Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Prunnet.exe and Vundo


  • Please log in to reply
15 replies to this topic

#1 eb2eb

eb2eb

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 28 December 2008 - 10:06 PM

I keep getting antivirus popups in both Internet explorer and Firefox. I use Zone Alarm and found Prunnet.exe asking for internet access which is how I found out I had that.
I tried Malwarebytes to remove some of the things causing problems, but it still finds Vundo and i still get the antivirus popups. It seems to remove them, but when I restart the PC, they come back.

Here is the DDS log

DDS (Version 1.1.0) - NTFSx86
Run by Ed at 21:56:29.93 on Sun 12/28/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3006.2244 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MediaFaceOnlinePluginsService\dolcore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Twain_32\GiGiCam\GiGiSrv.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
J:\download\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061120
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {0bb659e5-d789-5359-f284-930dacb3240b}: {b0423bca-d039-482f-9535-987d5e956bb0} - c:\windows\system32\yzowoa.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\cyberpower powerpanel personal edition\pppeuser.exe"
uRun: [NBJ] c:\program files\ahead\nero backitup\NBJ.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Power2GoExpress]
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [HPHUPD08] c:\program files\hewlett-packard\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton systemworks\norton ghost\agent\GhostTray.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [MediaFaceOnlinePluginsService] c:\program files\mediafaceonlinepluginsservice\dolcore.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [GiGiSrv] c:\windows\twain_32\gigicam\GiGiSrv.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: taxsoftware.com
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
Filter: text/html - {3ad2b54b-2794-49c8-aeac-000f86ee4b66} -
AppInit_DLLs: yzowoa.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\fw3m3s2i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2007-7-28 10368]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-4-7 3968]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-5-12 127768]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-4-19 201320]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-4-19 394952]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-9-17 169584]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-8-1 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-4-19 144704]
R2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2007-2-10 1174152]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-9-17 192112]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-4-19 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-4-19 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-4-19 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-4-19 40488]
S3 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-4-19 33832]
S3 SQTECH9060;Dual Mode Camera 1300;c:\windows\system32\drivers\Capt9060.sys [2007-12-26 30634]

=============== Created Last 30 ================

2008-12-28 21:50 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-27 23:20 <DIR> --d----- c:\docume~1\ed\applic~1\Malwarebytes
2008-12-27 23:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-27 23:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 23:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 23:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 22:41 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2008-12-27 22:37 <DIR> --d----- c:\documents and settings\ed\.housecall6.6
2008-12-27 08:22 134,656 a------- c:\windows\system32\yzowoa.dll
2008-12-27 08:21 134,656 a------- c:\windows\system32\wprblbfe.dll

==================== Find3M ====================

2008-12-28 21:55 49,545,248 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-28 09:19 583,292 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-06-26 12:02 56,912 a------- c:\documents and settings\ed\g2mdlhlpx.exe
2004-08-10 05:00 94,784 ---sh--- c:\windows\twain.dll
2004-08-10 05:00 50,688 ---sh--- c:\windows\twain_32.dll
2006-12-09 23:12 88 ---shr-- c:\windows\system32\3477464750.sys
2006-05-03 05:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
2006-12-09 23:13 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2004-08-10 05:00 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-10 05:00 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2004-08-10 05:00 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 21:58:22.56 ===============

Attached Files


Edited by eb2eb, 28 December 2008 - 11:09 PM.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:25 AM

Posted 06 January 2009 - 10:00 AM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
Please post the contents of the ark.txt as your next reply.

#3 eb2eb

eb2eb
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 06 January 2009 - 09:14 PM

