pecosred Posted January 9, 2010 ID:182030 Share Posted January 9, 2010 My neighbor's computer got infected with Vundo and other malware even though Malwarebytes Pro was installed (they let their kids use LimeWire). I guess I need to install a better firewall.Although Malwarebytes repaired the items it found, the computer still appears to be infected. The log files are posted below. Thanks for your help!Malwarebytes' Anti-Malware 1.44Database version: 3523Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187021/8/2010 7:11:32 PMmbam-log-2010-01-08 (19-11-32).txtScan type: Quick ScanObjects scanned: 151350Time elapsed: 18 minute(s), 45 second(s)Memory Processes Infected: 1Memory Modules Infected: 4Registry Keys Infected: 2Registry Values Infected: 5Registry Data Items Infected: 15Folders Infected: 0Files Infected: 20Memory Processes Infected:C:\WINDOWS\SYSTEM32\smss32.exe (Trojan.Downloader) -> Unloaded process successfully.Memory Modules Infected:C:\WINDOWS\SYSTEM32\fetotava.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\SYSTEM32\hugimizu.dll (Trojan.Vundo.H) -> Delete on reboot.c:\WINDOWS\SYSTEM32\vuvimuwe.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\SYSTEM32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{66ca1269-d0e8-4647-b23b-850c72e5addd} (Trojan.Vundo.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{009541a0-3b00-1f1c-00f3-040224001c01} (Trojan.Agent) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yizovaliv (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{66ca1269-d0e8-4647-b23b-850c72e5addd} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gifolosuf (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\swupdate (Trojan.Agent) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: fetotava.dll -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vuvimuwe.dll -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vuvimuwe.dll -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\SYSTEM32\dudetelo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\fetotava.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\SYSTEM32\fihiyota.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\hugimizu.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\SYSTEM32\huvajolu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\pamatuma.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\vuvimuwe.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\SYSTEM32\wijidapa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\wiwijadu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\winlogon32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\rdl5F.tmp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\omar\Local Settings\Temp\n.exn (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\omar\Local Settings\Temporary Internet Files\Content.IE5\966QKVG0\load[1].php (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\SYSTEM32\logon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\Local.dtd (Malware.Trace) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\Ui.dtd (Malware.Trace) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\UTemp.dtd (Malware.Trace) -> Quarantined and deleted successfully.* * * * * * * * * *DDS (Ver_09-12-01.01) - NTFSx86 Run by jay at 21:21:59.51 on Fri 01/08/2010Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.516 [GMT -6:00]AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupsvchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exesvchost.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exeC:\WINDOWS\system32\lxdicoms.exeC:\Program Files\Dell Support Center\bin\sprtsvc.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\WINDOWS\Explorer.exeC:\WINDOWS\system32\wscntfy.exeC:\PROGRA~1\Yahoo!\browser\ybrwicon.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeC:\Program Files\Lexmark 3500-4500 Series\lxdimon.exeC:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exeC:\PROGRA~1\Yahoo!\browser\ycommon.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\System32\svchost.exe -k HTTPFilterC:\Program Files\DellSupport\DSAgnt.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exeC:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exeC:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exeC:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\WINDOWS\system32\mrtMngr.EXEC:\Program Files\OpenOffice.org 3\program\soffice.binC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exeC:\Documents and Settings\jay\Desktop\Defogger.exeC:\Documents and Settings\jay\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://att.yahoo.comuSearch Page = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.comuDefault_Page_URL = hxxp://www.dell4me.com/mywayuSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.htmluSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.htmluInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywayuSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.comuURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dllBHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dllBHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dllBHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dllTB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No FileEB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dllEB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dlluRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quietuRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /backgrounduRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startupmRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exemRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERmRun: [NeroCheck] c:\windows\system32\\NeroCheck.exemRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exemRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exemRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"mRun: [iPInSightMonitor 01] "c:\program files\sbc yahoo!\connection manager\ip insight\IPMon32.exe"mRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /smRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCentermRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /minmRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttrayStartupFolder: c:\docume~1\jay\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hawkin~1.lnk - c:\program files\hawking technologies\hawking_hwu54g_utility\HWU54G.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks pro\components\qbagent\QBDAgent.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exeIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dllIE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dllTrusted Zone: musicmatch.com\onlineDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dllDPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dllDPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} - hxxp://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cabDPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dllDPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cabDPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cabDPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cabNotify: igfxcui - igfxsrvc.dllAppInit_DLLs: hugimizu.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,================= FIREFOX ===================FF - ProfilePath - c:\docume~1\jay\applic~1\mozilla\firefox\profiles\jkx7w763.default\FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/?_bc=1|https://login.yahoo.com/config/login_verify2?&.src=ymFF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}---- FIREFOX POLICIES ----c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);============= SERVICES / DRIVERS ===============R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-31 11608]R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-31 56816]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-7-10 19160]S3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [2008-7-10 247296]============== File Associations ===============regfile=regedit.exe "%1" %*=============== Created Last 30 ================2010-01-09 03:19:47 0 ----a-w- c:\documents and settings\jay\defogger_reenable2010-01-09 01:07:09 0 ----a-w- c:\windows\system32\8201.exe2010-01-09 00:47:08 0 ----a-w- c:\windows\system32\1274.exe2010-01-09 00:07:02 0 ----a-w- c:\windows\system32\15724.exe2010-01-08 23:47:02 0 ----a-w- c:\windows\system32\19169.exe2010-01-08 23:27:01 0 ----a-w- c:\windows\system32\26500.exe2010-01-08 23:06:49 0 ----a-w- c:\windows\system32\6334.exe2010-01-08 22:46:45 0 ----a-w- c:\windows\system32\18467.exe2010-01-08 19:56:33 0 ----a-w- c:\windows\system32\IS15.exe2010-01-08 19:56:16 2931 ----a-w- c:\windows\system32\warning.html2009-12-13 05:04:44 471552 ------w- c:\windows\system32\dllcache\aclayers.dll==================== Find3M ====================2009-12-30 20:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-12-30 20:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-21 00:40:16 1386 ----a-w- c:\docume~1\jay\applic~1\wklnhst.dat2009-12-09 03:29:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe2009-10-25 22:51:51 60364 ---ha-w- c:\windows\system32\mlfcache.dat2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll2008-09-26 04:08:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092520080926\index.dat============= FINISH: 21:28:20.31 ===============Attach.zip Link to post Share on other sites More sharing options...
