Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

unknown nasty


  • This topic is locked This topic is locked
5 replies to this topic

#1 Kandinsky

Kandinsky

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 07 January 2009 - 02:59 AM

Hello,

I've gone through a lot of proccesses trying to get rid of this but unfortunately did not write everything down. & I reformatted 3 times but did not save some files... So I did forget some stuff. I seem to have reformatted the hard disk right but did not unplug my modem during the process. OR it may have come in again through the Norton auto updater...

Either malwarebytes or ssuperantispyware or trojan hunter (2 of these- I forget which) did find 3 separate trojan registries before reformatting and fixed them. All I can remember is one was a "trojan" BHO or BOT. The other 2 had different names.

I have something that I suspect takes over the auto update parts of various programs, including at first an updated Avast free version, then a paid cd of Norton. It seemed to have taken over Orbit downloader and TCPview as well. (I might have missed configuring orbit to NOT use p2p originally... ) I have Zone Alarm 7+ free version and it's been a great tool for stopping connections but I suspect bits of stuff are leaking in anyway. I think through firefox.

If I watch Zone alarm logs I can still see the same address attacking me over and over and windows explorer and other programs trying to connect with that ip address as well. The address trys to connect with scvhost and explorer mostly at this point, but was trying with others before.

What was interesting is once I reformatted something called DIFx gave itself a trusted address in zone alarm which I couldn't delete and was downloading from *that address*. It made itself an entry in "add remove programs" which came back after deletion. I found the dll file and I think ? exe file and those came back after deletion. Nor could I deny connection permissions through zone alarm. On the next reformat I was able to add it to zone alarm before connecting to the internet and deny it AND the windows installer (which also did all of the same things except enter in ZA) any connections. Windows installer also was connecting to the internet.

Then disabled all auto updates I could find. Then loaded norton cd, connected and pressed "update". I think I disabled norton autoupdate first but might have missed one of them ?? 3 hours into the norton update windows explorer started trying to reach it. So I guess it got in again.

Right now norton, avast, malwarebytes, trojan hunter, superantispyware fail to find anything. Spybot didn't find anything earlier. All have been updated more than once. I now have avast on the pc.

I think it has gotten some control over the keyboard and mouse= snoopfree antikeyboard logger will not reinstall without crashing now, and the mouse makes small erratic movements.

xpsp2, asus m2n motherboard. When I first got the computer I tryed updating the motherboard drivers and it was a total mess. I've ordered xp3 cd from microsoft and will order zone alarm pro and will reformat when I get those, but I'd still really like to find what this is and how to keep it away.

Usually I have a lot of services disabled but right now I haven't bothered.

thanks to all of you at this forum for the time you spend with people!



DDS (Version 1.1.0) - NTFSx86
Run by Lynn at 23:03:54.56 on Tue 01/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1474 [GMT -8:00]

