[Resolved] Baseline, recurring infection
protoweenie
post Jun 26 2009, 04:04 PM
Post #1



Group: Authentic Member
Posts: 7
Joined: 26-June 09
Member No.: 86,436
Operating System: xp Home



I'm trying to clean up my girlfriend's 18 yr. old son's PC. I keep getting some nasty little buggers showing up when I run HijackThis (log attached). Any help resolving this would be much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:13 PM, on 6/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {0dff2b8d-38b9-47ea-96de-6243d478d32b} - C:\WINDOWS\system32\jivazona.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [98c15e92] rundll32.exe "C:\WINDOWS\system32\bunuzeka.dll",b
O4 - HKLM\..\Run: [CPM9bf26d0e] Rundll32.exe "c:\windows\system32\kuziyado.dll",a
O4 - HKLM\..\Run: [lebahohoje] Rundll32.exe "C:\WINDOWS\system32\jitodujo.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\66.tmp.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\66.tmp.exe (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://192.168.1.2/xplugLite.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\kuziyado.dll,C:\WINDOWS\system32\dufizige.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: awtustSM - awtustSM.dll (file missing)
O20 - Winlogon Notify: jkklk - C:\WINDOWS\system32\jkklk.dll (file missing)
O20 - Winlogon Notify: qoMghfEt - qoMghfEt.dll (file missing)
O20 - Winlogon Notify: urqpmlj - urqpmlj.dll (file missing)
O20 - Winlogon Notify: __c003A344 - C:\WINDOWS\system32\__c003A344.dat
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kuziyado.dll
O22 - SharedTaskScheduler: awash - {e3623691-f85d-48d8-8e4d-abe79077f841} - C:\WINDOWS\system32\bcxjqr.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kuziyado.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 5303 bytes

This post has been edited by protoweenie: Jun 26 2009, 04:13 PM
protoweenie
post Jun 30 2009, 05:17 PM
Post #2



Group: Authentic Member
Posts: 7
Joined: 26-June 09
Member No.: 86,436
Operating System: xp Home



Raktor,

No worries about my using ComboFix on my own. I'm slow, not stupid. I will ensure that any programs you have me install are removed before I turn the machine over to the knucklehead (no longer an administrator) who infected this system. In 20 years with DOS and Windows machines I've never had this type of issue on any of my systems.
Once again, thank you for your efforts.
ComboFix log is attached

Please do not attach any logs unless requested to do so by the helper, just copy and paste them in.

ComboFix 09-06-29.07 - Admin 06/30/2009 18:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.250 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: C:\d45.bat
file zipped: c:\windows\010112010146118114.dat
file zipped: c:\windows\0101120101465452.dat
file zipped: c:\windows\104116116112584747.dat
file zipped: c:\windows\bf23567.dat
file zipped: c:\windows\system32\drivers\yecimuecbqhxnmbf.sys
file zipped: c:\windows\system32\jifakade.dll
file zipped: c:\windows\system32\jitodujo.dll
file zipped: c:\windows\system32\jivazona.dll
file zipped: c:\windows\system32\kuziyado.dll
file zipped: c:\windows\system32\rlscsqmg.tmp
file zipped: c:\windows\system32\zorihali.dll
file zipped: C:\x345.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\d45.bat
c:\documents and settings\All Users\Application Data\11643754
c:\documents and settings\All Users\Application Data\11643754\pc11643754ins
c:\documents and settings\All Users\Application Data\91653746
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\010112010146118114.dat
c:\windows\0101120101465452.dat
c:\windows\104116116112584747.dat
c:\windows\bf23567.dat
c:\windows\system32\ahanalum.ini
c:\windows\system32\bazujege.dll
c:\windows\system32\drivers\yecimuecbqhxnmbf.sys
c:\windows\system32\ibeyabip.ini
c:\windows\system32\jifakade.dll
c:\windows\system32\jitodujo.dll
c:\windows\system32\jivazona.dll
c:\windows\system32\kuziyado.dll
c:\windows\system32\mulanaha.dll
c:\windows\system32\ogewiboy.ini
c:\windows\system32\pibayebi.dll
c:\windows\system32\rlscsqmg.tmp
c:\windows\system32\yipabojo.exe
c:\windows\system32\yobiwego.dll
c:\windows\system32\zorihali.dll
C:\x345.bat

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WOWSYSTEM
-------\Service_wowsystem