kahdah Posted January 9, 2010 ID:182062 Share Posted January 9, 2010 MAM honorary members are not allowed to post in this forum.=======================================pecosred Welcome to Malwarebytes forum.One or more of the identified infections is a backdoor trojan or rootkit.This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?When Should I Format, How Should I ReinstallWe can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. Link to post Share on other sites More sharing options...
pecosred Posted January 10, 2010 Author ID:182449 Share Posted January 10, 2010 Thank you for the swift reply, kahdah.I was considering a reformat and reinstall. But I am told that the computer does not contain any sensitive information and is not used for online banking (and only rarely for making credit card purchases), so that approach might not be warranted. And since I'm pretty certain they will continue using P2P applications, it seems fairly likely that the computer will become reinfected before long.I'm thinking maybe I should just go ahead and clean the machine. Do you have any advice or recommendations beyond the information in the links you provided? (If you'd prefer not to answer that, I understand, but I thought I would ask.)Thanks. Link to post Share on other sites More sharing options...
kahdah Posted January 10, 2010 ID:182472 Share Posted January 10, 2010 ok other advice and recommendations will be given when we finish it up.We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please include the C:\ComboFix.txt in your next reply for further review. Link to post Share on other sites More sharing options...
pecosred Posted January 10, 2010 Author ID:182489 Share Posted January 10, 2010 ok other advice and recommendations will be given when we finish it up.Sorry, I guess I was unclear. I meant advice and recommendations regarding the decision whether to reformat or clean the infection. Link to post Share on other sites More sharing options...
kahdah Posted January 10, 2010 ID:182491 Share Posted January 10, 2010 Well if it is not used for financial transactions then it will be fine.I would recommend cleaning it up since that is not the case. Link to post Share on other sites More sharing options...
pecosred Posted January 11, 2010 Author ID:182634 Share Posted January 11, 2010 OK, I got ComboFix to run, although a rogue was blocking it at first. I kept getting the following warning message: "Application cannot be executed. The file Combofix.exe is infected. Do you want to activate your antivirus software now?" (In fact, a similar message popped up while ComboFIx was preparing its log file.)To get it to run, I tried renaming it ComboFix.scr and winlogon.exe, but it was blocked both times. Finally I tried running it as a different user (this computer has four user accounts). That worked.Here is the log:ComboFix 10-01-04.01 - jay 01/10/2010 17:48:23.1.1 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.714 [GMT -6:00]Running from: c:\documents and settings\jay\Desktop\ComboFix.exeAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\docume~1\omar\LOCALS~1\Temp\tmp2.tmpC:\sc:\windows\patch.exec:\windows\system32\11478.exec:\windows\system32\11538.exec:\windows\system32\11942.exec:\windows\system32\12316.exec:\windows\system32\12382.exec:\windows\system32\1274.exec:\windows\system32\12859.exec:\windows\system32\14604.exec:\windows\system32\14771.exec:\windows\system32\15141.exec:\windows\system32\153.exec:\windows\system32\15724.exec:\windows\system32\16827.exec:\windows\system32\17035.exec:\windows\system32\17421.exec:\windows\system32\17673.exec:\windows\system32\1842.exec:\windows\system32\18467.exec:\windows\system32\1869.exec:\windows\system32\18716.exec:\windows\system32\19169.exec:\windows\system32\19718.exec:\windows\system32\19895.exec:\windows\system32\19912.exec:\windows\system32\20037.exec:\windows\system32\21726.exec:\windows\system32\22190.exec:\windows\system32\23281.exec:\windows\system32\23811.exec:\windows\system32\24464.exec:\windows\system32\25547.exec:\windows\system32\25667.exec:\windows\system32\26299.exec:\windows\system32\26500.exec:\windows\system32\26962.exec:\windows\system32\27529.exec:\windows\system32\27644.exec:\windows\system32\28145.exec:\windows\system32\28253.exec:\windows\system32\28703.exec:\windows\system32\288.exec:\windows\system32\292.exec:\windows\system32\29358.exec:\windows\system32\2995.exec:\windows\system32\30106.exec:\windows\system32\30333.exec:\windows\system32\3035.exec:\windows\system32\31322.exec:\windows\system32\32391.exec:\windows\system32\32662.exec:\windows\system32\32757.exec:\windows\system32\3902.exec:\windows\system32\41.exec:\windows\system32\4664.exec:\windows\system32\4827.exec:\windows\system32\491.exec:\windows\system32\5436.exec:\windows\system32\5447.exec:\windows\system32\5705.exec:\windows\system32\6334.exec:\windows\system32\6868.exec:\windows\system32\7711.exec:\windows\system32\778.exec:\windows\system32\8201.exec:\windows\system32\8723.exec:\windows\system32\9040.exec:\windows\system32\9741.exec:\windows\system32\9894.exec:\windows\system32\9961.exec:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\kjbmtlc:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\kjbmtl\hhkjsysguard.exec:\windows\system32\drivers\fad.sysc:\windows\system32\fanudugu.dllc:\windows\system32\helper32.dllc:\windows\system32\jaduyodu.dllc:\windows\system32\kadidika.dllc:\windows\system32\kbdsock.dllc:\windows\system32\mshlps.dllc:\windows\Tasks\eknqyenl.jobc:\windows\Tasks\lmwcyaxx.jobc:\windows\Temp\0c3770fb.exeInfected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected Restored copy from - Kitty ate it .