vundo and virtumonde, merry christmas
Among other things...
HJT log:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 5:04:31 PM, on 12/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avcenter.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlbtraderumors.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (file missing)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Input Device Main Program] C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [rijanogul] Rundll32.exe "c:\windows\system32\zodetego.dll",a
O4 - HKUS\S-1-5-18\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7153F67E-D655-4AEC-AEC1-6577ECA5B200}: NameServer = 193.104.110.38,4.2.2.1,68.116.46.115 68.189.122.26 68.116.46.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A79411-4DE1-46A4-BA45-D4CEBD61739B}: NameServer = 193.104.110.38,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: nujanizo.dll c:\windows\system32\ledanozo.dll c:\windows\system32\tizomahu.dll c:\windows\system32\maboveli.dll c:\windows\system32\lojaloke.dll c:\windows\system32\sefewana.dll c:\windows\system32\yolobohi.dll c:\windows\system32\sojerire.dll c:\windows\system32\yohujoku.dll c:\windows\system32\zodetego.dll
O21 - SSODL: sagomelal - {37fb00b4-e06c-4d2b-9a2d-8a62fd00ed20} - c:\windows\system32\ledanozo.dll (file missing)
O21 - SSODL: soyuhuhob - {7120e0a5-a89c-4a76-9e4a-c28085d9cf02} - c:\windows\system32\maboveli.dll (file missing)
O21 - SSODL: gozojiyow - {2372c775-97b8-4670-810f-d43919e99115} - c:\windows\system32\lojaloke.dll (file missing)
O21 - SSODL: rewabisun - {038dd5f2-de31-4f93-b78a-39f93e7a2f27} - c:\windows\system32\sefewana.dll (file missing)
O21 - SSODL: zeyodopal - {b3662919-b187-4e9e-bf72-8cbd5114fef0} - c:\windows\system32\yohujoku.dll (file missing)
O21 - SSODL: kuyevifih - {930efc65-d8f2-4b9b-aadc-d959b8daa738} - c:\windows\system32\zodetego.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: tokatiluy - {37fb00b4-e06c-4d2b-9a2d-8a62fd00ed20} - c:\windows\system32\ledanozo.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {7120e0a5-a89c-4a76-9e4a-c28085d9cf02} - c:\windows\system32\maboveli.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {2372c775-97b8-4670-810f-d43919e99115} - c:\windows\system32\lojaloke.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {038dd5f2-de31-4f93-b78a-39f93e7a2f27} - c:\windows\system32\sefewana.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {b3662919-b187-4e9e-bf72-8cbd5114fef0} - c:\windows\system32\yohujoku.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {930efc65-d8f2-4b9b-aadc-d959b8daa738} - c:\windows\system32\zodetego.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 11461 bytes
Thanks for your help!!!
IndiGenus
2009-12-28, 18:12
Hi ngus22 and welcome to the forums here at Spybot S&D.
Identity Theft
Along with Vundo and others, it looks like you have been infected by one or more Backdoor Trojans.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we cannot guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.
More information on Remote Access Trojans can be found here (http://antivirus.about.com/library/weekly/aa100400a.htm).
I suggest you do the following immediately:
Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities. I must remind you that I cannot guarantee that your computer will be completely clean afterwards since we have no way of knowing what has been done to it.
To help you make your decision, here are a few related articles that I suggest you read:
Danger: Remote Access Trojans. (http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx)
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud? (http://www.dslreports.com/faq/10451)
Should you have any questions, please feel free to ask.
Please let me know what you decide to do in your next post.
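As an added example (not code from the thread, from Spybot, or from HijackThis): a small Python triage script that applies the checks a helper runs over a HijackThis log, using lines taken from the log posted above as constructed sample input. It flags the replaced UserInit value, the AppInit_DLLs list, Run entries under the SYSTEM/Default user hives, DNS servers that differ from the expected resolvers, and orphaned or random-named DLL entries. Assumptions: the OpenDNS resolvers are the ones the owner intended, and the consonant-vowel filename heuristic is a rule of thumb, not a HijackThis feature.

```python
import re

# Constructed sample: a subset of entries in the format of the HijackThis
# log posted above (values copied from that log), so the script runs offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [rijanogul] Rundll32.exe "c:\windows\system32\zodetego.dll",a
O4 - HKUS\S-1-5-18\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A79411-4DE1-46A4-BA45-D4CEBD61739B}: NameServer = 193.104.110.38,4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: nujanizo.dll c:\windows\system32\ledanozo.dll c:\windows\system32\zodetego.dll
O21 - SSODL: kuyevifih - {930efc65-d8f2-4b9b-aadc-d959b8daa738} - c:\windows\system32\zodetego.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Assumption: the OpenDNS resolvers in the O17 Parameters entry are the ones
# the owner configured; any other NameServer value is treated as suspect.
EXPECTED_NAMESERVERS = {"208.67.220.220", "208.67.222.222"}

# Windows XP default for the system.ini UserInit value (lowercased for comparison).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Heuristic (assumption, not a HijackThis rule): the Vundo family here names its
# files with four consonant-vowel pairs, e.g. zodetego.dll, ledanozo.dll.
RANDOM_NAME = re.compile(r"\b(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.(?:dll|exe)\b")

# A classified HijackThis entry: "O4 - ...", "F2 - ...", "R1 - ..."
ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (kind, body) pairs for classified entries; the header and the
    'Running processes' list do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(entries):
    """Return (kind, reason, body) findings for entries matching the hijack
    patterns visible in the posted log."""
    findings = []
    for kind, body in entries:
        low = body.lower()
        if kind == "F2" and "userinit=" in low:
            # Winlogon runs whatever UserInit names; anything but the default is a hijack.
            value = low.split("userinit=", 1)[1].strip().rstrip(",")
            if value != DEFAULT_USERINIT:
                findings.append((kind, "UserInit replaced", body))
        elif kind == "O4":
            if "rundll32" in low and RANDOM_NAME.search(low):
                findings.append((kind, "rundll32 loading random-named DLL", body))
            elif "(user 'system')" in low or "(user 'default user')" in low:
                # Autostarts in these hives run before any user logs on.
                findings.append((kind, "Run entry in SYSTEM/Default user hive", body))
        elif kind == "O17" and "nameserver =" in low:
            servers = re.split(r"[,\s]+", low.split("nameserver =", 1)[1].strip())
            rogue = [s for s in servers if s and s not in EXPECTED_NAMESERVERS]
            if rogue:
                findings.append((kind, "unexpected DNS servers: " + ", ".join(rogue), body))
        elif kind == "O20" and "appinit_dlls:" in low:
            # Every DLL listed here is mapped into every process that loads user32.dll.
            dlls = low.split("appinit_dlls:", 1)[1].split()
            if dlls:
                findings.append((kind, f"{len(dlls)} AppInit_DLLs loaded into every process", body))
        elif kind in ("O3", "O21", "O22", "O23"):
            if "(file missing)" in low:
                findings.append((kind, "orphaned entry (file missing)", body))
            elif RANDOM_NAME.search(low):
                findings.append((kind, "random-named DLL", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{kind}] {reason}\n    {body}")
```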
Thanks, IndiGenus.
Fortunately this computer isn't used for anything sensitive at all, no bank accounts, credit card stuff, etc. We'll change a few passwords for things - not important ones - but otherwise let's see what we can do to get it clean without reformatting.
Very much appreciate all the links for identity theft and related info.
Hopefully we can make this machine last a little while longer; it's not really all that long for the world and not much worth reformatting at this point, but right after Christmas isn't a great time to have to replace it either.
IndiGenus
2009-12-29, 03:30
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Holy moley, that's a lot of junk. Here are the ComboFix and HijackThis logs:
ComboFix 09-12-22.09 - Nick G 12/28/2009 19:39:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.205 [GMT -8:00]
Running from: c:\documents and settings\Nick G\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\NICKG~1\LOCALS~1\Temp\lsass.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus\EULA.url
c:\documents and settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\Nick G\Application Data\AntiVirus Plus
c:\documents and settings\Nick G\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll
c:\documents and settings\Nick G\Application Data\avp.ico
c:\documents and settings\Nick G\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk
c:\documents and settings\Nick G\ntuser.dll
c:\documents and settings\Nick G\Start Menu\Internet Security 2010.lnk
c:\documents and settings\Nick G\Start Menu\Programs\AntiVirus Plus
c:\documents and settings\Nick G\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
c:\documents and settings\Nick G\Start Menu\Programs\AntiVirus Plus\EULA.url
c:\documents and settings\Nick G\Start Menu\Programs\Startup\AntiVirus Plus.lnk
C:\evcwinw.exe
c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
c:\program files\popcorn Terms.html
c:\windows\kb913800.exe
c:\windows\system32\10161.exe
c:\windows\system32\10934.exe
c:\windows\system32\12.exe
c:\windows\system32\13294.exe
c:\windows\system32\17774.exe
c:\windows\system32\18467.exe
c:\windows\system32\18683.exe
c:\windows\system32\30253.exe
c:\windows\system32\31038.exe
c:\windows\system32\32468.exe
c:\windows\system32\3842.exe
c:\windows\system32\3852.exe
c:\windows\system32\41.exe
c:\windows\system32\519.exe
c:\windows\system32\5221.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\bafuvisi.dll
c:\windows\system32\besohaki.dll
c:\windows\system32\bezayedo.dll
c:\windows\system32\biyedepu.dll
c:\windows\system32\buloboti.dll
c:\windows\system32\buraboto.dll
c:\windows\system32\calc.dll
c:\windows\system32\certstore.dat
c:\windows\system32\daqdrv.sys
c:\windows\system32\disidaji.dll
c:\windows\system32\domemaha.exe
c:\windows\system32\dugiwise.dll
c:\windows\system32\dugiwise.exe
c:\windows\system32\dupejume.dll
c:\windows\system32\dusazewa.dll
c:\windows\system32\fakugupu.dll
c:\windows\system32\fanudugu.dll
c:\windows\system32\fegufula.dll
c:\windows\system32\fomikudo.exe
c:\windows\system32\fugudipi.dll
c:\windows\system32\gekujoni.dll
c:\windows\system32\gelarijo.dll
c:\windows\system32\gilopisa.dll
c:\windows\system32\gohifodi.dll
c:\windows\system32\gojobeju.dll
c:\windows\system32\goyukuyu.dll
c:\windows\system32\gulidowu.dll
c:\windows\system32\hokegemu.dll
c:\windows\system32\hubobazi.dll
c:\windows\system32\Iasv32.dll
c:\windows\system32\jegulufo.dll
c:\windows\system32\jepazeje.dll
c:\windows\system32\jokigaju.exe
c:\windows\system32\jukohani.dll
c:\windows\system32\kasiyebo.dll
c:\windows\system32\kihugali.dll
c:\windows\system32\kiyajeru.dll
c:\windows\system32\kohisiva.dll
c:\windows\system32\krncode.dat
c:\windows\system32\kukolare.dll
c:\windows\system32\kusudewi.exe
c:\windows\system32\lajijasu.dll
c:\windows\system32\luyiwiya.exe
c:\windows\system32\matedibu.dll
c:\windows\system32\mevozeha.dll
c:\windows\system32\miliyepa.dll
c:\windows\system32\mohesuwo.exe
c:\windows\system32\musebehi.dll
c:\windows\system32\nakonaze.dll
c:\windows\system32\napikiha.exe
c:\windows\system32\nazoduse.dll
c:\windows\system32\negonito.exe
c:\windows\system32\neniweja.dll
c:\windows\system32\nsysd.ini
c:\windows\system32\nsysk.ini
c:\windows\system32\nsysp.ini
c:\windows\system32\nsysw.ini
c:\windows\system32\nujanizo.dll
c:\windows\system32\nukizota.dll
c:\windows\system32\olsysk.dat
c:\windows\system32\olsysp.dat
c:\windows\system32\olsysw.dat
c:\windows\system32\pedabara.dll
c:\windows\system32\peyisowi.dll
c:\windows\system32\pipuduse.dll
c:\windows\system32\puwenesu.dll
c:\windows\system32\pwrcode.dat
c:\windows\system32\rafomife.dll
c:\windows\system32\rahunidi.dll
c:\windows\system32\ravezula.dll
c:\windows\system32\redivipo.dll
c:\windows\system32\rigivika.dll
c:\windows\system32\rimolodo.dll
c:\windows\system32\rirupage.dll
c:\windows\system32\rsysd.tmp
c:\windows\system32\ruhoniro.dll
c:\windows\system32\rutihuku.dll
c:\windows\system32\sejutedi.dll
c:\windows\system32\shifld2.old
c:\windows\system32\simejufa.dll
c:\windows\system32\SIntf16.dll
c:\windows\system32\sosarure.dll
c:\windows\system32\suhokamo.dll
c:\windows\system32\sysk.tmp
c:\windows\system32\sysp.tmp
c:\windows\system32\sysw.tmp
c:\windows\system32\tewetopi.dll
c:\windows\system32\tibarozo.dll
c:\windows\system32\tubivabo.dll
c:\windows\system32\tuzeyopu.exe
c:\windows\system32\vafedewe.dll
c:\windows\system32\vegibeya.dll
c:\windows\system32\vigalefe.dll
c:\windows\system32\vodarowo.dll
c:\windows\system32\vohetufa.dll
c:\windows\system32\vozigoji.dll
c:\windows\system32\wabedelu.dll
c:\windows\system32\wejuwava.dll
c:\windows\system32\wincode.dat
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\yagepodo.dll
c:\windows\system32\yayosiyi.dll
c:\windows\system32\yubiyufo.dll
c:\windows\system32\yumikedi.dll
c:\windows\system32\yye90.dll
c:\windows\system32\zamateho.dll
c:\windows\system32\zepulabe.dll
c:\windows\system32\zewobihu.dll
c:\windows\system32\zijaputa.exe
c:\windows\system32\zusidebi.dll
c:\windows\Tasks\umbpfsjr.job
c:\windows\Temp\tmp3.tmp
----- BITS: Possible infected sites -----
hxxp://82.98.231.102
hxxp://82.98.235.29
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IAS
-------\Service_Ias
-------\Legacy_daqdrv
-------\Service_daqdrv
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.
2009-12-26 18:04 . 2009-12-26 18:04 92672 --sh--w- c:\windows\system32\wemetuvi.dll
2009-12-26 06:00 . 2009-12-26 06:00 39424 ----a-w- c:\windows\system32\kedohugu.dll
2009-12-26 01:03 . 2009-12-26 01:03 -------- d-----w- c:\program files\TrendMicro
2009-12-26 01:00 . 2009-12-26 01:00 -------- d-----w- c:\program files\ERUNT
2009-12-25 02:10 . 2009-12-25 02:10 61952 ----a-w- c:\windows\system32\rasawofu.dll
2009-12-19 09:06 . 2009-12-19 09:06 39424 --sh--w- c:\windows\system32\hisozega.dll
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-18 21:07 . 2009-12-18 21:07 92672 --sh--w- c:\windows\system32\fonemike.dll
2009-12-18 21:07 . 2009-12-18 21:07 39424 --sh--w- c:\windows\system32\hohokaza.dll
2009-12-12 19:52 . 2009-12-12 19:54 -------- d-----w- c:\program files\FrostWire
2009-12-10 22:57 . 2009-12-10 22:57 -------- d-s---w- c:\documents and settings\LocalService\IETldCache
2009-12-04 21:09 . 2009-12-04 21:09 -------- d-s---w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-02 05:37 . 2009-12-02 05:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-12-02 05:36 . 2009-12-02 05:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 01:03 . 2009-12-26 01:03 388096 ----a-r- c:\documents and settings\Nick G\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-26 00:11 . 2009-01-02 08:56 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-21 08:06 . 2009-05-11 04:03 -------- d-----w- c:\documents and settings\Nick G\Application Data\FrostWire
2009-11-28 21:46 . 2009-11-28 21:44 16883056 ----a-w- c:\documents and settings\Nick G\Application Data\OpenCandy\IE8-WindowsXP-x86-ENU.exe
2009-11-28 21:44 . 2009-11-28 21:43 -------- d-----w- c:\documents and settings\Nick G\Application Data\OpenCandy
2009-11-28 21:43 . 2009-11-28 21:43 265768 ----a-w- c:\documents and settings\Nick G\Application Data\OpenCandy\IE8Wrapper.exe
2009-11-28 05:52 . 2009-11-28 05:52 -------- d-----w- c:\program files\HP
2009-11-28 05:52 . 2005-12-05 16:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-28 05:52 . 2009-11-28 05:52 -------- d-----w- c:\documents and settings\Nick G\Application Data\InstallShield
2009-11-27 07:08 . 2008-10-12 03:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-27 07:07 . 2009-01-02 09:11 -------- d-----w- c:\program files\SpywareBlaster
2009-11-03 03:29 . 2006-03-18 05:49 -------- d-----w- c:\documents and settings\Nick G\Application Data\AdobeUM
2009-10-30 21:00 . 2006-01-04 06:40 -------- d-----w- c:\program files\iTunes
2009-10-30 20:59 . 2006-01-02 22:13 -------- d-----w- c:\program files\iPod
2009-10-30 20:58 . 2007-07-18 03:34 -------- d-----w- c:\program files\Common Files\Apple
2009-10-30 20:40 . 2009-10-30 20:40 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-09-19 21:06 . 2009-09-19 21:06 39424 --sha-w- c:\windows\system32\bemoriva.dll
2009-09-27 06:04 . 2009-09-27 06:04 45568 --sha-w- c:\windows\system32\davedeyo.dll
2009-09-19 21:06 . 2009-09-19 21:06 93184 --sha-w- c:\windows\system32\diposeli.dll
2009-09-26 18:04 . 2009-09-26 18:04 39424 --sha-w- c:\windows\system32\duteyesi.dll
2009-03-01 06:20 . 2006-04-06 06:17 104 --sh--r- c:\windows\system32\FB83D3AC07.sys
2009-09-29 00:33 . 2009-09-29 00:33 39424 --sha-w- c:\windows\system32\fipezuvo.dll
2009-09-17 18:07 . 2009-09-17 18:07 45568 --sha-w- c:\windows\system32\fipuyuko.dll
2009-09-08 20:41 . 2009-09-08 20:41 7046 --sha-w- c:\windows\system32\godisida.dll
2009-09-19 09:06 . 2009-09-19 09:06 45568 --sha-w- c:\windows\system32\guyeroso.dll
2009-09-02 21:41 . 2009-09-02 21:41 3 --sha-w- c:\windows\system32\herugife.dll
2009-09-26 18:04 . 2009-09-26 18:04 45568 --sha-w- c:\windows\system32\hivotivi.dll
2009-09-25 02:14 . 2009-09-25 02:14 45568 --sha-w- c:\windows\system32\jiwofehu.dll
2009-09-25 02:14 . 2009-09-25 02:14 22016 --sha-w- c:\windows\system32\jiwofehu.exe
2009-03-01 06:20 . 2006-04-06 06:17 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-29 00:33 . 2009-09-29 00:33 45568 --sha-w- c:\windows\system32\libulije.dll
2009-09-22 20:22 . 2009-09-22 20:22 39424 --sha-w- c:\windows\system32\metadomo.dll
2009-09-11 21:47 . 2009-09-11 21:47 93184 --sha-w- c:\windows\system32\nikalute.dll
2009-09-22 08:22 . 2009-09-22 08:22 45568 --sha-w- c:\windows\system32\pokumala.dll
2009-09-27 06:04 . 2009-09-27 06:04 39424 --sha-w- c:\windows\system32\powalogi.dll
2009-09-21 07:25 . 2009-09-21 07:25 45568 --sha-w- c:\windows\system32\remofeko.dll
2009-09-25 02:14 . 2009-09-25 02:14 18727 --sha-w- c:\windows\system32\sebajuyo.dll
2009-09-22 20:22 . 2009-09-22 20:22 45568 --sha-w- c:\windows\system32\seduvumo.dll
2009-09-19 21:06 . 2009-09-19 21:06 45568 --sha-w- c:\windows\system32\tebajovo.dll
2009-09-26 06:04 . 2009-09-26 06:04 45568 --sha-w- c:\windows\system32\yapafeju.dll
2009-09-29 00:33 . 2009-09-29 00:33 61440 --sha-w- c:\windows\system32\yazizitu.dll
2009-09-27 06:04 . 2009-09-27 06:04 93184 --sha-w- c:\windows\system32\yebizopo.dll
2009-09-19 09:06 . 2009-09-19 09:06 61952 --sha-w- c:\windows\system32\yihaguta.dll
2009-09-21 07:25 . 2009-09-21 07:25 39424 --sha-w- c:\windows\system32\yilopepu.dll
2009-09-17 18:07 . 2009-09-17 18:07 39424 --sha-w- c:\windows\system32\yosimanu.dll
2009-09-22 08:22 . 2009-09-22 08:22 39424 --sha-w- c:\windows\system32\zelayira.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"HP Input Device Main Program"="c:\program files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe" [2008-09-20 356352]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"sb"=c:\program files\Spybot - Search & Destroy\SpybotSD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dell\\NicConfigSvc\\NicConfigSvc.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [1/2/2009 12:56 AM 164097]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe [1/2/2009 12:56 AM 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [1/2/2009 12:56 AM 41217]
R3 HpGmb001;USB Mobile Packet Filter Driver;c:\windows\system32\drivers\HpGmb001.sys [11/27/2009 9:53 PM 11264]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [8/16/2005 2:18 AM 2304]
S3 oflpydin;oflpydin;\??\c:\docume~1\NICKG~1\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\NICKG~1\LOCALS~1\Temp\oflpydin.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mlbtraderumors.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: avsda.dll
TCP: {486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A} = 208.67.220.220,208.67.222.222
TCP: {7153F67E-D655-4AEC-AEC1-6577ECA5B200} = 193.104.110.38,4.2.2.1,68.116.46.115 68.189.122.26 68.116.46.70
TCP: {97A79411-4DE1-46A4-BA45-D4CEBD61739B} = 193.104.110.38,4.2.2.1
.
- - - - ORPHANS REMOVED - - - -
BHO-{a1aa9fb7-b0af-4ac7-b565-61e273e8f7b4} - kiyajeru.dll
HKCU-Run-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe
HKLM-Run-rijanogul - c:\windows\system32\puwenesu.dll
HKLM-Run-zoluvefowa - zepulabe.dll
HKU-Default-Run-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe
SharedTaskScheduler-{37fb00b4-e06c-4d2b-9a2d-8a62fd00ed20} - c:\windows\system32\ledanozo.dll
SharedTaskScheduler-{7120e0a5-a89c-4a76-9e4a-c28085d9cf02} - c:\windows\system32\maboveli.dll
SharedTaskScheduler-{2372c775-97b8-4670-810f-d43919e99115} - c:\windows\system32\lojaloke.dll
SharedTaskScheduler-{038dd5f2-de31-4f93-b78a-39f93e7a2f27} - c:\windows\system32\sefewana.dll
SharedTaskScheduler-{b3662919-b187-4e9e-bf72-8cbd5114fef0} - c:\windows\system32\yohujoku.dll
SharedTaskScheduler-{c75f4770-ce15-4f6d-a5ca-701ae9e42469} - c:\windows\system32\puwenesu.dll
SSODL-sagomelal-{37fb00b4-e06c-4d2b-9a2d-8a62fd00ed20} - c:\windows\system32\ledanozo.dll
SSODL-soyuhuhob-{7120e0a5-a89c-4a76-9e4a-c28085d9cf02} - c:\windows\system32\maboveli.dll
SSODL-gozojiyow-{2372c775-97b8-4670-810f-d43919e99115} - c:\windows\system32\lojaloke.dll
SSODL-rewabisun-{038dd5f2-de31-4f93-b78a-39f93e7a2f27} - c:\windows\system32\sefewana.dll
SSODL-zeyodopal-{b3662919-b187-4e9e-bf72-8cbd5114fef0} - c:\windows\system32\yohujoku.dll
SSODL-vugatepaf-{c75f4770-ce15-4f6d-a5ca-701ae9e42469} - c:\windows\system32\puwenesu.dll
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 19:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,12,e4,77,ba,2d,f9,44,b3,ec,6c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,12,e4,77,ba,2d,f9,44,b3,ec,6c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1012)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'lsass.exe'(1068)
c:\windows\system32\avsda.dll
- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir PersonalEdition Premium\sched.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Avira\AntiVir PersonalEdition Premium\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\UAService7.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-12-28 20:05:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 04:05
Pre-Run: 6,623,227,904 bytes free
Post-Run: 6,862,381,056 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - CA4D31555A5EDBEDE24B62EA4DC8B76C
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:17:09 PM, on 12/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\update\update.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlbtraderumors.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Input Device Main Program] C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7153F67E-D655-4AEC-AEC1-6577ECA5B200}: NameServer = 193.104.110.38,4.2.2.1,68.116.46.115 68.189.122.26 68.116.46.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A79411-4DE1-46A4-BA45-D4CEBD61739B}: NameServer = 193.104.110.38,4.2.2.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8865 bytes
By the way, when Combofix ran a window popped up telling me there was a newer version and did I want to update it. I clicked "no," assuming you directed me to the place I belonged already.
IndiGenus
2009-12-29, 06:48
By the way, when Combofix ran a window popped up telling me there was a newer version and did I want to update it. I clicked "no," assuming you directed me to the place I belonged already.
Actually, I would like you to run ComboFix again and let it update, then run it and post the new log. The tool is constantly being updated for new infections by the developer.
Okay, here are the new ComboFix and HijackThis logs.
ComboFix 09-12-27.04 - Nick G 12/28/2009 21:26:02.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.279 [GMT -8:00]
Running from: c:\documents and settings\Nick G\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Nick G\Local Settings\Application Data\swwrbi
c:\documents and settings\Nick G\Local Settings\Application Data\swwrbi\nxtjsysguard.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.
2009-12-29 04:05 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-29 04:05 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-29 04:05 . 2009-12-29 04:11 -------- d-----w- c:\windows\LastGood
2009-12-26 18:04 . 2009-12-26 18:04 92672 --sh--w- c:\windows\system32\wemetuvi.dll
2009-12-26 06:00 . 2009-12-26 06:00 39424 ----a-w- c:\windows\system32\kedohugu.dll
2009-12-26 01:03 . 2009-12-26 01:03 388096 ----a-r- c:\documents and settings\Nick G\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-26 01:03 . 2009-12-26 01:03 -------- d-----w- c:\program files\TrendMicro
2009-12-26 01:00 . 2009-12-26 01:00 -------- d-----w- c:\program files\ERUNT
2009-12-25 02:10 . 2009-12-25 02:10 61952 ----a-w- c:\windows\system32\rasawofu.dll
2009-12-19 09:06 . 2009-12-19 09:06 39424 --sh--w- c:\windows\system32\hisozega.dll
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-18 21:07 . 2009-12-18 21:07 92672 --sh--w- c:\windows\system32\fonemike.dll
2009-12-18 21:07 . 2009-12-18 21:07 39424 --sh--w- c:\windows\system32\hohokaza.dll
2009-12-12 19:52 . 2009-12-12 19:54 -------- d-----w- c:\program files\FrostWire
2009-12-10 22:57 . 2009-12-10 22:57 -------- d-s---w- c:\documents and settings\LocalService\IETldCache
2009-12-04 21:09 . 2009-12-04 21:09 -------- d-s---w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-02 05:37 . 2009-12-02 05:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-12-02 05:36 . 2009-12-02 05:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 00:11 . 2009-01-02 08:56 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-21 08:06 . 2009-05-11 04:03 -------- d-----w- c:\documents and settings\Nick G\Application Data\FrostWire
2009-11-28 21:46 . 2009-11-28 21:44 16883056 ----a-w- c:\documents and settings\Nick G\Application Data\OpenCandy\IE8-WindowsXP-x86-ENU.exe
2009-11-28 21:44 . 2009-11-28 21:43 -------- d-----w- c:\documents and settings\Nick G\Application Data\OpenCandy
2009-11-28 21:43 . 2009-11-28 21:43 265768 ----a-w- c:\documents and settings\Nick G\Application Data\OpenCandy\IE8Wrapper.exe
2009-11-28 05:52 . 2009-11-28 05:52 -------- d-----w- c:\program files\HP
2009-11-28 05:52 . 2005-12-05 16:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-28 05:52 . 2009-11-28 05:52 -------- d-----w- c:\documents and settings\Nick G\Application Data\InstallShield
2009-11-27 07:08 . 2008-10-12 03:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-27 07:07 . 2009-01-02 09:11 -------- d-----w- c:\program files\SpywareBlaster
2009-11-03 03:29 . 2006-03-18 05:49 -------- d-----w- c:\documents and settings\Nick G\Application Data\AdobeUM
2009-10-30 21:00 . 2006-01-04 06:40 -------- d-----w- c:\program files\iTunes
2009-10-30 20:59 . 2006-01-02 22:13 -------- d-----w- c:\program files\iPod
2009-10-30 20:58 . 2007-07-18 03:34 -------- d-----w- c:\program files\Common Files\Apple
2009-10-30 20:40 . 2009-10-30 20:40 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-09-19 21:06 . 2009-09-19 21:06 39424 --sha-w- c:\windows\system32\bemoriva.dll
2009-09-27 06:04 . 2009-09-27 06:04 45568 --sha-w- c:\windows\system32\davedeyo.dll
2009-09-19 21:06 . 2009-09-19 21:06 93184 --sha-w- c:\windows\system32\diposeli.dll
2009-09-26 18:04 . 2009-09-26 18:04 39424 --sha-w- c:\windows\system32\duteyesi.dll
2009-03-01 06:20 . 2006-04-06 06:17 104 --sh--r- c:\windows\system32\FB83D3AC07.sys
2009-09-29 00:33 . 2009-09-29 00:33 39424 --sha-w- c:\windows\system32\fipezuvo.dll
2009-09-17 18:07 . 2009-09-17 18:07 45568 --sha-w- c:\windows\system32\fipuyuko.dll
2009-09-08 20:41 . 2009-09-08 20:41 7046 --sha-w- c:\windows\system32\godisida.dll
2009-09-19 09:06 . 2009-09-19 09:06 45568 --sha-w- c:\windows\system32\guyeroso.dll
2009-09-02 21:41 . 2009-09-02 21:41 3 --sha-w- c:\windows\system32\herugife.dll
2009-09-26 18:04 . 2009-09-26 18:04 45568 --sha-w- c:\windows\system32\hivotivi.dll
2009-09-25 02:14 . 2009-09-25 02:14 45568 --sha-w- c:\windows\system32\jiwofehu.dll
2009-09-25 02:14 . 2009-09-25 02:14 22016 --sha-w- c:\windows\system32\jiwofehu.exe
2009-03-01 06:20 . 2006-04-06 06:17 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-29 00:33 . 2009-09-29 00:33 45568 --sha-w- c:\windows\system32\libulije.dll
2009-09-22 20:22 . 2009-09-22 20:22 39424 --sha-w- c:\windows\system32\metadomo.dll
2009-09-11 21:47 . 2009-09-11 21:47 93184 --sha-w- c:\windows\system32\nikalute.dll
2009-09-22 08:22 . 2009-09-22 08:22 45568 --sha-w- c:\windows\system32\pokumala.dll
2009-09-27 06:04 . 2009-09-27 06:04 39424 --sha-w- c:\windows\system32\powalogi.dll
2009-09-21 07:25 . 2009-09-21 07:25 45568 --sha-w- c:\windows\system32\remofeko.dll
2009-09-25 02:14 . 2009-09-25 02:14 18727 --sha-w- c:\windows\system32\sebajuyo.dll
2009-09-22 20:22 . 2009-09-22 20:22 45568 --sha-w- c:\windows\system32\seduvumo.dll
2009-09-19 21:06 . 2009-09-19 21:06 45568 --sha-w- c:\windows\system32\tebajovo.dll
2009-09-26 06:04 . 2009-09-26 06:04 45568 --sha-w- c:\windows\system32\yapafeju.dll
2009-09-29 00:33 . 2009-09-29 00:33 61440 --sha-w- c:\windows\system32\yazizitu.dll
2009-09-27 06:04 . 2009-09-27 06:04 93184 --sha-w- c:\windows\system32\yebizopo.dll
2009-09-19 09:06 . 2009-09-19 09:06 61952 --sha-w- c:\windows\system32\yihaguta.dll
2009-09-21 07:25 . 2009-09-21 07:25 39424 --sha-w- c:\windows\system32\yilopepu.dll
2009-09-17 18:07 . 2009-09-17 18:07 39424 --sha-w- c:\windows\system32\yosimanu.dll
2009-09-22 08:22 . 2009-09-22 08:22 39424 --sha-w- c:\windows\system32\zelayira.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"HP Input Device Main Program"="c:\program files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe" [2008-09-20 356352]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"sb"=c:\program files\Spybot - Search & Destroy\SpybotSD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dell\\NicConfigSvc\\NicConfigSvc.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [1/2/2009 12:56 AM 164097]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe [1/2/2009 12:56 AM 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [1/2/2009 12:56 AM 41217]
R3 HpGmb001;USB Mobile Packet Filter Driver;c:\windows\system32\drivers\HpGmb001.sys [11/27/2009 9:53 PM 11264]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [8/16/2005 2:18 AM 2304]
S3 oflpydin;oflpydin;\??\c:\docume~1\NICKG~1\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\NICKG~1\LOCALS~1\Temp\oflpydin.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mlbtraderumors.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: avsda.dll
TCP: {486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A} = 208.67.220.220,208.67.222.222
TCP: {7153F67E-D655-4AEC-AEC1-6577ECA5B200} = 193.104.110.38,4.2.2.1,68.116.46.115 68.189.122.26 68.116.46.70
TCP: {97A79411-4DE1-46A4-BA45-D4CEBD61739B} = 193.104.110.38,4.2.2.1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 21:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,12,e4,77,ba,2d,f9,44,b3,ec,6c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,12,e4,77,ba,2d,f9,44,b3,ec,6c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1012)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'lsass.exe'(1068)
c:\windows\system32\avsda.dll
.
Completion time: 2009-12-28 21:37:27
ComboFix-quarantined-files.txt 2009-12-29 05:37
ComboFix2.txt 2009-12-29 04:05
Pre-Run: 5,572,931,584 bytes free
Post-Run: 5,553,569,792 bytes free
- - End Of File - - D2B1632C6BA21EBBC3BEB5AC584318CD
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:45:14 PM, on 12/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlbtraderumors.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Input Device Main Program] C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7153F67E-D655-4AEC-AEC1-6577ECA5B200}: NameServer = 193.104.110.38,4.2.2.1,68.116.46.115 68.189.122.26 68.116.46.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A79411-4DE1-46A4-BA45-D4CEBD61739B}: NameServer = 193.104.110.38,4.2.2.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8591 bytes
Internet Explorer still not working right - graphics not loading properly or pages not coming up at all, and Avira Antivir still had a virus it blocked when I re-enabled it:
Virus or unwanted program 'TR/PCK.Tdss.AA.2580 [trojan]'
detected in file 'C:\WINDOWS\system32\diposeli.dll.
Action performed: Move file to quarantine
IndiGenus
2009-12-29, 16:05
Internet Explorer still not working right - graphics not loading properly or pages not coming up at all, and Avira Antivir still had a virus it blocked when I re-enabled it:
Virus or unwanted program 'TR/PCK.Tdss.AA.2580 [trojan]'
detected in file 'C:\WINDOWS\system32\diposeli.dll.
Action performed: Move file to quarantine
Yes, there is still quite a mess present that we need to deal with, but you need to take care of something first.
Per the instructions at the following post you must uninstall any and all P2P/BitTorrent/File Sharing Software prior to getting help here.
http://forums.spybot.info/showpost.php?p=218503&postcount=4
In your case you have FrostWire installed. Please remove the program and run the following scan.
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Uninstalled frostwire.
Here's the DDS log:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Nick G at 7:57:37.92 on Tue 12/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.121 [GMT -8:00]
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Nick G\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.mlbtraderumors.com/
uInternet Connection Wizard,ShellNext = iexplore
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition premium\avgnt.exe" /min
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Input Device Main Program] c:\program files\hp\hp wireless comfort mobile mouse\tsr\xDaemon.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: avsda.dll
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A} = 208.67.220.220,208.67.222.222
TCP: {7153F67E-D655-4AEC-AEC1-6577ECA5B200} = 193.104.110.38,4.2.2.1,68.116.46.115 68.189.122.26 68.116.46.70
TCP: {97A79411-4DE1-46A4-BA45-D4CEBD61739B} = 193.104.110.38,4.2.2.1
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir personaledition premium\avgio.sys [2009-1-2 11608]
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\avira\antivir personaledition premium\avmailc.exe [2009-1-2 164097]
R2 AntiVirScheduler;Avira AntiVir Premium Scheduler;c:\program files\avira\antivir personaledition premium\sched.exe [2009-1-2 68865]
R2 AntiVirService;Avira AntiVir Premium Guard;c:\program files\avira\antivir personaledition premium\avguard.exe [2009-1-2 151297]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\avira\antivir personaledition premium\avwebgrd.exe [2009-1-2 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\avira\antivir personaledition premium\avesvc.exe [2009-1-2 41217]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition premium\avgntflt.sys [2009-1-2 52056]
R3 HpGmb001;USB Mobile Packet Filter Driver;c:\windows\system32\drivers\HpGmb001.sys [2009-11-27 11264]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [2005-8-16 2304]
S3 oflpydin;oflpydin;\??\c:\docume~1\nickg~1\locals~1\temp\oflpydin.sys --> c:\docume~1\nickg~1\locals~1\temp\oflpydin.sys [?]
=============== Created Last 30 ================
2009-12-29 15:27:02 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-29 15:12:06 0 d-----w- c:\windows\ServicePackFiles
2009-12-29 15:11:39 0 d-----w- c:\windows\ie8updates
2009-12-29 05:03:57 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-12-29 04:57:22 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-12-29 04:57:22 399360 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-12-29 04:57:22 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-12-29 04:57:22 283648 ------w- c:\windows\system32\dllcache\pdh.dll
2009-12-29 04:57:22 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-12-29 04:57:21 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-12-29 04:57:21 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-29 04:57:21 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-29 04:57:19 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-12-29 04:57:19 616960 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-12-29 04:56:26 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-29 04:56:25 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-29 04:54:26 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-29 04:51:32 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-29 04:38:12 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-12-29 04:05:54 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-29 04:05:54 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-29 04:05:54 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-12-29 03:33:48 0 d-sha-r- C:\cmdcons
2009-12-29 03:32:41 98816 ----a-w- c:\windows\sed.exe
2009-12-29 03:32:41 77312 ----a-w- c:\windows\MBR.exe
2009-12-29 03:32:41 261632 ----a-w- c:\windows\PEV.exe
2009-12-29 03:32:41 161792 ----a-w- c:\windows\SWREG.exe
2009-12-26 18:04:34 92672 --sh--w- c:\windows\system32\wemetuvi.dll
2009-12-26 06:00:53 39424 ----a-w- c:\windows\system32\kedohugu.dll
2009-12-26 01:03:56 0 d-----w- c:\program files\TrendMicro
2009-12-25 02:10:15 61952 ----a-w- c:\windows\system32\rasawofu.dll
2009-12-19 06:05:27 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-12-19 06:05:27 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-19 06:05:26 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-12-19 06:05:26 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-18 21:07:01 39424 --sh--w- c:\windows\system32\hohokaza.dll
==================== Find3M ====================
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 07:45:37 5940736 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 07:45:37 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2009-10-29 07:45:37 1208832 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 07:45:35 594432 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-29 07:45:35 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-29 07:45:35 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2009-10-29 07:45:34 1985536 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2009-10-29 07:45:34 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2009-10-29 07:45:33 11069952 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2009-10-29 07:45:32 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:53:29 266752 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 69632 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54:17 112128 ------w- c:\windows\system32\dllcache\rastls.dll
2009-09-27 06:04:42 45568 --sha-w- c:\windows\system32\davedeyo.dll
2009-09-26 18:04:09 39424 --sha-w- c:\windows\system32\duteyesi.dll
2009-03-01 06:20:46 104 --sh--r- c:\windows\system32\FB83D3AC07.sys
2009-09-29 00:33:52 39424 --sha-w- c:\windows\system32\fipezuvo.dll
2009-09-17 18:07:23 45568 --sha-w- c:\windows\system32\fipuyuko.dll
2009-09-08 20:41:43 7046 --sha-w- c:\windows\system32\godisida.dll
2009-09-02 21:41:01 3 --sha-w- c:\windows\system32\herugife.dll
2009-09-26 18:04:09 45568 --sha-w- c:\windows\system32\hivotivi.dll
2009-09-25 02:14:01 45568 --sha-w- c:\windows\system32\jiwofehu.dll
2009-09-25 02:14:02 22016 --sha-w- c:\windows\system32\jiwofehu.exe
2009-03-01 06:20:54 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-29 00:33:53 45568 --sha-w- c:\windows\system32\libulije.dll
2009-09-22 20:22:51 39424 --sha-w- c:\windows\system32\metadomo.dll
2009-09-11 21:47:43 93184 --sha-w- c:\windows\system32\nikalute.dll
2009-09-25 02:14:03 18727 --sha-w- c:\windows\system32\sebajuyo.dll
2009-09-26 06:04:44 45568 --sha-w- c:\windows\system32\yapafeju.dll
2009-09-29 00:33:52 61440 --sha-w- c:\windows\system32\yazizitu.dll
2009-09-19 09:06:08 61952 --sha-w- c:\windows\system32\yihaguta.dll
2009-09-17 18:07:21 39424 --sha-w- c:\windows\system32\yosimanu.dll
2009-09-22 08:22:09 39424 --sha-w- c:\windows\system32\zelayira.dll
============= FINISH: 7:58:25.85 ===============
Attaching zip of the attach.txt file
IndiGenus
2009-12-29, 18:23
1. Open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
c:\windows\system32\wemetuvi.dll
c:\windows\system32\kedohugu.dll
c:\windows\system32\rasawofu.dll
c:\windows\system32\hisozega.dll
c:\windows\system32\fonemike.dll
c:\windows\system32\hohokaza.dll
c:\windows\system32\bemoriva.dll
c:\windows\system32\davedeyo.dll
c:\windows\system32\diposeli.dll
c:\windows\system32\duteyesi.dll
c:\windows\system32\FB83D3AC07.sys
c:\windows\system32\fipezuvo.dll
c:\windows\system32\fipuyuko.dll
c:\windows\system32\godisida.dll
c:\windows\system32\guyeroso.dll
c:\windows\system32\herugife.dll
c:\windows\system32\hivotivi.dll
c:\windows\system32\jiwofehu.dll
c:\windows\system32\jiwofehu.exe
c:\windows\system32\libulije.dll
c:\windows\system32\metadomo.dll
c:\windows\system32\nikalute.dll
c:\windows\system32\pokumala.dll
c:\windows\system32\powalogi.dll
c:\windows\system32\remofeko.dll
c:\windows\system32\sebajuyo.dll
c:\windows\system32\seduvumo.dll
c:\windows\system32\tebajovo.dll
c:\windows\system32\yapafeju.dll
c:\windows\system32\yazizitu.dll
c:\windows\system32\yebizopo.dll
c:\windows\system32\yihaguta.dll
c:\windows\system32\yilopepu.dll
c:\windows\system32\yosimanu.dll
c:\windows\system32\zelayira.dll
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
ComboFix 09-12-29.03 - Nick G 12/29/2009 13:10:18.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.344 [GMT -8:00]
Running from: c:\documents and settings\Nick G\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nick G\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
FILE ::
"c:\windows\system32\bemoriva.dll"
"c:\windows\system32\davedeyo.dll"
"c:\windows\system32\diposeli.dll"
"c:\windows\system32\duteyesi.dll"
"c:\windows\system32\FB83D3AC07.sys"
"c:\windows\system32\fipezuvo.dll"
"c:\windows\system32\fipuyuko.dll"
"c:\windows\system32\fonemike.dll"
"c:\windows\system32\godisida.dll"
"c:\windows\system32\guyeroso.dll"
"c:\windows\system32\herugife.dll"
"c:\windows\system32\hisozega.dll"
"c:\windows\system32\hivotivi.dll"
"c:\windows\system32\hohokaza.dll"
"c:\windows\system32\jiwofehu.dll"
"c:\windows\system32\jiwofehu.exe"
"c:\windows\system32\kedohugu.dll"
"c:\windows\system32\libulije.dll"
"c:\windows\system32\metadomo.dll"
"c:\windows\system32\nikalute.dll"
"c:\windows\system32\pokumala.dll"
"c:\windows\system32\powalogi.dll"
"c:\windows\system32\rasawofu.dll"
"c:\windows\system32\remofeko.dll"
"c:\windows\system32\sebajuyo.dll"
"c:\windows\system32\seduvumo.dll"
"c:\windows\system32\tebajovo.dll"
"c:\windows\system32\wemetuvi.dll"
"c:\windows\system32\yapafeju.dll"
"c:\windows\system32\yazizitu.dll"
"c:\windows\system32\yebizopo.dll"
"c:\windows\system32\yihaguta.dll"
"c:\windows\system32\yilopepu.dll"
"c:\windows\system32\yosimanu.dll"
"c:\windows\system32\zelayira.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\davedeyo.dll
c:\windows\system32\duteyesi.dll
c:\windows\system32\FB83D3AC07.sys
c:\windows\system32\fipezuvo.dll
c:\windows\system32\fipuyuko.dll
c:\windows\system32\godisida.dll
c:\windows\system32\herugife.dll
c:\windows\system32\hivotivi.dll
c:\windows\system32\hohokaza.dll
c:\windows\system32\jiwofehu.dll
c:\windows\system32\jiwofehu.exe
c:\windows\system32\kedohugu.dll
c:\windows\system32\libulije.dll
c:\windows\system32\metadomo.dll
c:\windows\system32\nikalute.dll
c:\windows\system32\rasawofu.dll
c:\windows\system32\sebajuyo.dll
c:\windows\system32\wemetuvi.dll
c:\windows\system32\yapafeju.dll
c:\windows\system32\yazizitu.dll
c:\windows\system32\yihaguta.dll
c:\windows\system32\yosimanu.dll
c:\windows\system32\zelayira.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.
2009-12-29 15:27 . 2009-12-29 15:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-29 15:12 . 2009-12-29 15:12 -------- d-----w- c:\windows\ServicePackFiles
2009-12-29 15:11 . 2009-12-29 15:25 -------- d-----w- c:\windows\ie8updates
2009-12-29 15:06 . 2009-12-29 15:06 -------- d-s---w- c:\documents and settings\Default User\IETldCache
2009-12-29 05:03 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-12-29 04:57 . 2009-03-06 14:44 283648 ------w- c:\windows\system32\dllcache\pdh.dll
2009-12-29 04:57 . 2009-02-09 10:20 399360 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-12-29 04:57 . 2009-02-06 17:14 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-12-29 04:57 . 2009-02-06 16:54 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-12-29 04:57 . 2005-07-26 04:39 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-12-29 04:57 . 2009-02-09 10:20 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-12-29 04:57 . 2009-02-09 10:20 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-29 04:57 . 2009-02-06 16:39 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-29 04:57 . 2009-02-09 10:20 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-12-29 04:57 . 2009-02-09 10:20 616960 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-12-29 04:56 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-29 04:56 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-29 04:54 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-29 04:38 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-12-29 04:05 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-29 04:05 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-26 01:03 . 2009-12-26 01:03 -------- d-----w- c:\program files\TrendMicro
2009-12-26 01:00 . 2009-12-26 01:00 -------- d-----w- c:\program files\ERUNT
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-12-19 06:05 . 2009-12-19 06:05 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-10 22:57 . 2009-12-10 22:57 -------- d-s---w- c:\documents and settings\LocalService\IETldCache
2009-12-04 21:09 . 2009-12-04 21:09 -------- d-s---w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-02 05:37 . 2009-12-02 05:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-12-02 05:36 . 2009-12-02 05:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 16:04 . 2008-10-12 03:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-29 15:33 . 2008-11-30 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-29 15:25 . 2009-01-02 09:11 -------- d-----w- c:\program files\SpywareBlaster
2009-12-26 00:11 . 2009-01-02 08:56 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-21 08:06 . 2009-05-11 04:03 -------- d-----w- c:\documents and settings\Nick G\Application Data\FrostWire
2009-11-28 21:44 . 2009-11-28 21:43 -------- d-----w- c:\documents and settings\Nick G\Application Data\OpenCandy
2009-11-28 05:52 . 2009-11-28 05:52 -------- d-----w- c:\program files\HP
2009-11-28 05:52 . 2005-12-05 16:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-28 05:52 . 2009-11-28 05:52 -------- d-----w- c:\documents and settings\Nick G\Application Data\InstallShield
2009-11-03 03:29 . 2006-03-18 05:49 -------- d-----w- c:\documents and settings\Nick G\Application Data\AdobeUM
2009-10-29 07:45 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-13 10:53 . 2005-08-16 10:18 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2005-08-16 10:18 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54 . 2005-08-16 10:18 69632 ----a-w- c:\windows\system32\raschap.dll
2009-03-01 06:20 . 2006-04-06 06:17 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"HP Input Device Main Program"="c:\program files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe" [2008-09-20 356352]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"sb"=c:\program files\Spybot - Search & Destroy\SpybotSD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dell\\NicConfigSvc\\NicConfigSvc.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [1/2/2009 12:56 AM 164097]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe [1/2/2009 12:56 AM 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [1/2/2009 12:56 AM 41217]
R3 HpGmb001;USB Mobile Packet Filter Driver;c:\windows\system32\drivers\HpGmb001.sys [11/27/2009 9:53 PM 11264]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [8/16/2005 2:18 AM 2304]
S3 oflpydin;oflpydin;\??\c:\docume~1\NICKG~1\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\NICKG~1\LOCALS~1\Temp\oflpydin.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2008-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 19:34]
2009-12-29 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-04-07 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mlbtraderumors.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: avsda.dll
TCP: {486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A} = 208.67.220.220,208.67.222.222
TCP: {7153F67E-D655-4AEC-AEC1-6577ECA5B200} = 193.104.110.38,4.2.2.1,68.116.46.115 68.189.122.26 68.116.46.70
TCP: {97A79411-4DE1-46A4-BA45-D4CEBD61739B} = 193.104.110.38,4.2.2.1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 13:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,12,e4,77,ba,2d,f9,44,b3,ec,6c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,12,e4,77,ba,2d,f9,44,b3,ec,6c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(636)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'lsass.exe'(1068)
c:\windows\system32\avsda.dll
- - - - - - - > 'explorer.exe'(2184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir PersonalEdition Premium\sched.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Avira\AntiVir PersonalEdition Premium\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\UAService7.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-29 13:32:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 21:32
ComboFix2.txt 2009-12-29 05:37
ComboFix3.txt 2009-12-29 04:05
Pre-Run: 4,514,623,488 bytes free
Post-Run: 4,473,323,520 bytes free
- - End Of File - - C576192CEF55F4ED818672FB2942DE85
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:36:29 PM, on 12/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlbtraderumors.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Input Device Main Program] C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7153F67E-D655-4AEC-AEC1-6577ECA5B200}: NameServer = 193.104.110.38,4.2.2.1,68.116.46.115 68.189.122.26 68.116.46.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A79411-4DE1-46A4-BA45-D4CEBD61739B}: NameServer = 193.104.110.38,4.2.2.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8677 bytes
IndiGenus
2009-12-30, 00:27
I think we're making progress. How's it running?
The AskBar.dll (Ask Toolbar) process can be removed to free up resources without compromising system performance. http://vil.nai.com/vil/content/v_146646.htm
This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.
Ben Edelman http://blogs.zdnet.com/Spyware/?p=858
I discourage users from running Ask's toolbars for two reasons. First, Ask moves the browser's Address Bar from top-left (where it is found in every browser I've ever seen) to top-right. Ask puts its own search box in the top-left. So Ask's software makes it highly likely that users will accidentally conduct searches when they intend simply to navigate to sites they request by name.
Second, Ask's toolbar leads to landing pages that are objectionable in their own right. Ask's landing pages show ten ads - ten! - above the first organic result. On a 800×600 screen, that means 2 full pages of ads, plus a little bit more after that, all before the first organic result. That's ridiculous. No user deserves that, especially since organic results are safer than sponsored links.
It is advised that you uninstall this program to protect your privacy and computer security and to free up necessary resources. To uninstall the Ask Toolbar:
Click Start > Control Panel.
In Control Panel, double-click Uninstall Programs.
In Add or Remove Programs, highlight Ask Toolbar , click Remove.
Close the Add or Remove Programs and the Control Panel windows.
Using Windows Explorer (Windows key+e), search for the Ask Toolbar folder. If the program folder is still there, select/highlight the Ask Toolbar folder. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
Use ATF Cleaner to remove temp files, cookies, cache, etc.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.
We're definitely making serious progress. Things are running pretty well, no weirdness with IE or anything. MBAM did find and delete a few things.
Malwarebytes' Anti-Malware 1.42
Database version: 3454
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
12/29/2009 9:26:43 PM
mbam-log-2009-12-29 (21-26-43).txt
Scan type: Quick Scan
Objects scanned: 114850
Time elapsed: 11 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Backdoor check (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7153f67e-d655-4aec-aec1-6577eca5b200}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,68.116.46.115 68.189.122.26 68.116.46.70 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{97a79411-4de1-46a4-ba45-d4cebd61739b}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ndisdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\uid.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:38:39 PM, on 12/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlbtraderumors.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Input Device Main Program] C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A}: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8729 bytes
IndiGenus
2009-12-30, 15:16
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif
(Note: for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419
In your next reply post:
Kaspersky log
New HJT log taken after the above scan has run
FYI - the 2nd Kaspersky link gives the following notice:
"Coming soon:
A new, improved version of the Kaspersky Online Scanner
The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience."
The first link works though.
Here's the result. I had actually run a full Avira scan earlier or it would have found much more of the quarantined stuff I already got rid of.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 30, 2009 19:26:31
Records in database: 3417177
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Objects scanned: 74479
Threats found: 4
Infected objects found: 13
Suspicious objects found: 2
Scan duration: 04:28:59
File name / Threat / Threats count
C:\Documents and Settings\Nick G\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000009.exe Infected: Trojan.Win32.FraudPack.aisx 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000034.exe Infected: Trojan.Win32.FraudPack.aisx 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000064.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000067.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000094.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000098.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000111.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000112.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000121.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000141.exe Infected: Trojan.Win32.Vilsel.qbt 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000142.exe Infected: Trojan.Win32.Vilsel.qbt 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000145.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000146.dll Infected: Packed.Win32.TDSS.aa 1
Selected area has been scanned.
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:06:30 PM, on 12/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Input Device Main Program] C:\Program Files\HP\HP Wireless Comfort Mobile Mouse\TSR\xDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{486370F6-BA9E-4E24-8CF0-FCF5C4A08C1A}: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8708 bytes
IndiGenus
2009-12-31, 20:48
Not bad. You do appear to have at least one email that may be infected, or have an infected attachment. Kaspersky does not fix this. You will need to go through your inbox and clean it out. Do not open anything suspicious.
The remainder of what was found is in your restore points, and we'll clean those out next.
Uninstall Combofix
Click START then RUN
Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the /U; it needs to be there.
The above procedure will:
Delete the following: ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
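The split made above (a suspicious hit inside a mail database that the scanner cannot fix, versus copies sitting in old restore points that go away once System Restore is reset, versus anything still on the live file system) is the triage a helper does by eye on every Kaspersky report. As an added example, not code from the thread, from Kaspersky or from any tool named here, this Python script applies that triage to the report's "File name / Threat / Threats count" lines. The sample input is a constructed excerpt of the report posted above plus one constructed placeholder path (not in the thread) so the "live" category is exercised; the file-extension list for mail stores and the category names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: four lines copied from the Kaspersky Online Scanner 7.0
# report posted in the thread, plus one constructed placeholder path (not in
# the thread) standing in for a detection outside any restore point.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\Nick G\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000009.exe Infected: Trojan.Win32.FraudPack.aisx 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000064.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000141.exe Infected: Trojan.Win32.Vilsel.qbt 1
C:\WINDOWS\system32\PLACEHOLDER-live-hit.dll Infected: Packed.Win32.TDSS.aa 1
Selected area has been scanned.
"""

# One result line: "<path with spaces> <Infected|Suspicious>: <threat name> <count>".
# The verdict keyword anchors the end of the path, so spaces in the path are fine.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# XP keeps restore-point copies under System Volume Information\_restore{GUID}\RPn\.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)

# Assumed list of mail-store extensions (Outlook Express .dbx is the one on the page).
MAIL_STORE_EXT = (".dbx", ".pst", ".ost", ".mbx")

# Defender's action per category (wording is this example's, not the thread's).
ACTIONS = {
    "live": "still on the running system: disinfect or quarantine first, then rescan",
    "mail_store": "message inside a mail database: the scanner will not delete it; "
                  "remove the message/attachment in the mail client and compact the folder",
    "restore_point": "stale copy inside a restore point: reset System Restore "
                     "(the thread does this via Combofix /Uninstall) so old snapshots are dropped",
}


def parse_report(text):
    """Return a list of dicts for every result line; headers and prose are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["count"] = int(hit["count"])
        hits.append(hit)
    return hits


def classify(hit):
    """Map one hit to 'restore_point', 'mail_store' or 'live' by its path."""
    path = hit["path"]
    if RESTORE_RE.search(path):
        return "restore_point"
    if path.lower().endswith(MAIL_STORE_EXT):
        return "mail_store"
    return "live"


def triage(text):
    """Group parsed hits by category: {category: [hit, ...]}."""
    groups = defaultdict(list)
    for hit in parse_report(text):
        groups[classify(hit)].append(hit)
    return dict(groups)


def summary(text):
    """Human-readable triage, most urgent category first."""
    groups = triage(text)
    out = []
    for cat in ("live", "mail_store", "restore_point"):
        hits = groups.get(cat, [])
        out.append(f"[{cat}] {len(hits)} hit(s): {ACTIONS[cat]}")
        for h in hits:
            out.append(f"    {h['verdict']:<10} {h['threat']:<32} x{h['count']}  {h['path']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
```

Run it on a saved report and the "live" group is what still needs cleaning; an empty "live" group with only restore-point entries is exactly the "not bad, we'll clean those out next" situation in the reply above.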
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Premium
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Out of date Spybot installed!
Spybot - Search & Destroy 1.4
SpywareBlaster 4.2
Java(TM) 6 Update 17
Java 2 Runtime Environment, SE v1.4.2_03
Adobe Flash Player 10
Adobe Reader 7.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
IndiGenus
2010-01-01, 18:05
As you can see from the last log you need a couple of updates.
You should update your Adobe Reader. See the following link:
http://www.adobe.com/support/downloads/product.jsp?platform=windows&product=10
Windows should also be updated to Service Pack 3.
http://support.microsoft.com/kb/322389
In addition to updating and using what you currently have you may want to consider the following:
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.
Online-Armor (http://www.tallemu.com/free-firewall-protection-software.html)
Outpost Firewall (http://www.agnitum.com/products/outpostfree/)
For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/index.php?showtutorial=60)
Install SpywareBlaster - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49)
Install Winpatrol -
Use Winpatrol (http://www.winpatrol.com/) to take control of your PC and provide another layer of security.
Help file and tutorial can be found Here (http://www.winpatrol.com/features.html)
Block unwanted parasites with a custom hosts file -
http://www.mvps.org/winhelp2002/hosts.htm
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.
Keep your applications up to date -
Use Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to help stay on top of application updates that could leave your PC vulnerable to attack.
I'll leave the thread open a few days in case you have questions or issues.
Regards,
Dave
I started on upgrading to SP3 as soon as I read that. Automatic updates have been on all along, but obviously not working right. Going through the update site wasn't much easier, but I finally got SP3 and all other updates installed.
So the Windows firewall isn't very effective on its own I take it?
Spywareblaster has been installed all along - that one did show in the screen317 report.
Adobe reader 9.2 is installing now. I'll get on the other stuff here soon, along with updating spybot S&D
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Premium
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Out of date Spybot installed!
Spybot - Search & Destroy 1.4
SpywareBlaster 4.2
Java(TM) 6 Update 17
Java 2 Runtime Environment, SE v1.4.2_03
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
IndiGenus
2010-01-01, 23:54
So the Windows firewall isn't very effective on its own I take it?
It's certainly better than nothing, but its effectiveness is limited to inbound traffic only, nothing outbound.
Well, we'll see how it goes with all this installed for a while.
Thanks a ton for all your great help!
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Avira AntiVir Premium
Outpost Firewall 2009
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Out of date Spybot installed!
WinPatrol 2009
MVPS Hosts File
Spybot - Search & Destroy 1.4
SpywareBlaster 4.2
Spybot - Search & Destroy
Secunia PSI
Java(TM) 6 Update 17
Java 2 Runtime Environment, SE v1.4.2_03
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
WinPatrol winpatrol.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
Not sure why that spybot 1.4 showed up after I upgraded to the latest 1.6.2.46 or whatever it is and not before, but in any case the latest is installed.
IndiGenus
2010-01-02, 16:19
Not sure why that spybot 1.4 showed up after I upgraded to the latest 1.6.2.46 or whatever it is and not before, but in any case the latest is installed.
Yes, I was going to ask you about that. Did you completely uninstall the older version? Before installing the new?
Also, you can uninstall the old Java runtime:
Java 2 Runtime Environment, SE v1.4.2_03
You have the latest which is good (Java(TM) 6 Update 17) but old versions can still lead to vulnerabilities, and take up space.
I didn't uninstall the old, but there only seems to be one folder/executable file there. The Add/Delete programs also shows both the new one and 1.4, but they both show as the same exact size, date last used, etc.
I'll get rid of that old java
IndiGenus
2010-01-03, 16:14
I didn't uninstall the old, but there only seems to be one folder/executable file there. The Add/Delete programs also shows both the new one and 1.4, but they both show as the same exact size, date last used, etc.
I would uninstall the old version via Add or Remove Programs. I'm not sure why they are being reported that way by Windows. Worst case scenario is that you would need to re-install the new version. It's not a big deal but for me I like to keep things "clean".
Well, I had to uninstall both and start fresh with Spybot, but that's done now. I think we're pretty clean now.
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Avira AntiVir Premium
Outpost Firewall 2009
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
WinPatrol 2009
MVPS Hosts File
SpywareBlaster 4.2
Spybot - Search & Destroy
Secunia PSI
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
WinPatrol winpatrol.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
There have been a couple new problems with IE opening some sites, like MSN and Yahoo, unless I deactivate Avira's WebGuard online protection, but it's not consistent. We'll see how it goes from here.
IndiGenus
2010-01-04, 03:06
There have been a couple new problems with IE opening some sites, like MSN and Yahoo, unless I deactivate Avira's WebGuard online protection, but it's not consistent. We'll see how it goes from here.
Did a little research on it but don't run the Premium version myself. I've seen some others with the same issue and it could be a number of things. I would suggest you post over at the Avira forums if the issue continues.
http://forum.avira.com/wbb/index.php?page=Board&boardID=131
Good luck and regards,
Dave
Thanks Dave, for all your great help. I'll check there if any issues continue.