Results of GMER ark.txt:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-06 21:12:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 8AB01400 ZwAlertResumeThread
SSDT 8ACB65D0 ZwAlertThread
SSDT 8AAD3690 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xB6969040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xB6965930]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6853410]
SSDT 8AADB450 ZwCreateMutant
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xB6969510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xB696F870]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xB696FAA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xB6972FD0]
SSDT 8AB0E1D0 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xB6969600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xB6965F20]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB68536B0]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6853DC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xB696F580]
SSDT 8ABFFD60 ZwFreeVirtualMemory
SSDT 8AC0A158 ZwImpersonateAnonymousToken
SSDT 8ABE2358 ZwImpersonateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xB69718B0]
SSDT 8ACAEE18 ZwMapViewOfSection
SSDT 8AB52FD0 ZwOpenEvent
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xB6965D70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xB696F350]
SSDT 8AC555A0 ZwOpenProcessToken
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xB696F150]
SSDT 8ABCF740 ZwOpenThreadToken
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xB6972250]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xB6971CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xB6968C00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xB6972080]
SSDT 8ADD9DC8 ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xB6969220]
SSDT 8AA95600 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xB6966120]
SSDT 8AC98C68 ZwSetInformationProcess
SSDT 8AD3E908 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6854020]
SSDT 8AB52F10 ZwSuspendProcess
SSDT 8AACDC88 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xB696FCD0]
SSDT 8AC2BE00 ZwTerminateThread
SSDT 8AB4DB68 ZwUnmapViewOfSection
SSDT 8AAB0648 ZwWriteVirtualMemory

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB678CAE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB678CACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB678CB0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB678CA29]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB678C9BC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB678CB4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB678CAB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB678CAA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB678CAF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB678C9D2]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device USBSTOR.SYS (USB Mass Storage Class Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat B1534D20

AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\Temp\mca286.tmp 0 bytes
File C:\WINDOWS\Temp\mca287.tmp 0 bytes
File C:\WINDOWS\Temp\UPD289.tmp 0 bytes

---- EOF - GMER 1.0.14 ----

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:25 AM

Posted 07 January 2009 - 04:01 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#5 eb2eb

eb2eb
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 07 January 2009 - 09:37 PM

Combofix log

ComboFix 09-01-07.02 - Ed 2009-01-07 21:24:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2466 [GMT -5:00]
Running from: c:\documents and settings\Ed\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.sig
c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-06 20:58 . 2009-01-06 20:58 250 --a------ c:\windows\gmer.ini
2009-01-04 13:30 . 2009-01-04 13:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix
2009-01-04 12:11 . 2009-01-04 12:11 61,224 --a------ c:\documents and settings\Ed\GoToAssistDownloadHelper.exe
2009-01-02 09:31 . 2009-01-02 09:31 <DIR> d-------- c:\windows\system32\scripting
2009-01-02 09:31 . 2009-01-02 09:31 <DIR> d-------- c:\windows\system32\en
2009-01-02 09:31 . 2009-01-02 09:31 <DIR> d-------- c:\windows\system32\bits
2009-01-02 09:31 . 2009-01-02 09:31 <DIR> d-------- c:\windows\l2schemas
2009-01-02 09:26 . 2009-01-02 09:31 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-01 18:34 . 2009-01-01 18:34 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-01 18:33 . 2009-01-01 18:33 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-01 18:33 . 2009-01-01 18:33 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-01 18:33 . 2009-01-01 18:33 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-28 21:50 . 2008-12-28 21:50 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-27 23:20 . 2008-12-27 23:20 <DIR> d-------- c:\documents and settings\Ed\Application Data\Malwarebytes
2008-12-27 23:19 . 2008-12-27 23:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 23:19 . 2008-12-27 23:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 23:19 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 23:19 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 22:41 . 2008-12-27 22:37 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-27 22:37 . 2008-12-27 22:58 <DIR> d-------- c:\documents and settings\Ed\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 02:31 51,202,080 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-08 02:25 --------- d-----w c:\program files\Common
2009-01-08 02:15 --------- d-----w c:\program files\CyberPower PowerPanel Personal Edition
2009-01-08 02:13 602,492 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-02 14:46 10,517,564 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-01-02 13:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 08:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-29 02:50 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-01 18:21 --------- d-----w c:\program files\MemoriesOnTV4
2008-12-01 17:29 --------- d-----w c:\documents and settings\Ed\Application Data\U3
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-06-26 17:02 56,912 ----a-w c:\documents and settings\Ed\g2mdlhlpx.exe
2005-01-07 20:20 278,528 ----a-w c:\program files\internet explorer\plugins\PanoViewer.dll
2005-01-07 20:20 143,360 ----a-w c:\program files\internet explorer\plugins\UPjpeg.dll
2004-08-10 10:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2006-12-10 04:12 88 --sh--r c:\windows\system32\3477464750.sys
2006-05-03 10:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2006-12-10 04:13 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:12 57,344 --sh--w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2005-10-24 262144]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2003-07-21 1753088]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HPHUPD08"="c:\program files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-03-09 11776]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"Norton Ghost 10.0"="c:\program files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [2005-09-14 1537648]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"MediaFaceOnlinePluginsService"="c:\program files\MediaFaceOnlinePluginsService\dolcore.exe" [2007-02-27 278528]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"GiGiSrv"="c:\windows\Twain_32\GiGiCam\GiGiSrv.exe" [2003-08-01 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yzowoa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\NOVADE~1\MEDIAN~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2007-07-28 10368]
S3 SQTECH9060;Dual Mode Camera 1300;c:\windows\system32\drivers\Capt9060.sys [2007-12-26 30634]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2432b6c0-9d3b-11db-9241-00137238d2db}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-08 c:\windows\Tasks\mzqxcasy.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-05 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-05 22:02]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Power2GoExpress - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com
Trusted Zone: *.taxsoftware.com
Trusted Zone: *.turbotax.com
Trusted Zone: online.musicmatch.com