((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_TDSSSERV.SYS((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 ))))))))))))))))))))))))))))))).2010-01-10 23:29 . 2010-01-10 23:31 -------- d-----w- C:\32788R22FWJFW2010-01-10 23:17 . 2010-01-10 23:17 34816 ----a-w- c:\windows\system32\IS15.exe2010-01-10 23:02 . 2010-01-10 23:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE2010-01-09 17:26 . 2010-01-09 17:25 33792 ----a-w- c:\windows\system32\winlogon32.exe2010-01-09 17:26 . 2010-01-09 17:25 33792 ----a-w- c:\windows\system32\smss32.exe2010-01-09 17:25 . 2010-01-09 17:25 33792 ----a-w- C:\khkil.exe2010-01-09 17:25 . 2010-01-09 17:25 52224 ----a-w- C:\eujbmv.exe2010-01-09 05:41 . 2010-01-09 05:43 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe2010-01-08 01:43 . 2010-01-08 01:43 -------- d-sh--w- c:\documents and settings\missy\PrivacIE2010-01-07 23:49 . 2010-01-07 23:49 -------- d-sh--w- c:\documents and settings\omar\PrivacIE2010-01-07 01:28 . 2010-01-07 01:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache2009-12-29 05:06 . 2009-12-29 05:06 -------- d-----w- c:\documents and settings\jay\Local Settings\Application Data\Apple2009-12-13 05:04 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-01-11 00:09 . 2010-01-11 00:09 0 ----a-w- c:\windows\system32\41.exe2010-01-11 00:09 . 2010-01-11 00:09 0 ----a-w- c:\windows\system32\helper32.dll2010-01-09 00:27 . 2008-07-10 16:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-01-08 03:53 . 2007-03-06 03:26 -------- d-----w- c:\documents and settings\jay\Application Data\LimeWire2010-01-08 03:35 . 2004-12-28 20:01 14174 ----a-w- c:\documents and settings\marcie\Application Data\wklnhst.dat2010-01-08 02:19 . 2008-04-04 17:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2010-01-08 01:41 . 2005-10-28 21:34 -------- d-----w- c:\documents and settings\missy\Application Data\LimeWire2010-01-07 23:57 . 2007-03-06 03:32 -------- d-----w- c:\documents and settings\omar\Application Data\LimeWire2009-12-31 23:00 . 2008-07-10 17:08 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe2009-12-31 21:30 . 2004-12-11 06:49 -------- d-----w- c:\program files\Java2009-12-31 21:28 . 2009-12-31 21:28 152576 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll2009-12-31 21:27 . 2009-12-31 21:27 79488 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll2009-12-30 20:55 . 2008-07-25 00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-12-30 20:54 . 2008-07-10 16:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-29 05:07 . 2009-12-07 00:34 -------- d-----w- c:\documents and settings\jay\Application Data\Apple Computer2009-12-25 21:14 . 2009-08-05 01:03 -------- d-----w- c:\documents and settings\marcie\Application Data\Apple Computer2009-12-21 00:40 . 2004-12-30 02:29 1386 ----a-w- c:\documents and settings\jay\Application Data\wklnhst.dat2009-12-09 03:29 . 2009-08-01 04:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-12-05 19:28 . 2009-12-05 19:28 -------- d-----w- c:\program files\Microsoft Silverlight2009-12-04 00:58 . 2008-12-28 03:12 -------- d-----w- c:\documents and settings\missy\Application Data\Apple Computer2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll2009-11-20 03:06 . 2004-12-28 02:04 10842 ----a-w- c:\documents and settings\missy\Application Data\wklnhst.dat2009-11-17 16:24 . 2009-11-18 18:15 586108 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescript.dll2009-11-17 16:24 . 2009-11-18 18:15 237943 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll2009-11-17 03:17 . 2008-04-04 17:37 -------- d-----w- c:\program files\SpywareBlaster2009-11-11 22:08 . 2009-11-18 18:15 364917 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aegen.dll2009-11-06 23:32 . 2009-11-18 18:15 2093432 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll2009-11-05 21:21 . 2009-11-18 18:15 422261 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aepack.dll2009-11-05 21:21 . 2009-11-18 18:15 184694 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll2009-10-29 07:45 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll2009-10-25 22:51 . 2009-10-25 22:51 60364 ---ha-w- c:\windows\system32\mlfcache.dat2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll1601-01-01 00:00 . 1601-01-01 00:00 53248 --sha-w- c:\windows\SYSTEM32\diyukode.dll1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\SYSTEM32\gerabuse.dll1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\SYSTEM32\holuyibi.dll1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\SYSTEM32\yemikome.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aee77b27-a0b7-494f-bda9-0f8a9055e7f4}]1601-01-01 00:00 53248 --sha-w- c:\windows\SYSTEM32\diyukode.dll[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-12-11 26112]"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-30 429392]"smss32.exe"="c:\windows\system32\smss32.exe" [2010-01-09 33792]c:\documents and settings\missy\Start Menu\Programs\Startup\LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-2-8 147456]c:\documents and settings\jay\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-17 110592]Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-11 24576]Hawking HWU54G Utility.lnk - c:\program files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe [2009-1-10 438272]Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]QuickBooks Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2007-9-13 118784]ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]"Userinit"="c:\windows\system32\winlogon32.exe"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"="c:\\Program Files\\LimeWire\\LimeWire.exe"="c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"="c:\\Program Files\\Real\\RealPlayer\\realplay.