[[Edited to include Hijackthis log]]
Okay, I uninstalled Limewire & Ares.
When I ran ComboFix, I got a few errors. One of them being "ComboFix has detected the
presence of Rootkit activity and needs to reboot the machine". Several files were listed
under that message. I wrote them down if you need them.
Another was:
Error: C:\Boot.ini is not correctly formatted
There were also a few errors re files that failed to initialize.
Here is the log:
ComboFix 09-04-01.01 - Owner 2009-04-01 17:26:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.409 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFixx.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Start Menu\A360
c:\documents and settings\Owner\Start Menu\A360\A360.lnk
c:\documents and settings\Owner\Start Menu\A360\Help.lnk
c:\documents and settings\Owner\Start Menu\A360\Registration.lnk
c:\program files\Common Files\System\Uninstall
c:\program files\Common Files\System\Uninstall\Uninstall A360.lnk
c:\windows\ewamabimonusijeg.dll
c:\windows\iwukivegohekeva.dll
c:\windows\system32\ademidul.ini
c:\windows\system32\afiburiw.ini
c:\windows\system32\agesenut.ini
c:\windows\system32\aheyuhip.ini
c:\windows\system32\ahezofod.ini
c:\windows\system32\amurihuj.ini
c:\windows\system32\aneroyoy.ini
c:\windows\system32\ateyosun.ini
c:\windows\system32\ayukifug.ini
c:\windows\system32\bejifafo.dll
c:\windows\system32\bizijeju.dll
c:\windows\system32\bufojodi.dll
c:\windows\system32\byqkol.dll
c:\windows\system32\cbdswd.dll
c:\windows\system32\danuzihi.dll
c:\windows\system32\digoteri.dll
c:\windows\system32\dofozeha.dll
c:\windows\system32\drivers\UACehtavxbk.sys
c:\windows\system32\dvetmi.dll
c:\windows\system32\ebinapew.ini
c:\windows\system32\ejeforav.ini
c:\windows\system32\enujumub.ini
c:\windows\system32\fajohiti.dll
c:\windows\system32\gilefede.dll
c:\windows\system32\govuyoni.dll
c:\windows\system32\hesuwopa.dll
c:\windows\system32\hinirole.dll
c:\windows\system32\holuyibi.dll
c:\windows\system32\hulutozu.dll
c:\windows\system32\ibiyuloh.ini
c:\windows\system32\ibujupop.ini
c:\windows\system32\idojofub.ini
c:\windows\system32\igpidj.dll
c:\windows\system32\ikayovub.ini
c:\windows\system32\ikevizur.ini
c:\windows\system32\iperajoz.ini
c:\windows\system32\ipoyiduw.ini
c:\windows\system32\ipozazil.ini
c:\windows\system32\irafasem.ini
c:\windows\system32\iretogid.ini
c:\windows\system32\itobumek.ini
c:\windows\system32\ivoyosor.ini
c:\windows\system32\iyizovur.ini
c:\windows\system32\izufefor.ini
c:\windows\system32\jevetedo.dll
c:\windows\system32\livulene.dll
c:\windows\system32\luhadipu.dll
c:\windows\system32\mitayide.dll
c:\windows\system32\nadusajo.dll
c:\windows\system32\odewohis.ini
c:\windows\system32\ofujufip.ini
c:\windows\system32\ojevuyol.ini
c:\windows\system32\ojimitov.ini
c:\windows\system32\ojutihid.ini
c:\windows\system32\omusehal.ini
c:\windows\system32\opisiduz.ini
c:\windows\system32\opoweyij.ini
c:\windows\system32\opufusom.ini
c:\windows\system32\owazihut.ini
c:\windows\system32\owojusiv.ini
c:\windows\system32\sozivado.dll
c:\windows\system32\UACdrirjoym.log
c:\windows\system32\UACduyxetla.dll
c:\windows\system32\UACgkvxfmhm.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmrqoemnt.dll
c:\windows\system32\UACpjfqbwqw.dll
c:\windows\system32\UACswwujxva.dat
c:\windows\system32\UACuwkbeskr.log
c:\windows\system32\UACwxilrdpy.log
c:\windows\system32\UACylksrqrp.dll
c:\windows\system32\ufemenan.ini
c:\windows\system32\uhoyifev.ini
c:\windows\system32\ujejizib.ini
c:\windows\system32\upidahul.ini
c:\windows\system32\uremehew.ini
c:\windows\system32\utimeyul.ini
c:\windows\system32\uwozuwas.ini
c:\windows\system32\uyosilir.ini
c:\windows\system32\uzijodan.ini
c:\windows\system32\vahuyayu.dll
c:\windows\system32\varofeje.dll
c:\windows\system32\wupinade.dll
c:\windows\system32\yoyorena.dll
c:\windows\system32\zasiyugi.dll
c:\windows\system32\zudisipo.dll
D:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://82.98.235.205.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_botdrv
-------\Service_botdrv
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.
2009-04-01 17:55 . 2009-04-01 17:55 462 --a------ c:\windows\ufebehamicunojag.dll
2009-04-01 17:53 . 6,656 c:\windows\system32\drivers\restore.sys
2009-04-01 17:22 . 2009-04-01 17:55 878,112 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-04-01 17:22 . 2009-04-01 17:51 188,448 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-04-01 17:22 . 2009-04-01 17:51 7,912 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-04-01 17:22 . 2009-04-01 17:51 1,724 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-04-01 14:30 . 2009-04-01 14:30 <DIR> d-------- c:\program files\Alwil Software
2009-04-01 13:54 . 2009-04-01 13:54 1,263 --a------ c:\windows\system32\%LocalXml%
2009-04-01 13:04 . 2009-04-01 13:52 101,287 --a------ c:\windows\system32\drivers\klin.dat
2009-04-01 13:04 . 2009-04-01 13:52 89,601 --a------ c:\windows\system32\drivers\klick.dat
2009-04-01 13:03 . 2009-04-01 13:03 <DIR> d-------- c:\program files\Kaspersky Lab
2009-04-01 13:03 . 2009-04-01 17:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-01 12:04 . 2009-04-01 11:39 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6
2009-04-01 11:43 . 2009-04-01 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-01 11:38 . 2009-04-01 11:38 64 --a------ c:\windows\wininit.ini
2009-04-01 09:58 . 2009-04-01 09:58 <DIR> d-------- C:\4c1727e96774f6efe758776af2
2009-04-01 09:51 . 2009-04-01 09:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 09:50 . 2009-04-01 09:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-31 13:08 . 2009-03-31 13:08 <DIR> d-------- c:\program files\AVG
2009-03-31 13:08 . 2009-04-01 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-31 12:53 . 2009-03-31 12:53 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 12:20 . 2009-03-29 12:20 45,056 --a------ C:\dmsiacq.exe
2009-03-29 12:20 . 2009-03-29 12:20 2 --a------ C:\-2080303660
2009-03-28 22:27 . 2009-03-28 22:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\iWin
2009-03-28 22:26 . 2009-03-28 22:29 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-27 00:20 . 2009-03-27 00:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\iWin Games
2009-03-19 23:37 . 2004-08-04 12:00 81,920 --a------ c:\windows\system32\ieencode.dll
2009-03-19 23:37 . 2004-08-04 12:00 81,920 --a------ c:\windows\system32\dllcache\ieencode.dll
2009-03-19 23:37 . 2004-08-04 12:00 68,608 --a------ c:\windows\system32\plugin.ocx
2009-03-19 23:37 . 2004-08-04 12:00 68,608 --a------ c:\windows\system32\dllcache\plugin.ocx
2009-03-19 17:35 . 2009-03-19 17:35 <DIR> d-------- c:\program files\Onlinebandit
2009-03-19 07:28 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-03-19 07:28 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2009-03-19 07:28 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-03-19 07:28 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2009-03-19 07:28 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2009-03-19 07:28 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-03-19 07:28 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-03-19 07:28 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2009-03-19 07:28 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2009-03-19 07:28 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2009-03-19 07:28 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2009-03-19 07:28 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2009-03-18 09:43 . 2009-03-18 09:43 7,502 ---hs---- c:\windows\system32\fivuriji.dll
2009-03-18 09:43 . 2009-03-18 09:43 7,502 ---hs---- c:\windows\system32\bovehiye.dll
2009-03-18 09:43 . 2009-03-18 09:43 2,713 ---hs---- c:\windows\system32\nofiteza.dll
2009-03-16 09:51 . 2009-03-16 09:51 <DIR> d--hs---- c:\windows\system32\config\systemprofile\PrivacIE
2009-03-16 09:43 . 2009-03-16 09:43 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-03-05 22:46 . 2009-03-05 22:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-03-05 15:51 . 2009-03-05 15:51 <DIR> d--hs---- c:\documents and settings\Owner\IECompatCache
2009-03-05 15:49 . 2009-03-05 15:49 <DIR> d--hs---- c:\documents and settings\Owner\IETldCache
2009-03-05 15:10 . 2009-01-10 22:00 79,360 --a--c--- c:\windows\system32\dllcache\iecompat.dll
2009-03-02 15:57 . 2009-03-02 15:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Yahoo!
2009-03-02 15:56 . 2009-03-05 14:36 <DIR> d-------- c:\program files\Yahoo!
2009-03-02 15:56 . 2009-03-02 23:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-02 12:22 . 2009-03-02 12:22 <DIR> d-------- C:\Installation Files
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 23:49 --------- d-----w c:\program files\Ares
2009-04-01 20:52 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-29 19:31 213,376 -c--a-w c:\windows\system32\drivers\ndis.sys
2009-03-26 02:50 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-03-21 18:36 --------- d-----w c:\program files\Common Files\AOL
2009-03-20 00:01 --------- d-----w c:\program files\Common Files\Apple
2009-03-06 04:12 --------- d-----w c:\documents and settings\Owner\Application Data\HPAppData
2009-03-05 21:35 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-03-02 05:06 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2009-02-21 02:12 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-15 18:07 --------- d-----w c:\program files\Google
1601-01-01 00:12 462 -csha-w c:\windows\system32\yayosiyi.dll
.
------- Sigcheck -------
2009-03-29 12:31 213376 3d748d850b1c17c357c54bbfd4835f27 c:\windows\system32\dllcache\ndis.sys
2009-03-29 12:31 213376 3d748d850b1c17c357c54bbfd4835f27 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b96ce8d5-6485-58be-3024-7aa6f4f37ab3}]
2007-03-08 08:36 155136 --a------ c:\windows\ihozawufilelufi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ovejux"="c:\windows\ihozawufilelufi.dll" [2007-03-08 155136]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-04-01 206088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pbumsv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_startmenu.cmd]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
backup=c:\windows\pss\run_startmenu.cmdCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernelfaultcheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-07 12:07 496752 c:\program files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 12:00 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-10-14 22:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
--a------ 2007-08-22 17:31 80896 c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2009-02-20 15:22 4363504 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ovejux]
--a------ 2007-03-08 08:36 155136 c:\windows\ihozawufilelufi.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 16:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 13:42 212992 c:\windows\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-03-09 08:00 966656 c:\windows\creator\remind_xp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-10 06:43 136600 c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-11-15 16:04 135168 c:\program files\Digital Media Reader\shwiconEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-17 19:30 543232 c:\windows\zHotkey.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 10:09 36864 c:\windows\ShowWnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-12-09 12:17 67584 c:\windows\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-08-13 11:48 49152 c:\windows\system32\VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2004-08-13 11:48 143360 c:\windows\system32\VTTrayp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\aol.exe"=
"c:\\Program Files\\Onlinebandit\\Start.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-04-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-04-01 20560]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
S1 41abdc71;41abdc71;c:\windows\system32\drivers\41abdc71.sys --> c:\windows\system32\drivers\41abdc71.sys [?]
S2 csiscanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -
BHO-{C2BA40A2-74F3-42BD-F434-2604812C8954} - (no file)
HKCU-Run-ares - c:\program files\Ares\Ares.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\govuyoni.dll
MSConfigStartUp-8401157b - c:\windows\system32\digoteri.dll
MSConfigStartUp-8DB7E0B9F2BA2D7B2FBDBD577B617007 - c:\program files\A360\av360.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-avg8_tray - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Cleanup - c:\docume~1\Owner\LOCALS~1\Temp\200811685836_mcappins.exe
MSConfigStartUp-CPM873226e7 - c:\windows\system32\govuyoni.dll
MSConfigStartUp-diagnostic manager - c:\docume~1\Owner\LOCALS~1\Temp\2212577726.exe
MSConfigStartUp-falitekiti - c:\windows\system32\yimazitu.dll
MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-msci - c:\docume~1\Owner\LOCALS~1\Temp\200811685836_mcinfo.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
MSConfigStartUp-reader_s - c:\windows\System32\reader_s.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 17:55:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(916)
c:\windows\pbumsv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\Temp\BN2.tmp
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\Setup\avast.setup
.
**************************************************************************
.
Completion time: 2009-04-01 17:58:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-02 00:58:28
Pre-Run: 43,962,179,584 bytes free
Post-Run: 44,002,435,072 bytes free
354 --- E O F --- 2009-03-06 13:11:09
Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:42 PM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\windows\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {b96ce8d5-6485-58be-3024-7aa6f4f37ab3} - C:\windows\ihozawufilelufi.dll
O4 - HKLM\..\Run: [Ovejux] rundll32.exe "C:\windows\ihozawufilelufi.dll",e
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo1.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\windows\
O23 - Service: CSIScanner (csiscanner) - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 4244 bytes
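Added example (not part of the post above, and not ComboFix or HijackThis code): a small Python triage pass over ComboFix-style log lines that pulls out the indicators in this log that are worth acting on. The rules are: a Run value whose target is a .dll (the HijackThis O4 line shows it is launched through rundll32.exe); an extra entry in the LSA Notification Packages list, which lsass.exe loads at boot and which receives every password change (the ComboFix log shows pbumsv.dll loaded inside lsass.exe); Security Center values that suppress the missing-antivirus and missing-firewall warnings; EnableFirewall set to 0; files under c:\windows and system32 whose names follow the alternating consonant/vowel pattern of the random names in this log; and the UAC-prefixed driver and DLL names, which together with the UACd.sys service are the naming scheme of the TDSS rootkit family and fit the "Rootkit activity" warning the poster saw. The sample log is constructed from lines in the post. The LSA baseline and both name heuristics are assumptions (labelled in the code), and the generated-name rule will produce false positives on other machines, so treat its hits as review candidates rather than verdicts.

```python
import re

# Assumed baseline for HKLM\...\Control\Lsa\Notification Packages on Windows XP:
# scecli ships with the OS and rassfm appears on domain controllers. Anything
# else is a DLL that lsass.exe loads at boot and hands every password change to.
LSA_BASELINE = {"scecli", "rassfm"}

KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
LSA_RE = re.compile(r"^Notification Packages\s+REG_MULTI_SZ\s+(.+)$", re.I)
SC_RE = re.compile(r'^"(AntiVirusDisableNotify|UpdatesDisableNotify|AntiVirusOverride'
                   r'|FirewallOverride|DisableMonitoring)"=dword:0*1$')
FW_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
# Path at end of a ComboFix "Files Created" / "Other Deletions" line.
PATH_RE = re.compile(r"c:\\windows\\(?:system32\\(?:drivers\\)?)?([a-z0-9_]+)"
                     r"\.(?:dll|sys|ini|dat|log)\s*$", re.I)
VOWELS = "aeiou"

# Constructed sample: lines copied from the ComboFix log in the post, trimmed
# to the sections the rules below examine, plus a few legitimate files as controls.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ovejux"="c:\windows\ihozawufilelufi.dll" [2007-03-08 155136]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-04-01 206088]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pbumsv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
2009-03-18 09:43 . 2009-03-18 09:43 7,502 ---hs---- c:\windows\system32\fivuriji.dll
2009-03-19 23:37 . 2004-08-04 12:00 81,920 --a------ c:\windows\system32\ieencode.dll
2009-04-01 11:38 . 2009-04-01 11:38 64 --a------ c:\windows\wininit.ini
c:\windows\system32\drivers\UACehtavxbk.sys
c:\windows\system32\uacinit.dll
c:\windows\system32\kbdjpn.dll
"""


def looks_generated(stem):
    """Heuristic (assumption): the random names in this log strictly alternate
    consonant/vowel (ihozawufilelufi, fivuriji, govuyoni). Requiring 8+ letters
    keeps short legitimate names such as wininit or regedit out of the hits."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    kinds = ["v" if ch in VOWELS else "c" for ch in stem]
    return all(a != b for a, b in zip(kinds, kinds[1:]))


def is_tdss_name(stem):
    """UAC<random>.dll/.sys (with the UACd.sys service) is the TDSS rootkit
    family's file-naming scheme; Windows XP ships no uac*.dll of its own."""
    return re.fullmatch(r"UAC[a-z]{4,}", stem, re.I) is not None


def triage(log_text):
    """Return a list of (rule, detail) findings for a ComboFix-style log."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # remember which registry key we are under
            key = m.group(1).lower()
            continue
        if key.endswith(r"\currentversion\run"):
            m = RUN_RE.match(line)
            if m and m.group(2).lower().endswith(".dll"):
                findings.append(("run-dll", f"{m.group(1)} -> {m.group(2)}"))
                continue
        m = LSA_RE.match(line)
        if m:
            for pkg in m.group(1).split():
                name = pkg.lower()
                name = name[:-4] if name.endswith(".dll") else name
                if name not in LSA_BASELINE:
                    findings.append(("lsa-notification-package", pkg))
            continue
        m = SC_RE.match(line)
        if m:
            findings.append(("security-center-suppressed", f"{m.group(1)} under {key}"))
            continue
        if FW_RE.match(line):
            findings.append(("firewall-disabled", key))
            continue
        m = PATH_RE.search(line)
        if m:
            stem = m.group(1)
            if is_tdss_name(stem):
                findings.append(("tdss-name", m.group(0).strip()))
            elif looks_generated(stem):
                findings.append(("generated-name", m.group(0).strip()))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

Run it on a full ComboFix log and the ieencode.dll, wininit.ini and kbdjpn.dll controls stay quiet while the Run DLL, the LSA package, the three Security Center overrides, the disabled firewall, fivuriji.dll and the two UAC* files are listed. The generated-name rule is the weakest of the six; the registry rules are the ones to act on first, because a Notification Package or a Run DLL survives a reboot regardless of what else gets deleted.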