AV: avast! antivirus 4.8.1296 [VPS 090106-1] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\Lynn\Desktop\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Lynn\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [THGuard] "c:\program files\trojanhunter 5.0\THGuard.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {3A0C875F-8F9E-4670-94EA-A16B341923F1} = 66.81.1.250 66.81.1.252
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-6 111184]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-3 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-3 394952]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-6 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-6 352920]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-6 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-6 155160]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-06 16:18 <DIR> a-dshr-- C:\autorun.inf
2009-01-05 02:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-04 18:05 16,958 a------- c:\windows\system32\evga.ico
2009-01-04 17:57 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-04 17:56 53,760 ac------ c:\windows\system32\dllcache\wiamsmud.dll
2009-01-04 17:55 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-01-04 17:54 50,176 ac------ c:\windows\system32\dllcache\umaxp60.dll
2009-01-04 17:53 241,664 ac------ c:\windows\system32\dllcache\tosdvd02.sys
2009-01-04 17:52 3,968 ac------ c:\windows\system32\dllcache\swusbflt.sys
2009-01-04 17:51 114,688 ac------ c:\windows\system32\dllcache\sonypi.dll
2009-01-04 17:50 91,294 ac------ c:\windows\system32\dllcache\skfpwin.sys
2009-01-04 17:49 6,912 ac------ c:\windows\system32\dllcache\seaddsmc.sys
2009-01-04 17:48 82,432 ac------ c:\windows\system32\dllcache\rwia450.dll
2009-01-04 17:47 49,024 ac------ c:\windows\system32\dllcache\ql1280.sys
2009-01-04 17:46 92,416 ac------ c:\windows\system32\dllcache\phildec.sys
2009-01-04 17:45 31,872 ac------ c:\windows\system32\dllcache\ovce.sys
2009-01-04 17:44 39,264 ac------ c:\windows\system32\dllcache\neo20xx.sys
2009-01-04 17:43 12,416 ac------ c:\windows\system32\dllcache\msriffwv.sys
2009-01-04 17:42 48,768 ac------ c:\windows\system32\dllcache\maestro.sys
2009-01-04 17:41 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2009-01-04 17:40 372,824 ac------ c:\windows\system32\dllcache\iconf32.dll
2009-01-04 17:39 1,041,536 ac------ c:\windows\system32\dllcache\hsfdpsp2.sys
2009-01-04 17:38 165,888 ac------ c:\windows\system32\dllcache\hpgt53.dll
2009-01-04 17:37 455,680 ac------ c:\windows\system32\dllcache\fus2base.sys
2009-01-04 17:36 53,248 ac------ c:\windows\system32\dllcache\eqndiag.exe
2009-01-04 17:35 38,985 ac------ c:\windows\system32\dllcache\disrvsu.dll
2009-01-04 17:34 60,970 ac------ c:\windows\system32\dllcache\cpqtrnd5.sys
2009-01-04 17:33 35,456 ac------ c:\windows\system32\dllcache\bthprint.sys
2009-01-04 17:32 36,224 ac------ c:\windows\system32\dllcache\an983.sys
2009-01-04 01:11 <DIR> --d----- c:\docume~1\lynn\applic~1\TrojanHunter
2009-01-04 00:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-04 00:46 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-04 00:46 <DIR> --d----- c:\docume~1\lynn\applic~1\SUPERAntiSpyware.com
2009-01-04 00:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-04 00:37 <DIR> --d----- c:\docume~1\lynn\applic~1\Malwarebytes
2009-01-04 00:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 00:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 00:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 00:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-04 00:36 <DIR> --d----- c:\program files\TrojanHunter 5.0
2009-01-04 00:32 <DIR> --d----- c:\windows\pss
2009-01-03 19:20 905,216 a------- c:\windows\system32\GearDrvs.msi
2009-01-03 15:59 1,468,448 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-03 15:59 17,636 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-03 15:59 <DIR> --d----- c:\program files\ZoneAlarmSB
2009-01-03 15:57 <DIR> --d----- c:\program files\Zone Labs
2009-01-03 15:31 <DIR> --d----- c:\docume~1\lynn\applic~1\Symantec
2009-01-03 15:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-01-03 15:27 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-01-03 15:21 <DIR> --d----- c:\program files\CONEXANT
2009-01-03 15:16 <DIR> --d----- c:\documents and settings\Lynn
2009-01-03 15:15 <DIR> --ds---- c:\windows\system32\Microsoft
2009-01-03 15:15 8,192 a------- c:\windows\REGLOCS.OLD
2009-01-03 15:13 189,986 ac------ c:\windows\system32\dllcache\c_1361.nls
2009-01-03 15:12 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-01-03 15:12 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-01-03 15:12 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-01-03 15:11 <DIR> --d----- c:\program files\common files\MSSoap
2009-01-03 15:09 <DIR> --d----- c:\program files\Messenger
2009-01-03 15:09 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-01-03 15:08 <DIR> --d----- c:\program files\Windows NT
2009-01-03 07:02 <DIR> --d----- c:\program files\common files\ODBC
2009-01-03 07:02 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-01-03 07:02 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-01-03 17:06 142,758 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-01-03 17:05 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-03 15:59 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-01-03 15:09 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:04:15.96 ===============

Edited by Kandinsky, 07 January 2009 - 03:05 AM.


BC AdBot (Login to Remove)

 


#2 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:18 AM

Posted 20 January 2009 - 03:07 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

go to c:\windows\internet logs and attach to your next post all the files with ZALOGS.txt in the name. There may be a few with dates as well. Attach them as well.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#3 Kandinsky

Kandinsky
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 26 January 2009 - 06:56 PM

Hi Hoov,

Sorry it took so long to get back to you. I've been getting my emails by web mail & missed a page of emails.

I have done sooo many things at this point that I think the best thing to do is reformat and clear the memory & maybe the master boot section. It will be easier on both of us especially since I can't remember everything I've done and have been playing around with it. & I may have actually gotten rid of it at this point.

Thank you for your consideration and if after reformatting I still have a problem I'll come back to this forum.

I've read the stuff on the microsoft updates and have ordered sp3 by mail & will get the other updates as well before reformatting. I believe the hole the thing is coming into is fixed in them.

Thanks for being a volunteer here!

#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:18 AM

Posted 26 January 2009 - 09:38 PM

That is your choice, but if we can run a few scans to make sure you are clean, or get a picture of where you are at, you may not need to do a reinstall. Let me know.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#5 Kandinsky

Kandinsky
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 29 January 2009 - 01:10 AM

thanks very much Hoov, Appreciate it.

But at this point I will reformat & update but I'll come back if there are problems after that.

#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:18 AM

Posted 29 January 2009 - 06:54 AM

OK. Let me know if you need this thread reopened.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users