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="c:\\WINDOWS\\SYSTEM32\\lxdicoms.exe"="c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"="c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"="c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"="c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"="c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"="c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdipswx.exe"="c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdijswx.exe"="c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxditime.exe"="c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdiwbgw.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\MMDiag.exe"=R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/31/2009 10:31 PM 108289]R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdiserv.exe [9/17/2007 5:08 PM 99248]R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [7/10/2008 10:35 AM 19160]S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2008 10:35 AM 235344]S3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [7/10/2008 10:53 AM 247296]--- Other Services/Drivers In Memory ---*Deregistered* - IPVNMon.Contents of the 'Scheduled Tasks' folder2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]..------- Supplementary Scan -------.uStart Page = hxxp://att.yahoo.comuSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.htmluInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywayuSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.comTrusted Zone: musicmatch.com\onlineFF - ProfilePath - c:\documents and settings\jay\Application Data\Mozilla\Firefox\Profiles\jkx7w763.default\FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/?_bc=1|https://login.yahoo.com/config/login_verify2?&.src=ymFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\.- - - - ORPHANS REMOVED - - - -HKLM-Run-yizovaliv - c:\windows\system32\fanudugu.dllHKLM-Run-bugivigafo - jaduyodu.dllSharedTaskScheduler-{fd978867-51f5-4f8d-b953-129029c8dc68} - c:\windows\system32\fanudugu.dllSSODL-dazunepim-{fd978867-51f5-4f8d-b953-129029c8dc68} - c:\windows\system32\fanudugu.dll**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-01-10 18:05Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(2976)c:\windows\system32\WININET.dllc:\progra~1\WINDOW~2\wmpband.dllc:\windows\system32\ieframe.dllc:\windows\system32\mshtml.dllc:\windows\system32\msls31.dllc:\windows\system32\jscript.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Lavasoft\Ad-Aware\aawservice.exec:\windows\system32\LEXBCES.EXEc:\windows\system32\LEXPPS.EXEc:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\lxdicoms.exec:\program files\Dell Support Center\bin\sprtsvc.exec:\progra~1\Yahoo!\browser\ycommon.exec:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exec:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exec:\program files\OpenOffice.org 3\program\soffice.exec:\program files\OpenOffice.org 3\program\soffice.binc:\windows\system32\mrtMngr.EXEc:\program files\iPod\bin\iPodService.exec:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe.**************************************************************************.Completion time: 2010-01-10 18:15:03 - machine was rebootedComboFix-quarantined-files.txt 2010-01-11 00:14Pre-Run: 186,154,455,040 bytes freePost-Run: 189,586,264,064 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect- - End Of File - - ACC5865EE8A17BA3CAF1B6EA615A10CE Link to post Share on other sites More sharing options...
kahdah Posted January 11, 2010 ID:182645 Share Posted January 11, 2010 Please uninstall Limewire first it is a part of the Hijackthis forum policy.HiJack This! Forum Policy1. Open notepad and copy/paste the text in the codebox below into it:http://www.malwarebytes.org/forums/index.php?showtopic=35943KillAll:Registry::[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"File::c:\windows\system32\winlogon32.exec:\windows\system32\smss32.exec:\windows\system32\41.exec:\windows\system32\helper32.dllc:\windows\SYSTEM32\diyukode.dllc:\windows\SYSTEM32\gerabuse.dllc:\windows\SYSTEM32\holuyibi.dllc:\windows\SYSTEM32\yemikome.dllCollect::[44]c:\windows\system32\IS15.exeC:\khkil.exeC:\eujbmv.exeSave this as CFScript.txt Refering to the picture above, drag CFScript.txt into ComboFix.exeWhen finished, it shall produce a log for you. Post that log in your next reply.**Note** When CF finishes running, the ComboFix log will open. With the above script, ComboFix will capture files to submit for analysis.If it does not say that it uploaded the files sucessfully then please do the following below.===========Note::If Combofix fails to upload anything please do the following:Go to Start > My Computer > C:\Then Navigate to C:\Qoobox\Quarantine\[44]-Submit_Date_Time.zipClick Here to upload the submit.zip please. Link to post Share on other sites More sharing options...
