 0 ----a-w- c:\windows\system32\19169.exe

2010-01-08 23:27:01 0 ----a-w- c:\windows\system32\26500.exe

2010-01-08 23:06:49 0 ----a-w- c:\windows\system32\6334.exe

2010-01-08 22:46:45 0 ----a-w- c:\windows\system32\18467.exe

2010-01-08 19:56:33 0 ----a-w- c:\windows\system32\IS15.exe

2010-01-08 19:56:16 2931 ----a-w- c:\windows\system32\warning.html

2009-12-13 05:04:44 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-30 20:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 20:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-21 00:40:16 1386 ----a-w- c:\docume~1\jay\applic~1\wklnhst.dat

2009-12-09 03:29:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-25 22:51:51 60364 ---ha-w- c:\windows\system32\mlfcache.dat

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll

2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll

2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

2008-09-26 04:08:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092520080926\index.dat

============= FINISH: 21:28:20.31 ===============

Attach.zip

Link to post
Share on other sites

MAM honorary members are not allowed to post in this forum.

=======================================

pecosred Welcome to Malwarebytes forum.

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Link to post
Share on other sites

Thank you for the swift reply, kahdah.

I was considering a reformat and reinstall. But I am told that the computer does not contain any sensitive information and is not used for online banking (and only rarely for making credit card purchases), so that approach might not be warranted. And since I'm pretty certain they will continue using P2P applications, it seems fairly likely that the computer will become reinfected before long.

I'm thinking maybe I should just go ahead and clean the machine. Do you have any advice or recommendations beyond the information in the links you provided? (If you'd prefer not to answer that, I understand, but I thought I would ask.)

Thanks.

Link to post
Share on other sites

ok other advice and recommendations will be given when we finish it up.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Link to post
Share on other sites

OK, I got ComboFix to run, although a rogue was blocking it at first. I kept getting the following warning message: "Application cannot be executed. The file Combofix.exe is infected. Do you want to activate your antivirus software now?" (In fact, a similar message popped up while ComboFIx was preparing its log file.)

To get it to run, I tried renaming it ComboFix.scr and winlogon.exe, but it was blocked both times. Finally I tried running it as a different user (this computer has four user accounts). That worked.

Here is the log:

ComboFix 10-01-04.01 - jay 01/10/2010 17:48:23.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.714 [GMT -6:00]

Running from: c:\documents and settings\jay\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\omar\LOCALS~1\Temp\tmp2.tmp

