
Solved win32:vundo-HU and HW trojans

Discussion in 'Malware and Virus Removal Archive' started by rthompson, 2010/03/30.

  1. 2010/03/30
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    [Resolved] win32:vundo-HU and HW trojans

    Hello,

    My buddy uses Facebook's Farmville and thinks that he contracted the above trojans while playing the game. I do not know if he responds to friend requests or not, but Facebook is infamous for its virus transmissions.

    I used Avast, Advanced System Care and Spybot S&D to scan his computer. I removed several trojans using these programs, however the vundo-HU and HW trojans keep reappearing. I would like to make sure his system is clean before returning it to him.

    Here is the DDS file and Attach file:

    DDS

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by log77 at 3:17:07.09 on Tue 03/30/2010
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.316 [GMT -4:00]

    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\log77\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    mDefault_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    mSearch Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    mLocal Page = %SystemRoot%\system32\blank.htm
    mStart Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    URLSearchHooks: H - No File
    uRun: [DBISQL9] "c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe" -preload
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [COMMUNICATOR] "c:\program files\microsoft office communicator\Communicator.exe" /silentRetrials /background
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    mPolicies-system: DisableCAD = 1 (0x1)
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    Notify: igfxcui - igfxsrvc.dll
    AppInit_DLLs: zunefemi.dll
    LSA: Authentication Packages = msv1_0 nwprovau
    LSA: Notification Packages = scecli zunefemi.dll
    IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
    IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
    IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
    IFEO: msseces.exe - c:\windows\system32\svchost.exe
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\log77\applic~1\mozilla\firefox\profiles\jvbx3phe.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
    FF - component: c:\documents and settings\log77\application data\mozilla\firefox\profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\log77\application data\mozilla\firefox\profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-9-26 162640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-26 19024]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-30 40384]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-30 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-30 40384]

    =============== Created Last 30 ================

    2010-03-30 06:53:05 0 d-----w- c:\program files\IObit
    2010-03-30 06:53:05 0 d-----w- c:\docume~1\log77\applic~1\IObit
    2010-03-30 05:01:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-03-30 04:46:17 26698 -c--a-w- c:\windows\system32\dllcache\dlh5xnd5.sys
    2010-03-30 04:46:17 26698 ----a-w- c:\windows\system32\drivers\DLH5XND5.sys

    ==================== Find3M ====================

    2009-09-25 23:35:35 19076 -c--a-w- c:\program files\common files\hoxexisod.lib
    2009-09-25 23:35:35 15444 -c--a-w- c:\program files\common files\kiminejyd.exe
    2009-09-25 23:35:35 13883 -c--a-w- c:\program files\common files\recubiz._dl
    2009-09-25 23:35:35 11955 -c--a-w- c:\program files\common files\cyvanyxi.reg
    2009-09-25 23:35:35 11250 -c--a-w- c:\program files\common files\agexohesy.vbs
    2009-09-25 23:35:35 11128 -c--a-w- c:\program files\common files\yzut.pif
    1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\fegelegu.dll
    1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\fosopoku.dll
    1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\haditapo.dll
    1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\harupeza.dll
    1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\kubuyula.dll
    1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\ruyebana.dll
    1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\vidohosi.dll
    1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\yefanopa.dll

    ============= FINISH: 3:17:38.82 ===============

    Attach

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/21/2006 8:21:55 PM
    System Uptime: 3/30/2010 1:21:24 AM (2 hours ago)

    Motherboard: Dell Computer Corp. | |
    Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Microprocessor | 1992/400mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 31.07 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP477: 1/11/2010 7:19:26 PM - System Checkpoint
    RP478: 1/12/2010 9:09:04 PM - System Checkpoint
    RP479: 1/14/2010 12:36:25 AM - System Checkpoint
    RP480: 1/15/2010 1:17:22 AM - System Checkpoint
    RP481: 1/16/2010 1:18:22 AM - System Checkpoint
    RP482: 1/17/2010 2:17:10 AM - System Checkpoint
    RP483: 1/18/2010 2:18:08 AM - System Checkpoint
    RP484: 1/19/2010 2:20:57 AM - System Checkpoint
    RP485: 1/20/2010 2:21:58 AM - System Checkpoint
    RP486: 1/21/2010 3:20:48 AM - System Checkpoint
    RP487: 1/22/2010 4:20:41 AM - System Checkpoint
    RP488: 1/23/2010 4:39:02 AM - System Checkpoint
    RP489: 1/24/2010 5:38:58 AM - System Checkpoint
    RP490: 1/25/2010 6:38:55 AM - System Checkpoint
    RP491: 1/26/2010 7:38:49 AM - System Checkpoint
    RP492: 1/27/2010 7:59:10 AM - System Checkpoint
    RP493: 1/28/2010 8:35:23 AM - System Checkpoint
    RP494: 1/29/2010 8:38:23 AM - System Checkpoint
    RP495: 1/30/2010 9:38:20 AM - System Checkpoint
    RP496: 1/31/2010 5:28:33 PM - System Checkpoint
    RP497: 2/1/2010 9:17:18 PM - System Checkpoint
    RP498: 2/2/2010 10:12:37 PM - System Checkpoint
    RP499: 2/3/2010 10:41:12 PM - System Checkpoint
    RP500: 2/4/2010 11:00:09 PM - System Checkpoint
    RP501: 2/5/2010 11:13:56 PM - System Checkpoint
    RP502: 2/6/2010 11:59:56 PM - System Checkpoint
    RP503: 2/8/2010 1:08:50 AM - System Checkpoint
    RP504: 2/9/2010 1:13:08 AM - System Checkpoint
    RP505: 2/10/2010 2:02:40 AM - System Checkpoint
    RP506: 2/11/2010 2:12:34 AM - System Checkpoint
    RP507: 2/12/2010 3:12:25 AM - System Checkpoint
    RP508: 2/13/2010 4:12:17 AM - System Checkpoint
    RP509: 2/14/2010 5:30:24 AM - System Checkpoint
    RP510: 2/15/2010 6:12:10 AM - System Checkpoint
    RP511: 2/16/2010 7:12:08 AM - System Checkpoint
    RP512: 2/17/2010 7:49:51 AM - System Checkpoint
    RP513: 2/18/2010 8:49:49 AM - System Checkpoint
    RP514: 2/19/2010 9:04:40 AM - System Checkpoint
    RP515: 2/20/2010 9:49:37 AM - System Checkpoint
    RP516: 2/21/2010 2:24:52 PM - System Checkpoint
    RP517: 2/22/2010 3:07:38 PM - System Checkpoint
    RP518: 2/23/2010 5:05:08 PM - System Checkpoint
    RP519: 2/24/2010 5:49:33 PM - System Checkpoint
    RP520: 2/26/2010 12:34:14 AM - System Checkpoint
    RP521: 2/27/2010 2:15:51 AM - System Checkpoint
    RP522: 2/28/2010 3:04:33 AM - System Checkpoint
    RP523: 3/1/2010 3:23:26 AM - System Checkpoint
    RP524: 3/2/2010 3:31:44 AM - System Checkpoint
    RP525: 3/3/2010 4:13:59 AM - System Checkpoint
    RP526: 3/4/2010 4:45:29 AM - System Checkpoint
    RP527: 3/5/2010 5:45:29 AM - System Checkpoint
    RP528: 3/6/2010 6:19:11 AM - System Checkpoint
    RP529: 3/7/2010 7:19:03 AM - System Checkpoint
    RP530: 3/8/2010 7:36:25 AM - System Checkpoint
    RP531: 3/9/2010 7:57:21 AM - System Checkpoint
    RP532: 3/10/2010 8:57:12 AM - System Checkpoint
    RP533: 3/11/2010 9:37:48 AM - System Checkpoint
    RP534: 3/12/2010 10:41:56 AM - System Checkpoint
    RP535: 3/13/2010 12:24:37 PM - System Checkpoint
    RP536: 3/14/2010 2:15:08 PM - System Checkpoint
    RP537: 3/15/2010 2:28:42 PM - System Checkpoint
    RP538: 3/16/2010 3:27:39 PM - System Checkpoint
    RP539: 3/17/2010 3:35:57 PM - System Checkpoint
    RP540: 3/18/2010 4:50:58 PM - System Checkpoint
    RP541: 3/19/2010 5:25:33 PM - System Checkpoint
    RP542: 3/20/2010 5:26:34 PM - System Checkpoint
    RP543: 3/21/2010 5:27:39 PM - System Checkpoint
    RP544: 3/22/2010 6:32:11 PM - System Checkpoint
    RP545: 3/23/2010 6:40:44 PM - System Checkpoint
    RP546: 3/24/2010 7:24:17 PM - System Checkpoint
    RP547: 3/25/2010 8:24:11 PM - System Checkpoint
    RP548: 3/26/2010 11:33:36 PM - System Checkpoint
    RP549: 3/27/2010 11:46:39 PM - System Checkpoint
    RP550: 3/28/2010 11:49:45 PM - System Checkpoint
    RP551: 3/30/2010 1:01:37 AM - avast! Free Antivirus Setup
    RP552: 3/30/2010 2:54:01 AM - Advanced SystemCare RestorePoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    Advanced SystemCare 3
    avast! Free Antivirus
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Intel(R) Extreme Graphics Driver
    Intel(R) PRO Ethernet Adapter and Software
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.2)
    MSN
    MSXML 6.0 Parser (KB933579)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    SmartShopper
    SoundMAX
    Spybot - Search & Destroy
    SQL Anywhere Studio 9, Software
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Live ID Sign-in Assistant
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781

    ==== Event Viewer Messages From Past Week ========

    3/30/2010 12:21:42 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.nist.gov,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    3/29/2010 8:27:15 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    3/28/2010 1:28:41 PM, error: W32Time [46] - The time service encountered an error and was forced to shut down. The error was: 0x800706BB
    3/23/2010 12:30:54 PM, error: NETLOGON [5719] - No Domain Controller is available for domain DCS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

    ==== End Of File ===========================


    Thank You in advance
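    The DDS log in this post already shows why the detections keep coming back after each scan: the persistence points are outside what a signature scan removes. `AppInit_DLLs: zunefemi.dll` is loaded into every process that maps user32.dll; the same DLL sits in `LSA: Notification Packages`, so lsass.exe loads it at boot; the four `IFEO:` entries set the Debugger value for the Microsoft Security Essentials/Defender binaries to svchost.exe, so those tools never actually start; the hosts entry sinkholes www.spywareinfo.com; and the 1-byte hidden+system DLLs in system32 carry a 1601-01-01 timestamp, which is FILETIME zero, i.e. a wiped timestamp. The script below is an added example, not part of the original post and not code from DDS or ComboFix. It runs those checks over lines excerpted from the log above (assembled here into a constructed sample string). The rule names, the assumption that scecli is the only default LSA notification package on XP, and the list of legitimate debugger binaries are mine.

```python
import re
from collections import Counter

# Constructed sample: lines excerpted from the DDS log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
AppInit_DLLs: zunefemi.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli zunefemi.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
2010-03-30 04:46:17 26698 ----a-w- c:\windows\system32\drivers\DLH5XND5.sys
2009-09-25 23:35:35 19076 -c--a-w- c:\program files\common files\hoxexisod.lib
2009-09-25 23:35:35 15444 -c--a-w- c:\program files\common files\kiminejyd.exe
2009-09-25 23:35:35 11128 -c--a-w- c:\program files\common files\yzut.pif
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\fegelegu.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\fosopoku.dll
"""

# Assumed baseline: on XP, Lsa\Notification Packages holds only scecli. Every extra
# entry is a DLL that lsass.exe loads at boot, before any user or scanner is active.
LSA_NOTIFY_DEFAULT = {"scecli"}
# Assumed list of binaries that legitimately appear as an IFEO Debugger value.
KNOWN_DEBUGGERS = ("ntsd.exe", "windbg.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe")

# DDS file entry: date time size attributes path
FILE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+)$"
)


def triage(lines):
    """Return (rule, line) findings for the persistence points a DDS log exposes."""
    findings = []
    by_stamp = {}  # identical mtime -> [(line, path)], to spot one-shot dropper batches

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        if low.startswith("appinit_dlls:"):
            # Loaded into every process that maps user32.dll
            if line.split(":", 1)[1].strip():
                findings.append(("appinit_dll", line))

        elif low.startswith("lsa: notification packages"):
            packages = set(low.split("=", 1)[1].split())
            if packages - LSA_NOTIFY_DEFAULT:
                findings.append(("lsa_notification_package", line))

        elif low.startswith("ifeo:"):
            # Image File Execution Options\<exe>\Debugger: the "debugger" runs instead of
            # the target, so pointing it at svchost.exe silently prevents the tool starting
            _target, _, debugger = line[5:].partition(" - ")
            if not debugger.strip().lower().endswith(KNOWN_DEBUGGERS):
                findings.append(("ifeo_debugger_hijack", line))

        elif low.startswith("hosts:"):
            fields = line.split()
            if len(fields) >= 3 and fields[2].lower() != "localhost":
                findings.append(("hosts_redirect", line))

        else:
            m = FILE_RE.match(line)
            if not m:
                continue
            stamp, size, attr, path = m["stamp"], int(m["size"]), m["attr"], m["path"].lower()
            if stamp.startswith("1601-01-01"):
                # FILETIME zero: the timestamp was wiped, not produced by a real write
                findings.append(("zero_filetime", line))
            if "s" in attr and "h" in attr and size <= 1:
                # hidden+system placeholder file, typical of Vundo's locked decoy DLLs
                findings.append(("hidden_system_stub", line))
            by_stamp.setdefault(stamp, []).append((line, path))

    # Several files of different types written in the same second: one dropper run
    for group in by_stamp.values():
        exts = {path.rsplit(".", 1)[-1] for _, path in group}
        if len(group) >= 3 and len(exts) >= 2:
            findings.extend(("same_second_drop_cluster", line) for line, _ in group)

    return findings


def triage_text(text):
    return triage(text.splitlines())


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, line in triage_text(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

    Run against the full DDS.txt it flags the same seven classes of entry; anything it reports under ifeo_debugger_hijack or lsa_notification_package has to be removed at the registry key, not just the file on disk, or the dropper simply reinstalls on the next boot.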
     
  2. 2010/03/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     


  4. 2010/03/31
    rthompson

    rthompson Well-Known Member Thread Starter

    Log files

    Combofix:

    ComboFix 10-03-29.04 - log77 03/31/2010 12:43:23.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.466 [GMT -4:00]
    Running from: c:\documents and settings\log77\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\diheh.reg
    c:\documents and settings\All Users\Application Data\ekisaraco.inf
    c:\documents and settings\All Users\Application Data\juravu.vbs
    c:\documents and settings\All Users\Application Data\kigugapohe.vbs
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\All Users\Application Data\oletifitac.reg
    c:\documents and settings\All Users\Application Data\ziqifigo.inf
    c:\documents and settings\All Users\Documents\erelol.vbs
    c:\documents and settings\All Users\Documents\kohowi.bat
    c:\documents and settings\All Users\Documents\yvukuj.vbs
    c:\documents and settings\log77\Application Data\axiwazupic.vbs
    c:\documents and settings\log77\Application Data\ekofobu.reg
    c:\documents and settings\log77\Application Data\iniasd.txt
    c:\documents and settings\log77\Application Data\puri.reg
    c:\documents and settings\log77\Application Data\togo.inf
    c:\documents and settings\log77\Cookies\civekuve.exe
    c:\documents and settings\log77\Cookies\kyru.scr
    c:\documents and settings\log77\Cookies\mezihor.dll
    c:\documents and settings\log77\Cookies\otologury.pif
    c:\documents and settings\log77\Cookies\ovawikawe.scr
    c:\documents and settings\log77\Cookies\pyfo.pif
    c:\documents and settings\log77\Cookies\ulesikatex.db
    c:\documents and settings\log77\Cookies\wupat.inf
    c:\documents and settings\log77\Cookies\yhapimyfe.dll
    c:\documents and settings\log77\Cookies\yriqifura.inf
    c:\documents and settings\log77\Local Settings\Application Data\efowu.inf
    c:\documents and settings\log77\Local Settings\Application Data\ucubebyfe.bat
    c:\program files\AskSearch\bin\DeFAultsearch.dll
    c:\program files\Common Files\agexohesy.vbs
    c:\program files\Common Files\cyvanyxi.reg
    c:\recycler\S-1-5-21-3854777405-4113852467-931739554-1007
    c:\windows\abawex.inf
    c:\windows\cynigyroh.vbs
    c:\windows\eSellerateEngine.dll
    c:\windows\felyqyxyn.reg
    c:\windows\jaboqos.exe
    c:\windows\jofyseta.inf
    c:\windows\pobepi.scr
    c:\windows\system32\ekek.vbs
    c:\windows\system32\fegelegu.dll
    c:\windows\system32\fosopoku.dll
    c:\windows\system32\haditapo.dll
    c:\windows\system32\harupeza.dll
    c:\windows\system32\kubuyula.dll
    c:\windows\system32\ruyebana.dll
    c:\windows\system32\utarupel.vbs
    c:\windows\system32\vidohosi.dll
    c:\windows\system32\yefanopa.dll
    c:\windows\zeboj.vbs
    c:\windows\zybyda.vbs

    ----- BITS: Possible infected sites -----

    hxxp://82.98.235.138
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
    .

    2010-03-30 06:53 . 2010-03-30 07:07 -------- d-----w- c:\documents and settings\log77\Application Data\IObit
    2010-03-30 06:53 . 2010-03-30 06:53 -------- d-----w- c:\program files\IObit
    2010-03-30 05:01 . 2010-03-30 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-03-30 04:46 . 2001-08-17 16:11 26698 -c--a-w- c:\windows\system32\dllcache\dlh5xnd5.sys
    2010-03-30 04:46 . 2001-08-17 16:11 26698 ----a-w- c:\windows\system32\drivers\DLH5XND5.sys
    2010-03-03 22:39 . 2010-02-23 00:13 52224 ----a-w- c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-03-03 22:39 . 2010-02-23 00:13 101376 ----a-w- c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-30 05:02 . 2009-09-26 21:03 -------- d-----w- c:\program files\Alwil Software
    2010-03-09 10:24 . 2009-09-26 21:03 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-03-09 10:24 . 2009-09-26 21:03 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-03-09 10:12 . 2009-09-26 21:04 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-03-09 10:12 . 2009-09-26 21:03 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-03-09 10:09 . 2009-09-26 21:04 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-03-09 10:08 . 2009-09-26 21:03 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-03-09 10:08 . 2009-09-26 21:03 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-03-09 10:08 . 2009-09-26 21:03 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-03-09 10:08 . 2009-09-26 21:04 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-03-04 23:08 . 2010-03-30 04:09 239786 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2010-02-09 23:41 . 2009-06-11 00:18 -------- d-----w- c:\program files\Google
    2009-09-25 23:35 . 2009-09-25 23:35 19076 -c--a-w- c:\program files\Common Files\hoxexisod.lib
    2009-09-25 23:35 . 2009-09-25 23:35 15444 -c--a-w- c:\program files\Common Files\kiminejyd.exe
    2009-09-25 23:35 . 2009-09-25 23:35 13883 -c--a-w- c:\program files\Common Files\recubiz._dl
    2009-09-25 23:35 . 2009-09-25 23:35 11128 -c--a-w- c:\program files\Common Files\yzut.pif
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DBISQL9"="c:\program files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-10-19 131072]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/26/2009 5:03 PM 162640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/26/2009 5:03 PM 19024]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    FF - ProfilePath - c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
    FF - component: c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{4e68fa15-6915-425e-8519-ec29f0e7ef8c} - yiregesa.dll
    HKCU-Run-COMMUNICATOR - c:\program files\Microsoft Office Communicator\Communicator.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-31 12:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2700)
    c:\windows\system32\msls31.dll
    c:\windows\system32\shdoclc.dll
    c:\windows\system32\msimtf.dll
    c:\windows\system32\MSCTF.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-31 12:51:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-31 16:51

    Pre-Run: 33,147,207,680 bytes free
    Post-Run: 33,119,240,192 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 96C8EF41608FDF14127DE71D1056EFFC

    Hijack This:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:55:16 PM, on 3/31/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\log77\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dcs.local
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

    --
    End of file - 3807 bytes
     
  5. 2010/03/31
    broni

    broni Moderator Malware Analyst

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\program files\Common Files\hoxexisod.lib
    c:\program files\Common Files\kiminejyd.exe
    c:\program files\Common Files\recubiz._dl
    c:\program files\Common Files\yzut.pif
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
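    As an added example (not ComboFix's code and not anything posted in this thread), the script below shows how the four File:: entries above can be derived mechanically from the Find3M lines of the first log: it parses the ComboFix file-entry format, flags plain files sitting directly in Common Files (where legitimate software normally only creates vendor subfolders), and lays out a CFScript in the same section order broni used. The column names, that heuristic and all function names are my own assumptions.

```python
"""Parse ComboFix "Find3M Report" lines and draft a CFScript File:: section.

Added example for this thread; it is not ComboFix code. The column names,
the "loose file in Common Files" heuristic and the function names are
assumptions of this example; the CFScript layout mirrors the one posted above.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# One ComboFix file entry: two timestamps separated by " . ", a byte size
# (or eight dashes for a directory), an 8-character attribute string such
# as -c--a-w- or d-----w-, and the path.
ENTRY_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)

# Constructed sample: Find3M lines copied from the first ComboFix log in the thread.
FIND3M_SAMPLE = r"""
2010-03-30 05:02 . 2009-09-26 21:03 -------- d-----w- c:\program files\Alwil Software
2010-03-09 10:24 . 2009-09-26 21:03 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 10:12 . 2009-09-26 21:04 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-09 23:41 . 2009-06-11 00:18 -------- d-----w- c:\program files\Google
2009-09-25 23:35 . 2009-09-25 23:35 19076 -c--a-w- c:\program files\Common Files\hoxexisod.lib
2009-09-25 23:35 . 2009-09-25 23:35 15444 -c--a-w- c:\program files\Common Files\kiminejyd.exe
2009-09-25 23:35 . 2009-09-25 23:35 13883 -c--a-w- c:\program files\Common Files\recubiz._dl
2009-09-25 23:35 . 2009-09-25 23:35 11128 -c--a-w- c:\program files\Common Files\yzut.pif
"""

COMMON_FILES = PureWindowsPath(r"c:\program files\Common Files")


@dataclass(frozen=True)
class Entry:
    ts1: str                 # first timestamp column, kept as printed by ComboFix
    ts2: str                 # second timestamp column, kept as printed
    size: Optional[int]      # None for a directory entry (size shown as --------)
    attrs: str               # 8-character attribute string
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def compressed(self) -> bool:
        # The 'c' flag in the attribute string marks an NTFS-compressed file.
        return "c" in self.attrs


def parse_find3m(text: str) -> List[Entry]:
    """Return one Entry per well-formed ComboFix file line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["ts1"], m["ts2"], size, m["attrs"], m["path"]))
    return entries


def is_loose_common_file(e: Entry) -> bool:
    """Heuristic (assumption): legitimate software keeps its files in vendor
    subfolders of Common Files, so a plain file sitting directly in that
    folder deserves a look. On the sample it matches exactly the four files
    scripted for deletion above; PureWindowsPath compares case-insensitively."""
    return not e.is_dir and PureWindowsPath(e.path).parent == COMMON_FILES


def build_cfscript(file_paths: List[str]) -> str:
    """Lay out a CFScript in the section order used in the thread, filling only File::."""
    lines = ["File::", *file_paths, "", "", "Folder::", "", "Driver::", "",
             "Registry::", "", "RegLockDel::", ""]
    return "\n".join(lines) + "\n"


def draft_script(log_text: str) -> str:
    """Parse the log text, apply the heuristic and return the CFScript as a string."""
    flagged = [e.path for e in parse_find3m(log_text) if is_loose_common_file(e)]
    return build_cfscript(flagged)


if __name__ == "__main__":
    print(draft_script(FIND3M_SAMPLE), end="")
```

The output is only a draft for a human to review before it is fed to ComboFix; the flagged list should be checked against the rest of the log, as broni did here.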
     
  6. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Logs 2

    Windows locked up after completing Combofix; the log file was created.

    Combofix

    ComboFix 10-03-29.04 - log77 04/01/2010 9:37.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.456 [GMT -4:00]
    Running from: c:\documents and settings\log77\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\log77\Desktop\cfscript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\program files\Common Files\hoxexisod.lib"
    "c:\program files\Common Files\kiminejyd.exe"
    "c:\program files\Common Files\recubiz._dl"
    "c:\program files\Common Files\yzut.pif"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\hoxexisod.lib
    c:\program files\Common Files\kiminejyd.exe
    c:\program files\Common Files\recubiz._dl
    c:\program files\Common Files\yzut.pif

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
    .

    2010-03-30 06:53 . 2010-03-30 07:07 -------- d-----w- c:\documents and settings\log77\Application Data\IObit
    2010-03-30 06:53 . 2010-03-30 06:53 -------- d-----w- c:\program files\IObit
    2010-03-30 05:01 . 2010-03-30 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-03-30 04:46 . 2001-08-17 16:11 26698 -c--a-w- c:\windows\system32\dllcache\dlh5xnd5.sys
    2010-03-30 04:46 . 2001-08-17 16:11 26698 ----a-w- c:\windows\system32\drivers\DLH5XND5.sys
    2010-03-03 22:39 . 2010-02-23 00:13 52224 ----a-w- c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-03-03 22:39 . 2010-02-23 00:13 101376 ----a-w- c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-30 05:02 . 2009-09-26 21:03 -------- d-----w- c:\program files\Alwil Software
    2010-03-09 10:24 . 2009-09-26 21:03 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-03-09 10:24 . 2009-09-26 21:03 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-03-09 10:12 . 2009-09-26 21:04 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-03-09 10:12 . 2009-09-26 21:03 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-03-09 10:09 . 2009-09-26 21:04 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-03-09 10:08 . 2009-09-26 21:03 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-03-09 10:08 . 2009-09-26 21:03 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-03-09 10:08 . 2009-09-26 21:03 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-03-09 10:08 . 2009-09-26 21:04 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-03-04 23:08 . 2010-03-30 04:09 239786 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2010-02-09 23:41 . 2009-06-11 00:18 -------- d-----w- c:\program files\Google
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DBISQL9"="c:\program files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-10-19 131072]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/26/2009 5:03 PM 162640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/26/2009 5:03 PM 19024]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    FF - ProfilePath - c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
    FF - component: c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-01 09:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-04-01 09:43:18
    ComboFix-quarantined-files.txt 2010-04-01 13:43
    ComboFix2.txt 2010-03-31 16:51

    Pre-Run: 33,034,416,128 bytes free
    Post-Run: 33,034,608,640 bytes free

    - - End Of File - - 38E432A7186406A1CD6592602CBDE644

    Hijack This

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:50:15 AM, on 4/1/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\log77\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dcs.local
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

    --
    End of file - 3897 bytes
     
  7. 2010/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall "
    Click OK (Vista users - press Enter).
    Restart computer.

    ================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    logs 3

    Note: mbam log was not saved; could not find it after restarting Windows

    Hijack This

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:41:24 PM, on 4/1/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Documents and Settings\log77\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dcs.local
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

    --
    End of file - 3955 bytes
     
  9. 2010/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    ......
     
  10. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    no logs in those locations

    no log folder even
     
  11. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    found log

    it was in a hidden folder

    mbam:

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3944

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    4/1/2010 3:39:43 PM
    mbam-log-2010-04-01 (15-39-43).txt

    Scan type: Quick scan
    Objects scanned: 104240
    Time elapsed: 3 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 19
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{4cf088bd-be95-40a5-be9b-677f8683edea} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6fac4823-815e-4361-836e-46d65ed2550b} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{911f251e-34fd-465e-b6ce-df00ff49a6be} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{fe4f1649-8909-49c0-87ba-24d65120db46} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{022c671f-6cba-4a03-a8f9-3b3a361b235a} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{8ad815fc-607b-419f-8b70-d345a507a54e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.hbax (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.hbax.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.iebutton (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.iebutton.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.iebuttona (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.iebuttona.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.iebuttonb (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.iebuttonb.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.smrt-shprctrl (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\smart-shopper.smrt-shprctrl.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Start Menu\Programs\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\All Users\Start Menu\Programs\SmartShopper\SmartShopper - Comapre product prices.lnk (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\SmartShopper\SmartShopper - Compare travel rate.lnk (Adware.SmartShopper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\SmartShopper\SmartShopper Help.lnk (Adware.SmartShopper) -> Quarantined and deleted successfully.
     
  12. 2010/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  13. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    new hjt log

    tfc cleaned 81 mb worth of files

    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:26:02 PM, on 4/1/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Documents and Settings\log77\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dcs.local
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

    --
    End of file - 3775 bytes
     
  14. 2010/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What about Kaspersky scan?
     
  15. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    Sorry Broni, jumped ahead of myself. Kaspersky scan is in progress. I will post the log along with a fresh hjt log shortly.
     
  16. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    Kaspersky and hjt logs

    Kaspersky:

    KASPERSKY ONLINE SCANNER 7.0: scan report
    Thursday, April 1, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Thursday, April 01, 2010 21:53:35
    Records in database: 3913695
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\

    Scan statistics:
    Objects scanned: 26312
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 00:44:21

    No threats found. Scanned area is clean.

    Selected area has been scanned.

    hjt:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:34:56 PM, on 4/1/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\log77\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dcs.local
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 4426 bytes
     
  17. 2010/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I assume you're familiar with the dcs.local domain?

    ==============================================================

    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    ===============================================================

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.
    NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

    Alternatively, I suggest you uninstall Spybot, since it's a tool of the past.

    ==============================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)



    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "



    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  18. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    New hjt log

     
  19. 2010/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK.
    Re-run HJT and checkmark these:
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dcs.local

    Click "Fix checked" button.
    Restart computer and post fresh HJT log.
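    As an added example (not code from this thread, from HijackThis, or from the moderator), the Python script below applies the triage rules the moderator used in the two posts above to HijackThis-style log lines: O2/O9 entries whose target is "(no file)" are orphaned registry references and go in a "fix" list; the three autostart names the moderator called unnecessary startups go in a "trim" list; O17 domain entries and the O10 unknown-LSP line go in a "review" list, because a legitimately domain-joined machine has O17 entries too and an LSP DLL must be identified before it is touched. The sample log lines are copied from the HJT logs posted in this thread; the function names `classify` and `triage`, the `NONESSENTIAL_STARTUPS` set and the verdict labels are my own assumptions, not HijackThis features.

    ```python
    """Triage HijackThis log lines the way the moderator did in this thread.

    Added example; not part of the thread, HijackThis, or any project.
    The rules are an assumption modelled on the moderator's advice.
    """
    import re

    # Constructed sample: a subset of the entries from the thread's HJT logs.
    SAMPLE_LOG = r"""
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:34:56 PM, on 4/1/2010

    Running processes:
    C:\WINDOWS\System32\smss.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    """

    # Autostart names the moderator flagged as unnecessary in this thread
    # (assumption: this is a site-specific policy list, not a malware list).
    NONESSENTIAL_STARTUPS = {"IgfxTray", "Synchronization Manager", "SunJavaUpdateSched"}

    ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
    RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")


    def classify(line):
        """Return (verdict, reason) for one log line, or None if no action."""
        m = ENTRY_RE.match(line.strip())
        if not m:
            return None  # header, process list or blank line
        section, body = m.group(1), m.group(2)

        # O2 (BHO) and O9 (IE buttons) that point at "(no file)" are orphaned
        # registry references; removing them touches no program on disk.
        if section in ("O2", "O9") and body.endswith("- (no file)"):
            return ("fix", "orphaned %s entry: registered object has no file on disk" % section)

        # O4 autostart entries: only trim the ones on the policy list.
        if section == "O4":
            name = RUN_NAME_RE.search(body)
            if name and name.group(1) in NONESSENTIAL_STARTUPS:
                return ("trim", "non-essential autostart [%s]" % name.group(1))
            return None

        # O17 domain settings are normal on a domain-joined PC; confirm with the owner.
        if section == "O17":
            return ("review", "network domain setting: confirm it matches the real domain")

        # An LSP HijackThis cannot identify needs a look before anything is removed.
        if section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            return ("review", "unrecognised Winsock LSP DLL: identify it before touching it")

        return None


    def triage(log_text):
        """Bucket every actionable line of a log into fix / trim / review."""
        buckets = {"fix": [], "trim": [], "review": []}
        for line in log_text.splitlines():
            verdict = classify(line)
            if verdict:
                buckets[verdict[0]].append((line.strip(), verdict[1]))
        return buckets


    if __name__ == "__main__":
        for bucket, entries in triage(SAMPLE_LOG).items():
            print("== %s (%d) ==" % (bucket.upper(), len(entries)))
            for entry, reason in entries:
                print("  %s\n      -> %s" % (entry, reason))
    ```

    Running the script on the sample prints three "fix" lines (the orphaned O2 and two O9 entries), two "trim" lines (IgfxTray and SunJavaUpdateSched) and three "review" lines (the O10 LSP and both O17 entries); the avast5 autostart, the real SDHelper.dll button and the O23 services produce no verdict, which mirrors what the moderator left alone.
    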
     
  20. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    Fresh hjt log

    Re-ran and checked the above, restarted; they are still coming up in the scan.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:29:07 PM, on 4/1/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Documents and Settings\log77\Desktop\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dcs.local
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 4080 bytes
     
  21. 2010/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Did you disable TeaTimer while applying changes?
    Try it again and checkmark also this line:
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)

    How is your computer doing at the moment?
     