pecosred Posted January 11, 2010 Author ID:182663 Share Posted January 11, 2010 I uninstalled LimeWire as requested.I did not see a message indicating that ComboFix had uploaded any files, so I submitted them to the link provided.Here is the new log:ComboFix 10-01-04.01 - jay 01/10/2010 20:29:03.2.1 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.577 [GMT -6:00]Running from: c:\documents and settings\jay\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\jay\Desktop\CFScript.txtAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}FILE ::"c:\windows\system32\41.exe""c:\windows\SYSTEM32\diyukode.dll""c:\windows\SYSTEM32\gerabuse.dll""c:\windows\system32\helper32.dll""c:\windows\SYSTEM32\holuyibi.dll""c:\windows\system32\smss32.exe""c:\windows\system32\winlogon32.exe""c:\windows\SYSTEM32\yemikome.dll"file zipped: C:\eujbmv.exefile zipped: C:\khkil.exefile zipped: c:\windows\system32\IS15.exe.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\eujbmv.exeC:\khkil.exec:\windows\system32\11478.exec:\windows\system32\15724.exec:\windows\system32\18467.exec:\windows\system32\19169.exec:\windows\system32\26500.exec:\windows\system32\41.exec:\windows\system32\6334.exec:\windows\SYSTEM32\diyukode.dllc:\windows\SYSTEM32\gerabuse.dllc:\windows\system32\helper32.dllc:\windows\SYSTEM32\holuyibi.dllc:\windows\system32\IS15.exec:\windows\system32\smss32.exec:\windows\system32\winlogon32.exec:\windows\SYSTEM32\yemikome.dll.((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 ))))))))))))))))))))))))))))))).2010-01-10 23:02 . 2010-01-10 23:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE2010-01-09 05:41 . 2010-01-09 05:43 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe2010-01-08 01:43 . 2010-01-08 01:43 -------- d-sh--w- c:\documents and settings\missy\PrivacIE2010-01-07 23:49 . 2010-01-07 23:49 -------- d-sh--w- c:\documents and settings\omar\PrivacIE2010-01-07 01:28 . 2010-01-07 01:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache2009-12-29 05:06 . 2009-12-29 05:06 -------- d-----w- c:\documents and settings\jay\Local Settings\Application Data\Apple2009-12-13 05:04 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-01-11 02:13 . 2005-10-28 21:33 -------- d-----w- c:\program files\LimeWire2010-01-09 00:27 . 2008-07-10 16:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-01-08 03:53 . 2007-03-06 03:26 -------- d-----w- c:\documents and settings\jay\Application Data\LimeWire2010-01-08 03:35 . 2004-12-28 20:01 14174 ----a-w- c:\documents and settings\marcie\Application Data\wklnhst.dat2010-01-08 02:19 . 2008-04-04 17:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2010-01-08 01:41 . 2005-10-28 21:34 -------- d-----w- c:\documents and settings\missy\Application Data\LimeWire2010-01-07 23:57 . 2007-03-06 03:32 -------- d-----w- c:\documents and settings\omar\Application Data\LimeWire2009-12-31 23:00 . 2008-07-10 17:08 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe2009-12-31 21:30 . 2004-12-11 06:49 -------- d-----w- c:\program files\Java2009-12-31 21:28 . 2009-12-31 21:28 152576 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll2009-12-31 21:27 . 2009-12-31 21:27 79488 ----a-w- c:\documents and settings\missy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll2009-12-30 20:55 . 2008-07-25 00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-12-30 20:54 . 2008-07-10 16:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-29 05:07 . 2009-12-07 00:34 -------- d-----w- c:\documents and settings\jay\Application Data\Apple Computer2009-12-25 21:14 . 2009-08-05 01:03 -------- d-----w- c:\documents and settings\marcie\Application Data\Apple Computer2009-12-21 00:40 . 2004-12-30 02:29 1386 ----a-w- c:\documents and settings\jay\Application Data\wklnhst.dat2009-12-09 03:29 . 2009-08-01 04:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-12-05 19:28 . 2009-12-05 19:28 -------- d-----w- c:\program files\Microsoft Silverlight2009-12-04 00:58 . 2008-12-28 03:12 -------- d-----w- c:\documents and settings\missy\Application Data\Apple Computer2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll2009-11-20 03:06 . 2004-12-28 02:04 10842 ----a-w- c:\documents and settings\missy\Application Data\wklnhst.dat2009-11-17 16:24 . 2009-11-18 18:15 586108 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescript.dll2009-11-17 16:24 . 2009-11-18 18:15 237943 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll2009-11-17 03:17 . 2008-04-04 17:37 -------- d-----w- c:\program files\SpywareBlaster2009-11-11 22:08 . 2009-11-18 18:15 364917 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aegen.dll2009-11-06 23:32 . 2009-11-18 18:15 2093432 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll2009-11-05 21:21 . 2009-11-18 18:15 422261 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aepack.dll2009-11-05 21:21 . 2009-11-18 18:15 184694 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll2009-10-29 07:45 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll2009-10-25 22:51 . 2009-10-25 22:51 60364 ---ha-w- c:\windows\system32\mlfcache.dat2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-12-11 26112]"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-30 429392]"bugivigafo"="jaduyodu.dll" [bU]c:\documents and settings\jay\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-17 110592]Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-11 24576]Hawking HWU54G Utility.lnk - c:\program files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe [2009-1-10 438272]Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]QuickBooks Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2007-9-13 118784]ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512][HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"="c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"="c:\\Program Files\\Real\\RealPlayer\\realplay.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="c:\\WINDOWS\\SYSTEM32\\lxdicoms.exe"="c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"="c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"="c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"="c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"="c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"="c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdipswx.exe"="c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdijswx.exe"="c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxditime.exe"="c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdiwbgw.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\MMDiag.exe"="c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/31/2009 10:31 PM 108289]R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdiserv.exe [9/17/2007 5:08 PM 99248]R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [7/10/2008 10:35 AM 19160]S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2008 10:35 AM 235344]S3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [7/10/2008 10:53 AM 247296]--- Other Services/Drivers In Memory ---*Deregistered* - IPVNMon.Contents of the 'Scheduled Tasks' folder2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]..------- Supplementary Scan -------.uStart Page = hxxp://att.yahoo.comuSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.htmluInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywayuSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.comTrusted Zone: musicmatch.com\onlineFF - ProfilePath - c:\documents and settings\jay\Application Data\Mozilla\Firefox\Profiles\jkx7w763.default\FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/?_bc=1|https://login.yahoo.com/config/login_verify2?&.src=ymFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\.- - - - ORPHANS REMOVED - - - -BHO-{aee77b27-a0b7-494f-bda9-0f8a9055e7f4} - diyukode.dllHKLM-Run-smss32.exe - c:\windows\system32\smss32.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-01-10 21:10Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(4040)c:\windows\system32\WININET.dllc:\progra~1\WINDOW~2\wmpband.dllc:\windows\system32\ieframe.dllc:\windows\system32\mshtml.dllc:\windows\system32\msls31.dllc:\windows\system32\jscript.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Lavasoft\Ad-Aware\aawservice.exec:\windows\system32\LEXBCES.EXEc:\windows\system32\LEXPPS.EXEc:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\lxdicoms.exec:\program files\Dell Support Center\bin\sprtsvc.exec:\progra~1\Yahoo!\browser\ycommon.exec:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exec:\windows\system32\Rundll32.exec:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exec:\program files\OpenOffice.org 3\program\soffice.exec:\windows\system32\mrtMngr.EXEc:\program files\OpenOffice.org 3\program\soffice.binc:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exec:\program files\iPod\bin\iPodService.exe.**************************************************************************.Completion time: 2010-01-10 21:18:52 - machine was rebootedComboFix-quarantined-files.txt 2010-01-11 03:18ComboFix2.txt 2010-01-11 00:15Pre-Run: 189,652,754,432 bytes freePost-Run: 189,617,086,464 bytes free- - End Of File - - C472FD53DA5F9E9199240E570417A9C6 Link to post Share on other sites More sharing options...
kahdah Posted January 11, 2010 ID:182765 Share Posted January 11, 2010 Update Run MalwarebytesPlease update\run Malwarebytes' Anti-Malware.Double Click the Malwarebytes Anti-Malware icon to run the application.Click on the update tab then click on Check for updates.If an update is found, it will download and install the latest version.Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.=====* Go here to run an online scannner from ESET.Note: You will need to use Internet explorer for this scanTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the activex control to installClick StartCheck next options: Remove found threats and Scan unwanted applications.Click ScanWait for the scan to finishUse notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txtCopy and paste that log as a reply to this topic Link to post Share on other sites More sharing options...
pecosred Posted January 11, 2010 Author ID:182854 Share Posted January 11, 2010 ESET scanner would not run in IE--I probably need to reinstall Java. I downloaded the standalone scanner and ran it instead.Logs are pasted below.Malwarebytes' Anti-Malware 1.44Database version: 3540Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187021/11/2010 10:12:53 AMmbam-log-2010-01-11 (10-12-53).txtScan type: Quick ScanObjects scanned: 138278Time elapsed: 7 minute(s), 30 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 2Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bugivigafo (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\SYSTEM32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.* * * * * * * * * *ESETSmartInstaller@High as downloader log:all ok# version=7# OnlineScannerApp.exe=1.0.0.1# OnlineScanner.ocx=1.0.0.6211# api_version=3.0.2# EOSSerial=ba4e1da03b55d0479780348999eedee1# end=finished# remove_checked=true# archives_checked=false# unwanted_checked=true# unsafe_checked=false# antistealth_checked=true# utc_time=2010-01-11 05:32:14# local_time=2010-01-11 11:32:14 (-0600, Central Standard Time)# country="United States"# lang=1033# osver=5.1.2600 NT Service Pack 3# compatibility_mode=512 16777215 100 0 47860912 47860912 0 0# compatibility_mode=1792 16777191 100 0 13204837 13204837 0 0# compatibility_mode=8192 67108863 100 0 0 0 0 0# scanned=196675# found=20# cleaned=20# scan_time=3599C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\diyukode.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fanudugu.dll.vir a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gerabuse.dll.vir a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\holuyibi.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jaduyodu.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kadidika.dll.vir a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kbdsock.dll.vir Win32/Agent.QPI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\smss32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.SJ virus (deleted - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000004.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000179.dll a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000181.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000182.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000183.dll Win32/Agent.QPI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000202.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000311.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000312.dll a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000313.dll a variant of Win32/Adware.SuperJuan.S application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000314.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C Link to post Share on other sites More sharing options...