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-26 22:42 . 2009-06-26 22:42 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-26 22:39 . 2009-06-26 22:41 -------- d-----w- c:\windows\ShellNew
2009-06-26 22:39 . 2009-06-26 22:39 -------- d-----w- c:\program files\Common Files\L&H
2009-06-26 22:10 . 2009-06-26 22:10 -------- d-----w- c:\program files\Trend Micro
2009-06-26 19:16 . 2009-06-26 21:29 1922848 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-26 19:16 . 2009-06-26 21:29 16928 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-26 18:45 . 2009-06-26 21:05 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-26 18:45 . 2009-06-26 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-06-26 18:45 . 2009-06-26 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-06-26 18:43 . 2009-06-26 18:43 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Downloaded Installations
2009-06-18 23:08 . 2009-06-18 23:08 -------- d-----w- c:\windows\Favorites
2009-06-18 20:18 . 2009-06-21 23:03 -------- d-----w- c:\program files\driver
2009-06-04 12:57 . 2009-06-04 12:57 -------- d-----w- c:\program files\CONEXANT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 22:44 . 2008-11-15 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-30 22:38 . 2007-07-30 07:29 -------- d-----w- c:\program files\Digital Media Reader
2009-06-30 18:42 . 2009-03-30 18:42 83968 --sha-w- c:\windows\system32\zobesohe.dll
2009-06-30 04:43 . 2007-10-13 17:36 -------- d-----w- c:\program files\LogMeIn
2009-06-29 00:41 . 2009-03-29 00:41 83456 --sha-w- c:\windows\system32\zasezara.dll
2009-06-26 21:29 . 2009-06-26 19:16 3632 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-26 21:29 . 2009-06-26 19:16 28892 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-26 18:45 . 2008-06-29 18:47 31088 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 15:10 . 2007-08-31 00:22 -------- d-----w- c:\documents and settings\LSG\Application Data\LimeWire
2009-06-25 23:34 . 2009-04-26 16:41 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 23:34 . 2009-04-26 16:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 20:49 . 2009-04-26 16:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-19 20:49 . 2009-04-26 16:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-19 19:41 . 2009-05-19 19:41 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-05-19 19:41 . 2009-05-19 19:41 -------- d-----w- c:\program files\ComcastUI
2009-05-08 01:06 . 2007-08-31 00:16 -------- d-----w- c:\program files\LimeWire
2009-04-25 12:24 . 2008-08-25 04:11 31088 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\ShellNew ----

2000-04-06 20:49 . 2000-04-06 20:49 98304 ----a-w- c:\windows\ShellNew\ACCESS9.MDB
2000-02-06 17:26 . 2000-02-06 17:26 11776 ----a-w- c:\windows\ShellNew\EXCEL9.XLS
1999-03-10 12:41 . 1999-03-10 12:41 11264 ----a-w- c:\windows\ShellNew\PWRPNT10.POT
1997-08-01 04:37 . 1997-08-01 04:37 10752 ----a-w- c:\windows\ShellNew\WINWORD8.DOC


((((((((((((((((((((((((((((( SnapShot@2009-06-28_14.19.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 16:12 . 2009-06-30 00:46 52764 c:\windows\system32\perfc009.dat
- 2004-08-26 16:12 . 2009-06-27 11:42 52764 c:\windows\system32\perfc009.dat
+ 2007-09-17 19:48 . 2005-07-08 04:55 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
+ 2004-08-26 16:12 . 2009-06-30 00:46 380350 c:\windows\system32\perfh009.dat
- 2004-08-26 16:12 . 2009-06-27 11:42 380350 c:\windows\system32\perfh009.dat
+ 2007-07-30 07:25 . 2001-07-09 18:50 155648 c:\windows\system32\NeroCheck.exe
+ 2007-09-17 19:41 . 2005-07-08 04:55 491520 c:\windows\system32\hphmon05.exe
+ 2004-09-09 04:10 . 2002-09-13 20:42 212992 c:\windows\SMINST\RECGUARD.EXE
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-30 07:54 . 2007-07-30 07:54 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2007-08-20 23:19 . 2007-09-14 00:47 421888 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2007-09-26 18:42 . 2007-09-26 18:42 267064 c:\program files\iTunes\bak\iTunesHelper.exe
2008-11-20 18:20 . 2008-11-20 18:20 290088 c:\program files\iTunes\iTunesHelper.exe

2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\qttask.exe
2008-11-04 15:30 . 2008-11-04 15:30 413696 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"lebahohoje"="c:\windows\system32\jitodujo.dll" [N/A]
"98c15e92"="c:\windows\system32\yobiwego.dll" [N/A]
"CPM9bf26d0e"="c:\windows\system32\zobesohe.dll" [2009-06-30 83968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Cognac"="c:\docume~1\Owner\LOCALS~1\Temp\66.tmp.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"smile"="c:\program files\Applications\wcs.exe" [N/A]

c:\documents and settings\LSG\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-2-8 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\zobesohe.dll" [2009-06-30 83968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zobesohe.dll [2009-06-30 83968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-19 20:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_startmenu.cmd]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
backup=c:\windows\pss\run_startmenu.cmdCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=c:\windows\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)
"SNDSrvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"DomainService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:driver

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/26/2009 12:41 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/26/2009 12:41 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/25/2009 7:34 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 7:34 PM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/12/2007 10:21 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/13/2007 1:36 PM 47640]
R3 WlanUIG;NB 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [8/19/2007 5:17 PM 379456]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [9/12/2007 10:20 AM 12192]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-30 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2007-09-17 04:55]

2007-07-30 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0dff2b8d-38b9-47ea-96de-6243d478d32b} - c:\windows\system32\jivazona.dll
ShellExecuteHooks-{EAE8A482-0DE5-4488-9DBF-C8FE0B1D0497} - (no file)


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.2/xplugLite.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 18:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2700)
c:\windows\system32\zobesohe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2009-06-30 18:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 22:50
ComboFix2.txt 2009-06-28 14:24

Pre-Run: 28,110,082,048 bytes free
Post-Run: 28,249,690,112 bytes free

263 --- E O F --- 2009-05-22 07:04

Attached File(s)
Attached File: ComboFix2.txt (15.22K) Number of downloads: 157