
Malwarebytes and combofix won't help this one


This topic is locked
16 replies to this topic

#1 mreasyrider
  • Members
  • 58 posts

Posted 02 January 2009 - 09:07 AM

I have learned a fair amount here by doing some reading. What I have? I don't know. Combofix found these two rootkits:

windows/sys32/drivers/msqpdxesiwwfr.sys
windows/sys32/msqpdxqftpiemp.dll

The problem is whatever it is causes errors in AVG and it will not finish. I uninstalled AVG and went to download it again. The page was redirected several times to a page saying Google could not find the download. I tried several more times and finally I got to a download page but when the download box popped up all that was in it was INDEX.PHP. I went to another computer and made a CD with AVG on it and tried to install it. Each time I try I get errors and the install stops. Below is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:47 AM, on 1/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\J\Desktop\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\7FIRTZ86\HiJackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] //~c:\program files\logitech\video\logitray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\J\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6633 bytes


#2 mreasyrider
  • Topic Starter
  • Members
  • 58 posts

Posted 02 January 2009 - 06:09 PM

After reading a thread here that recommended running F-Secure online, below is the report from that.

Result: 5 malware found
Adware:W32/AdRotator.GEQ (spyware)
System
Backdoor.Win32.Bifrose.agym (virus)
C:\DOCUMENTS AND SETTINGS\J\MY DOCUMENTS\EVI-ELIM\EVIDENCE_ELIMINATOR_V6[1].01_BY_SHANU\EVIDENCE ELIMINATOR V6.01\INSTEELM2.EXE (Renamed & Submitted)
Packed.Win32.Black (virus)
System
TrackingCookie.2o7 (spyware)
System
W32/Packed_FSG.D (virus)
C:\DOCUMENTS AND SETTINGS\J\MY DOCUMENTS\MYEBOOKS\DVDFAB-GOLD-4[1].0.3.2-CRACKED_CIM\CIM.NFO.VIEWER.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 23762
System: 3351
Not scanned: 6
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 4
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-02
F-Secure AVP: 7.0.171, 2009-01-02
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------
And a new HJT Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:30 PM, on 1/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\J\Desktop\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\J\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\J\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\J\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] //~c:\program files\logitech\video\logitray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\J\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6816 bytes
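An added example, not part of this thread: a small Python tool that parses two HijackThis logs, reports what changed between scans, and flags Run/service entries and running processes launched from temp or profile-cache directories for closer review. The two logs are constructed excerpts modeled on the morning and evening logs posted above, not the full logs.

```python
import re
from dataclasses import dataclass

# Constructed excerpts modeled on the morning and evening HijackThis logs
# posted above (both 1/2/2009); trimmed to a few lines each, not the full logs.
LOG_MORNING = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:47 AM, on 1/2/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\7FIRTZ86\HiJackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\J\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LOG_EVENING = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:30 PM, on 1/2/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\DOCUME~1\J\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\Documents and Settings\J\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\J\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# HijackThis section lines look like "O4 - <body>" or "R1 - <body>".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

# Locations a normal service or Run entry rarely launches from. A hit is a
# prompt to look closer, not a verdict: legitimate tools run from Temp too.
USER_WRITABLE = (
    "\\application data\\", "\\local settings\\",
    "\\temporary internet files\\", "\\locals~1\\", "\\temp\\",
)


@dataclass(frozen=True)
class Entry:
    kind: str  # section code such as R1, O4, O23
    body: str  # everything after "O4 - "


def parse_hjt(text):
    """Split a HijackThis log into (running processes, section entries)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def _in_user_writable(text):
    low = text.lower()
    return any(marker in low for marker in USER_WRITABLE)


def review_startup(entries):
    """O4/O20/O23 entries whose launch path sits in a user-writable location."""
    return [e for e in entries
            if e.kind in ("O4", "O20", "O23") and _in_user_writable(e.body)]


def review_processes(processes):
    """Running processes launched from temp or profile-cache directories."""
    return [p for p in processes if _in_user_writable(p)]


def diff_logs(old_text, new_text):
    """What changed between two scans of the same machine."""
    old_p, old_e = parse_hjt(old_text)
    new_p, new_e = parse_hjt(new_text)
    old_set, new_set = set(old_e), set(new_e)
    return {
        "added_entries": [e for e in new_e if e not in old_set],
        "removed_entries": [e for e in old_e if e not in new_set],
        "new_processes": sorted(set(new_p) - set(old_p)),
        "gone_processes": sorted(set(old_p) - set(new_p)),
    }


if __name__ == "__main__":
    for key, items in diff_logs(LOG_MORNING, LOG_EVENING).items():
        print(key)
        for item in items:
            print("   ", item.body if isinstance(item, Entry) else item)
    procs, ents = parse_hjt(LOG_EVENING)
    print("startup entries to review:", [e.body for e in review_startup(ents)])
    print("processes to review:", review_processes(procs))
```

A flag is a prompt to look, not a verdict: in the evening excerpt the flagged process is the F-Secure online scanner running from Temp, which is expected while that scan is underway.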

#3 KoanYorel
    Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 14 January 2009 - 08:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 mreasyrider
  • Topic Starter
  • Members
  • 58 posts

Posted 14 January 2009 - 12:11 PM

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/19/2007 6:28:08 PM
System Uptime: 1/14/2009 7:21:08 AM (3 hours ago)

Motherboard: | | SiS-661
Processor: Intel® Pentium® 4 CPU 2.60GHz | Socket 478 | 2600/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 23.986 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 1/4/2009 5:43:47 AM - System Checkpoint
RP2: 1/4/2009 5:45:55 AM - jhh1-4
RP3: 1/5/2009 6:42:55 AM - System Checkpoint
RP4: 1/5/2009 3:30:45 PM - Installed Diskeeper 2009 Professional.
RP5: 1/6/2009 2:28:01 PM - Install AnyDVD
RP6: 1/6/2009 4:16:04 PM - Install AnyDVD
RP7: 1/6/2009 4:23:08 PM - Remove AnyDVD
RP8: 1/6/2009 4:24:52 PM - Install AnyDVD
RP9: 1/6/2009 4:30:03 PM - Restore Operation
RP10: 1/6/2009 4:35:06 PM - Remove AnyDVD
RP11: 1/6/2009 4:37:59 PM - Restore Operation
RP12: 1/6/2009 4:42:24 PM - Install AnyDVD
RP13: 1/6/2009 4:51:48 PM - Remove AnyDVD
RP14: 1/6/2009 5:14:37 PM - Install AnyDVD
RP15: 1/6/2009 5:15:51 PM - Install AnyDVD
RP16: 1/6/2009 5:23:03 PM - Remove AnyDVD
RP17: 1/6/2009 5:25:40 PM - Restore Operation
RP18: 1/6/2009 5:28:39 PM - Install AnyDVD
RP19: 1/6/2009 5:40:21 PM - Install AnyDVD
RP20: 1/6/2009 5:43:02 PM - Remove AnyDVD
RP21: 1/6/2009 5:43:54 PM - Install AnyDVD
RP22: 1/6/2009 5:44:42 PM - Remove AnyDVD
RP23: 1/7/2009 6:59:35 AM - ComboFix created restore point
RP24: 1/8/2009 4:16:15 PM - Avg8 Update
RP25: 1/8/2009 5:02:11 PM - Removed Diskeeper 2009 Professional.
RP26: 1/9/2009 6:59:32 PM - System Checkpoint
RP27: 1/10/2009 7:44:08 PM - System Checkpoint
RP28: 1/11/2009 7:45:13 PM - System Checkpoint
RP29: 1/12/2009 8:00:28 PM - System Checkpoint
RP30: 1/13/2009 8:26:57 PM - System Checkpoint
RP31: 1/14/2009 7:02:55 AM - Software Distribution Service 3.0

==== Installed Programs ======================


2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player 11
AIO_Scan
Audacity 1.2.6
Avance AC'97 Audio
AVG 8.0
AviSynth 2.5
BlackBerry Desktop Software 4.2.1
CCleaner (remove only)
CloneCD
CloneDVD2
Cnxt 2011 D850 56K V.9x DF Modem
Comcast High-Speed Internet Install Wizard
ConvertXtoDVD 3.3.0.96
DJ_AIO_Software_min
dj_sf_software_req
DriverMax 4
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.2.2
DVDFab Platinum 4.0.1.2
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet All-In-One Software 9.0
HP Deskjet Printer Driver Software 9.0
J2SE Runtime Environment 5.0 Update 14
Java™ 6 Update 10
Java™ 6 Update 5
Java™ 6 Update 7
Logitech Print Service
Logitech QuickCam
Logitech® Camera Driver
Magic DVD Ripper V5.3 build 8
magicJack Recovery Tool 1.0
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MiniRingtone 1.5
MSN Messenger 7.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
nCleaner second 2.3.4.0
Nero 7 Ultra Edition
neroxml
Scan
Seagate DiscWizard
SeaTools for Windows
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
SiS 900 PCI Fast Ethernet Adapter Driver
Skype™ 3.8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Startup Delayer v2.3 (build 130)
Toolbox
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959141)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
VC 9.0 Runtime
VobSub v2.23 (Remove Only)
WD Diagnostics
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
XviD MPEG4 Video Codec (remove only)
ZoneAlarm

==== Event Viewer Messages From Past Week ========

1/8/2009 8:57:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SABKUTIL
1/7/2009 7:01:11 AM, error: Service Control Manager [7034] - The AVG8 Firewall service terminated unexpectedly. It has done this 2 time(s).
1/7/2009 7:01:05 AM, error: Service Control Manager [7034] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s).
1/7/2009 7:00:52 AM, error: Service Control Manager [7031] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
1/7/2009 7:00:03 AM, error: Service Control Manager [7034] - The AVG8 Firewall service terminated unexpectedly. It has done this 1 time(s).
1/13/2009 8:04:36 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 00000000.

==== End Of File ===========================

#5 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 14 January 2009 - 12:22 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Let's see what ComboFix can do.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for the AVG icon.
  • Right click it-> select Quit Control Center.
  • A warning will pop up, click Yes
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER log

Please also tell me of any changes you have made to your computer since you started your topic and the current symptoms.

With Regards,
The Panda

Edited by PropagandaPanda, 14 January 2009 - 12:22 PM.


#6 mreasyrider

mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 14 January 2009 - 03:28 PM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-14 13:03:15
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB7E5B8D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB7E586E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB7E65490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB7E5BE90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB7E62C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB7E62E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB7E66D50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB7E5BF80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB7E58C70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB7E65D10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB7E65AC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB7E62600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB7E66230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB7E662B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB7E58AD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB7E644F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB7E642B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB7E66970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB7E663D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB7E5B4F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB7E667C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB7E5BAA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB7E58EA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB7E65800]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB7E63580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB7E63400]

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 90, BE, E5, B7, 80, 2C, E6, ... ]
? srescan.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B7E60410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7E60220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B7E60B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E5E780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E5E780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7E60410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7E60220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7E60B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7E60410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7E60B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7E60220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7E5E780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7E60B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7E60220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7E60410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B7E68870] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E5E780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7E60410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7E60220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7E60B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7E60410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E5E780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7E60B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7E60220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [B7E593D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B7E59320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B7E594D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B7E59040] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.14 ----




ComboFix 09-01-13.04 - J 2009-01-14 13:08:24.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.481 [GMT -6:00]
Running from: c:\documents and settings\J\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\w32apiw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVG


((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-14 12:39 . 2009-01-14 13:05 250 --a------ c:\windows\gmer.ini
2009-01-11 15:56 . 2009-01-11 15:56 <DIR> d-------- c:\program files\AIM6
2009-01-11 15:56 . 2009-01-11 15:57 463 --ah----- C:\IPH.PH
2009-01-04 05:30 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-04 05:20 . 2009-01-04 05:21 <DIR> d-------- c:\program files\Winamp
2009-01-04 05:20 . 2009-01-04 05:21 <DIR> d-------- c:\documents and settings\J\Application Data\Winamp
2009-01-03 05:54 . 2009-01-14 13:07 <DIR> d-------- c:\documents and settings\J\Application Data\Skype
2009-01-03 05:53 . 2009-01-03 05:53 <DIR> d-------- c:\program files\Common Files\Skype
2009-01-03 01:15 . 2009-01-14 01:06 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-02 17:44 . 2009-01-14 07:28 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-02 17:44 . 2009-01-02 17:44 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-02 17:44 . 2009-01-02 17:44 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-02 17:44 . 2009-01-02 17:44 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-01-02 17:44 . 2009-01-02 17:44 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-02 17:43 . 2009-01-02 17:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-02 17:43 . 2009-01-02 17:43 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-01-02 17:43 . 2009-01-02 17:43 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-01-02 14:36 . 2009-01-02 14:36 <DIR> d-------- C:\fsaua.data
2009-01-01 20:15 . 2009-01-01 20:15 24,872 --a------ c:\windows\system32\drivers\ElbyCDIO.sys
2008-12-21 10:15 . 2008-12-21 10:15 <DIR> d-------- C:\EE_TEST
2008-12-21 09:51 . 1998-04-24 00:00 368,912 --a------ c:\windows\system32\vbar332.dll
2008-12-21 09:51 . 2000-12-06 01:00 209,608 --a------ c:\windows\system32\TabCtl32.ocx
2008-12-21 09:51 . 2000-05-22 01:00 115,920 --a------ c:\windows\system32\MSINET.ocx
2008-12-21 09:51 . 1999-05-29 21:33 114,696 --a------ c:\windows\system32\Fablock6.ocx
2008-12-21 09:51 . 1996-05-03 23:05 28,672 --a------ c:\windows\system32\MSGHOO32.OCX
2008-12-19 00:12 . 2008-12-19 00:12 <DIR> d-------- c:\program files\support.com
2008-12-19 00:12 . 2008-12-19 00:12 <DIR> d-------- c:\program files\Common Files\SupportSoft
2008-12-19 00:12 . 2008-12-19 00:12 1,000 --a------ C:\net_save.dna
2008-12-16 06:06 . 2008-12-16 06:18 <DIR> d-------- c:\program files\Bride.Ru Informer
2008-12-15 09:07 . 2008-12-15 09:07 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-15 08:59 . 2008-12-15 08:59 <DIR> d-------- c:\program files\Western Digital Technologies
2008-12-14 14:51 . 2008-12-14 14:51 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 14:05 --------- d-----w c:\documents and settings\J\Application Data\skypePM
2009-01-14 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-14 02:04 --------- d-----w c:\documents and settings\J\Application Data\mjusbsp
2009-01-13 00:52 --------- d-----w c:\documents and settings\J\Application Data\Vso
2009-01-06 23:54 --------- d-----w c:\program files\DVDFab 5
2009-01-03 11:53 --------- d-----w c:\program files\Skype
2009-01-03 11:53 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-28 04:04 --------- d-----w c:\program files\Google
2008-12-24 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 18:49 --------- d-----w c:\program files\CCleaner
2008-12-23 00:41 --------- d-----w c:\program files\Common Files\Adobe
2008-12-21 15:57 --------- d-----w c:\program files\MagicDVDRipper
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 16:37 --------- d-----w c:\program files\Elaborate Bytes
2008-12-09 16:33 --------- d-----w c:\program files\SlySoft
2008-12-09 14:36 --------- d-----w c:\documents and settings\All Users\Application Data\SlySoft
2008-12-09 14:29 --------- d-----w c:\documents and settings\All Users\Application Data\Elaborate Bytes
2008-12-05 07:07 --------- d-----w c:\program files\Zone Labs
2008-12-05 00:50 --------- d-----w c:\program files\DVD Flick
2008-12-05 00:49 --------- d-----w c:\documents and settings\J\Application Data\DVD Flick
2008-12-05 00:45 --------- d-----w c:\program files\XoftSpySE
2008-12-03 18:20 --------- d-----w c:\program files\Common Files\Download Manager
2008-12-03 18:08 --------- d-----w c:\program files\Daniusoft
2008-12-03 16:10 --------- d-----w c:\documents and settings\LocalService\Application Data\Ahead
2008-12-03 03:45 --------- d-----w c:\program files\SuperAdBlocker.com
2008-12-03 03:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 02:40 --------- d-----w c:\documents and settings\J\Application Data\SuperAdBlocker.com
2008-12-02 21:59 --------- d-----w c:\documents and settings\J\Application Data\iolo
2008-12-02 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-12-02 21:58 --------- d-----w c:\documents and settings\LocalService\Application Data\iolo
2008-12-01 13:20 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2008-11-30 17:39 --------- d-----w c:\program files\Gabest
2008-11-30 17:39 --------- d-----w c:\program files\AviSynth 2.5
2008-11-30 02:49 --------- d-----w c:\documents and settings\J\Application Data\DVDFab
2008-11-29 10:39 --------- d-----w c:\program files\VSO
2008-11-26 22:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-26 21:49 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-26 21:49 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-26 21:49 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-26 21:49 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-24 13:00 --------- d-----w c:\program files\Java
2008-11-19 11:20 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2007-12-20 12:55 47,360 ----a-w c:\documents and settings\J\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot_2009-01-07_ 7.09.42.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-14 18:39:05 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-12-10 09:21:28 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-01-14 13:14:45 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-12-10 09:21:29 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-14 13:14:46 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-10 09:21:29 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-01-14 13:14:46 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-12-10 09:21:29 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-01-14 13:14:46 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-12-10 09:21:29 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-14 13:14:46 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-12-10 09:21:29 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-14 13:14:47 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-12-10 09:21:30 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-14 13:14:47 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-12-10 09:21:29 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-14 13:14:46 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-12-10 09:21:29 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-14 13:14:46 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-12-10 09:21:29 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-14 13:14:46 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-12-10 09:21:30 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-14 13:14:47 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-12-10 09:21:28 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-14 13:14:45 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-08-28 10:04:17 333,056 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2009-01-14 18:39:05 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-12-02 21:26:30 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-09 23:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-14 19:14:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7d4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"cdloader"="c:\documents and settings\J\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoTray"="files\logitech\video\logitray.exe" [BU]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-02 1601304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-02 17:44 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-04-19 21:38 1945688 c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 11:28 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
--a------ 2008-12-17 12:36 50520 c:\documents and settings\J\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 13:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2007-04-19 21:24 1169744 c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
c:\program files\Microsoft Office\Office12\GrooveMonitor.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 2008-10-22 16:10 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-09-04 15:40 6856704 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartupDelayer]
--a------ 2007-12-14 03:11 26112 c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-24 07:00 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-12-19 18:40 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2001-05-30 01:02 124416 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\J\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-02 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-02 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-02 107272]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-02 29208]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-11-19 15504]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2008-11-13 56960]
R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [2008-10-21 245760]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-02 298264]
R4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-02 1339600]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-11-19 170640]
R4 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2008-11-13 45696]
S0 hknfm;hknfm;c:\windows\system32\drivers\ufnb.sys --> c:\windows\system32\drivers\ufnb.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-02 29208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{473a7342-ae4d-11dc-8135-806d6172696f}]
\Shell\AutoRun\command - D:\start.exe languages.dbd
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\Malwarebytes' Scheduled Scan for J.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]

2009-01-14 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe []

2009-01-13 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe []
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 13:15:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(888)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-14 13:18:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 19:18:48
ComboFix2.txt 2009-01-07 13:11:28
ComboFix3.txt 2009-01-02 13:14:25
ComboFix4.txt 2009-01-02 12:47:22
ComboFix5.txt 2009-01-14 19:07:11

Pre-Run: 25,752,129,536 bytes free
Post-Run: 25,734,873,088 bytes free

275 --- E O F --- 2009-01-14 13:14:51
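The "Reg Loading Points" section of the ComboFix log above lists every service and driver with its image path, and marks an entry whose file cannot be found on disk with `--> <path> [?]`. That is the detail that matters for triage here: a boot-start driver (`S0 hknfm`) whose service name, display name and file name (`ufnb.sys`) are unrelated and whose file is missing is exactly the kind of leftover a rootkit cleanup leaves behind, and it is the entry the next reply targets with a CFScript. The following parser and scoring routine is an added example, not code from ComboFix, BleepingComputer or anyone in this thread; the sample lines are copied from the log above, and the reading of the prefix (R = running, S = stopped, digit = Windows start type, 0 boot / 1 system / 2 auto / 3 demand / 4 disabled) is my reading of ComboFix's convention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: service/driver lines copied from the ComboFix log above.
# Format: <state><start_type> <name>;<display name>;<image path> [<date> <size>]
# or, when ComboFix cannot find the image file, "<path> --> <path> [?]".
SAMPLE_LOG = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-02 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-02 324872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-11-19 15504]
S0 hknfm;hknfm;c:\windows\system32\drivers\ufnb.sys --> c:\windows\system32\drivers\ufnb.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-02 29208]
"""

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
STAMP_RE = re.compile(r"\s\[(\d{4}-\d{2}-\d{2}) (\d+)\]$")


@dataclass
class ServiceEntry:
    state: str          # 'R' running / 'S' stopped (assumed ComboFix convention)
    start_type: int     # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str
    missing: bool       # True when ComboFix printed "... --> <path> [?]"
    date: Optional[str] = None
    size: Optional[int] = None


def sample_lines() -> List[str]:
    return SAMPLE_LOG.strip().splitlines()


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service/driver line; return None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, tail = m.groups()
    if tail.endswith("[?]"):
        # Missing image: keep the path as registered, drop the "--> ... [?]" echo.
        path = tail.split(" --> ", 1)[0]
        return ServiceEntry(state, int(start), name, display, path, True)
    stamp = STAMP_RE.search(tail)
    path = tail[:stamp.start()] if stamp else tail
    return ServiceEntry(state, int(start), name, display, path, False,
                        date=stamp.group(1) if stamp else None,
                        size=int(stamp.group(2)) if stamp else None)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines: List[str]) -> List[Dict]:
    """Score each entry on simple persistence-oriented heuristics; return the suspects, highest score first."""
    findings = []
    for line in lines:
        e = parse_service_line(line)
        if e is None:
            continue
        reasons = []
        if e.missing:
            reasons.append("image file not found on disk")
        if e.start_type <= 1:
            reasons.append("boot/system start (loads before most security software)")
        if e.name.lower() == e.display.lower():
            reasons.append("display name is just the service name")
        stem = basename(e.path).rsplit(".", 1)[0]
        if stem and stem not in e.name.lower() and e.name.lower() not in stem:
            reasons.append(f"service name '{e.name}' unrelated to file '{basename(e.path)}'")
        # A missing image is always worth a look; otherwise require several weak signals together.
        if e.missing or len(reasons) >= 3:
            findings.append({"name": e.name, "path": e.path, "score": len(reasons), "reasons": reasons})
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for f in triage(sample_lines()):
        print(f"{f['score']} {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, `hknfm` comes out on top with all four signals, and `SABKUTIL` is listed only because its file is missing (its name matches the file and the vendor folder, and the Event Viewer entry earlier in this log, "driver(s) failed to load: SABKUTIL", corroborates a broken uninstall rather than an infection). The heuristics are deliberately weak on their own; the point is to pull the handful of entries worth a manual look out of a long log, not to decide anything automatically.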

#7 mreasyrider

mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 14 January 2009 - 03:34 PM

I have done nothing more since the f-secure scan. At times the machine just slows and the CPU usage goes way up. If I just cut the power and reboot I now get a message that the machine has just recovered from a serious error. Now I have my son's computer with a c000021a code. I think my family is haunted by an evil computer ghost or something :thumbsup:

Edited by mreasyrider, 14 January 2009 - 03:37 PM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 PM

Posted 14 January 2009 - 05:27 PM

Hello mreasyrider.

Doesn't look like there is an active infection.

Please make sure your protection is disabled.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Driver::
    hknfm
    
    Rootkit::
    c:\windows\system32\drivers\ufnb.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Re-enable your protection at this time.

Please post back with:
-the ComboFix log
-the Kaspersky scan log

With Regards,
The Panda

#9 mreasyrider

mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 15 January 2009 - 07:50 AM

ComboFix 09-01-13.04 - J 2009-01-15 6:24:28.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.585 [GMT -6:00]
Running from: c:\documents and settings\J\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\J\Desktop\cfscript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\J\Application Data\AnyDVD.v6.5.x.x.Patcher.v1.0.R2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVG
-------\Service_hknfm


((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-14 16:21 . 2009-01-14 16:25 22,016 --a------ c:\documents and settings\J\Application Data\patch.exe
2009-01-14 12:39 . 2009-01-14 13:05 250 --a------ c:\windows\gmer.ini
2009-01-11 15:56 . 2009-01-11 15:56 <DIR> d-------- c:\program files\AIM6
2009-01-11 15:56 . 2009-01-11 15:57 463 --ah----- C:\IPH.PH
2009-01-10 10:25 . 2009-01-10 10:25 103,488 --a------ c:\windows\system32\drivers\AnyDVD.sys
2009-01-04 05:30 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-04 05:20 . 2009-01-04 05:21 <DIR> d-------- c:\program files\Winamp
2009-01-04 05:20 . 2009-01-04 05:21 <DIR> d-------- c:\documents and settings\J\Application Data\Winamp
2009-01-03 05:54 . 2009-01-14 13:07 <DIR> d-------- c:\documents and settings\J\Application Data\Skype
2009-01-03 05:53 . 2009-01-03 05:53 <DIR> d-------- c:\program files\Common Files\Skype
2009-01-03 01:15 . 2009-01-14 01:06 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-02 17:44 . 2009-01-14 15:29 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-02 17:44 . 2009-01-02 17:44 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-02 17:44 . 2009-01-02 17:44 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-02 17:44 . 2009-01-02 17:44 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-01-02 17:44 . 2009-01-02 17:44 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-02 17:43 . 2009-01-02 17:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-02 17:43 . 2009-01-02 17:43 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-01-02 17:43 . 2009-01-02 17:43 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-01-02 14:36 . 2009-01-02 14:36 <DIR> d-------- C:\fsaua.data
2009-01-01 20:15 . 2009-01-01 20:15 24,872 --a------ c:\windows\system32\drivers\ElbyCDIO.sys
2008-12-21 09:51 . 1998-04-24 00:00 368,912 --a------ c:\windows\system32\vbar332.dll
2008-12-21 09:51 . 2000-12-06 01:00 209,608 --a------ c:\windows\system32\TabCtl32.ocx
2008-12-21 09:51 . 2000-05-22 01:00 115,920 --a------ c:\windows\system32\MSINET.ocx
2008-12-21 09:51 . 1999-05-29 21:33 114,696 --a------ c:\windows\system32\Fablock6.ocx
2008-12-21 09:51 . 1996-05-03 23:05 28,672 --a------ c:\windows\system32\MSGHOO32.OCX
2008-12-19 00:12 . 2008-12-19 00:12 <DIR> d-------- c:\program files\support.com
2008-12-19 00:12 . 2008-12-19 00:12 <DIR> d-------- c:\program files\Common Files\SupportSoft
2008-12-19 00:12 . 2008-12-19 00:12 1,000 --a------ C:\net_save.dna
2008-12-16 06:06 . 2008-12-16 06:18 <DIR> d-------- c:\program files\Bride.Ru Informer
2008-12-15 09:07 . 2008-12-15 09:07 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-15 08:59 . 2008-12-15 08:59 <DIR> d-------- c:\program files\Western Digital Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 05:42 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-15 02:22 --------- d-----w c:\documents and settings\J\Application Data\Vso
2009-01-14 14:05 --------- d-----w c:\documents and settings\J\Application Data\skypePM
2009-01-14 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 02:04 --------- d-----w c:\documents and settings\J\Application Data\mjusbsp
2009-01-06 23:54 --------- d-----w c:\program files\DVDFab 5
2009-01-03 11:53 --------- d-----w c:\program files\Skype
2009-01-03 11:53 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-01-02 11:48 2,521,931 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2008-12-31 14:51 1,471,488 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-12-29 19:39 1,470,976 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-12-28 16:33 1,465,856 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-12-28 04:04 --------- d-----w c:\program files\Google
2008-12-24 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 18:49 --------- d-----w c:\program files\CCleaner
2008-12-23 00:41 --------- d-----w c:\program files\Common Files\Adobe
2008-12-21 15:57 --------- d-----w c:\program files\MagicDVDRipper
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 16:37 --------- d-----w c:\program files\Elaborate Bytes
2008-12-09 16:33 --------- d-----w c:\program files\SlySoft
2008-12-09 14:36 --------- d-----w c:\documents and settings\All Users\Application Data\SlySoft
2008-12-09 14:29 --------- d-----w c:\documents and settings\All Users\Application Data\Elaborate Bytes
2008-12-05 07:07 --------- d-----w c:\program files\Zone Labs
2008-12-05 00:50 --------- d-----w c:\program files\DVD Flick
2008-12-05 00:49 --------- d-----w c:\documents and settings\J\Application Data\DVD Flick
2008-12-05 00:45 --------- d-----w c:\program files\XoftSpySE
2008-12-03 18:20 --------- d-----w c:\program files\Common Files\Download Manager
2008-12-03 18:08 --------- d-----w c:\program files\Daniusoft
2008-12-03 16:10 --------- d-----w c:\documents and settings\LocalService\Application Data\Ahead
2008-12-03 03:45 --------- d-----w c:\program files\SuperAdBlocker.com
2008-12-03 03:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 02:40 --------- d-----w c:\documents and settings\J\Application Data\SuperAdBlocker.com
2008-12-02 21:59 --------- d-----w c:\documents and settings\J\Application Data\iolo
2008-12-02 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-12-02 21:58 --------- d-----w c:\documents and settings\LocalService\Application Data\iolo
2008-12-01 13:20 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2008-11-30 17:39 --------- d-----w c:\program files\Gabest
2008-11-30 17:39 --------- d-----w c:\program files\AviSynth 2.5
2008-11-30 02:49 --------- d-----w c:\documents and settings\J\Application Data\DVDFab
2008-11-29 10:39 --------- d-----w c:\program files\VSO
2008-11-26 22:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-26 21:49 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-26 21:49 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-26 21:49 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-26 21:49 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-24 13:00 --------- d-----w c:\program files\Java
2008-11-19 11:20 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2007-12-20 12:55 47,360 ----a-w c:\documents and settings\J\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"cdloader"="c:\documents and settings\J\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-19 68856]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-01-14 2522048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-02 1601304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-02 17:44 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-04-19 21:38 1945688 c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 11:28 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
--a------ 2008-12-17 12:36 50520 c:\documents and settings\J\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 13:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2007-04-19 21:24 1169744 c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 2008-10-22 16:10 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-09-04 15:40 6856704 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartupDelayer]
--a------ 2007-12-14 03:11 26112 c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-24 07:00 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-12-19 18:40 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2001-05-30 01:02 124416 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\J\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-02 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-02 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-02 107272]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-02 29208]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-11-19 15504]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2008-11-13 56960]
R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [2008-10-21 245760]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-02 298264]
R4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-02 1339600]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-11-19 170640]
R4 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2008-11-13 45696]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-02 29208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{473a7342-ae4d-11dc-8135-806d6172696f}]
\Shell\AutoRun\command - D:\start.exe languages.dbd
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\Malwarebytes' Scheduled Scan for J.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]

2009-01-15 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe []

2009-01-13 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LogitechVideoTray - files\logitech\video\logitray.exe
MSConfigStartUp-GrooveMonitor - c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 06:28:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-01-15 6:32:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-15 12:32:23
ComboFix2.txt 2009-01-14 19:18:54

Pre-Run: 22,582,382,592 bytes free
Post-Run: 22,560,165,888 bytes free

240 --- E O F --- 2009-01-14 13:14:51

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 PM

Posted 15 January 2009 - 11:44 AM

Hello.

Looks better. Let's get an online scan.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Also include a fresh DDS.txt log.

Any change in symptoms?

With Regards,
The panda

#11 mreasyrider

mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 15 January 2009 - 01:16 PM

You are correct about the scan taking a while. Been running now for 2 hours and only 5% completed. Yes it did do something strange this morning. Something shut AVG down and the red windows shield came up saying I had no antivirus. Then suddenly another AVG icon popped up on the task bar so I had two AVG icons, the shield went away, the other AVG icon went away and that was all of that. However using the internet was almost like using a dial-up connection. Zone Alarm popped up and said rblns36.mailshell.net was trying to access the internet. Not knowing what it was I denied access for it.

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 PM

Posted 15 January 2009 - 03:31 PM

Hello.

The icon issue was probably just the explorer not refreshing the tray.

Doesn't appear to be an issue caused by malware.

Let's get a fresh DDS.txt log please.

With Regards,
The Panda

#13 mreasyrider

mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 15 January 2009 - 05:18 PM

I messed up and saved the Kaspersky as an HTML. Anyway it found one virus that was in a .RAR file that I had downloaded. I deleted the file. Here is the DDS:


DDS (Ver_09-01-07.01) - NTFSx86
Run by J at 16:09:53.00 on Thu 01/15/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.397 [GMT -6:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
FW: AVG Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\J\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {d38ccbf8-0270-6d4f-7bf8-16a2f7db4a4c} - Search panel
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cdloader] "c:\documents and settings\j\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-2 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-2 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-2 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-2 107272]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-5 353680]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-1-2 29208]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-11-19 15504]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2008-11-13 56960]
R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [2008-10-21 245760]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-2 298264]
R4 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-1-2 1339600]
R4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-11-19 170640]
R4 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2008-11-13 45696]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-1-2 29208]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\j\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\j\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]

=============== Created Last 30 ================

2009-01-15 07:11 217,127 a------- c:\windows\system32\drv43260.dll
2009-01-15 07:11 208,935 a------- c:\windows\system32\drv33260.dll
2009-01-15 07:11 176,165 a------- c:\windows\system32\drv23260.dll
2009-01-14 16:21 22,016 a------- c:\docume~1\j\applic~1\patch.exe
2009-01-14 12:39 250 a------- c:\windows\gmer.ini
2009-01-11 15:56 <DIR> --d----- c:\program files\AIM6
2009-01-11 15:56 463 a---h--- C:\IPH.PH
2009-01-10 10:25 103,488 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-01-04 05:30 <DIR> --d----- C:\SDFix
2009-01-03 01:15 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-02 17:44 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-02 17:44 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-01-02 17:44 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-02 17:44 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-02 17:44 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-02 17:43 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-01-02 17:43 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-01-02 17:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-02 14:36 <DIR> --d----- C:\fsaua.data
2009-01-02 06:34 161,792 a------- c:\windows\SWREG.exe
2009-01-02 06:34 98,816 a------- c:\windows\sed.exe
2009-01-01 20:15 24,872 a------- c:\windows\system32\drivers\ElbyCDIO.sys
2008-12-21 09:51 115,920 a------- c:\windows\system32\MSINET.ocx
2008-12-21 09:51 114,696 a------- c:\windows\system32\Fablock6.ocx
2008-12-21 09:51 209,608 a------- c:\windows\system32\TabCtl32.ocx
2008-12-21 09:51 28,672 a------- c:\windows\system32\MSGHOO32.OCX
2008-12-21 09:51 368,912 a------- c:\windows\system32\vbar332.dll
2008-12-19 00:12 1,000 a------- C:\net_save.dna
2008-12-19 00:12 <DIR> --d----- c:\program files\support.com
2008-12-19 00:12 <DIR> --d----- c:\program files\common files\SupportSoft

==================== Find3M ====================

2008-12-11 05:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 01:07 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-11-30 11:39 43,698 a------- c:\windows\system32\xvid-uninstall.exe
2008-11-24 07:00 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-19 11:21 93,128 a------- c:\windows\system32\ElbyCDIO.dll
2008-11-13 15:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2007-12-20 06:55 47,360 a------- c:\docume~1\j\applic~1\pcouffin.sys

============= FINISH: 16:10:45.81 ===============
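Reading the SERVICES / DRIVERS section of a DDS log by hand is how the helpers in this thread spot a suspect driver. As an added example (not part of this thread, and not DDS or ComboFix code), the Python script below parses those lines and flags the entries a reviewer would check first: images the scanner could not stat (the trailing `[?]`) and kernel drivers loaded from a profile or temp directory. The sample lines are copied from the DDS log above; the function and class names are hypothetical.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS or ComboFix log.

Hypothetical helper written for this thread; it is not part of DDS, ComboFix
or anything posted by the Malware Response Team. It parses lines such as

    R1 AvgTdiX;AVG8 Network Redirector;c:\\windows\\system32\\drivers\\avgtdix.sys [2009-1-2 107272]
    S1 SABKUTIL;SABKUTIL;\\??\\c:\\...\\sabkutil.sys --> c:\\...\\SABKUTIL.sys [?]

and reports entries worth a second look: services whose image the scanner
could not stat ("[?]" instead of "[date size]") and kernel drivers loaded
from a user profile or temp directory rather than a system location.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# Directories a kernel driver (.sys) should not normally be loaded from.
PROFILE_DIRS = (
    "\\documents and settings\\", "\\docume~1\\",
    "\\application data\\", "\\applic~1\\", "\\temp\\",
)

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"       # R = running, S = stopped; start type
    r"(?P<name>[^;]+);(?P<desc>[^;]*);"          # service name ; display name ;
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"  # image path [date size] or [?]
)


@dataclass
class ServiceEntry:
    running: bool
    start: int
    name: str
    desc: str
    path: str
    date: Optional[str]   # None when the scanner printed "[?]"
    size: Optional[int]

    @property
    def image_missing(self) -> bool:
        return self.date is None

    @property
    def is_kernel_driver(self) -> bool:
        # ".sys" at the end of the path or before appended arguments
        return re.search(r"\.sys(\s|$)", self.path.lower()) is not None


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R?/S? line; return None for lines that are not service entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if "-->" in path:                   # "raw --> resolved": keep the resolved path
        path = path.split("-->", 1)[1].strip()
    if path.startswith("\\??\\"):       # NT object-manager prefix, not a location
        path = path[4:]
    meta = m.group("meta").strip()
    date = size = None
    if meta != "?":
        date, size_text = meta.split()
        size = int(size_text)
    return ServiceEntry(
        running=m.group("state") == "R",
        start=int(m.group("start")),
        name=m.group("name").strip(),
        desc=m.group("desc").strip(),
        path=path,
        date=date,
        size=size,
    )


def triage(log_lines) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every entry that deserves a closer look."""
    findings = []
    for line in log_lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if entry.image_missing:
            # A common benign cause is command-line arguments appended to the
            # path ("vsmon.exe -service" in the log); still confirm by hand.
            reasons.append("scanner could not stat the image file ([?])")
        low = entry.path.lower()
        if entry.is_kernel_driver and any(d in low for d in PROFILE_DIRS):
            reasons.append(f"{START_TYPES[entry.start]}-start kernel driver "
                           "loaded from a profile or temp directory")
        if reasons:
            findings.append((entry.name, reasons))
    return findings


# Sample input copied from the DDS log in this thread (constructed test data).
SAMPLE_DDS_LINES = r"""
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-2 12552]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-2 107272]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\j\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\j\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
""".strip().splitlines()

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DDS_LINES):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the thread's own log it singles out the stale F-Secure online-scanner minifilter left in the user's temp directory, which is exactly the kind of leftover a human reviewer would confirm and clean up.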

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 PM

Posted 15 January 2009 - 05:23 PM

Hello.

That log looks clean.

Unless there are any other signs of infection, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#15 mreasyrider

mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 15 January 2009 - 06:03 PM

Just curious as to what was found is the only thing I'd like to ask. I very much appreciate your help with this. Thank you so much.