c:\windows\Downloaded Program Files\SpinTopGamesLauncher.dll - O16 -: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0}
hxxp://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
c:\windows\Downloaded Program Files\SpinTopGamesLauncher.inf
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\fw3m3s2i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 21:31:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-07 21:33:41
ComboFix-quarantined-files.txt 2009-01-08 02:33:35

Pre-Run: 103,219,347,456 bytes free
Post-Run: 103,335,763,968 bytes free

195 --- E O F --- 2009-01-04 17:51:05

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:25 AM

Posted 08 January 2009 - 10:34 AM

Download Flash_Disinfector from HERE and save it to your Desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.

Note: This utility will create a file "Autorun.inf" on all removable storage devices, and protect the file with attributes making it a System, Hidden, Read-only file. You would be best served to leave these files be. They are designed to prevent commont Autorun malware infections from using this same file to launch repeated infections. This is a protection mechanism and the file should be left alone.

When this is all done, reboot.

Then,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\3477464750.sys
C:\Windows\System32\yzowoa.dll
C:\WINDOWS\Temp\mca286.tmp
C:\WINDOWS\Temp\mca287.tmp
C:\WINDOWS\Temp\UPD289.tmp
c:\windows\Tasks\mzqxcasy.job

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]


Save this as the txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply[/b].

#7 eb2eb

eb2eb
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 08 January 2009 - 09:52 PM

my virus scanner stopped me from downloading the flash_disinfector. I recieved the following when I tried to download it in both Firefox and IE.
McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: Generic.dx (Trojan), Generic.dx (Trojan)
Location: C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\HDH400GZ\Flash_Disinfector[1].exe

Do you think there is a problem with the exe I am trying to download?

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:25 AM

Posted 09 January 2009 - 12:19 PM

No...its a false positive. Please allow it to be downloaded.

#9 eb2eb

eb2eb
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 09 January 2009 - 07:28 PM

ComboFix 09-01-08.05 - Ed 2009-01-09 19:19:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2375 [GMT -5:00]
Running from: c:\documents and settings\Ed\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ed\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\3477464750.sys
c:\windows\System32\yzowoa.dll
c:\windows\Tasks\mzqxcasy.job
c:\windows\Temp\mca286.tmp
c:\windows\Temp\mca287.tmp
c:\windows\Temp\UPD289.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\3477464750.sys
c:\windows\Tasks\mzqxcasy.job