C:\s

c:\windows\patch.exe

c:\windows\system32\11478.exe

c:\windows\system32\11538.exe

c:\windows\system32\11942.exe

c:\windows\system32\12316.exe

c:\windows\system32\12382.exe

c:\windows\system32\1274.exe

c:\windows\system32\12859.exe

c:\windows\system32\14604.exe

c:\windows\system32\14771.exe

c:\windows\system32\15141.exe

c:\windows\system32\153.exe

c:\windows\system32\15724.exe

c:\windows\system32\16827.exe

c:\windows\system32\17035.exe

c:\windows\system32\17421.exe

c:\windows\system32\17673.exe

c:\windows\system32\1842.exe

c:\windows\system32\18467.exe

c:\windows\system32\1869.exe

c:\windows\system32\18716.exe

c:\windows\system32\19169.exe

c:\windows\system32\19718.exe

c:\windows\system32\19895.exe

c:\windows\system32\19912.exe

c:\windows\system32\20037.exe

c:\windows\system32\21726.exe

c:\windows\system32\22190.exe

c:\windows\system32\23281.exe

c:\windows\system32\23811.exe

c:\windows\system32\24464.exe

c:\windows\system32\25547.exe

c:\windows\system32\25667.exe

c:\windows\system32\26299.exe

c:\windows\system32\26500.exe

c:\windows\system32\26962.exe

c:\windows\system32\27529.exe

c:\windows\system32\27644.exe

c:\windows\system32\28145.exe

c:\windows\system32\28253.exe

c:\windows\system32\28703.exe

c:\windows\system32\288.exe

c:\windows\system32\292.exe

c:\windows\system32\29358.exe

c:\windows\system32\2995.exe

c:\windows\system32\30106.exe

c:\windows\system32\30333.exe

c:\windows\system32\3035.exe

c:\windows\system32\31322.exe

c:\windows\system32\32391.exe

c:\windows\system32\32662.exe

c:\windows\system32\32757.exe

c:\windows\system32\3902.exe

c:\windows\system32\41.exe

c:\windows\system32\4664.exe

c:\windows\system32\4827.exe

c:\windows\system32\491.exe

c:\windows\system32\5436.exe

c:\windows\system32\5447.exe

c:\windows\system32\5705.exe

c:\windows\system32\6334.exe

c:\windows\system32\6868.exe

c:\windows\system32\7711.exe

c:\windows\system32\778.exe

c:\windows\system32\8201.exe

c:\windows\system32\8723.exe

c:\windows\system32\9040.exe

c:\windows\system32\9741.exe

c:\windows\system32\9894.exe

c:\windows\system32\9961.exe

c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\kjbmtl

c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\kjbmtl\hhkjsysguard.exe

c:\windows\system32\drivers\fad.sys

c:\windows\system32\fanudugu.dll

c:\windows\system32\helper32.dll

c:\windows\system32\jaduyodu.dll

c:\windows\system32\kadidika.dll

c:\windows\system32\kbdsock.dll

c:\windows\system32\mshlps.dll

c:\windows\Tasks\eknqyenl.job

c:\windows\Tasks\lmwcyaxx.job

c:\windows\Temp\0c3770fb.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it ;)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))

.

2010-01-10 23:29 . 2010-01-10 23:31 -------- d-----w- C:\32788R22FWJFW

2010-01-10 23:17 . 2010-01-10 23:17 34816 ----a-w- c:\windows\system32\IS15.exe

2010-01-10 23:02 . 2010-01-10 23:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-01-09 17:26 . 2010-01-09 17:25 33792 ----a-w- c:\windows\system32\winlogon32.exe

2010-01-09 17:26 . 2010-01-09 17:25 33792 ----a-w- c:\windows\system32\smss32.exe

2010-01-09 17:25 . 2010-01-09 17:25 33792 ----a-w- C:\khkil.exe

2010-01-09 17:25 . 2010-01-09 17:25 52224 ----a-w- C:\eujbmv.exe

2010-01-09 05:41 . 2010-01-09 05:43 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe

2010-01-08 01:43 . 2010-01-08 01:43 -------- d-sh--w- c:\documents and settings\missy\PrivacIE

2010-01-07 23:49 . 2010-01-07 23:49 -------- d-sh--w- c:\documents and settings\omar\PrivacIE

2010-01-07 01:28 . 2010-01-07 01:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-12-29 05:06 . 2009-12-29 05:06 -------- d-----w- c:\documents and settings\jay\Local Settings\Application Data\Apple

2009-12-13 05:04 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-11 00:09 . 2010-01-11 00:09 0 ----a-w- c:\windows\system32\41.exe

2010-01-11 00:09 . 2010-01-11 00:09 0 ----a-w- c:\windows\system32\helper32.dll

2010-01-09 00:27 . 2008-07-10 16:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-08 03:53 . 2007-03-06 03:26 -------- d-----w- c:\documents and settings\jay\Application Data\LimeWire

2010-01-08 03:35 . 2004-12-28 20:01 14174 ----a-w- c:\documents and settings\marcie\Application Data\wklnhst.dat

2010-01-08 02:19 . 2008-04-04 17:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-08 01:41 . 2005-10-28 21:34 -------- d-----w- c:\documents and settings\missy\Application Data\LimeWire

2010-01-07 23:57 . 2007-03-06 03:32 -------- d-----w- c:\documents and settings\omar\Application Data\LimeWire

2009-12-31 23:00 . 2008-07-10 17:08 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-31 21:30 . 2004-12-11 06:49 -------- d-----w- c:\program files\Java

2009-12-31 21:28 . 2009-12-31 21:28 152576 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-31 21:27 . 2009-12-31 21:27 79488 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-30 20:55 . 2008-07-25 00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 20:54 . 2008-07-10 16:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-29 05:07 . 2009-12-07 00:34 -------- d-----w- c:\documents and settings\jay\Application Data\Apple Computer

2009-12-25 21:14 . 2009-08-05 01:03 -------- d-----w- c:\documents and settings\marcie\Application Data\Apple Computer

2009-12-21 00:40 . 2004-12-30 02:29 1386 ----a-w- c:\documents and settings\jay\Application Data\wklnhst.dat

2009-12-09 03:29 . 2009-08-01 04:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-05 19:28 . 2009-12-05 19:28 -------- d-----w- c:\program files\Microsoft Silverlight