kahdah Posted January 11, 2010 ID:182860 Share Posted January 11, 2010 Great let me know how things are running and post a new DDS log. Link to post Share on other sites More sharing options...
pecosred Posted January 11, 2010 Author ID:182901 Share Posted January 11, 2010 Avira started a scheduled scan shortly after I made my previous post, so I've included that log file below.A new DDS log is attached.Avira AntiVir PersonalReport file date: Monday, January 11, 2010 12:00Scanning for 1512108 virus strains and unwanted programs.Licensee : Avira AntiVir Personal - FREE AntivirusSerial number : 0000149996-ADJIE-0000001Platform : Windows XPWindows version : (Service Pack 3) [5.1.2600]Boot mode : Normally bootedUsername : SYSTEMComputer name : MICELLAVersion information:BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00AVSCAN.EXE : 9.0.3.10 466689 Bytes 12/9/2009 03:29:27AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 03:11:02VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:11:05VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 03:11:05VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 03:11:06VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 03:11:06VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 03:11:06VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 03:11:06VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 03:11:06VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 03:11:06VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 03:11:06VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 03:11:07VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 03:11:07VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 03:11:07VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 20:34:57VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 03:26:51VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 03:27:06VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 02:46:37VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 01:43:12VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 00:01:37VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 21:41:04VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 16:03:03VBASE021.VDF : 7.10.2.131 201216 Bytes 1/7/2010 01:40:22VBASE022.VDF : 7.10.2.132 2048 Bytes 1/7/2010 01:40:22VBASE023.VDF : 7.10.2.133 2048 Bytes 1/7/2010 01:40:22VBASE024.VDF : 7.10.2.134 2048 Bytes 1/7/2010 01:40:23VBASE025.VDF : 7.10.2.135 2048 Bytes 1/7/2010 01:40:23VBASE026.VDF : 7.10.2.136 2048 Bytes 1/7/2010 01:40:23VBASE027.VDF : 7.10.2.137 2048 Bytes 1/7/2010 01:40:24VBASE028.VDF : 7.10.2.138 2048 Bytes 1/7/2010 01:40:24VBASE029.VDF : 7.10.2.139 2048 Bytes 1/7/2010 01:40:24VBASE030.VDF : 7.10.2.140 2048 Bytes 1/7/2010 01:40:25VBASE031.VDF : 7.10.2.151 146944 Bytes 1/8/2010 01:41:02Engineversion : 8.2.1.134AEVDF.DLL : 8.1.1.2 106867 Bytes 9/15/2009 22:58:02AESCRIPT.DLL : 8.1.3.7 594296 Bytes 1/5/2010 01:19:44AESCN.DLL : 8.1.3.0 127348 Bytes 12/11/2009 16:12:14AESBX.DLL : 8.1.1.1 246132 Bytes 11/20/2009 03:11:10AERDL.DLL : 8.1.3.4 479605 Bytes 12/1/2009 03:26:47AEPACK.DLL : 8.2.0.4 422263 Bytes 1/5/2010 01:19:43AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/17/2009 21:32:46AEHEUR.DLL : 8.1.0.194 2228599 Bytes 1/9/2010 01:41:08AEHELP.DLL : 8.1.9.0 237943 Bytes 12/17/2009 01:43:17AEGEN.DLL : 8.1.1.83 369014 Bytes 1/5/2010 01:19:36AEEMU.DLL : 8.1.1.0 393587 Bytes 10/3/2009 05:15:48AECORE.DLL : 8.1.9.1 180598 Bytes 12/11/2009 16:12:14AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 17:49:34AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59AVPREF.DLL : 9.0.3.0 44289 Bytes 11/18/2009 18:16:53AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58RCTEXT.DLL : 9.0.73.0 86785 Bytes 12/9/2009 03:29:24Configuration settings for the scan:Jobname.............................: Local Hard DisksConfiguration file..................: C:\Program Files\Avira\AntiVir Desktop\alldiscs.avpLogging.............................: lowPrimary action......................: interactiveSecondary action....................: ignoreScan master boot sector.............: onScan boot sector....................: onBoot sectors........................: C:, Process scan........................: onScan registry.......................: onSearch for rootkits.................: offIntegrity checking of system files..: offScan all files......................: Intelligent file selectionScan archives.......................: onRecursion depth.....................: 20Smart extensions....................: onMacro heuristic.....................: onFile heuristic......................: mediumStart of the scan: Monday, January 11, 2010 12:00The scan of running processes will be startedScan process 'avscan.exe' - '1' Module(s) have been scannedScan process 'Na2he17GJ.exe' - '1' Module(s) have been scannedScan process 'ctfmon.exe' - '1' Module(s) have been scannedScan process 'Ymsgr_tray.exe' - '1' Module(s) have been scannedScan process 'iPodService.exe' - '1' Module(s) have been scannedScan process 'mrtmngr.exe' - '1' Module(s) have been scannedScan process 'soffice.bin' - '1' Module(s) have been scannedScan process 'soffice.exe' - '1' Module(s) have been scannedScan process 'ymetray.exe' - '1' Module(s) have been scannedScan process 'QBDAgent.exe' - '1' Module(s) have been scannedScan process 'HWU54G.exe' - '1' Module(s) have been scannedScan process 'DLG.exe' - '1' Module(s) have been scannedScan process 'DSAgnt.exe' - '1' Module(s) have been scannedScan process 'msmsgs.exe' - '1' Module(s) have been scannedScan process 'iTunesHelper.exe' - '1' Module(s) have been scannedScan process 'QTTask.exe' - '1' Module(s) have been scannedScan process 'avgnt.exe' - '1' Module(s) have been scannedScan process 'wuauclt.