.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-06 20:58 . 2009-01-06 20:58 250 --a------ c:\windows\gmer.ini
2009-01-04 13:30 . 2009-01-04 13:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix
2009-01-04 12:11 . 2009-01-04 12:11 61,224 --a------ c:\documents and settings\Ed\GoToAssistDownloadHelper.exe
2009-01-02 09:31 . 2009-01-02 09:31 <DIR> d-------- c:\windows\system32\scripting
2009-01-02 09:31 . 2009-01-02 09:31 <DIR> d-------- c:\windows\system32\en
2009-01-02 09:31 . 2009-01-02 09:31 <DIR> d-------- c:\windows\system32\bits
2009-01-02 09:31 . 2009-01-02 09:31 <DIR> d-------- c:\windows\l2schemas
2009-01-02 09:26 . 2009-01-02 09:31 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-01 18:34 . 2009-01-01 18:34 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-01 18:33 . 2009-01-01 18:33 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-01 18:33 . 2009-01-01 18:33 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-01 18:33 . 2009-01-01 18:33 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-28 21:50 . 2008-12-28 21:50 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-27 23:20 . 2008-12-27 23:20 <DIR> d-------- c:\documents and settings\Ed\Application Data\Malwarebytes
2008-12-27 23:19 . 2008-12-27 23:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 23:19 . 2008-12-27 23:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 23:19 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 23:19 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 22:41 . 2008-12-27 22:37 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-27 22:37 . 2008-12-27 22:58 <DIR> d-------- c:\documents and settings\Ed\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 00:24 51,503,136 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-10 00:07 --------- d-----w c:\program files\CyberPower PowerPanel Personal Edition
2009-01-10 00:06 605,924 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-08 02:25 --------- d-----w c:\program files\Common
2009-01-02 14:46 10,517,564 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-01-02 13:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 08:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-29 02:50 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-01 18:21 --------- d-----w c:\program files\MemoriesOnTV4
2008-12-01 17:29 --------- d-----w c:\documents and settings\Ed\Application Data\U3
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-06-26 17:02 56,912 ----a-w c:\documents and settings\Ed\g2mdlhlpx.exe
2005-01-07 20:20 278,528 ----a-w c:\program files\internet explorer\plugins\PanoViewer.dll
2005-01-07 20:20 143,360 ----a-w c:\program files\internet explorer\plugins\UPjpeg.dll
2004-08-10 10:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2006-05-03 10:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2006-12-10 04:13 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:12 57,344 --sh--w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_21.32.21.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-08 00:55:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-09 20:39:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-08 00:55:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-09 20:39:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-08 00:55:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-09 20:39:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-10 00:07:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_30c.dat
+ 2009-01-10 00:07:38 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2005-10-24 262144]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2003-07-21 1753088]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HPHUPD08"="c:\program files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-03-09 11776]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"Norton Ghost 10.0"="c:\program files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [2005-09-14 1537648]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"MediaFaceOnlinePluginsService"="c:\program files\MediaFaceOnlinePluginsService\dolcore.exe" [2007-02-27 278528]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"GiGiSrv"="c:\windows\Twain_32\GiGiCam\GiGiSrv.exe" [2003-08-01 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\NOVADE~1\MEDIAN~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2007-07-28 10368]
S3 SQTECH9060;Dual Mode Camera 1300;c:\windows\system32\drivers\Capt9060.sys [2007-12-26 30634]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2432b6c0-9d3b-11db-9241-00137238d2db}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-05 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-05 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com
Trusted Zone: *.taxsoftware.com
Trusted Zone: *.turbotax.com
Trusted Zone: online.musicmatch.com

c:\windows\Downloaded Program Files\SpinTopGamesLauncher.dll - O16 -: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0}
hxxp://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
c:\windows\Downloaded Program Files\SpinTopGamesLauncher.inf
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\fw3m3s2i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 19:24:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-09 19:26:33
ComboFix-quarantined-files.txt 2009-01-10 00:26:28
ComboFix2.txt 2009-01-08 02:33:43

Pre-Run: 103,241,183,232 bytes free
Post-Run: 103,252,246,528 bytes free

206 --- E O F --- 2009-01-04 17:51:05

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:25 AM

Posted 11 January 2009 - 03:36 PM

Looks good. Are you still having the same problems?

#11 eb2eb

eb2eb
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 12 January 2009 - 09:52 PM

Everything looks better. I am not receiving the popups anymore. Malwarebytes and Spybot have not found anything other than cookies.
Mcafee has been fining Tool-NirCmd everyday. i have Mcafee remove it, but it still has been finding it everyday. Is this related to anything we installed? Any thoughts on how to get rid of it?

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:25 AM

Posted 12 January 2009 - 10:19 PM

Nircmd is part of combofix. Where is it finding it?

#13 eb2eb

eb2eb
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 12 January 2009 - 11:33 PM

It was finding them in what I think are the restore points. c:\System Volume information\_restore-...

The last one it found was this morning.

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:25 AM

Posted 12 January 2009 - 11:37 PM

We will get those at the end of this process. If everything is good, we can clean those up now and finish the topic.

#15 eb2eb

eb2eb
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 13 January 2009 - 07:44 PM

Then, yes. Everything seems to be fine.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users