infected pc


  • This topic is locked
9 replies to this topic

#1 dhdpla

dhdpla

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:31 AM

Posted 18 October 2008 - 02:44 PM

My wife's/kids' Dell Inspiron 6000 laptop is badly infected with malware. The symptoms are that the task manager is disabled, the desktop background is switched to a warning sign that the system is infected with spyware, popups in the taskbar warn the same thing and ask me to download software that is probably filled with trojans. Eventually the taskbar stops working entirely. Before I found this site I ran AVG Antivirus Free and got rid of a bunch of the malware, but have no record of their names, sorry. After I found this site I followed all the steps recommended in the preparation guide for posting a HijackThis log, but as I said I have no idea what trojans were infecting the machine. I was not able to run Windows Update; the update would not download. I have run HijackThis and pasted the output below. Hope someone here can help. Sorry I couldn't be more specific.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:28 AM, on 10/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\WINDOWS\rytmdkba.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\LANDesk\LDClient\softmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\rytmdkba.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: getsn32.msiesn - {36142BDD-7850-42FC-9681-1534A35285B9} - C:\WINDOWS\system32\getsn32.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: innbanner browser enhancer - {EA70F31E-7E2A-078F-5B90-5CF8E81A29A6} - C:\WINDOWS\system32\ztnaiyifus.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SciFinder Scholar Bar - {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [XP Antispyware 2009] "C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe" /hide
O4 - HKLM\..\Run: [genadm] C:\WINDOWS\rytmdkba.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [GetModule23] "C:\Program Files\GetModule\GetModule23.exe"
O4 - HKCU\..\Run: [ActAdm] C:\WINDOWS\system32\qfuvgtkb.exe
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\rachel\Application Data\Gool\Gool.exe"
O4 - HKCU\..\Run: [Uyo] "C:\Documents and Settings\rachel\Application Data\?icrosoft\w?auboot.exe"
O4 - HKCU\..\Run: [Trap] "C:\Documents and Settings\rachel\Application Data\F?nts\m?iexec.exe"
O4 - HKCU\..\Run: [ofiq] C:\PROGRA~1\COMMON~1\ofiq\ofiqm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [1z57HvW5Vr] C:\Documents and Settings\All Users\Application Data\nenclahu\vkludkdc.exe
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\rachel\Local Settings\Temp\{23773443-88C2-4DDD-96E5-704A45D01ECD}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scripps.edu
O17 - HKLM\Software\..\Telephony: DomainName = scripps.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: Domain = scripps.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: NameServer = 137.131.200.9,137.131.200.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{695CE2CB-7124-4FDB-BCD3-62011E80ED35}: Domain = scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = scripps.edu,lj.ad.scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: Domain = scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: NameServer = 137.131.200.9,137.131.200.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = scripps.edu,lj.ad.scripps.edu
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: karna.dat
O21 - SSODL: webstr - {5742926E-6A89-8968-78A3-0B24A6950632} - C:\Program Files\fhuuifg\webstr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\softmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12557 bytes
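The log above shows several of the patterns helpers look for first: a second executable appended to the `UserInit` value (F2), a non-empty `AppInit_DLLs` (O20), autostart paths with `?` in place of characters HijackThis could not print (O4), and components whose file is missing. The following triage script is an added example, not part of the thread or of HijackThis itself; it parses lines in the format shown above and flags those patterns. The sample lines are copied from the log in this post, plus two benign entries.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis log in this thread,
# plus benign entries (Apoint, Spybot) that the checks should leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: innbanner browser enhancer - {EA70F31E-7E2A-078F-5B90-5CF8E81A29A6} - C:\WINDOWS\system32\ztnaiyifus.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [Uyo] "C:\Documents and Settings\rachel\Application Data\?icrosoft\w?auboot.exe"
O4 - HKLM\..\Policies\Explorer\Run: [1z57HvW5Vr] C:\Documents and Settings\All Users\Application Data\nenclahu\vkludkdc.exe
O20 - AppInit_DLLs: karna.dat
O21 - SSODL: webstr - {5742926E-6A89-8968-78A3-0B24A6950632} - C:\Program Files\fhuuifg\webstr.dll
"""

# Autostart keys that legitimate installers almost never use.
UNUSUAL_RUN_KEYS = ("Policies\\Explorer\\Run",)

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


def parse_line(line):
    """Split a log line into (section code, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def check_line(line):
    """Return the findings for one log line (empty list if nothing is suspicious)."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    section, body = parsed
    findings = []

    if "(file missing)" in body:
        findings.append(Finding(section, "entry references a component whose file is missing", line))

    if section == "F2" and body.startswith("REG:system.ini: UserInit="):
        # UserInit should contain exactly one program, userinit.exe; anything
        # appended after the comma is started at every interactive logon.
        programs = [p for p in body.split("=", 1)[1].split(",") if p]
        if len(programs) != 1 or not programs[0].lower().endswith("\\userinit.exe"):
            findings.append(Finding(section, "UserInit launches something besides userinit.exe", line))

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that loads user32.dll;
        # on a home machine it is normally empty.
        if body.split(":", 1)[1].strip():
            findings.append(Finding(section, "AppInit_DLLs is set", line))

    if section == "O4":
        if "?" in body:
            findings.append(Finding(section, "autostart path contains '?' (unprintable or lookalike characters)", line))
        if any(key in body for key in UNUSUAL_RUN_KEYS):
            findings.append(Finding(section, "autostart uses an unusual Run key", line))

    return findings


def triage(log_text):
    """Run check_line over every line of a HijackThis log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```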


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:31 PM

Posted 19 October 2008 - 01:31 AM

Hi,

This computer is indeed severely infected :thumbsup:

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 dhdpla

dhdpla
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:31 AM

Posted 19 October 2008 - 02:32 PM

So far so good. Here is the ComboFix log. HijackThis log in the next post.

ComboFix 08-10-18.03 - rachel 2008-10-19 11:15:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.199 [GMT -8:00]
Running from: C:\Documents and Settings\rachel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rachel\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\rachel\Application Data\FNTS~1
C:\Documents and Settings\rachel\Application Data\ICROSO~1
C:\Documents and Settings\rachel\Application Data\SpeedRunner
C:\Documents and Settings\rachel\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\rachel\Application Data\SpeedRunner\fusion.cfg.ea5e95067608f10dd9f95ff05e1babbc.88a444ffb028cc86d77ee71092a2f384
C:\Documents and Settings\rachel\Cookies\bylazeqag.bat
C:\Documents and Settings\rachel\Cookies\hidugy.vbs
C:\Documents and Settings\rachel\Cookies\ihix.ban
C:\Documents and Settings\rachel\Cookies\ipyd.exe
C:\Documents and Settings\rachel\Cookies\raxoj._sy
C:\Documents and Settings\rachel\Cookies\utume.lib
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\buwogi._sy
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\dyluhubere.dat
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\elan.exe
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\ubaja.lib
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\udit.dat
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\utuvusod.dl
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\yteme._sy
C:\Documents and Settings\rachel\Local Settings\Temporary Internet Files\zupikivy.vbs
C:\Documents and Settings\rachel\My Documents\WNSXS~1
C:\Program Files\GetModule
C:\Program Files\GetModule\dicik.gz
C:\Program Files\GetModule\kwdik.gz
C:\Program Files\XP_AntiSpyware
C:\Program Files\XP_AntiSpyware\htmlayout.dll
C:\Program Files\ymbols~1
C:\Program Files\ymbols~1\?ymbols\
C:\WINDOWS\b116.exe
C:\WINDOWS\default.htm
C:\WINDOWS\system32\bszip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.

2008-10-19 10:45 . 2008-10-19 10:54 8,704 --a------ C:\WINDOWS\system32\smwin32.dll
2008-10-17 23:18 . 2008-10-18 07:49 <DIR> d-------- C:\Documents and Settings\rachel\.housecall6.6
2008-10-17 21:03 . 2008-10-17 21:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-17 21:03 . 2008-10-17 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-17 17:28 . 2008-10-17 17:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-17 17:28 . 2008-10-17 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-17 17:18 . 2008-10-17 17:18 <DIR> d---s---- C:\Documents and Settings\rachel\UserData
2008-10-17 16:57 . 2008-10-17 16:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 22:07 . 2008-10-17 15:52 <DIR> d-------- C:\quarantine
2008-10-16 20:09 . 2008-10-19 10:56 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-16 19:16 . 2008-10-16 22:18 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-16 19:16 . 2008-10-16 19:16 <DIR> d-------- C:\Documents and Settings\rachel\Application Data\AVGTOOLBAR
2008-10-16 19:16 . 2008-10-16 19:16 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-16 19:16 . 2008-10-16 19:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-16 19:15 . 2008-10-16 19:15 <DIR> d-------- C:\Program Files\AVG
2008-10-16 19:15 . 2008-10-16 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-16 18:52 . 2008-10-16 18:52 19,257 --a------ C:\WINDOWS\system32\kigifa.ban
2008-10-16 18:52 . 2008-10-16 18:52 16,159 --a------ C:\WINDOWS\system32\fesagixu.bin
2008-10-16 18:52 . 2008-10-16 18:52 15,987 --a------ C:\WINDOWS\lohosanap.scr
2008-10-16 18:52 . 2008-10-16 18:52 15,418 --a------ C:\WINDOWS\system32\hilyfymy.dat
2008-10-16 18:52 . 2008-10-16 18:52 15,399 --a------ C:\WINDOWS\jiku.ban
2008-10-16 18:52 . 2008-10-16 18:52 13,520 --a------ C:\WINDOWS\xuzufulo.vbs
2008-10-16 18:52 . 2008-10-16 18:52 12,347 --a------ C:\WINDOWS\iwym.dl
2008-10-16 18:52 . 2008-10-16 18:52 11,431 --a------ C:\WINDOWS\afoti._sy
2008-10-15 05:32 . 2008-10-15 23:52 79,088 --a------ C:\WINDOWS\system32\wvyyysbagxeobkau.exe
2008-10-14 20:11 . 2008-10-14 20:11 49,152 --------- C:\WINDOWS\rytmdkba.exe
2008-10-14 17:39 . 2008-10-14 17:39 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-10-14 17:39 . 2008-10-14 17:39 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-10-14 17:28 . 2008-10-16 20:07 <DIR> d-------- C:\Program Files\OINAnalytics
2008-10-14 17:23 . 2008-10-17 19:30 <DIR> d--hs---- C:\WINDOWS\YWQ
2008-10-14 17:18 . 2008-10-14 17:18 <DIR> d-------- C:\WINDOWS\ofiq
2008-10-14 17:18 . 2008-10-16 22:02 <DIR> d-------- C:\Program Files\Common Files\ofiq
2008-10-14 16:58 . 2008-10-16 22:08 <DIR> d-------- C:\Documents and Settings\rachel\Application Data\Gool
2008-10-14 16:53 . 2008-10-16 23:37 <DIR> d-------- C:\Program Files\Webtools
2008-10-14 16:48 . 2008-10-16 23:35 <DIR> d-------- C:\Program Files\Mjcore
2008-10-12 20:22 . 2008-10-12 20:22 19,233 --a------ C:\Documents and Settings\rachel\Application Data\amydunemi.exe
2008-10-12 20:22 . 2008-10-12 20:22 18,644 --a------ C:\WINDOWS\system32\runejilyfi.inf
2008-10-12 20:22 . 2008-10-12 20:22 17,932 --a------ C:\WINDOWS\uviv.inf
2008-10-12 20:22 . 2008-10-12 20:22 17,860 --a------ C:\WINDOWS\ozehyd.db
2008-10-12 20:22 . 2008-10-12 20:22 15,804 --a------ C:\WINDOWS\system32\ocegipi.scr
2008-10-12 20:22 . 2008-10-12 20:22 15,784 --a------ C:\Documents and Settings\All Users\Application Data\uzas.sys
2008-10-12 20:22 . 2008-10-12 20:22 15,739 --a------ C:\WINDOWS\lamugun.com
2008-10-12 20:22 . 2008-10-12 20:22 14,774 --a------ C:\WINDOWS\sezamyfu.lib
2008-10-12 20:22 . 2008-10-12 20:22 13,913 --a------ C:\Program Files\Common Files\uwenoh.scr
2008-10-12 20:22 . 2008-10-12 20:22 13,618 --a------ C:\WINDOWS\lafoweteri._sy
2008-10-12 20:22 . 2008-10-12 20:22 10,585 --a------ C:\Program Files\Common Files\juvo.scr
2008-10-12 16:55 . 2008-10-12 16:55 19,668 --a------ C:\WINDOWS\system32\ygokyf.bat
2008-10-12 16:55 . 2008-10-12 16:55 19,073 --a------ C:\Program Files\Common Files\uvodygyty.dat
2008-10-12 16:55 . 2008-10-12 16:55 18,270 --a------ C:\Documents and Settings\rachel\Application Data\pesaw.reg
2008-10-12 16:55 . 2008-10-12 16:55 17,777 --a------ C:\WINDOWS\elujidiqox.bin
2008-10-12 16:55 . 2008-10-12 16:55 16,468 --a------ C:\Documents and Settings\rachel\Application Data\muzyz.sys
2008-10-12 16:55 . 2008-10-12 16:55 15,424 --a------ C:\WINDOWS\ojacikife.vbs
2008-10-12 16:55 . 2008-10-12 16:55 15,104 --a------ C:\Documents and Settings\rachel\Application Data\ixulite.dll
2008-10-12 16:55 . 2008-10-12 16:55 15,103 --a------ C:\WINDOWS\system32\ejyhat.dat
2008-10-12 16:55 . 2008-10-12 16:55 14,711 --a------ C:\WINDOWS\awed.dl
2008-10-12 16:55 . 2008-10-12 16:55 12,293 --a------ C:\Documents and Settings\All Users\Application Data\kesir.dll
2008-10-12 16:55 . 2008-10-12 16:55 11,550 --a------ C:\WINDOWS\kapyvare.lib
2008-10-12 16:55 . 2008-10-12 16:55 10,907 --a------ C:\WINDOWS\aminodyv.vbs
2008-10-12 16:55 . 2008-10-12 16:55 10,875 --a------ C:\WINDOWS\system32\zelusy.ban
2008-10-12 16:55 . 2008-10-12 16:55 10,757 --a------ C:\Program Files\Common Files\tybyruma.bat
2008-10-12 16:30 . 2008-10-12 16:30 <DIR> d-------- C:\Program Files\fhuuifg
2008-10-12 16:30 . 2008-10-17 05:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nenclahu
2008-10-12 16:26 . 2008-10-12 16:27 85,008 --a------ C:\WINDOWS\system32\uesiuqcr.exe
2008-09-27 09:19 . 2008-09-27 09:19 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-09-27 09:17 . 2008-09-27 09:17 <DIR> d-------- C:\Program Files\Mattel Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 19:24 --------- d-----w C:\Documents and Settings\rachel\Application Data\Skype
2008-10-19 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-10-19 18:46 --------- d-----w C:\Documents and Settings\rachel\Application Data\skypePM
2008-10-18 01:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-19 06:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 06:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 06:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 06:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 06:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 06:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 06:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 06:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 06:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 06:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 06:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 06:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 06:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 06:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 06:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-13 20:03 0 ----a-w C:\Documents and Settings\rachel\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uyo"="C:\Documents and Settings\rachel\Application Data\?icrosoft\w?auboot.exe" [?]
"Trap"="C:\Documents and Settings\rachel\Application Data\F?nts\m?iexec.exe" [?]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 22058792]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-31 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-05-05 26112]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-05 98304]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-11-01 258048]
"genadm"="C:\WINDOWS\rytmdkba.exe" [2008-10-14 49152]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-16 1234712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-05-26 25214]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-01 113664]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-05-05 24576]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"webstr"= {5742926E-6A89-8968-78A3-0B24A6950632} - C:\Program Files\fhuuifg\webstr.dll [2008-10-12 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 13:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\cba\\PDS.EXE"=
"C:\\WINDOWS\\system32\\msgsys.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:TCP"= 67:TCP:LANDesk® PXE TCP Port
"67:UDP"= 67:UDP:LANDesk® PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-16 97928]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-16 231704]
R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 122880]
R2 Softmon;LANDesk® Software Monitoring Service;C:\PROGRA~1\LANDesk\LDClient\softmon.exe [2007-07-26 266240]
.
- - - - ORPHANS REMOVED - - - -

BHO-{EA70F31E-7E2A-078F-5B90-5CF8E81A29A6} - C:\WINDOWS\system32\ztnaiyifus.dll
HKCU-Run-GetModule23 - C:\Program Files\GetModule\GetModule23.exe
HKCU-Run-ActAdm - C:\WINDOWS\system32\qfuvgtkb.exe
HKCU-Run-Gool - C:\Documents and Settings\rachel\Application Data\Gool\Gool.exe
HKCU-Run-ofiq - C:\PROGRA~1\COMMON~1\ofiq\ofiqm.exe
HKLM-Run-XP Antispyware 2009 - C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe
HKLM-Explorer_Run-1z57HvW5Vr - C:\Documents and Settings\All Users\Application Data\nenclahu\vkludkdc.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html -
O17 -: HKLM\CCS\Interface\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: NameServer = 137.131.200.9,137.131.200.10
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 11:22:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\PDS.EXE
C:\Program Files\LANDesk\LDClient\LDISCN32.EXE
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\msgsys.exe
.
**************************************************************************
.
Completion time: 2008-10-19 11:29:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-19 19:28:52

Pre-Run: 34,796,224,512 bytes free
Post-Run: 34,910,744,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

285

#4 dhdpla

dhdpla
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:31 AM

Posted 19 October 2008 - 02:34 PM

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:46 AM, on 10/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\WINDOWS\rytmdkba.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\rytmdkba.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SciFinder Scholar Bar - {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [genadm] C:\WINDOWS\rytmdkba.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uyo] "C:\Documents and Settings\rachel\Application Data\?icrosoft\w?auboot.exe"
O4 - HKCU\..\Run: [Trap] "C:\Documents and Settings\rachel\Application Data\F?nts\m?iexec.exe"
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\rachel\Local Settings\Temp\{23773443-88C2-4DDD-96E5-704A45D01ECD}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scripps.edu
O17 - HKLM\Software\..\Telephony: DomainName = scripps.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: Domain = scripps.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: NameServer = 137.131.200.9,137.131.200.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{695CE2CB-7124-4FDB-BCD3-62011E80ED35}: Domain = scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = scripps.edu,lj.ad.scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: Domain = scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: NameServer = 137.131.200.9,137.131.200.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = scripps.edu,lj.ad.scripps.edu
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: webstr - {5742926E-6A89-8968-78A3-0B24A6950632} - C:\Program Files\fhuuifg\webstr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\softmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11271 bytes
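Two of the O4 autostart entries in this log show the tells a reviewer looks for. `genadm` points at a random-named executable sitting directly in C:\WINDOWS rather than in system32 or Program Files, and the `Uyo` and `Trap` entries contain a `?` where HijackThis could not render a character, so `?icrosoft` and `F?nts` are lookalike folders under the user's Application Data, not the real Microsoft and Fonts folders. The script below is an added example (not part of this thread and not HijackThis code) that parses O4 lines and scores them on those signals. SAMPLE_LOG is constructed from entries in the log above, and the weights in score_target() are the editor's own heuristics, not an established rule; the random-name check in particular is weak on its own, which is why the legitimate hkcmd.exe scores 1 but is not flagged.

```python
"""Score the O4 (autostart) lines of a HijackThis 2.0.2 log.

Added example for this thread; not part of the original post and not
HijackThis code. SAMPLE_LOG is constructed from entries in the log
above. The weights in score_target() are the editor's heuristics.
"""
import re

# O4 - HKLM\..\Run: [name] target [args]
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# O4 - Startup: name.lnk = target      (also "Global Startup")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
# Cut an unquoted command line at the first executable-looking extension.
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|vbs|cmd|pif))", re.IGNORECASE)

# Constructed sample: shapes copied from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [genadm] C:\WINDOWS\rytmdkba.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uyo] "C:\Documents and Settings\rachel\Application Data\?icrosoft\w?auboot.exe"
O4 - HKCU\..\Run: [Trap] "C:\Documents and Settings\rachel\Application Data\F?nts\m?iexec.exe"
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\rachel\Local Settings\Temp\{23773443-88C2-4DDD-96E5-704A45D01ECD}\ATR1.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
"""


def extract_target(raw):
    """Return the executable path from the text after the [name], or None."""
    raw = raw.strip()
    if raw == "?":
        return None                      # HijackThis could not resolve the .lnk
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    m = EXT_RE.match(raw)
    return m.group(1) if m else raw.split(" ")[0]


def longest_consonant_run(stem):
    """Length of the longest run of consonants (y counted as a consonant)."""
    run = best = 0
    for ch in stem:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def score_target(target):
    """Heuristic score plus the reasons; >= 2 is worth a reviewer's attention."""
    if target is None:
        return 0, ["shortcut target not resolved; open the .lnk by hand"]
    t = target.lower()
    parent, _, base = t.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    score, reasons = 0, []
    if "?" in t:
        # HijackThis prints '?' for a character it cannot render, so a
        # folder shown as "?icrosoft" is a lookalike, not the real one.
        score += 3
        reasons.append("non-displayable character in path: lookalike folder name")
    if parent == "c:\\windows":
        score += 1
        reasons.append("executable directly in the Windows root")
    if "\\application data\\" in t or "\\local settings\\temp\\" in t:
        score += 1
        reasons.append("runs from the user profile (Application Data / Temp)")
    if longest_consonant_run(stem) >= 4:
        # Weak signal on its own: the legitimate hkcmd.exe trips it too.
        score += 1
        reasons.append("random-looking file name")
    return score, reasons


def triage_o4(log_text):
    """Parse every O4 line and return one finding dict per entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            hive, key, name, raw = m.groups()
            location = f"{hive}\\..\\{key}"
        else:
            m = STARTUP_RE.match(line)
            if not m:
                continue
            location, name, raw = m.groups()
        target = extract_target(raw)
        score, reasons = score_target(target)
        findings.append({"name": name, "location": location, "target": target,
                         "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in sorted(triage_o4(SAMPLE_LOG), key=lambda f: -f["score"]):
        tag = "REVIEW" if f["score"] >= 2 else "  ok  "
        print(f"{tag} {f['score']} {f['location']:<15} [{f['name']}] {f['target']}")
        for reason in f["reasons"]:
            print("           - " + reason)
```

Run against the sample, only `genadm`, `Uyo` and `Trap` reach the review threshold, which matches the entries the helper's CFScript targets in the next post; the Temp-folder registration shortcut scores 1 and stays on the list for a human to look at rather than being auto-flagged.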

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:31 PM

Posted 19 October 2008 - 02:52 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\uesiuqcr.exe
C:\Documents and Settings\rachel\Application Data\amydunemi.exe
C:\WINDOWS\system32\runejilyfi.inf
C:\WINDOWS\uviv.inf
C:\WINDOWS\ozehyd.db
C:\WINDOWS\system32\ocegipi.scr
C:\Documents and Settings\All Users\Application Data\uzas.sys
C:\WINDOWS\lamugun.com
C:\WINDOWS\sezamyfu.lib
C:\Program Files\Common Files\uwenoh.scr
C:\WINDOWS\lafoweteri._sy
C:\Program Files\Common Files\juvo.scr
C:\WINDOWS\system32\ygokyf.bat
C:\Program Files\Common Files\uvodygyty.dat
C:\Documents and Settings\rachel\Application Data\pesaw.reg
C:\WINDOWS\elujidiqox.bin
C:\Documents and Settings\rachel\Application Data\muzyz.sys
C:\WINDOWS\ojacikife.vbs
C:\Documents and Settings\rachel\Application Data\ixulite.dll
C:\WINDOWS\system32\ejyhat.dat
C:\WINDOWS\awed.dl
C:\Documents and Settings\All Users\Application Data\kesir.dll
C:\WINDOWS\kapyvare.lib
C:\WINDOWS\aminodyv.vbs
C:\WINDOWS\system32\zelusy.ban
C:\Program Files\Common Files\tybyruma.bat
C:\WINDOWS\rytmdkba.exe
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\kigifa.ban
C:\WINDOWS\system32\fesagixu.bin
C:\WINDOWS\lohosanap.scr
C:\WINDOWS\system32\hilyfymy.dat
C:\WINDOWS\jiku.ban
C:\WINDOWS\xuzufulo.vbs
C:\WINDOWS\iwym.dl
C:\WINDOWS\afoti._sy
C:\WINDOWS\system32\wvyyysbagxeobkau.exe
C:\WINDOWS\rytmdkba.exe
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\system32\Jamster.ico
Folder::
C:\Program Files\fhuuifg
C:\Program Files\OINAnalytics
C:\WINDOWS\YWQ
C:\WINDOWS\ofiq
C:\Program Files\Common Files\ofiq
C:\Documents and Settings\rachel\Application Data\Gool
C:\Program Files\Webtools
C:\Program Files\Mjcore
C:\Documents and Settings\All Users\Application Data\nenclahu
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"genadm"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"webstr"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uyo"=-
"Trap"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
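A CFScript is plain text with `File::`, `Folder::` and `Registry::` headers, and the Registry:: part follows .reg-file conventions: a `[HKEY_...\key]` line, then `"name"=-` to delete a value or `"name"=dword:00000000` to set one. A key line that loses a bracket quietly changes what the lines after it apply to, and a script like the one above carries dozens of hand-typed paths, so a mechanical check before dropping the file onto ComboFix is cheap insurance. The checker below is an added example, not part of this post and not ComboFix's own code. The grammar it enforces is inferred from the script shown above (ComboFix's real parser is not documented here, so this checks form, not what ComboFix will do with a line), and SAMPLE_SCRIPT is a constructed excerpt with a duplicated path and a missing bracket left in on purpose.

```python
"""Shape-check a ComboFix CFScript before dragging it onto ComboFix.exe.

Added example for this thread; not part of the post and not ComboFix
code. The accepted shape (File::/Folder::/Registry:: headers, REGEDIT4
style [key] and "name"=value lines, "name"=- to delete a value) is
inferred from the script posted above; ComboFix's own parser is not
documented here, so this checks form only.
"""
import re

HEADER_RE = re.compile(r"^([A-Za-z]+)::$")
KNOWN_SECTIONS = {"File", "Folder", "Registry"}      # the ones the post uses
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\[^<>|]+$")      # C:\... absolute path
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS|HKEY_CLASSES_ROOT)\\[^\]]+\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^(?:"[^"]+"|@)=(?:-|dword:[0-9A-Fa-f]{8}|"[^"]*")$')

# Constructed from the posted script, with two slips left in on purpose:
# a duplicated File:: path and a key line missing its opening bracket.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\rytmdkba.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\rytmdkba.exe
Folder::
C:\Program Files\fhuuifg
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"genadm"=-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"webstr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"""

# The same excerpt with both slips corrected.
FIXED_SCRIPT = r"""File::
C:\WINDOWS\rytmdkba.exe
C:\WINDOWS\system32\uesiuqcr.exe
Folder::
C:\Program Files\fhuuifg
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"genadm"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"webstr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"""


def check_cfscript(text):
    """Return a list of (line_number, problem) tuples; empty means clean."""
    problems = []
    section = None
    current_key = None
    seen = {}                              # lower-cased path -> first line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            if section not in KNOWN_SECTIONS:
                problems.append((lineno, f"unknown section '{section}::'"))
            continue
        if section is None:
            problems.append((lineno, "text before the first section header"))
        elif section in ("File", "Folder"):
            if not WIN_PATH_RE.match(line):
                problems.append((lineno, "not an absolute Windows path"))
            if line.lower() in seen:
                problems.append((lineno, f"duplicate of line {seen[line.lower()]}"))
            else:
                seen[line.lower()] = lineno
        elif section == "Registry":
            if KEY_RE.match(line):
                current_key = line
            elif VALUE_RE.match(line):
                if current_key is None:
                    problems.append((lineno, "value line with no [key] above it"))
            elif line.startswith(("HKEY_", "[")) or line.endswith("]"):
                # A key line that lost a bracket: the values after it are
                # orphaned instead of deleting what you meant to delete.
                problems.append((lineno, "malformed key line, expected [HIVE\\path]"))
                current_key = None
            else:
                problems.append((lineno, "unrecognised registry line"))
        else:
            problems.append((lineno, f"line in unchecked section '{section}::'"))
    return problems


if __name__ == "__main__":
    for lineno, what in check_cfscript(SAMPLE_SCRIPT):
        print(f"line {lineno}: {what}")
    print("fixed script problems:", check_cfscript(FIXED_SCRIPT))
```

On the sample this reports the duplicate on line 4, the bracketless key on line 10, and `"webstr"=-` on line 11 as a value with no key above it, which is the real consequence of the slip: the SSODL entry would not be removed by that line. The corrected excerpt comes back clean.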

#6 dhdpla

dhdpla
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:31 AM

Posted 19 October 2008 - 03:10 PM

Next ComboFix log, followed by HijackThis log in the same post:

ComboFix 08-10-18.03 - rachel 2008-10-19 12:01:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.107 [GMT -8:00]
Running from: C:\Documents and Settings\rachel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rachel\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Application Data\kesir.dll
C:\Documents and Settings\All Users\Application Data\uzas.sys
C:\Documents and Settings\rachel\Application Data\amydunemi.exe
C:\Documents and Settings\rachel\Application Data\ixulite.dll
C:\Documents and Settings\rachel\Application Data\muzyz.sys
C:\Documents and Settings\rachel\Application Data\pesaw.reg
C:\Program Files\Common Files\juvo.scr
C:\Program Files\Common Files\tybyruma.bat
C:\Program Files\Common Files\uvodygyty.dat
C:\Program Files\Common Files\uwenoh.scr
C:\WINDOWS\afoti._sy
C:\WINDOWS\aminodyv.vbs
C:\WINDOWS\awed.dl
C:\WINDOWS\elujidiqox.bin
C:\WINDOWS\iwym.dl
C:\WINDOWS\jiku.ban
C:\WINDOWS\kapyvare.lib
C:\WINDOWS\lafoweteri._sy
C:\WINDOWS\lamugun.com
C:\WINDOWS\lohosanap.scr
C:\WINDOWS\ojacikife.vbs
C:\WINDOWS\ozehyd.db
C:\WINDOWS\rytmdkba.exe
C:\WINDOWS\sezamyfu.lib
C:\WINDOWS\system32\ejyhat.dat
C:\WINDOWS\system32\fesagixu.bin
C:\WINDOWS\system32\hilyfymy.dat
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\kigifa.ban
C:\WINDOWS\system32\ocegipi.scr
C:\WINDOWS\system32\runejilyfi.inf
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\system32\wvyyysbagxeobkau.exe
C:\WINDOWS\system32\ygokyf.bat
C:\WINDOWS\system32\zelusy.ban
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\uviv.inf
C:\WINDOWS\xuzufulo.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\kesir.dll
C:\Documents and Settings\All Users\Application Data\nenclahu
C:\Documents and Settings\All Users\Application Data\uzas.sys
C:\Documents and Settings\rachel\Application Data\amydunemi.exe
C:\Documents and Settings\rachel\Application Data\Gool
C:\Documents and Settings\rachel\Application Data\ixulite.dll
C:\Documents and Settings\rachel\Application Data\muzyz.sys
C:\Documents and Settings\rachel\Application Data\pesaw.reg
C:\Program Files\Common Files\juvo.scr
C:\Program Files\Common Files\ofiq
C:\Program Files\Common Files\ofiq\ofiqa.lck
C:\Program Files\Common Files\ofiq\ofiqd\class-barrel
C:\Program Files\Common Files\ofiq\ofiqh
C:\Program Files\Common Files\ofiq\ofiql.lck
C:\Program Files\Common Files\ofiq\ofiqm.lck
C:\Program Files\Common Files\tybyruma.bat
C:\Program Files\Common Files\uvodygyty.dat
C:\Program Files\Common Files\uwenoh.scr
C:\Program Files\fhuuifg
C:\Program Files\fhuuifg\webstr.dll
C:\Program Files\Mjcore
C:\Program Files\OINAnalytics
C:\Program Files\OINAnalytics\OINAnalytics2.dll
C:\Program Files\OINAnalytics\Uninstall.exe
C:\Program Files\Webtools
C:\WINDOWS\afoti._sy
C:\WINDOWS\aminodyv.vbs
C:\WINDOWS\awed.dl
C:\WINDOWS\elujidiqox.bin
C:\WINDOWS\iwym.dl
C:\WINDOWS\jiku.ban
C:\WINDOWS\kapyvare.lib
C:\WINDOWS\lafoweteri._sy
C:\WINDOWS\lamugun.com
C:\WINDOWS\lohosanap.scr
C:\WINDOWS\ofiq
C:\WINDOWS\ofiq\ofiq.dat
C:\WINDOWS\ofiq\wu
C:\WINDOWS\ojacikife.vbs
C:\WINDOWS\ozehyd.db
C:\WINDOWS\rytmdkba.exe
C:\WINDOWS\sezamyfu.lib
C:\WINDOWS\system32\ejyhat.dat
C:\WINDOWS\system32\fesagixu.bin
C:\WINDOWS\system32\hilyfymy.dat
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\kigifa.ban
C:\WINDOWS\system32\ocegipi.scr
C:\WINDOWS\system32\runejilyfi.inf
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\system32\wvyyysbagxeobkau.exe
C:\WINDOWS\system32\ygokyf.bat
C:\WINDOWS\system32\zelusy.ban
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\uviv.inf
C:\WINDOWS\xuzufulo.vbs
C:\WINDOWS\YWQ

.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.

2008-10-17 23:18 . 2008-10-18 07:49 <DIR> d-------- C:\Documents and Settings\rachel\.housecall6.6
2008-10-17 21:03 . 2008-10-17 21:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-17 21:03 . 2008-10-17 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-17 17:28 . 2008-10-17 17:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-17 17:28 . 2008-10-17 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-17 17:18 . 2008-10-17 17:18 <DIR> d---s---- C:\Documents and Settings\rachel\UserData
2008-10-17 16:57 . 2008-10-17 16:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 22:07 . 2008-10-17 15:52 <DIR> d-------- C:\quarantine
2008-10-16 20:09 . 2008-10-19 10:56 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-16 19:16 . 2008-10-16 22:18 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-16 19:16 . 2008-10-16 19:16 <DIR> d-------- C:\Documents and Settings\rachel\Application Data\AVGTOOLBAR
2008-10-16 19:16 . 2008-10-16 19:16 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-16 19:16 . 2008-10-16 19:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-16 19:15 . 2008-10-16 19:15 <DIR> d-------- C:\Program Files\AVG
2008-10-16 19:15 . 2008-10-16 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-27 09:19 . 2008-09-27 09:19 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-09-27 09:17 . 2008-09-27 09:17 <DIR> d-------- C:\Program Files\Mattel Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 19:49 --------- d-----w C:\Documents and Settings\rachel\Application Data\Skype
2008-10-19 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-10-19 18:46 --------- d-----w C:\Documents and Settings\rachel\Application Data\skypePM
2008-10-18 01:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-19 06:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 06:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 06:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 06:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 06:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 06:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 06:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 06:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 06:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 06:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 06:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 06:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 06:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 06:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 06:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-13 20:03 0 ----a-w C:\Documents and Settings\rachel\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 22058792]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-31 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-05-05 26112]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-05 98304]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-11-01 258048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-16 1234712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-05-26 25214]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-01 113664]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-05-05 24576]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 13:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\cba\\PDS.EXE"=
"C:\\WINDOWS\\system32\\msgsys.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:TCP"= 67:TCP:LANDesk® PXE TCP Port
"67:UDP"= 67:UDP:LANDesk® PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-16 97928]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-16 231704]
R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 122880]
R2 Softmon;LANDesk® Software Monitoring Service;C:\PROGRA~1\LANDesk\LDClient\softmon.exe [2007-07-26 266240]
.
- - - - ORPHANS REMOVED - - - -

SSODL-webstr-{5742926E-6A89-8968-78A3-0B24A6950632} - C:\Program Files\fhuuifg\webstr.dll



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 12:04:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-19 12:06:58
ComboFix-quarantined-files.txt 2008-10-19 20:06:53
ComboFix2.txt 2008-10-19 19:29:16

Pre-Run: 34,903,273,472 bytes free
Post-Run: 34,892,296,192 bytes free

228

===============================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:31 PM, on 10/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\LANDesk\LDClient\LDdrives.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SciFinder Scholar Bar - {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\rachel\Local Settings\Temp\{23773443-88C2-4DDD-96E5-704A45D01ECD}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scripps.edu
O17 - HKLM\Software\..\Telephony: DomainName = scripps.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: Domain = scripps.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: NameServer = 137.131.200.9,137.131.200.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{695CE2CB-7124-4FDB-BCD3-62011E80ED35}: Domain = scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = scripps.edu,lj.ad.scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: Domain = scripps.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E728EA4-D4AA-44A1-86F8-1A3D7C7F77C9}: NameServer = 137.131.200.9,137.131.200.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = scripps.edu,lj.ad.scripps.edu
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\softmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10949 bytes

#7 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 October 2008 - 03:18 PM

Hi,

Just some leftovers to deal with...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: SciFinder Scholar Bar - {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll (file missing)
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\rachel\Local Settings\Temp\{23773443-88C2-4DDD-96E5-704A45D01ECD}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE
<== this one was already deleted by combofix anyway.

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
Then... * Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
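The leftovers picked out in the post above share two tell-tale signs: an entry whose target file no longer exists ("(no file)" / "(file missing)") and an autostart shortcut that launches from a temporary folder. As an added example (not from this thread, and not part of HijackThis), the following Python triages lines in HijackThis v2 format on exactly those two rules; the temp-folder fragments are an assumption, and the sample log is constructed from entries quoted in this thread plus two benign entries for contrast.

```python
import re

# Constructed sample in HijackThis v2 line format: three entries quoted in
# the thread above plus two benign ones that must NOT be flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: SciFinder Scholar Bar - {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll (file missing)
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\rachel\Local Settings\Temp\{23773443-88C2-4DDD-96E5-704A45D01ECD}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, O1-O24).
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# HijackThis' own wording for an entry whose referenced file is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumption (not from the page): locations a legitimate installer almost
# never uses for a persistent autostart. Compared case-insensitively.
TEMP_FRAGMENTS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def triage_line(line):
    """Return (section, reason) when an entry deserves review, else None."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None  # header, process list, blank line, etc.
    section, body = match.group("section"), match.group("body").lower()
    if any(marker in body for marker in ORPHAN_MARKERS):
        return (section, "orphaned entry: referenced file is missing")
    if section == "O4" and any(frag in body for frag in TEMP_FRAGMENTS):
        return (section, "autostart launches from a temporary directory")
    return None


def triage_log(text):
    """Walk a whole log and collect (section, reason, original line) tuples."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Orphaned entries are usually safe to fix because nothing is left to run; a temp-folder autostart is the one to look at more carefully, since the file it points to may still exist.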

#8 dhdpla
  • Topic Starter
  • Members
  • 6 posts

Posted 19 October 2008 - 03:47 PM

Mission accomplished! Everything seems to be running fine now. Thanks for your help -- before I found this site I was this close to reformatting the hard disk! :thumbsup:

#9 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 October 2008 - 01:50 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#10 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 October 2008 - 10:03 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.