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'mim.exe' - '1' Module(s) have been scannedScan process 'sprtcmd.exe' - '1' Module(s) have been scannedScan process 'DVDLauncher.exe' - '1' Module(s) have been scannedScan process 'ycommon.exe' - '1' Module(s) have been scannedScan process 'MMDiag.exe' - '1' Module(s) have been scannedScan process 'hkcmd.exe' - '1' Module(s) have been scannedScan process 'lxdiamon.exe' - '1' Module(s) have been scannedScan process 'lxdimon.exe' - '1' Module(s) have been scannedScan process 'WkUFind.exe' - '1' Module(s) have been scannedScan process 'realplay.exe' - '1' Module(s) have been scannedScan process 'ybrwicon.exe' - '1' Module(s) have been scannedScan process 'explorer.exe' - '1' Module(s) have been scannedScan process 'alg.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'sprtsvc.exe' - '1' Module(s) have been scannedScan process 'lxdicoms.exe' - '1' Module(s) have been scannedScan process 'lxdiserv.exe' - '1' Module(s) have been scannedScan process 'jqs.exe' - '1' Module(s) have been scannedScan process 'mDNSResponder.exe' - '1' Module(s) have been scannedScan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scannedScan process 'avguard.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'sched.exe' - '1' Module(s) have been scannedScan process 'LEXPPS.EXE' - '1' Module(s) have been scannedScan process 'spoolsv.exe' - '1' Module(s) have been scannedScan process 'LEXBCES.EXE' - '1' Module(s) have been scannedScan process 'aawservice.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'lsass.exe' - '1' Module(s) have been scannedScan process 'services.exe' - '1' Module(s) have been scannedScan process 'winlogon.exe' - '1' Module(s) have been scannedScan process 'csrss.exe' - '1' Module(s) have been scannedScan process 'smss.exe' - '1' Module(s) have been scanned56 processes with 56 modules were scannedStarting master boot sector scan:Master boot sector HD0 [iNFO] No virus was found!Start scanning boot sectors:Boot sector 'C:\' [iNFO] No virus was found!Starting to scan executable files (registry).The registry was scanned ( '75' files ).Starting the file scan:Begin scan in 'C:\'C:\hiberfil.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning.C:\pagefile.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning.C:\Qoobox\Quarantine\C\eujbmv.exe.vir [DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kitC:\Recovery\072109\missy\Local Settings\Temp\ymsgr.Id_32118.yim [0] Archive type: CAB (Microsoft) --> ymsgr.exe [WARNING] No further files can be extracted from this archive. The archive will be closed [WARNING] No further files can be extracted from this archive. The archive will be closedC:\Recovery\072109\missy\Local Settings\Temp\ymsgr.yim [0] Archive type: CAB (Microsoft) --> ymsgr.exe [WARNING] No further files can be extracted from this archive. The archive will be closed [WARNING] No further files can be extracted from this archive. The archive will be closedC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000309.exe [DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kitBeginning disinfection:C:\Qoobox\Quarantine\C\eujbmv.exe.vir [DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit [NOTE] The file was moved to '4bb57b88.qua'!C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000309.exe [DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit [NOTE] The file was moved to '4b7b7b43.qua'!End of the scan: Monday, January 11, 2010 13:25Used time: 1:13:14 Hour(s)The scan has been done completely. 23183 Scanned directories 729266 Files were scanned 2 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 2 Files were moved to quarantine 0 Files were renamed 2 Files cannot be scanned 729262 Files not concerned 6467 Archives were scanned 6 Warnings 4 NotesAttach_2.zip Link to post Share on other sites More sharing options...
kahdah Posted January 11, 2010 ID:183013 Share Posted January 11, 2010 Looks good Avira only removed what we did already.The files it found are in the Combofix quarantine folder.=======Cleanup======= Click START then RUN Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.======Next======Download OTC to your desktop and run itClick Yes to begin the Cleanup process and remove these components, including this application.You will be asked to reboot the machine to finish the Cleanup process. Choose Yes. Delete\uninstall anything else that we have used that is leftover.=====================================After that your all set. The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes. If your computer is slow Is a tutorial on what you can do if your computer is slow.File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc... Link to post Share on other sites More sharing options...
Recommended Posts