2009-12-04 00:58 . 2008-12-28 03:12 -------- d-----w- c:\documents and settings\missy\Application Data\Apple Computer

2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-20 03:06 . 2004-12-28 02:04 10842 ----a-w- c:\documents and settings\missy\Application Data\wklnhst.dat

2009-11-17 16:24 . 2009-11-18 18:15 586108 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescript.dll

2009-11-17 16:24 . 2009-11-18 18:15 237943 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll

2009-11-17 03:17 . 2008-04-04 17:37 -------- d-----w- c:\program files\SpywareBlaster

2009-11-11 22:08 . 2009-11-18 18:15 364917 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aegen.dll

2009-11-06 23:32 . 2009-11-18 18:15 2093432 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll

2009-11-05 21:21 . 2009-11-18 18:15 422261 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aepack.dll

2009-11-05 21:21 . 2009-11-18 18:15 184694 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll

2009-10-29 07:45 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-25 22:51 . 2009-10-25 22:51 60364 ---ha-w- c:\windows\system32\mlfcache.dat

2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll

1601-01-01 00:00 . 1601-01-01 00:00 53248 --sha-w- c:\windows\SYSTEM32\diyukode.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\SYSTEM32\gerabuse.dll

1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\SYSTEM32\holuyibi.dll

1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\SYSTEM32\yemikome.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aee77b27-a0b7-494f-bda9-0f8a9055e7f4}]

1601-01-01 00:00 53248 --sha-w- c:\windows\SYSTEM32\diyukode.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-12-11 26112]

"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]

"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]

"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]

"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-30 429392]

"smss32.exe"="c:\windows\system32\smss32.exe" [2010-01-09 33792]

c:\documents and settings\missy\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-2-8 147456]

c:\documents and settings\jay\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-17 110592]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-11 24576]

Hawking HWU54G Utility.lnk - c:\program files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe [2009-1-10 438272]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

QuickBooks Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2007-9-13 118784]

ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\winlogon32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe

"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

"c:\\WINDOWS\\SYSTEM32\\lxdicoms.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdipswx.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdijswx.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxditime.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdiwbgw.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\MMDiag.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/31/2009 10:31 PM 108289]

R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]

R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdiserv.exe [9/17/2007 5:08 PM 99248]

R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [7/10/2008 10:35 AM 19160]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2008 10:35 AM 235344]

S3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [7/10/2008 10:53 AM 247296]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

.

Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.yahoo.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\jay\Application Data\Mozilla\Firefox\Profiles\jkx7w763.default\

FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/?_bc=1|https://login.yahoo.com/config/login_verify2?&.src=ym

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-yizovaliv - c:\windows\system32\fanudugu.dll

HKLM-Run-bugivigafo - jaduyodu.dll

SharedTaskScheduler-{fd978867-51f5-4f8d-b953-129029c8dc68} - c:\windows\system32\fanudugu.dll

SSODL-dazunepim-{fd978867-51f5-4f8d-b953-129029c8dc68} - c:\windows\system32\fanudugu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-10 18:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2976)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\jscript.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxdicoms.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\windows\system32\mrtMngr.EXE

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2010-01-10 18:15:03 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-11 00:14

Pre-Run: 186,154,455,040 bytes free

Post-Run: 189,586,264,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - ACC5865EE8A17BA3CAF1B6EA615A10CE

Link to post
Share on other sites

Please uninstall Limewire first it is a part of the Hijackthis forum policy.

HiJack This! Forum Policy

1. Open notepad and copy/paste the text in the codebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=35943

KillAll:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

File::
c:\windows\system32\winlogon32.exe
c:\windows\system32\smss32.exe
c:\windows\system32\41.exe
c:\windows\system32\helper32.dll
c:\windows\SYSTEM32\diyukode.dll
c:\windows\SYSTEM32\gerabuse.dll
c:\windows\SYSTEM32\holuyibi.dll
c:\windows\SYSTEM32\yemikome.dll


Collect::[44]
c:\windows\system32\IS15.exe
C:\khkil.exe
C:\eujbmv.exe

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open.

With the above script, ComboFix will capture files to submit for analysis.

If it does not say that it uploaded the files sucessfully then please do the following below.

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[44]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Link to post
Share on other sites

I uninstalled LimeWire as requested.

I did not see a message indicating that ComboFix had uploaded any files, so I submitted them to the link provided.

