I started a posting on Feb 3rd but wasn't able to get back to it right away and now it is closed. I was finally able to run ComboFix after I renamed the file and I'm including the log in this posting. I also reran HiJackThis and I'm including the log as well. Btw, ComboFix would only run on this machine after I removed McAfee and renamed the file. It wouldn't run by simply renaming the file; I had to remove the antivirus first. Windows Update is activated again (I haven't updated yet) and I think Malwarebytes will run, but I want to wait to hear from you before I run it.
My original posting, including the first HijackThis log, is under the post "hijack this log...Malware bytes will not install" on Feb 3rd.
Here are my logs.
ComboFix 09-02-06.01 - Bill 2009-02-06 15:49:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.749 [GMT -6:00]
Running from: c:\documents and settings\Bill\Desktop\1d2s3f.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bold.log
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\ZangoSA
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA_kyf_update.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht
c:\documents and settings\Bill\Application Data\EHEncrypt8521.dll
c:\documents and settings\Bill\Application Data\EHZComp8521.dll
c:\documents and settings\Bill\Application Data\GetModule
c:\documents and settings\Bill\Application Data\GetModule\dicik.gz
c:\documents and settings\Bill\Application Data\GetModule\kwdik.gz
c:\documents and settings\Bill\Application Data\GetModule\ofadik.gz
c:\documents and settings\Bill\Application Data\MBSMainPlugin3542.dll
c:\documents and settings\Bill\Application Data\MBSPicturePlugin3542.dll
c:\documents and settings\Bill\Application Data\MBSProcessPlugin3543.dll
c:\documents and settings\Bill\Application Data\MBSRegistrationPlugin3542.dll
c:\documents and settings\Bill\Application Data\MBSRegistryPlugin3544.dll
c:\documents and settings\Bill\Application Data\MBSUsernamePlugin3541.dll
c:\documents and settings\Bill\Application Data\MBSWinPlugin3544.dll
c:\documents and settings\Bill\Application Data\rbap550.dll
c:\documents and settings\Bill\Application Data\RBInternetEncodings600.dll
c:\documents and settings\Bill\Application Data\RBShell555.dll
c:\documents and settings\Bill\Application Data\RBXML550.dll
c:\documents and settings\Bill\Application Data\WeatherDPA
c:\documents and settings\Bill\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\Bill\Application Data\Zango
c:\documents and settings\Bill\Start Menu\Programs\PlayMP3z
c:\documents and settings\Bill\Start Menu\Programs\PlayMP3z\Run PlayMP3z.lnk
c:\program files\Antivirus 2009
c:\program files\Antivirus 2009\av2009.exe.tmp
c:\program files\GetModule
c:\program files\GetModule\GetModule29.exe
c:\program files\GetModule\GetModule30.exe
c:\program files\GetModule\GetModule31.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\hosts
c:\windows\system32\~.exe
c:\windows\system32\afevuhof.ini
c:\windows\system32\aj1T08dd.exe.a_a
c:\windows\system32\akodubut.ini
c:\windows\system32\apugibiw.ini
c:\windows\system32\bibafedo.dll.tmp
c:\windows\system32\bqnlknyh.ini
c:\windows\system32\bsmqmlnj.ini
c:\windows\system32\buknfetm.ini
c:\windows\system32\cblcxkok.ini
c:\windows\system32\cbXQiJdE.dll
c:\windows\system32\chkaobop.ini
c:\windows\system32\crxamvyl.ini
c:\windows\system32\dftfsikn.ini
c:\windows\system32\diaykvjy.ini
c:\windows\system32\dibawumi.dll.tmp
c:\windows\system32\difajowu.dll
c:\windows\system32\digeste.dll
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\E30K1247.exe.a_a
c:\windows\SYSTEM32\EdJiQXbc.ini
c:\windows\system32\EdJiQXbc.ini2
c:\windows\system32\egirazak.ini
c:\windows\system32\ehobeyuw.ini
c:\windows\system32\ejiyufum.ini
c:\windows\system32\eywwixnq.ini
c:\windows\system32\fidogile.dll
c:\windows\system32\fogomume.dll
c:\windows\system32\fyctbcsk.ini
c:\windows\system32\G06M7814.dll
c:\windows\system32\gahipknk.ini
c:\windows\system32\gelarijo.dll
c:\windows\system32\gerwrwha.ini
c:\windows\system32\gldwmhwg.ini
c:\windows\system32\gxgjpwaw.ini
c:\windows\system32\gzvba.sys
c:\windows\system32\hgGxVPGv.dll
c:\windows\system32\hjkkhlgr.ini
c:\windows\system32\hnkdlvjg.ini
c:\windows\system32\ijabazer.ini
c:\windows\system32\invxbtus.ini
c:\windows\system32\ipugoseg.ini
c:\windows\system32\irasiruy.ini
c:\windows\system32\isopufum.ini
c:\windows\system32\k86.bin
c:\windows\system32\kaleguli.dll.tmp
c:\windows\system32\kexqnfph.ini
c:\windows\system32\kwave.sys
c:\windows\system32\ljjfxnjs.ini
c:\windows\system32\lpmvefwn.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mhhtcmkx.ini
c:\windows\system32\msansspc.dll
c:\windows\system32\mufuyije.dll
c:\windows\system32\mvgdaurg.ini
c:\windows\system32\nhxvlgbh.ini
c:\windows\system32\okujihoh.ini
c:\windows\system32\oodliqqe.ini
c:\windows\system32\otenipev.ini
c:\windows\system32\owalulis.ini
c:\windows\system32\owuzajib.ini
c:\windows\system32\oyohanov.ini
c:\windows\system32\pdcnhgsc.ini
c:\windows\system32\picjqlsa.ini
c:\windows\system32\pipidesa.dll
c:\windows\system32\pomefeya.dll.tmp
c:\windows\system32\qskqnyof.ini
c:\windows\system32\sgvneetf.ini
c:\windows\system32\sutuyape.dll.tmp
c:\windows\system32\tcfefiiq.ini
c:\windows\system32\TDSShrxr.dll
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtql.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\tovebogi.dll
c:\windows\system32\tremir.bin
c:\windows\system32\ufupabaf.ini
c:\windows\system32\uhepizep.ini
c:\windows\system32\ujosayen.ini
c:\windows\system32\usevanov.ini
c:\windows\system32\uzajiguv.ini
c:\windows\system32\vipxnbmr.ini
c:\windows\system32\viriteda.dll
c:\windows\system32\vlhhnata.ini
c:\windows\system32\vonahoyo.dll
c:\windows\system32\vozaposo.dll.tmp
c:\windows\system32\wegusisi.dll
c:\windows\system32\winusime.dll
c:\windows\system32\wpv651227390984.cpx
c:\windows\system32\wpv871228088431.cpx
c:\windows\system32\ynhfkhoj.ini
c:\windows\system32\yphlyaqp.ini
c:\windows\wiaserviv.log
----- BITS: Possible infected sites -----
hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.
2009-02-03 11:51 . 2009-02-03 11:52 <DIR> d-------- C:\nice mb remover
2009-02-03 11:05 . 2009-02-03 11:05 <DIR> d-------- C:\Malwarebytes' Anti-Malware
2009-02-03 11:05 . 2009-02-03 11:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-03 11:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-03 11:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-30 17:05 . 2004-08-03 22:58 14,848 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2009-01-30 17:05 . 2004-08-03 22:58 14,848 --a------ c:\windows\SYSTEM32\DLLCACHE\kbdhid.sys
2009-01-30 17:05 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2009-01-30 17:05 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 21:22 --------- d-----w c:\program files\McAfee.com
2009-02-03 15:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-03 14:54 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-03 14:54 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-08-06 15:25 31,088 ----a-w c:\documents and settings\Bill\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 23:27 774,144 ----a-w c:\program files\RngInterstitial.dll
2005-04-08 00:25 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
2005-03-18 05:02 62,253 --sha-w c:\windows\SYSTEM32\tutejawu.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-29 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2004-08-27 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-03-29 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\modzlib]
2005-03-17 01:04 20096 c:\windows\SYSTEM32\modzlib.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wanatw4.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dlbxcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\lib\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\SYSTEM32\\TASKMGR.EXE"=
"c:\\WINDOWS\\SYSTEM32\\E30K1247.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f0c70d9-a920-11dd-af27-001111e3b3e6}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{400600c8-9684-11d9-af1e-001111e3b3e6}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
2009-01-04 c:\windows\Tasks\At1.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-03 c:\windows\Tasks\At10.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-03 c:\windows\Tasks\At11.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-03 c:\windows\Tasks\At12.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-06 c:\windows\Tasks\At13.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-06 c:\windows\Tasks\At14.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-03 c:\windows\Tasks\At15.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-06 c:\windows\Tasks\At16.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-04 c:\windows\Tasks\At17.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At18.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-31 c:\windows\Tasks\At19.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At2.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-31 c:\windows\Tasks\At20.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-31 c:\windows\Tasks\At21.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-05 c:\windows\Tasks\At22.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-05 c:\windows\Tasks\At23.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-05 c:\windows\Tasks\At24.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At25.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At26.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At27.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At28.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At29.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At3.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At30.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At31.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At32.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At33.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-02-03 c:\windows\Tasks\At34.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-02-03 c:\windows\Tasks\At35.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-02-03 c:\windows\Tasks\At36.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-02-06 c:\windows\Tasks\At37.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-02-06 c:\windows\Tasks\At38.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-02-03 c:\windows\Tasks\At39.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At4.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-06 c:\windows\Tasks\At40.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-02-06 c:\windows\Tasks\At41.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At42.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-31 c:\windows\Tasks\At43.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-31 c:\windows\Tasks\At44.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-31 c:\windows\Tasks\At45.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-05 c:\windows\Tasks\At46.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-05 c:\windows\Tasks\At47.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-05 c:\windows\Tasks\At48.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At5.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At6.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At7.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At8.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At9.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
.
- - - - ORPHANS REMOVED - - - -
BHO-{81C92A3B-D873-49B2-BC76-18DD454135EE} - c:\windows\system32\cbXQiJdE.dll
BHO-{8535c159-ec62-4549-bb61-6b8c7b3ae388} - c:\windows\system32\pipidesa.dll
BHO-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\hgGxVPGv.dll
BHO-{AFF8BD2C-FA1A-438A-989F-EFF6E22622C5} - (no file)
BHO-{B463B611-8D99-4EA5-B2F4-EEBE56C1DEEA} - (no file)
HKCU-Run-DellSupport - c:\program files\Dell Support\DSAgnt.exe
HKCU-Run-GetModule31 - c:\program files\GetModule\GetModule31.exe
HKLM-Run-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
HKLM-Run-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
ShellExecuteHooks-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\hgGxVPGv.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 15:55:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\wuaueng.dll.wusetup.160921.bak 1811656 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\modzlib.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SYSTEM32\dlbxcoms.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-06 15:59:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 21:59:14
Pre-Run: 51,048,787,968 bytes free
Post-Run: 51,654,606,848 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
389 --- E O F --- 2008-11-02 08:03:37
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:49 PM, on 2/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\E30K1247.exe
C:\Documents and Settings\Bill\Desktop\Spyware\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O20 - Winlogon Notify: modzlib - C:\WINDOWS\SYSTEM32\modzlib.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 5563 bytes
#1
Posted 06 February 2009 - 10:17 PM
#2
Posted 07 February 2009 - 09:41 AM
STEP 1
With all other applications closed (Taskbar empty), open HijackThis again
and run Do a system scan only and place a check mark on the following items.
- R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
- O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
- O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
- O20 - Winlogon Notify: modzlib - C:\WINDOWS\SYSTEM32\modzlib.dll
Then Quit All Browsers including the one you're reading this in now.
Then click on Fix checked and then quit HJT
STEP 2
Please click on START - RUN and copy/paste the contents of the CODE box (one by one) into the run line and click the OK button.
A window will flash very quickly and is normal. The fix is done.
REG DELETE HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f0c70d9-a920-11dd-af27-001111e3b3e6} /F
REG DELETE HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{400600c8-9684-11d9-af1e-001111e3b3e6} /F
DEL /F /Q c:\windows\Tasks\*.JOB
STEP 3
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\modzlib]
File::
c:\windows\SYSTEM32\modzlib.dll
c:\windows\SYSTEM32\tutejawu.dll
c:\windows\system32\wuaueng.dll.wusetup.160921.bak
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

- Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
- Disconnect from the Internet.
- Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
- A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
- It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes, Notepad will open with your results log. Do a File, Exit.
STEP 4
Please go here: and download the Microsoft Visual Basic 6 run-time files and install them on your system.
Then see if you can install MBAM now or not. Please download a NEW copy of MBAM to install.
STEP 5
Try to see if you can run and update MBAM now. If not let me know what error or what happens.
Update and Scan with Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
- Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidentally close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
AFTER the reboot run HJT Do a system scan and save a logfile
Then post back NEW MBAM and HJT logs, in that order, please.
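The removal steps above (dropping the two mountpoints2 AutoRun keys and deleting every .JOB file in c:\windows\Tasks) target entries that stand out in the ComboFix log: dozens of AtN.job tasks, the names at.exe assigns, all pointing at two freshly created executables in system32, plus removable-drive AutoRun commands. The following Python script is an added triage example, not code from this thread, from ComboFix or from the helper's fix script. It parses a constructed excerpt laid out the way ComboFix prints these sections (modelled on the log above), groups the at.exe jobs by target, and extracts the AutoRun commands, so a defender can see which entries justify the fix and which legitimate job (AppleSoftwareUpdate.job) a blanket DEL *.JOB also removes. SAMPLE_LOG, the regex names and the function names are this example's own assumptions.

```python
"""Triage helper for the 'Scheduled Tasks' and mountpoints2 sections of a
ComboFix log.  Added example for this thread; it is not part of ComboFix,
HijackThis or the helper's fix script.  All names below are this example's
own choices."""
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's layout, modelled on the log in the
# thread (the real log lists 48 AtN.job entries; a few are enough here).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f0c70d9-a920-11dd-af27-001111e3b3e6}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
2009-01-04 c:\windows\Tasks\At1.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-06 c:\windows\Tasks\At13.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At25.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
2009-01-04 c:\windows\Tasks\At30.job
- c:\windows\system32\E30K1247.exe [2009-02-06 15:13]
"""

# "<date> <path>.job" followed by "- <target> [<timestamp>]"
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]+)\]$")
# mountpoints2 key line, followed by its AutoRun command line
MOUNT_RE = re.compile(r"mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)


def parse_jobs(text):
    """Map each .job path to (target executable, ComboFix file timestamp)."""
    jobs, pending = {}, None
    for line in text.splitlines():
        m = JOB_RE.match(line)
        if m:
            pending = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            jobs[pending] = (m.group("target"), m.group("stamp"))
            pending = None
    return jobs


def parse_autoruns(text):
    """Return [(guid, command)] for every mountpoints2 AutoRun entry."""
    found, guid = [], None
    for line in text.splitlines():
        m = MOUNT_RE.search(line)
        if m:
            guid = m.group("guid")
            continue
        m = AUTORUN_RE.match(line)
        if m and guid:
            found.append((guid, m.group("cmd")))
            guid = None
    return found


def suspicious_jobs(jobs):
    """Group AtN.job entries (the names at.exe assigns, not names a user
    would pick) whose target sits in system32, keyed by lower-cased target.
    Many jobs pointing at one freshly created system32 binary is the
    pattern visible in the thread's log."""
    flagged = defaultdict(list)
    for job, (target, _stamp) in jobs.items():
        name = job.rsplit("\\", 1)[-1]
        if re.fullmatch(r"At\d+\.job", name, re.I) and "\\system32\\" in target.lower():
            flagged[target.lower()].append(name)
    return dict(flagged)


def report(text):
    """Human-readable triage lines for a log excerpt."""
    lines = []
    for target, names in suspicious_jobs(parse_jobs(text)).items():
        lines.append(f"{len(names)} at.exe job(s) -> {target}: {', '.join(names)}")
    for guid, cmd in parse_autoruns(text):
        lines.append(f"removable-drive AutoRun {guid}: {cmd}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it on a saved ComboFix log by replacing SAMPLE_LOG with the file contents. The grouping makes the pattern obvious: one or two unfamiliar system32 binaries referenced by many at.exe jobs are the re-infection mechanism, while jobs that point at known vendor software are collateral of the DEL *.JOB step and can be recreated afterwards. The AutoRun entries show which removable-drive launch commands the REG DELETE lines remove.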
#3
Posted 08 February 2009 - 12:40 AM
Thank you for your assistance. I will try these fixes on Sunday night (Feb 9th). Please don't close this post, as I might need to ask some questions while performing these tasks.
#5
Posted 09 February 2009 - 06:45 PM
Thank you very much for all your efforts to resolve my issues!
New MBAM
Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 2
2/9/2009 12:34:45 PM
mbam-log-2009-02-09 (12-34-45).txt
Scan type: Quick Scan
Objects scanned: 50916
Time elapsed: 2 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 47
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 133
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\browsingtool.browserwatcher (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{fe3af205-54df-b146-1f0e-c9262829ed18} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{50a1aa3b-80e3-15cf-0f1a-83a98ad98fe9} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7f68785e-4894-7bb2-5fde-cc3eee2ebc82} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e698e657-649e-5d40-752d-9a3b78ea832a} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0daee015-a728-c212-9b8f-298391b8328e} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aaf21892-e4d8-e8ed-e36a-3a91e3b2db29} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.browserwatcher.1 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.pornpro_bho (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.pornpro_bho.1 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.precachebrowserhost (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.precachebrowserhost.1 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{00b77587-be1b-4201-b8e9-09fcf50ab771} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b81f920-6660-4f76-93bf-b1c67bf5d1a0} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{34e29700-0d13-46aa-b9a5-ace68e21a091} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3661af2d-c27b-499c-9bcf-66c8502a3806} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3f0915b8-b238-4c2d-ad1e-60db1e14d27a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{49155dae-c471-40fa-98ee-b2b3cad115ce} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d783385-0dda-4188-a529-c97dc3d67cbd} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e8b851b-05b0-4baf-b24d-d0dfe88dded3} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5a4737a8-b92a-4e54-970e-c2891d98ce3f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{62b0b239-f9ac-4a5b-bfae-62c7a23f7627} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e10479b-31e8-4a3b-81b1-ddaf39097f19} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{726f0ab9-b842-4ae4-90c7-230e233e6a99} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{99123ac9-7dda-4c82-b252-44c2804bf392} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ace99e77-aa2a-43c2-8c9d-caf2020fdf2b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b9cc2b92-5611-453f-8381-8b6f72d9c0b8} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c4543e64-1498-410d-8e72-4744eea99ab9} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0fb1610-b25b-49f6-be20-751b2f230e6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e420a65f-9984-4b8c-9fa9-1ed69d3b0a13} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ea58c2ea-be26-49dd-9b9a-c8e4e5ca7791} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fca28ac5-c1e1-4d67-a5ae-c44d6c374d9f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{08755390-f46d-4d09-968c-3430166b3189} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0923208c-e259-4ed5-a778-cb607da350ad} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{229d2451-a617-4b30-b5e8-8138694240cb} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9720de03-5820-4059-b4a4-639d5e52bd09} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c23fa5a4-1fea-419f-8b14-f7465df062bc} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ccc6e232-aa4c-4813-a019-9c14b27776b6} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84d39d08-a551-a4e5-c8d1-3327573d4640} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{216f843f-9efd-4bce-9629-c7c1662598d5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f2b4f93a-8acb-47ae-8a32-b718e10f6a64} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\browsingtool (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BrowsingTool (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BrowsingTool.DLL (Adware.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\BrowsingTool (Adware.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\BrowsingTool\BrowsingTool-1.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hcokwosl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ajobedpu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cbXPjJyY.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dkruwwbm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\drowckgu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ethddrmc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\eyteilwv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\neyasoju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nhihua.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\insyhiho.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iuqagqhg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\keburpkn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\khhkwoea.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kofachcu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kokxclbc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kvtmbc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\luejvt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mlJDUnop.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mlJDvTNd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mnivrp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\plioquhh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rezabaji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rhkeieqn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\saebxqir.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\smwxhqkp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sopmlf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\svjsqogw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\thchomil.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tijovuza.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tpchdhgi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tqbllz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\utgiytil.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uwtnlyjn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vckqpgdg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vedasapu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vepineto.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wcpsfetn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\aceqfdtc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\axsoqesd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dmjahksp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dnpncbha.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\icwvtfaf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\liydpacq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ljJButQj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lkalps.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\llvynxvt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mdqgypoi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mfmlam.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mfufjhux.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mrfjwrkh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nebfhloi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ohrmxumg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\okbdaalh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\omkbvc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pezipehu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pgxglqpp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rjeasodd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rncjeuxh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rqRLeccA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rrmvxl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sqxesgtg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tbwykiki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tcqobxsk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ukhdws.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ummbnoaf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wkdckd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\crrpksek.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ciapfhrq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ciwknlyv.dll (Trojan.ConHook) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fohuvefa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fvuutn.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bhsvyged.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bijazuwo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rdjzdc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wibigupa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wighoknd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ashlci.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\asywvpro.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mufuposi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\munupusu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mvfzel.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wnjoymxb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lacifytg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\laklbojd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lepefihi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\liagiydt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qiifefct.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\quaydl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jkkHBUon.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jnlmqmsb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jpiiwrco.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vidbwsmw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vonavesu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vusdwabl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vyvgip.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xeeggs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xeejtkba.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xmghpbaj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\edbnluvn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\eluxsgcx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pqaylhpy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hldkowie.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hqiowqan.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hufowebi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tubudoka.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tvlcvobs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tvzmrv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fzbxpx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jysxnr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kazarige.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xvufnsni.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xxyyvUkK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yayxxvWo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yesqiska.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yhvckd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yurisari.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yyukumpc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zjargb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zowwyx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fabapufu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fkwsnnvx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\boyutpvf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bybjbcxg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\byXOiIXQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\byXQijIb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nouugtik.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uoqcymjv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uplese.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\urngvlot.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingTool\pcre3.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingTool\uninstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jkkJdDTj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
NEW HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:16 PM, on 2/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bill\Desktop\Spyware\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 5047 bytes
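The MBAM log above is long enough that a helper reading it by hand can miss a truncated paste or an item that was not actually removed. The following parser is an added example and is not part of the original thread or of Malwarebytes' own tooling. It assumes only the MBAM 1.x text layout visible in the post: a header of `<Section>: <count>` summary lines, then one block per section whose heading is `<Section>:` and whose entries read `<object> (<ThreatName>) -> <action>.` The `SAMPLE_LOG` is a constructed excerpt of the posted log; its last line ("Delete on reboot.") is constructed so the pending-action check has something to report.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and cross-check it.

Added example, not part of the original forum post.  Assumes the MBAM 1.x
log layout seen in the thread: "<Section>: <count>" summary lines, then one
block per "<Section>:" heading with entries "<object> (<Threat>) -> <action>."
"""
import re
import sys
from collections import Counter

# Constructed sample: a short excerpt of the log posted in the thread.  The
# final "Delete on reboot." line is constructed so the pending check fires.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1742

2/9/2009 12:34:45 PM
mbam-log-2009-02-09 (12-34-45).txt

Scan type: Quick Scan
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\browsingtool.pornpro_bho (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{216f843f-9efd-4bce-9629-c7c1662598d5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{00b77587-be1b-4201-b8e9-09fcf50ab771} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\BrowsingTool (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\BrowsingTool\BrowsingTool-1.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hcokwosl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tijovuza.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ciwknlyv.dll (Trojan.ConHook) -> Delete on reboot.
"""

# "Files Infected: 133" (summary) or "Files Infected:" (block heading).
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?\s*$")
# "<object> (<Threat>) -> <action>."  Object may itself contain parentheses.
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (declared_counts, sections): header counts and per-section entries."""
    declared, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:      # summary line in the header
                declared[m.group("name")] = int(m.group("count"))
                current = None
            else:                                  # heading that opens a block
                current = m.group("name")
                sections.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        e = ENTRY_RE.match(line)
        if e:
            sections[current].append(
                {"object": e.group("obj"), "threat": e.group("threat"), "action": e.group("action")})
    return declared, sections


def check_counts(declared, sections):
    """Map section name -> (count the header claims, entries actually listed)."""
    return {n: (c, len(sections.get(n, []))) for n, c in declared.items()}


def summarize(sections):
    """Detections per threat family, plus objects whose action was not a completed removal."""
    threats, pending = Counter(), []
    for entries in sections.values():
        for e in entries:
            threats[e["threat"]] += 1
            if not e["action"].startswith("Quarantined and deleted"):
                pending.append(e["object"] + " -> " + e["action"])
    return threats, pending


def system32_short_dlls(sections):
    """Files in system32 named with 6-8 bare letters: the naming every Trojan.Vundo entry above uses."""
    pat = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\[a-z]{6,8}\.dll(\.tmp)?$", re.IGNORECASE)
    return [e["object"] for e in sections.get("Files Infected", []) if pat.match(e["object"])]


def report(text):
    """Human-readable summary; a MISMATCH line means the pasted log is truncated or edited."""
    declared, sections = parse_mbam_log(text)
    out = [f"{n}: declared {want}, listed {got}" + ("" if want == got else "  <-- MISMATCH")
           for n, (want, got) in check_counts(declared, sections).items()]
    threats, pending = summarize(sections)
    out.append("By family: " + ", ".join(f"{t}={c}" for t, c in threats.most_common()))
    out.append("Not yet removed (reboot needed): " + (", ".join(pending) or "none"))
    out.append(f"Short-named system32 DLLs: {len(system32_short_dlls(sections))}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python mbam_check.py "<path to mbam-log-....txt>"   (defaults to the sample)
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(src))
```

Run it against the file in the Logs folder named in the instructions above (the `mbam-log-date (time).txt` path) rather than against the forum paste: a declared/listed mismatch on the full log usually means the paste was cut off, and any entry whose action is not "Quarantined and deleted successfully" is a file that was still in use and needs the reboot before the next HJT scan is meaningful.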
C:\WINDOWS\SYSTEM32\nebfhloi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ohrmxumg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\okbdaalh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\omkbvc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pezipehu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pgxglqpp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rjeasodd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rncjeuxh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rqRLeccA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rrmvxl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sqxesgtg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tbwykiki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tcqobxsk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ukhdws.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ummbnoaf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wkdckd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\crrpksek.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ciapfhrq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ciwknlyv.dll (Trojan.ConHook) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fohuvefa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fvuutn.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bhsvyged.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bijazuwo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rdjzdc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wibigupa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wighoknd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ashlci.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\asywvpro.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mufuposi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\munupusu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mvfzel.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wnjoymxb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lacifytg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\laklbojd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lepefihi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\liagiydt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qiifefct.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\quaydl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jkkHBUon.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jnlmqmsb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jpiiwrco.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vidbwsmw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vonavesu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vusdwabl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vyvgip.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xeeggs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xeejtkba.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xmghpbaj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\edbnluvn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\eluxsgcx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pqaylhpy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hldkowie.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hqiowqan.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hufowebi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tubudoka.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tvlcvobs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tvzmrv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fzbxpx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jysxnr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kazarige.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xvufnsni.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xxyyvUkK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yayxxvWo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yesqiska.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yhvckd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yurisari.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yyukumpc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zjargb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zowwyx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fabapufu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fkwsnnvx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\boyutpvf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bybjbcxg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\byXOiIXQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\byXQijIb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nouugtik.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uoqcymjv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uplese.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\urngvlot.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingTool\pcre3.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingTool\uninstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jkkJdDTj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
NEW HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:16 PM, on 2/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bill\Desktop\Spyware\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 5047 bytes
#6
Posted 10 February 2009 - 01:42 AM
Okay, please run MBAM again, check for UPDATES and do another Quick Scan and post back that log and a new HJT log.
#7
Posted 10 February 2009 - 03:50 PM
I ran the scan again after checking for updates. The message I received was "updated from 1742 to 1742"; that's the gist of the message, I obviously left out all the non-vital info. The scan said no malicious material found. Here are the logs.
Thanks!
Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 2
2/10/2009 9:43:48 AM
mbam-log-2009-02-10 (09-43-48).txt
Scan type: Quick Scan
Objects scanned: 50684
Time elapsed: 2 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:20 AM, on 2/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Bill\My Documents\Spyware\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 5022 bytes
#8
Posted 11 February 2009 - 01:43 AM
Okay, let's run Combofix one more time. Delete your current copy and download a new one.
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Then post back that log please.
#9
Posted 11 February 2009 - 03:22 AM
Your forum states my post is too long for this forum. All I was trying to post is the Combofix log.
???
#10
Posted 11 February 2009 - 09:09 AM
Please zip it and attach it then.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
#11
Posted 11 February 2009 - 09:55 PM
ComboFix 09-02-10.01 - Bill 2009-02-11 13:52:56.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2663 [GMT -6:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bold.log
c:\windows\system32\E30K1247.exe.a_a
c:\windows\system32\G06M7814.dll
.
((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.
2009-02-11 13:52 . 2009-02-11 13:54 <DIR> d-------- C:\ComboFix
2009-02-11 13:09 . 2009-02-11 13:09 <DIR> d--hs---- C:\RECYCLER
2009-02-10 12:57 . 2009-02-10 12:57 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-10 12:57 . 2009-02-10 12:57 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-10 12:57 . 2009-02-10 12:57 <DIR> d-------- c:\windows\SYSTEM32\bits
2009-02-10 12:57 . 2009-02-10 12:57 <DIR> d-------- c:\windows\l2schemas
2009-02-10 12:55 . 2009-02-10 12:55 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-10 12:52 . 2009-02-10 12:52 <DIR> d-------- c:\windows\EHome
2009-02-09 12:28 . 2009-02-09 12:28 <DIR> d-------- c:\documents and settings\Bill\Application Data\Malwarebytes
2009-02-09 11:03 . 2009-02-09 11:03 294 --a------ c:\windows\SYSTEM32\MRT.INI
2009-02-06 16:00 . 2008-10-24 05:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2009-02-06 15:41 . 2009-02-06 15:41 <DIR> drahs---- C:\cmdcons
2009-02-06 15:39 . 2009-02-11 13:52 <DIR> d-------- C:\Qoobox
2009-02-03 11:51 . 2009-02-03 11:52 <DIR> d-------- C:\nice mb remover
2009-02-03 11:51 . 2009-02-03 11:52 <DIR> d-------- C:\nice mb remover
2009-02-03 11:05 . 2009-02-09 12:28 <DIR> d-------- C:\Malwarebytes' Anti-Malware
2009-02-03 11:05 . 2009-02-03 11:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-03 11:05 . 2009-02-09 12:28 <DIR> d-------- C:\Malwarebytes' Anti-Malware
2009-02-03 11:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-03 11:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-30 17:05 . 2008-04-13 12:39 14,592 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2009-01-30 17:05 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2009-01-30 17:05 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 03:13 41,474 ----a-w c:\windows\SYSTEM32\E30K1247.exe
2009-02-06 21:22 --------- d-----w c:\program files\McAfee.com
2009-02-03 15:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-03 14:54 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-03 14:54 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-08-06 15:25 31,088 ----a-w c:\documents and settings\Bill\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 23:27 774,144 ----a-w c:\program files\RngInterstitial.dll
2005-04-08 00:25 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-29 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2004-08-27 417792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-03-29 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dlbxcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\lib\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\SYSTEM32\\TASKMGR.EXE"=
"c:\\WINDOWS\\SYSTEM32\\E30K1247.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
Contents of the 'Scheduled Tasks' folder
2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
2009-01-04 c:\windows\Tasks\At1.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-03 c:\windows\Tasks\At10.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-10 c:\windows\Tasks\At11.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-10 c:\windows\Tasks\At12.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-10 c:\windows\Tasks\At13.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-10 c:\windows\Tasks\At14.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-10 c:\windows\Tasks\At15.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-10 c:\windows\Tasks\At16.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-10 c:\windows\Tasks\At17.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At18.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-31 c:\windows\Tasks\At19.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At2.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-31 c:\windows\Tasks\At20.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-31 c:\windows\Tasks\At21.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-11 c:\windows\Tasks\At22.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-11 c:\windows\Tasks\At23.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-05 c:\windows\Tasks\At24.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At25.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At26.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At27.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At28.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At29.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At3.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At30.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At31.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At32.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At33.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-02-03 c:\windows\Tasks\At34.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-02-10 c:\windows\Tasks\At35.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-02-10 c:\windows\Tasks\At36.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-02-10 c:\windows\Tasks\At37.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-02-10 c:\windows\Tasks\At38.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-02-11 c:\windows\Tasks\At39.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At4.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-02-10 c:\windows\Tasks\At40.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-02-10 c:\windows\Tasks\At41.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At42.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-31 c:\windows\Tasks\At43.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-31 c:\windows\Tasks\At44.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-31 c:\windows\Tasks\At45.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-02-11 c:\windows\Tasks\At46.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-02-11 c:\windows\Tasks\At47.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-05 c:\windows\Tasks\At48.job
- c:\windows\system32\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\windows\Tasks\At5.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At6.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At7.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At8.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\windows\Tasks\At9.job
- c:\windows\system32\aj1T08dd.exe [2008-11-02 17:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 13:54:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-11 13:56:13
ComboFix-quarantined-files.txt 2009-02-11 19:55:37
ComboFix2.txt 2009-02-11 02:16:05
ComboFix3.txt 2009-02-09 17:48:08
ComboFix4.txt 2009-02-06 21:59:30
Pre-Run: 49,087,623,168 bytes free
Post-Run: 49,079,541,760 bytes free
218 --- E O F --- 2009-02-10 19:01:27
#12
Posted 12 February 2009 - 08:17 AM
STEP 1
Please open Control Panel, Scheduled Tasks and DELETE ALL tasks in there.
Then locate and delete these files please.
c:\windows\SYSTEM32\E30K1247.exe
c:\program files\McAfee.com
c:\windows\system32\aj1T08dd.exe
STEP 2
Click on Start Run and type in COMBOFIX.EXE /U to remove Combofix.
STEP 3
- Download and install CCleaner
- CCleaner
- Double-click on the downloaded file "ccsetup216.exe" and install the application.
- Keep the default installation folder "C:\Program Files\CCleaner"
- Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
- Click finish when done and close ALL PROGRAMS
- Start the CCleaner program.
- Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
- Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
- Click on Run Cleaner button on the bottom right side of the program.
- Click OK to any prompts
STEP 4
Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:
Turn off System Restore
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- Check Turn off System Restore.
- Click Apply, and then click OK.
- Reboot.
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- UN-Check *Turn off System Restore*.
- Click Apply, and then click OK.
STEP 5
Download to the desktop: Dr.Web CureIt
- Double-click the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click the next icon next to the files found:

If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
- After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
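As an added example (not code from this thread or from ComboFix), here is a small Python script that triages the 'Scheduled Tasks' section of a ComboFix log like the one above: it pairs each AtN.job line with the executable it launches and groups the jobs by target, so that dozens of numbered At jobs all pointing at one randomly named file in system32 stand out as the persistence STEP 1 is removing. The sample log text is constructed from a few entries in the same layout.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log.

Added example, not part of the thread or of ComboFix: groups AtN.job entries by
the executable they launch so a cluster of At jobs relaunching one file stands out.
"""
import re
from collections import defaultdict

# Constructed sample in the ComboFix layout: a dated task line, then a
# "- <target> [<timestamp>]" line naming the executable the task runs.
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder
2009-02-10 c:\\windows\\Tasks\\AppleSoftwareUpdate.job
- c:\\program files\\Apple Software Update\\SoftwareUpdate.exe [2007-08-29 13:57]
2009-01-04 c:\\windows\\Tasks\\At1.job
- c:\\windows\\system32\\aj1T08dd.exe [2008-11-02 17:23]
2009-02-03 c:\\windows\\Tasks\\At10.job
- c:\\windows\\system32\\aj1T08dd.exe [2008-11-02 17:23]
2009-01-04 c:\\windows\\Tasks\\At25.job
- c:\\windows\\system32\\E30K1247.exe [2009-02-10 21:13]
2009-01-04 c:\\windows\\Tasks\\At26.job
- c:\\windows\\system32\\E30K1247.exe [2009-02-10 21:13]
.
.
------- Supplementary Scan -------
"""

SECTION_START = "Contents of the 'Scheduled Tasks' folder"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)\s*$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]+)\]\s*$")
AT_JOB_RE = re.compile(r"^at(?P<n>\d+)\.job$", re.IGNORECASE)


def parse_tasks(log_text):
    """Return a list of (job_file, target_path, file_stamp) tuples.

    Only the Scheduled Tasks section is read; parsing stops at the next
    '-------' divider. Target paths are lower-cased because NTFS is
    case-insensitive and ComboFix itself mixes case (system32 vs SYSTEM32).
    """
    tasks = []
    in_section = False
    pending_job = None
    for line in log_text.splitlines():
        if line.startswith(SECTION_START):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-------"):
            break
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group("job").rsplit("\\", 1)[-1]  # keep just At1.job
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            tasks.append((pending_job, m.group("target").lower(), m.group("stamp")))
            pending_job = None
    return tasks


def at_job_clusters(tasks, min_jobs=2):
    """Map target executable -> naturally sorted AtN.job names, for targets
    launched by at least min_jobs At jobs.

    AtN.job files come from the legacy at.exe scheduler, not the Task Scheduler
    UI; a run of them all relaunching one file in system32 is the persistence
    pattern in the log above.
    """
    by_target = defaultdict(list)
    for job, target, _stamp in tasks:
        m = AT_JOB_RE.match(job)
        if m:
            by_target[target].append((int(m.group("n")), job))
    return {target: [job for _n, job in sorted(jobs)]
            for target, jobs in by_target.items() if len(jobs) >= min_jobs}


def triage_report(log_text):
    """Human-readable summary: one line per clustered target."""
    clusters = at_job_clusters(parse_tasks(log_text))
    return [f"{target}: {len(jobs)} At jobs ({jobs[0]} .. {jobs[-1]})"
            for target, jobs in sorted(clusters.items())]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_LOG):
        print(line)
```

Run it against a full log saved from ComboFix by reading the file into `triage_report`; legitimate vendor tasks such as AppleSoftwareUpdate.job are left out of the clusters because they are not At jobs.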
#13
Posted 12 February 2009 - 08:52 PM
The first log is the Dr. Web file. I was unable to "Click next icon next to the files found" as instructed in Step 5. I mistakenly highlighted the first item "GTDown" and then clicked Move in the menu list. Oops! It originally had Cured and was changed to Move after I clicked the button. The second log is the HJT log.
GTDownDE_87.ocx;C:\I386;Adware.Gdown;Moved.;
T-3545425-glory tonic solfa.mp3;C:\Program Files\Incomplete;Trojan.WMALoader;Cured.;
christmas canon transiberian (unplugged version).mp3;C:\Program Files\LimeWire;Trojan.WMALoader;Cured.;
christmas canon transiberian.mp3;C:\Program Files\LimeWire;Trojan.WMALoader;Cured.;
king of glory tonic solfa - greatest hits.mp3;C:\Program Files\LimeWire;Trojan.WMALoader;Cured.;
paper airplanes remix.mp3;C:\Program Files\LimeWire;Trojan.WMALoader;Cured.;
run rudolph bryan adams.mp3;C:\Program Files\LimeWire;Trojan.WMALoader;Cured.;
up on housetop gene autry (unplugged version).mp3;C:\Program Files\LimeWire;Trojan.WMALoader;Cured.;
E30K1247.exe_;C:\WINDOWS\SYSTEM32;Trojan.DownLoad.25695;Deleted.;
nunupofa.dll;C:\WINDOWS\SYSTEM32;Trojan.Packed.412;Deleted.;
pazfei.dll;C:\WINDOWS\SYSTEM32;Trojan.Juan.54;Deleted.;
xaejjonc.dll;C:\WINDOWS\SYSTEM32;Trojan.Juan.54;Deleted.;
yelosuso.dll;C:\WINDOWS\SYSTEM32;Trojan.DownLoad.12946;Deleted.;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:34 PM, on 2/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bill\My Documents\Spyware\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 5580 bytes
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 5580 bytes
#14
Posted 13 February 2009 - 05:02 AM
That looks pretty good now.
How is the computer running now?
Are there still any signs of infection or other related items?
#15
Posted 13 February 2009 - 02:44 PM
You guys are the best! It might have taken a little while (my fault) but the computer is working great! I am so happy I didn't have to reinstall. Thank you very much!
Randy
#16
Posted 13 February 2009 - 11:47 PM
If you need it: Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.
- Go to http://java.sun.com/...loads/index.jsp
- Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
- In Platform box choose Windows.
- Check the box to Accept License Agreement and click Continue.
- Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
- Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
- Uncheck the Toolbar button (unless you want the toolbar)
- Reboot your computer
Great, all looks good now.
I'll close your post soon so that others don't post into it and leave you with this information and suggestions.
So how did I get infected in the first place?
At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:
Turn off System Restore
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- Check Turn off System Restore.
- Click Apply, and then click OK.
- Reboot.
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- UN-Check *Turn off System Restore*.
- Click Apply, and then click OK.
Here are some free programs I recommend that could help you improve your computer's security.
Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here
Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here
Install FireTrust SiteHound
You can find information and download it from here
Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.
hpHosts Support Forum
Update your antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-Secure Health Check
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.
The Windows Firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.
I recommend Online Armor Free
A little outdated but good reading on how to prevent malware
Keep safe online and happy surfing.
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions
Also don't forget that we offer FREE assistance with general PC questions and repair here: PC Help
If you're pleased with the product Malwarebytes and the service provided to you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
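The post above explains that hpHosts works by mapping unwanted hostnames to 127.0.0.1 in the hosts file. The following is an added example, not code from the thread or from the hpHosts project: it parses a hosts file in that format (comments, blank lines, several names per line) and reports whether a given name is sinkholed. It goes slightly beyond the post by also treating the 0.0.0.0 address as a sinkhole, a convention some hosts lists use; the sample hosts file and all hostnames in it are constructed.

```python
"""Check which hostnames a hosts-file blocklist sinkholes to the local machine.
Added example for the hpHosts discussion; the sample data below is constructed."""
import ipaddress
from typing import Dict

# Constructed sample hosts file. Format: "<ip> <hostname> [alias ...]";
# '#' starts a comment and blank lines are ignored.
SAMPLE_HOSTS = """\
# Constructed sample, not the real hpHosts list
127.0.0.1 localhost
127.0.0.1 ads.example-tracker.invalid   # blocked ad host
0.0.0.0   malware.example.invalid www.malware.example.invalid
192.0.2.10 intranet.example.invalid
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the hosts file assigns it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no hostname
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for host in parts[1:]:
            mapping.setdefault(host.lower(), ip)  # keep the first mapping seen
    return mapping


def is_sinkholed(hostname: str, mapping: Dict[str, str]) -> bool:
    """True when the hosts file sends this name to loopback (127.0.0.1) or 0.0.0.0."""
    ip = mapping.get(hostname.lower().rstrip("."))
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.invalid", "WWW.malware.example.invalid",
                 "intranet.example.invalid", "example.com"):
        print(f"{name}: {'blocked' if is_sinkholed(name, hosts) else 'not blocked'}")
```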