Here is the new log:

ComboFix 10-01-04.01 - jay 01/10/2010 20:29:03.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.577 [GMT -6:00]

Running from: c:\documents and settings\jay\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\jay\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\system32\41.exe"

"c:\windows\SYSTEM32\diyukode.dll"

"c:\windows\SYSTEM32\gerabuse.dll"

"c:\windows\system32\helper32.dll"

"c:\windows\SYSTEM32\holuyibi.dll"

"c:\windows\system32\smss32.exe"

"c:\windows\system32\winlogon32.exe"

"c:\windows\SYSTEM32\yemikome.dll"

file zipped: C:\eujbmv.exe

file zipped: C:\khkil.exe

file zipped: c:\windows\system32\IS15.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\eujbmv.exe

C:\khkil.exe

c:\windows\system32\11478.exe

c:\windows\system32\15724.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\26500.exe

c:\windows\system32\41.exe

c:\windows\system32\6334.exe

c:\windows\SYSTEM32\diyukode.dll

c:\windows\SYSTEM32\gerabuse.dll

c:\windows\system32\helper32.dll

c:\windows\SYSTEM32\holuyibi.dll

c:\windows\system32\IS15.exe

c:\windows\system32\smss32.exe

c:\windows\system32\winlogon32.exe

c:\windows\SYSTEM32\yemikome.dll

.

((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))

.

2010-01-10 23:02 . 2010-01-10 23:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-01-09 05:41 . 2010-01-09 05:43 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe

2010-01-08 01:43 . 2010-01-08 01:43 -------- d-sh--w- c:\documents and settings\missy\PrivacIE

2010-01-07 23:49 . 2010-01-07 23:49 -------- d-sh--w- c:\documents and settings\omar\PrivacIE

2010-01-07 01:28 . 2010-01-07 01:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-12-29 05:06 . 2009-12-29 05:06 -------- d-----w- c:\documents and settings\jay\Local Settings\Application Data\Apple

2009-12-13 05:04 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-11 02:13 . 2005-10-28 21:33 -------- d-----w- c:\program files\LimeWire

2010-01-09 00:27 . 2008-07-10 16:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-08 03:53 . 2007-03-06 03:26 -------- d-----w- c:\documents and settings\jay\Application Data\LimeWire

2010-01-08 03:35 . 2004-12-28 20:01 14174 ----a-w- c:\documents and settings\marcie\Application Data\wklnhst.dat

2010-01-08 02:19 . 2008-04-04 17:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-08 01:41 . 2005-10-28 21:34 -------- d-----w- c:\documents and settings\missy\Application Data\LimeWire

2010-01-07 23:57 . 2007-03-06 03:32 -------- d-----w- c:\documents and settings\omar\Application Data\LimeWire

2009-12-31 23:00 . 2008-07-10 17:08 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-31 21:30 . 2004-12-11 06:49 -------- d-----w- c:\program files\Java

2009-12-31 21:28 . 2009-12-31 21:28 152576 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-31 21:27 . 2009-12-31 21:27 79488 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-30 20:55 . 2008-07-25 00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 20:54 . 2008-07-10 16:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-29 05:07 . 2009-12-07 00:34 -------- d-----w- c:\documents and settings\jay\Application Data\Apple Computer

2009-12-25 21:14 . 2009-08-05 01:03 -------- d-----w- c:\documents and settings\marcie\Application Data\Apple Computer

2009-12-21 00:40 . 2004-12-30 02:29 1386 ----a-w- c:\documents and settings\jay\Application Data\wklnhst.dat

2009-12-09 03:29 . 2009-08-01 04:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-05 19:28 . 2009-12-05 19:28 -------- d-----w- c:\program files\Microsoft Silverlight

2009-12-04 00:58 . 2008-12-28 03:12 -------- d-----w- c:\documents and settings\missy\Application Data\Apple Computer

2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-20 03:06 . 2004-12-28 02:04 10842 ----a-w- c:\documents and settings\missy\Application Data\wklnhst.dat

2009-11-17 16:24 . 2009-11-18 18:15 586108 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescript.dll

2009-11-17 16:24 . 2009-11-18 18:15 237943 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll

2009-11-17 03:17 . 2008-04-04 17:37 -------- d-----w- c:\program files\SpywareBlaster

2009-11-11 22:08 . 2009-11-18 18:15 364917 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aegen.dll

2009-11-06 23:32 . 2009-11-18 18:15 2093432 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll

2009-11-05 21:21 . 2009-11-18 18:15 422261 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aepack.dll

2009-11-05 21:21 . 2009-11-18 18:15 184694 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll

2009-10-29 07:45 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll

2009-10-25 22:51 . 2009-10-25 22:51 60364 ---ha-w- c:\windows\system32\mlfcache.dat

2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-12-11 26112]

"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]

"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]

"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]

"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-30 429392]

"bugivigafo"="jaduyodu.dll" [bU]

c:\documents and settings\jay\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-17 110592]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-11 24576]

Hawking HWU54G Utility.lnk - c:\program files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe [2009-1-10 438272]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

QuickBooks Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2007-9-13 118784]

ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe

"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=

"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

"c:\\WINDOWS\\SYSTEM32\\lxdicoms.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdipswx.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdijswx.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxditime.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdiwbgw.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\MMDiag.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/31/2009 10:31 PM 108289]

R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]

R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdiserv.exe [9/17/2007 5:08 PM 99248]

R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [7/10/2008 10:35 AM 19160]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2008 10:35 AM 235344]

S3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [7/10/2008 10:53 AM 247296]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

.

Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.yahoo.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\jay\Application Data\Mozilla\Firefox\Profiles\jkx7w763.default\

FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/?_bc=1|https://login.yahoo.com/config/login_verify2?&.src=ym

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{aee77b27-a0b7-494f-bda9-0f8a9055e7f4} - diyukode.dll

HKLM-Run-smss32.exe - c:\windows\system32\smss32.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-10 21:10

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4040)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\jscript.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxdicoms.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\windows\system32\Rundll32.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\windows\system32\mrtMngr.EXE

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-01-10 21:18:52 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-11 03:18

ComboFix2.txt 2010-01-11 00:15

Pre-Run: 189,652,754,432 bytes free

Post-Run: 189,617,086,464 bytes free

- - End Of File - - C472FD53DA5F9E9199240E570417A9C6

Link to post
Share on other sites

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

ESET scanner would not run in IE--I probably need to reinstall Java. I downloaded the standalone scanner and ran it instead.

Logs are pasted below.

Malwarebytes' Anti-Malware 1.44

Database version: 3540

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/11/2010 10:12:53 AM

mbam-log-2010-01-11 (10-12-53).txt

Scan type: Quick Scan

Objects scanned: 138278

Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bugivigafo (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

* * * * * * * * * *

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=ba4e1da03b55d0479780348999eedee1

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-11 05:32:14

# local_time=2010-01-11 11:32:14 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 47860912 47860912 0 0

# compatibility_mode=1792 16777191 100 0 13204837 13204837 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=196675

# found=20

# cleaned=20

# scan_time=3599

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\diyukode.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fanudugu.dll.vir a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gerabuse.dll.vir a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\holuyibi.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jaduyodu.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kadidika.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kbdsock.dll.vir Win32/Agent.QPI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\smss32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.SJ virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000004.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000179.dll a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000181.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000182.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000183.dll Win32/Agent.QPI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000202.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000311.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000312.dll a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000313.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000314.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites

Avira started a scheduled scan shortly after I made my previous post, so I've included that log file below.

A new DDS log is attached.

Avira AntiVir Personal

Report file date: Monday, January 11, 2010 12:00

Scanning for 1512108 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : MICELLA

Version information:

BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00

AVSCAN.EXE : 9.0.3.10 466689 Bytes 12/9/2009 03:29:27

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 03:11:02

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:11:05

VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 03:11:05

VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 03:11:06

VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 03:11:06

VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 03:11:06

VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 03:11:06

VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 03:11:06

VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 03:11:06

VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 03:11:06

VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 03:11:07

VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 03:11:07

VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 03:11:07

VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 20:34:57

VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 03:26:51

VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 03:27:06

VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 02:46:37

VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 01:43:12

VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 00:01:37

VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 21:41:04

VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 16:03:03

VBASE021.VDF : 7.10.2.131 201216 Bytes 1/7/2010 01:40:22

VBASE022.VDF : 7.10.2.132 2048 Bytes 1/7/2010 01:40:22

VBASE023.VDF : 7.10.2.133 2048 Bytes 1/7/2010 01:40:22

VBASE024.VDF : 7.10.2.134 2048 Bytes 1/7/2010 01:40:23

VBASE025.VDF : 7.10.2.135 2048 Bytes 1/7/2010 01:40:23

VBASE026.VDF : 7.10.2.136 2048 Bytes 1/7/2010 01:40:23

VBASE027.VDF : 7.10.2.137 2048 Bytes 1/7/2010 01:40:24

VBASE028.VDF : 7.10.2.138 2048 Bytes 1/7/2010 01:40:24

VBASE029.VDF : 7.10.2.139 2048 Bytes 1/7/2010 01:40:24

VBASE030.VDF : 7.10.2.140 2048 Bytes 1/7/2010 01:40:25

VBASE031.VDF : 7.10.2.151 146944 Bytes 1/8/2010 01:41:02

Engineversion : 8.2.1.134

AEVDF.DLL : 8.1.1.2 106867 Bytes 9/15/2009 22:58:02

AESCRIPT.DLL : 8.1.3.7 594296 Bytes 1/5/2010 01:19:44

AESCN.DLL : 8.1.3.0 127348 Bytes 12/11/2009 16:12:14

AESBX.DLL : 8.1.1.1 246132 Bytes 11/20/2009 03:11:10

AERDL.DLL : 8.1.3.4 479605 Bytes 12/1/2009 03:26:47

AEPACK.DLL : 8.2.0.4 422263 Bytes 1/5/2010 01:19:43

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/17/2009 21:32:46

AEHEUR.DLL : 8.1.0.194 2228599 Bytes 1/9/2010 01:41:08

AEHELP.DLL : 8.1.9.0 237943 Bytes 12/17/2009 01:43:17

AEGEN.DLL : 8.1.1.83 369014 Bytes 1/5/2010 01:19:36

AEEMU.DLL : 8.1.1.0 393587 Bytes 10/3/2009 05:15:48

AECORE.DLL : 8.1.9.1 180598 Bytes 12/11/2009 16:12:14

AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 17:49:34

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 11/18/2009 18:16:53

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58

RCTEXT.DLL : 9.0.73.0 86785 Bytes 12/9/2009 03:29:24

Configuration settings for the scan:

Jobname.............................: Local Hard Disks

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\alldiscs.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: Intelligent file selection

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Monday, January 11, 2010 12:00

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'Na2he17GJ.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'mrtmngr.exe' - '1' Module(s) have been scanned

Scan process 'soffice.bin' - '1' Module(s) have been scanned

Scan process 'soffice.exe' - '1' Module(s) have been scanned

Scan process 'ymetray.exe' - '1' Module(s) have been scanned

Scan process 'QBDAgent.exe' - '1' Module(s) have been scanned

Scan process 'HWU54G.exe' - '1' Module(s) have been scanned

Scan process 'DLG.exe' - '1' Module(s) have been scanned

Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'QTTask.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'mim.exe' - '1' Module(s) have been scanned

Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned

Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned

Scan process 'ycommon.exe' - '1' Module(s) have been scanned

Scan process 'MMDiag.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'lxdiamon.exe' - '1' Module(s) have been scanned

Scan process 'lxdimon.exe' - '1' Module(s) have been scanned

Scan process 'WkUFind.exe' - '1' Module(s) have been scanned

Scan process 'realplay.exe' - '1' Module(s) have been scanned

Scan process 'ybrwicon.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned

Scan process 'lxdicoms.exe' - '1' Module(s) have been scanned

Scan process 'lxdiserv.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

56 processes with 56 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '75' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Qoobox\Quarantine\C\eujbmv.exe.vir

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

C:\Recovery\072109\missy\Local Settings\Temp\ymsgr.Id_32118.yim

[0] Archive type: CAB (Microsoft)

--> ymsgr.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

[WARNING] No further files can be extracted from this archive. The archive will be closed

C:\Recovery\072109\missy\Local Settings\Temp\ymsgr.yim

[0] Archive type: CAB (Microsoft)

--> ymsgr.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

[WARNING] No further files can be extracted from this archive. The archive will be closed

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000309.exe

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

Beginning disinfection:

C:\Qoobox\Quarantine\C\eujbmv.exe.vir

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

[NOTE] The file was moved to '4bb57b88.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000309.exe

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

[NOTE] The file was moved to '4b7b7b43.qua'!

End of the scan: Monday, January 11, 2010 13:25

Used time: 1:13:14 Hour(s)

The scan has been done completely.

23183 Scanned directories

729266 Files were scanned

2 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

2 Files were moved to quarantine

0 Files were renamed

2 Files cannot be scanned

729262 Files not concerned

6467 Archives were scanned

6 Warnings

4 Notes

Attach_2.zip

Link to post
Share on other sites

Looks good Avira only removed what we did already.

The files it found are in the Combofix quarantine folder.

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

======Next======

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that your all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.