
Probable virus infection, origin of virus unknown


  • This topic is locked
20 replies to this topic

#1 novirusplease

novirusplease

  • Members
  • 142 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 31 January 2009 - 03:31 AM

I have an Athlon 2400 running under WinXP SP3 with 900MB RAM.
The free versions of AVG Antivir and ZoneAlarm protect my PC.

I recently got a warning stating a new version of ZoneAlarm was available (standard message with possibility to immediately download the update or be reminded in X days). After downloading the zaSetup_en file, I went through the whole install process and chose the free version update (the other choice was a 15-day trial Internet suite version). After update and re-boot, I immediately noticed that everything was ultra-slow. The CPU was indeed at 100% all the time. I could not even open a folder as it took hours to open (it actually never opened). I re-booted twice to be sure that everything was installed correctly.

Also, a Windows message warned that the firewall program was deactivated. I tried to open the ZoneAlarm setup page but it ignored all my attempts to start/open ZoneAlarm. After waiting over 10-15 minutes for any folder/program to open/start, I had to realise that my PC was most probably infected by a virus. Over the last few days, I noticed that my PC was a bit slower than usual, but attributed it to intense use with too many Internet pages open simultaneously. This slowness was however nothing compared with the current situation, where I can actually do nothing.

I am not 100% sure that current ultra-slowness is due to the ZoneAlarm update. I noticed though that the update file was not as usual, as the file name did not contain any reference to the version, such as "zlsSetup_70_408_000_en". The last update file was simply "zaSetup_en". Not sure if this is of any importance.

I had to start in safe mode to send this message.

I would warmly appreciate any help to fix the problem.
Many thanks in advance to all Malware experts.

-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:52:24, on 31.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDTV 2.5a\MediaDetector.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Gestionnaire Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188102650531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189487632718
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6521 bytes
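A small parser for the HijackThis v2 log format posted above, with a few defensive triage checks a log reader would apply by hand. This is an added example, not part of the thread or of the HijackThis tool itself; the sample lines are constructed after the posted log, and the check names and thresholds are my own.

```python
"""Parse HijackThis v2 log lines into records and run defensive triage checks.

Added example (not from the forum post or from HijackThis). SAMPLE_LOG is a
constructed excerpt in the same format as the log posted above.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in the HijackThis v2.0.2 format shown in the post.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
# "HKLM\..\Run:", "HKCU\..\Run:", "HKUS\S-1-5-18\..\Run:", "HKUS\.DEFAULT\..\Run:"
O4_RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# (section code, kind, body pattern); every pattern yields <name> and <cmd>
PATTERNS = [
    ("O2", "bho", re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")),
    ("O3", "toolbar", re.compile(r"^Toolbar: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")),
    ("O4", "run", O4_RUN_RE),
    ("O4", "startup", re.compile(r"^Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")),
    ("O9", "ie_extra", re.compile(
        r"^Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")),
    ("O23", "service", re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<cmd>.*)$")),
]
# First drive-letter path ending in a binary extension, quoted or not; stops
# at the closing quote, whitespace or end of line so "/min" style args drop.
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|com|scr))(?:"|\s|$)', re.I)
# An executable sitting directly in the Windows root rather than a subfolder.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


@dataclass
class HjtEntry:
    code: str            # HijackThis section code, e.g. "O4", "O23"
    kind: str            # run, startup, bho, toolbar, ie_extra, service, other
    name: str
    exe: str             # executable/library path extracted from the entry
    hive: str = ""       # registry hive for O4 Run entries, or "Global Startup"
    vendor: str = ""     # service owner string for O23 entries
    quoted: bool = False # command line started with a double quote
    raw: str = ""


def exe_path(cmd: str) -> str:
    """Return the binary path from a command line, or the stripped input."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def parse_entry(line: str):
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    for pat_code, kind, pat in PATTERNS:
        if pat_code != code:
            continue
        r = pat.match(body)
        if not r:
            continue
        g = r.groupdict()
        hive = g.get("hive") or ("Global Startup" if kind == "startup" else "")
        return HjtEntry(code=code, kind=kind, name=g["name"], exe=exe_path(g["cmd"]),
                        hive=hive, vendor=g.get("vendor", ""),
                        quoted=g["cmd"].startswith('"'), raw=line)
    return HjtEntry(code=code, kind="other", name="", exe="", raw=line)


def parse_log(text: str):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def triage(entries):
    """Return (check, entry name, path) tuples for entries that deserve a second look."""
    findings = []
    for e in entries:
        if e.kind == "run" and " " in e.exe and not e.quoted:
            findings.append(("unquoted_path_with_spaces", e.name, e.exe))
        if WINDOWS_ROOT_RE.match(e.exe.lower()):
            findings.append(("exe_in_windows_root", e.name, e.exe))
        if e.kind == "service" and e.vendor.lower() == "unknown owner":
            findings.append(("unknown_service_owner", e.name, e.exe))
    return findings


if __name__ == "__main__":
    for check, name, exe in triage(parse_log(SAMPLE_LOG)):
        print(f"{check:28} {name!r:22} {exe}")
```

Each finding is a prompt to verify the binary (publisher, location, hash) rather than a verdict; on the posted log the same checks point at bdoscandel.exe in the Windows root, which the O9 entries identify as the BitDefender online scanner uninstaller.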



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:28 AM

Posted 07 February 2009 - 07:09 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

-- Note: The screen instructions indicate the attach.txt must be zipped before attaching (not posted) to your forum post. Instead, we want you to include attach.txt as an attachment to upload using the "Browse" button in the text editor when making your reply.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
Important!: Please do not select the Show all checkbox during the scan.

Run Kaspersky Online Scanner
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

In your next reply please include the following:
  • DDS.txt
  • Attach.txt
  • GMER Log
  • Kaspersky's Log
  • What Problems do you still have?

Important Note: For other users who are reading this topic, the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed. Please Do NOT follow the instructions provided for this topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 novirusplease

novirusplease
  • Topic Starter

  • Members
  • 142 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 08 February 2009 - 04:30 AM

My sincerest thanks for helping me in this very sad situation.

---

I followed all instructions up to the Gmer part. After downloading and starting Gmer, I checked the first five boxes under settings (by the way, it did NOT give me a warning at program start about rootkit activity and ask if I want to run a scan). After checking the boxes, I clicked "Modify" as nothing happened, and it did not prompt to restart my computer either. I actually went to the Rootkit tab and started the scan after making sure that all drives except the C were unchecked and all boxes on the right were checked except "Show all".

After re-reading your post, I realised that I should reboot BEFORE scanning, so I rebooted and started Gmer again. Here is my question: I see under "Settings" that the first five boxes are no longer checked. Should I check them again and scan, or should I leave them unchecked and go scan?

Many thanks again for your inestimable help.



NOTE: today, I will have to leave home (my PC) from time to time for family tasks, but I will definitely come back to the PC and follow your instructions, top priority after that.

#4 novirusplease

novirusplease
  • Topic Starter

  • Members
  • 142 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 08 February 2009 - 04:48 AM

I just wanted to add what I already have, in case it can help go faster.


---

DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by YS at 9:33:26.93 on 08.02.2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.896.615 [GMT 1:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\YS\Bureau\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [BlazeServoTool] "c:\program files\blazevideo\blazedtv 2.5a\MediaDetector.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UBSShell] c:\program files\ubs e-banking\ubs shell\UBSShell.exe Hidden
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album edition découverte\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [PrnStatusMX] c:\program files\hewlett-packard\prnstatusmx\PrnStatusMX.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\acroba~1.lnk - c:\program files\adobe\acrobat 4.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\gestio~1.lnk - c:\program files\microsoft office\office\MSOFFICE.EXE
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188102650531
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189487632718
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dr4708~1.yos\applic~1\mozilla\firefox\profiles\gggf2rlf.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-28 353680]
S1 atitray;atitray;\??\c:\program files\radeon omega drivers\v3.8.252\ati tray tools\atitray.sys --> c:\program files\radeon omega drivers\v3.8.252\ati tray tools\atitray.sys [?]
S1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\avgascln.sys --> c:\windows\system32\drivers\AvgAsCln.sys [?]
S1 avgio;avgio;c:\program files\antivir personaledition classic\avgio.sys [2006-12-1 11840]
S2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2006-12-1 68865]
S2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2006-12-1 151297]
S2 MLPTDR_B;MLPTDR_B;c:\windows\system32\MLPTDR_B.SYS [2002-7-23 19872]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2008-1-11 799744]
S3 AF05BDA;AF9005 BDA Device;c:\windows\system32\drivers\AF05BDA.sys [2007-10-22 117376]
S3 avgntflt;avgntflt;c:\program files\antivir personaledition classic\avgntflt.sys [2006-12-1 52032]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2006-12-30 131776]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2007-1-31 28928]

=============== Created Last 30 ================

2009-01-31 07:55 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-01-26 16:06 <DIR> --d----- C:\spoolerlogs

==================== Find3M ====================

2009-01-31 07:55 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-09 16:57 410,984 a------- c:\windows\system32\deploytk.dll
2008-06-07 07:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012008060720080608\index.dat
2008-06-07 07:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 9:33:46.42 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professionnel
Boot Device: \Device\HarddiskVolume1
Install Date: 27/10/2006 23:10:25
System Uptime: 02/08/2009 08:25:48 (-4199 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7V8X-X
Processor: AMD Athlon™ XP 2600+ | SOCKET A | 1905/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 46,615 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 75 GiB total, 36,173 GiB free.
F: is CDROM ()
I: is Removable
J: is Removable
K: is Removable
L: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP128: 11/12/2008 10:13:30 - Point de vérification système
RP129: 12/12/2008 20:49:19 - Point de vérification système
RP130: 14/12/2008 08:47:59 - Point de vérification système
RP131: 15/12/2008 17:25:05 - Point de vérification système
RP132: 16/12/2008 19:17:06 - Point de vérification système
RP133: 17/12/2008 20:17:55 - Point de vérification système
RP134: 18/12/2008 20:52:50 - Point de vérification système
RP135: 19/12/2008 21:10:27 - Point de vérification système
RP136: 21/12/2008 09:55:32 - Point de vérification système
RP137: 22/12/2008 12:18:40 - Point de vérification système
RP138: 23/12/2008 13:46:08 - Point de vérification système
RP139: 25/12/2008 10:06:00 - Point de vérification système
RP140: 26/12/2008 14:48:32 - Point de vérification système
RP141: 27/12/2008 14:58:37 - Point de vérification système
RP142: 29/12/2008 08:07:48 - Point de vérification système
RP143: 30/12/2008 09:33:10 - Point de vérification système
RP144: 31/12/2008 09:43:01 - Point de vérification système
RP145: 01/01/2009 10:56:07 - Point de vérification système
RP146: 02/01/2009 21:47:56 - Point de vérification système
RP147: 03/01/2009 22:20:15 - Point de vérification système
RP148: 04/01/2009 22:22:51 - Point de vérification système
RP149: 06/01/2009 08:19:32 - Point de vérification système
RP150: 07/01/2009 12:23:12 - Point de vérification système
RP151: 08/01/2009 16:44:21 - Point de vérification système
RP152: 09/01/2009 18:08:49 - Point de vérification système
RP153: 11/01/2009 08:37:04 - Point de vérification système
RP154: 12/01/2009 09:17:05 - Point de vérification système
RP155: 13/01/2009 18:51:43 - Point de vérification système
RP156: 15/01/2009 19:26:47 - Point de vérification système
RP157: 16/01/2009 19:48:39 - Point de vérification système
RP158: 18/01/2009 09:39:14 - Point de vérification système
RP159: 19/01/2009 09:50:09 - Point de vérification système
RP160: 20/01/2009 18:17:56 - Point de vérification système
RP161: 22/01/2009 18:02:10 - Point de vérification système
RP162: 23/01/2009 21:05:46 - Point de vérification système
RP163: 25/01/2009 20:24:37 - Point de vérification système
RP164: 27/01/2009 12:12:25 - Point de vérification système
RP165: 28/01/2009 13:01:06 - Point de vérification système
RP166: 28/01/2009 19:43:11 - Installed Windows Media Player 11
RP167: 30/01/2009 16:01:27 - Point de vérification système

==== Installed Programs ======================

63-Zero
A&D WinCT-Moisture
A&D WinCT-UFC
Active@ ISO Burner v 1.1
Adobe Acrobat 4.0
Adobe Acrobat 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe PDF IFilter 6.0
Adobe Reader 8.1.2 - Français
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe® Photoshop® Album Edition Découverte 3.0
Archiveur WinRAR
ArcSoft PhotoStudio 5.5
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
µTorrent
AutoUpdate
Avira AntiVir Personal - Free Antivirus
BlazeDTV 2.5a
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CanoScan Toolbox 4.5
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
Chinese Simplified Fonts Support For Adobe Reader 8
Chinese Traditional Fonts Support For Adobe Reader 8
Dataway
DivX
DivX Content Uploader
DivX Player
DivX Web Player
DriveImage XML
EndNote
eSalaryReport
eSalaryReport2
EuroTalk Talk Now Plus!
FileZilla Client 3.1.0.1
Free CD Ripper 3.1
Google Toolbar for Internet Explorer
HijackThis 2.0.2
HP Color LaserJet CP1210 Series
HP Color LaserJet CP1210 Series Toolbox
HP LaserJet Toolbox
HP Update
HPSSupply
Huge Pine USB to UART Driver
Intel® Play™ QX3™ Computer Microscope
Intel® System Information Viewer
Internet Library
iTunes
J2SE Runtime Environment 5.0 Update 11
Japanese Fonts Support For Adobe Reader 8
Java™ 6 Update 11
Joost ™ Beta 1.0.3
Kaspersky Online Scanner
Lizardtech DjVu Control
Logitech MouseWare 9.79.1
magicolor 2300 DL
Malwarebytes' Anti-Malware
Manual CanoScan LiDE 35
MediaPortal
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97 Professional
Microsoft OpenType Font File Properties Extension
Microsoft Visual C++ 2005 Redistributable
MINOLTA-QMS magicolor 2300 DL Logiciel du pilote d'imprimante
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB928090)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB929969)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB931768)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB933566)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB937143)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB938127)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB939653)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB942615)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB944533)
MovieEdit Task
Mozilla Firefox (3.0.6)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MultiRes (remove only)
OmniPage SE 2.0
Panda ActiveScan
PhotoStitch
Produit Suite driver modem ADSL
QuickTime
RAW Image Task 1.2
RealPlayer
RemoteCapture Task 1.1
Samsung CLP-300 Series
SetIP
Silicon Laboratories CP210x VCP Drivers for Windows 2000/XP/2003 Server
Skins
SoundMAX
UBS BESR e-list 5.2.004 (build 1)
UBSPay
USB File Transfer 1.11A
VaudTax2006
VaudTax2007
VC 9.0 Runtime
VG Driver
VideoLAN VLC media player 0.8.5
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinPhone
XXClone ver 0.58.0
Zattoo 3.3.1 Beta
ZoneAlarm
ZoneAlarm Spy Blocker

==== End Of File ===========================

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:28 AM

Posted 08 February 2009 - 02:26 PM

Hello.

Regarding the GMER question. After you have those 5 settings checked, please click Ok and Apply before closing GMER and restart. Then run GMER by clicking Scan and it will begin to scan. Post the results when it's complete. Also post the Kaspersky log if you are not running it already.

Also, do not run your scans in Safe Mode unless I tell you to. Can you tell me why you ran the scans in safe mode? Any particular reason?

What problems do you still have?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 novirusplease

novirusplease
  • Topic Starter

  • Members
  • 142 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 08 February 2009 - 05:13 PM

Ok, I ran Gmer in Normal mode.


Why in Safe mode?
When running in Normal mode, the CPU is monopolised - a few minutes after Windows boot - by some process. In the Windows task manager, I can see that vsmon.exe in SYSTEM is using all capacities (almost always 98-99%). My PC then becomes extreeeeemely slow. Extremely slow is actually not the adequate word to qualify the situation; "quasi frozen" is closer to reality. In fact, the Gmer scan should not take more than 10-20 minutes to complete (if I am right). It took well above an hour for me. Once the scan completed, it took 10-15 seconds to copy the scan report (yes, the time between clicking the "copy" button and getting the message saying that it had been copied). After that, it took me 20 minutes to paste and save it.
Also, I am not sure that the scan is complete, as it took so long that the screen saver appeared. To stop the screen saver and go back to the normal screen took me about 100 hits on my space bar and more than 60 seconds. When the screen came back, a small message window said that the scan had been stopped (after over an hour of scanning). Not sure when it stopped, not sure if this is the standard message for scan complete.

I am open to scan with Kaspersky in normal mode, but I fear that it will take days, or weeks to complete, if ever it completes. This problem (the main, and also the reason for which I am posting here) is still there after running Gmer.

The Gmer scan report is hereunder.

I am all ears to follow your next instructions.


NOTE: again many thanks for following my case. I realise that we must have a significantly large time differential, as it is about time for me to go to bed. I will check your message, if any, first thing in the morning. I sincerely appreciate that someone in a very far region does care to help me, but in this particular case, it somehow slows down reactivity. My apologies for taking more of your time than it would if we were in the same time region.


----
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-08 22:27:34
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEEC6E6E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xEEC7B490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEEC78C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEEC78E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEEC7CD50]
SSDT F7C663E4 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEEC6EC70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xEEC7BD10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xEEC7BAC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEEC78600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEEC7C230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEEC7C2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEEC6EAD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEEC7A4F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEEC7A2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xEEC7C970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEEC7C3D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xEEC7C7C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEEC71AA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEEC6EEA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xEEC7B800]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEEC79580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xEEC79400]
SSDT F7C663DA ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

? srescan.sys Le fichier spécifié est introuvable. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EEC76410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EEC76220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EEC76B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EEC74780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EEC74780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EEC76410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EEC76220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EEC76B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EEC76410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EEC74780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EEC76B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EEC76220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EEC76B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EEC76220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EEC76410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EEC74780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EEC76410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EEC76220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EEC76B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [EEC7E870] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EEC76410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EEC74780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EEC76B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EEC76220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EEC6F320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EEC6F4D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [EEC6F040] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [EEC6F3D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2028] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5A8F0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2028] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5A8F0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2028] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A528E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2028] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5A8F0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.14 ----

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:28 AM

Posted 08 February 2009 - 05:43 PM

Hello.

Vsmon.exe is related to Zone Alarm Firewall. Let's uninstall it since it is causing so much trouble for you.

Removing Programs using Add/Remove

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

ZoneAlarm
ZoneAlarm Spy Blocker


Additional instructions can be found here if needed.

Reboot afterwards

Your log looks clean right now. GMER is clean and DDS scan is fairly good as well.

Let's see if removing Zone Alarm helps.

Tell me how it goes and post back with a new pair of DDS logs.

With Regards,
Extremeboy
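The helper's verdict above rests on reading the GMER report: every SSDT and kernel IAT hook it lists is attributed to vsdatant.sys, ZoneAlarm's TrueVector driver, except two SSDT entries (ZwCreateThread and ZwWriteVirtualMemory) whose handler address GMER could not tie to any file. The following Python triage helper is an added example, not code from the thread, from GMER or from Check Point: it parses lines in the posted report format, groups hooks by the module GMER attributed them to, and separates out the unresolved ones so a reviewer knows where to look first. The embedded sample report is constructed in the shape of the log posted above.

```python
"""Triage helper for the SSDT and kernel IAT lines of a GMER report.

Added example for this thread; it is not code from GMER, Check Point or
the forum. It reads the report format pasted above, groups every hook by
the module GMER attributed it to, and separates out hooks whose handler
address GMER could not resolve to any file. In the posted log all
attributed hooks belong to vsdatant.sys (ZoneAlarm's TrueVector driver);
the unresolved ones are what a reviewer would look at next.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the report posted in the thread:
# attributed SSDT hooks, two unresolved SSDT hooks, two kernel IAT hooks
# and one user-mode IAT line (a format this small parser does not cover).
SAMPLE_REPORT = r"""
---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEEC6E6E0]
SSDT F7C663E4 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEEC7A4F0]
SSDT F7C663DA ZwWriteVirtualMemory

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EEC76220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [EEC6F040] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2028] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5A8F0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
"""

UNATTRIBUTED = "<unresolved address>"

# "SSDT <module> (<description>) <function> [0x<handler>]"
SSDT_ATTRIBUTED = re.compile(r"^SSDT (\S+) \((.+?)\) (\w+) \[0x([0-9A-Fa-f]+)\]$")
# "SSDT <handler> <function>"  (GMER found no module owning the handler)
SSDT_UNRESOLVED = re.compile(r"^SSDT ([0-9A-Fa-f]+) (\w+)$")
# "IAT <patched driver>[<export module>!<function>] [<handler>] <module> (<description>)"
KERNEL_IAT = re.compile(
    r"^IAT (\S+?)\[(\S+?)!(\w+)\] \[([0-9A-Fa-f]+)\] (\S+) \((.+?)\)$"
)


@dataclass(frozen=True)
class Hook:
    kind: str      # "SSDT" or "IAT"
    target: str    # hooked function, e.g. ZwCreateFile
    victim: str    # driver whose import table was patched (IAT), else "SSDT"
    handler: str   # address the hook redirects to, upper-case hex
    module: str    # file GMER attributed the handler to; "" if unresolved
    vendor: str    # description GMER printed in parentheses; "" if none


def parse_gmer(text):
    """Return (hooks, unparsed): parsed SSDT/IAT hooks plus any SSDT/IAT
    lines the parser did not recognise, so nothing is silently dropped."""
    hooks, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(("SSDT ", "IAT ")):
            continue  # section headers, blank lines, Devices section, etc.
        if m := SSDT_ATTRIBUTED.match(line):
            module, vendor, target, handler = m.groups()
            hooks.append(Hook("SSDT", target, "SSDT", handler.upper(), module, vendor))
        elif m := SSDT_UNRESOLVED.match(line):
            handler, target = m.groups()
            hooks.append(Hook("SSDT", target, "SSDT", handler.upper(), "", ""))
        elif m := KERNEL_IAT.match(line):
            victim, _export_module, target, handler, module, vendor = m.groups()
            hooks.append(Hook("IAT", target, victim, handler.upper(), module, vendor))
        else:
            unparsed.append(line)
    return hooks, unparsed


def hooks_by_module(hooks):
    """Map each attributing module (or UNATTRIBUTED) to its sorted hooked functions."""
    groups = defaultdict(set)
    for h in hooks:
        groups[h.module or UNATTRIBUTED].add(h.target)
    return {module: sorted(targets) for module, targets in groups.items()}


def unresolved_hooks(hooks):
    """Hooks whose handler GMER could not tie to a file: review these first."""
    return [h for h in hooks if not h.module]


if __name__ == "__main__":
    hooks, unparsed = parse_gmer(SAMPLE_REPORT)
    for module, targets in hooks_by_module(hooks).items():
        print(f"{module}: {', '.join(targets)}")
    for h in unresolved_hooks(hooks):
        print(f"unresolved {h.kind} hook on {h.target} -> {h.handler}")
    if unparsed:
        print(f"{len(unparsed)} SSDT/IAT line(s) not understood, check by hand")
```

Run against the full report from the thread, the grouping shows a single attributing module for every resolved hook; the two unresolved handlers and any line the parser rejects are listed separately rather than lost.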

#8 novirusplease

novirusplease
  • Topic Starter

  • Members
  • 142 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 09 February 2009 - 01:52 AM

I ran Kaspersky after removing ZoneAlarm.

Then I ran DDS. Scan reports are as follows:

Many thanks.


----
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, February 9, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 08, 2009 22:50:36
Records in database: 1770849
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\
J:\
K:\
L:\

Scan statistics:
Files scanned: 200619
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 05:36:03

No malware has been detected. The scan area is clean.

The selected area was scanned.

----


DDS (Ver_09-02-01.01) - NTFSx86
Run by YS at 7:44:31.80 on 09.02.2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.896.561 [GMT 1:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BlazeVideo\BlazeDTV 2.5a\MediaDetector.exe
C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\YS\Bureau\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [BlazeServoTool] "c:\program files\blazevideo\blazedtv 2.5a\MediaDetector.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UBSShell] c:\program files\ubs e-banking\ubs shell\UBSShell.exe Hidden
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album edition découverte\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [PrnStatusMX] c:\program files\hewlett-packard\prnstatusmx\PrnStatusMX.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\acroba~1.lnk - c:\program files\adobe\acrobat 4.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\gestio~1.lnk - c:\program files\microsoft office\office\MSOFFICE.EXE
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188102650531
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189487632718
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dr4708~1.yos\applic~1\mozilla\firefox\profiles\gggf2rlf.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\antivir personaledition classic\avgio.sys [2006-12-1 11840]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2006-12-1 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2006-12-1 151297]
R2 MLPTDR_B;MLPTDR_B;c:\windows\system32\MLPTDR_B.SYS [2002-7-23 19872]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2008-1-11 799744]
R3 AF05BDA;AF9005 BDA Device;c:\windows\system32\drivers\AF05BDA.sys [2007-10-22 117376]
R3 avgntflt;avgntflt;c:\program files\antivir personaledition classic\avgntflt.sys [2006-12-1 52032]
S1 atitray;atitray;\??\c:\program files\radeon omega drivers\v3.8.252\ati tray tools\atitray.sys --> c:\program files\radeon omega drivers\v3.8.252\ati tray tools\atitray.sys [?]
S1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\avgascln.sys --> c:\windows\system32\drivers\AvgAsCln.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2006-12-30 131776]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2007-1-31 28928]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-02-08 09:47 357 a------- c:\windows\gmer.ini
2009-01-26 16:06 <DIR> --d----- C:\spoolerlogs

==================== Find3M ====================

2009-01-31 07:55 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-09 16:57 410,984 a------- c:\windows\system32\deploytk.dll
2008-06-07 07:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012008060720080608\index.dat
2008-06-07 07:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 7:44:48.64 ===============


---


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professionnel
Boot Device: \Device\HarddiskVolume1
Install Date: 27/10/2006 23:10:25
System Uptime: 02/09/2009 07:19:39 (-4920 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7V8X-X
Processor: AMD Athlon™ XP 2600+ | SOCKET A | 1905/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 46,308 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 75 GiB total, 36,174 GiB free.
F: is CDROM ()
I: is Removable
J: is Removable
K: is Removable
L: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP128: 11/12/2008 10:13:30 - Point de vérification système
RP129: 12/12/2008 20:49:19 - Point de vérification système
RP130: 14/12/2008 08:47:59 - Point de vérification système
RP131: 15/12/2008 17:25:05 - Point de vérification système
RP132: 16/12/2008 19:17:06 - Point de vérification système
RP133: 17/12/2008 20:17:55 - Point de vérification système
RP134: 18/12/2008 20:52:50 - Point de vérification système
RP135: 19/12/2008 21:10:27 - Point de vérification système
RP136: 21/12/2008 09:55:32 - Point de vérification système
RP137: 22/12/2008 12:18:40 - Point de vérification système
RP138: 23/12/2008 13:46:08 - Point de vérification système
RP139: 25/12/2008 10:06:00 - Point de vérification système
RP140: 26/12/2008 14:48:32 - Point de vérification système
RP141: 27/12/2008 14:58:37 - Point de vérification système
RP142: 29/12/2008 08:07:48 - Point de vérification système
RP143: 30/12/2008 09:33:10 - Point de vérification système
RP144: 31/12/2008 09:43:01 - Point de vérification système
RP145: 01/01/2009 10:56:07 - Point de vérification système
RP146: 02/01/2009 21:47:56 - Point de vérification système
RP147: 03/01/2009 22:20:15 - Point de vérification système
RP148: 04/01/2009 22:22:51 - Point de vérification système
RP149: 06/01/2009 08:19:32 - Point de vérification système
RP150: 07/01/2009 12:23:12 - Point de vérification système
RP151: 08/01/2009 16:44:21 - Point de vérification système
RP152: 09/01/2009 18:08:49 - Point de vérification système
RP153: 11/01/2009 08:37:04 - Point de vérification système
RP154: 12/01/2009 09:17:05 - Point de vérification système
RP155: 13/01/2009 18:51:43 - Point de vérification système
RP156: 15/01/2009 19:26:47 - Point de vérification système
RP157: 16/01/2009 19:48:39 - Point de vérification système
RP158: 18/01/2009 09:39:14 - Point de vérification système
RP159: 19/01/2009 09:50:09 - Point de vérification système
RP160: 20/01/2009 18:17:56 - Point de vérification système
RP161: 22/01/2009 18:02:10 - Point de vérification système
RP162: 23/01/2009 21:05:46 - Point de vérification système
RP163: 25/01/2009 20:24:37 - Point de vérification système
RP164: 27/01/2009 12:12:25 - Point de vérification système
RP165: 28/01/2009 13:01:06 - Point de vérification système
RP166: 28/01/2009 19:43:11 - Installed Windows Media Player 11
RP167: 30/01/2009 16:01:27 - Point de vérification système
RP168: 09/02/2009 00:27:26 - Point de vérification système

==== Installed Programs ======================

63-Zero
A&D WinCT-Moisture
A&D WinCT-UFC
Active@ ISO Burner v 1.1
Adobe Acrobat 4.0
Adobe Acrobat 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe PDF IFilter 6.0
Adobe Reader 8.1.2 - Français
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe® Photoshop® Album Edition Découverte 3.0
Archiveur WinRAR
ArcSoft PhotoStudio 5.5
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
µTorrent
AutoUpdate
Avira AntiVir Personal - Free Antivirus
BlazeDTV 2.5a
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CanoScan Toolbox 4.5
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
Chinese Simplified Fonts Support For Adobe Reader 8
Chinese Traditional Fonts Support For Adobe Reader 8
Dataway
DivX
DivX Content Uploader
DivX Player
DivX Web Player
DriveImage XML
EndNote
eSalaryReport
eSalaryReport2
EuroTalk Talk Now Plus!
FileZilla Client 3.1.0.1
Free CD Ripper 3.1
Google Toolbar for Internet Explorer
HijackThis 2.0.2
HP Color LaserJet CP1210 Series
HP Color LaserJet CP1210 Series Toolbox
HP LaserJet Toolbox
HP Update
HPSSupply
Huge Pine USB to UART Driver
Intel® Play™ QX3™ Computer Microscope
Intel® System Information Viewer
Internet Library
iTunes
J2SE Runtime Environment 5.0 Update 11
Japanese Fonts Support For Adobe Reader 8
Java™ 6 Update 11
Joost ™ Beta 1.0.3
Kaspersky Online Scanner
Lizardtech DjVu Control
Logitech MouseWare 9.79.1
magicolor 2300 DL
Malwarebytes' Anti-Malware
Manual CanoScan LiDE 35
MediaPortal
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97 Professional
Microsoft OpenType Font File Properties Extension
Microsoft Visual C++ 2005 Redistributable
MINOLTA-QMS magicolor 2300 DL Logiciel du pilote d'imprimante
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB928090)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB929969)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB931768)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB933566)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB937143)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB938127)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB939653)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB942615)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB944533)
MovieEdit Task
Mozilla Firefox (3.0.6)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MultiRes (remove only)
OmniPage SE 2.0
Panda ActiveScan
PhotoStitch
Produit Suite driver modem ADSL
QuickTime
RAW Image Task 1.2
RealPlayer
RemoteCapture Task 1.1
Samsung CLP-300 Series
SetIP
Silicon Laboratories CP210x VCP Drivers for Windows 2000/XP/2003 Server
Skins
SoundMAX
UBS BESR e-list 5.2.004 (build 1)
UBSPay
USB File Transfer 1.11A
VaudTax2006
VaudTax2007
VC 9.0 Runtime
VG Driver
VideoLAN VLC media player 0.8.5
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinPhone
XXClone ver 0.58.0
Zattoo 3.3.1 Beta

==== End Of File ===========================

#9 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:28 AM

Posted 09 February 2009 - 12:59 PM

Hello.

Kaspersky scan was clean. Hijackthis log also looks fine. How's your computer running at the moment? Any problems?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 novirusplease

  • Topic Starter
  • Members
  • 142 posts
  • Local time:01:28 AM

Posted 09 February 2009 - 02:24 PM

Glad to hear that both Kaspersky scan and Hijackthis log are clean. I am sincerely relieved.

So far, my PC runs smoothly, not slower, but not faster than before THE problem.
I am a bit scared at the moment because there is no firewall running. Also, I have some difficulty locating the ZoneAlarm.exe file. Did we completely erase it when removing ZoneAlarm from the Control Panel?

#11 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:28 AM

Posted 09 February 2009 - 03:53 PM

Hello.

Let's get you to install a firewall. Just wanted to make sure you don't have any problems. Don't install Zone Alarm since it was causing major slow down for you.

Install Firewall

Install a third-party firewall from the following selection of excellent programs.

The main reason you would prefer a third-party firewall over the Windows XP Firewall is because Windows Firewall only stops incoming signals from accessing your computer. However, it will not stop outgoing signals (possibly ones that could intrude on your privacy) from sending information to the Internet or to other networks.

After you have installed one of the above firewalls, please disable your Windows Firewall, if you had it enabled.

*Note: If you choose the PC Tools Firewall Plus and you are asked to install ThreatFire do not do so.

Tell me how it goes.

With Regards,
Extremeboy

#12 novirusplease

  • Topic Starter
  • Members
  • 142 posts
  • Local time:01:28 AM

Posted 09 February 2009 - 05:07 PM

Sorry for my ignorance.
Is there any "Better" firewall? I used ZoneAlarm so far, mainly because it is free and I was not aware of any (critical) negative feedback.

Is your list in any specific order of preference or are these programs all equal in efficiency and reliability?

#13 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:28 AM

Posted 09 February 2009 - 05:30 PM

Hello.

No. They are not ranked from top to bottom. They are just listed there as how I put them there.

Choosing a firewall or anti-virus software is based on personal preference and how well it works on your machine. Those are just some free firewall programs I listed above that are fairly popular and many people use them. There are probably a lot more but I can't list all of them, now can I? Some of those I listed require a registration, meaning they need your e-mail address so they can privately e-mail you the code.

With Regards,
Extremeboy

#14 novirusplease

  • Topic Starter
  • Members
  • 142 posts
  • Local time:01:28 AM

Posted 09 February 2009 - 06:02 PM

Ok, I just installed PC Tools Firewall. I will probably need some time to understand all features and settings. By the way, there is a strange white and green vertical bar on the extreme left side of my screen. Do you think it has to do with PC Tools Firewall?

I did not pick ZoneAlarm as I had some troubles (THE problem), although I like it somehow.

---
Now, it is already tomorrow, therefore I am afraid I will have to get some sleep. However, I will definitely read and follow your instructions first thing in the morning.

Thanks again for following up my case.

#15 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:28 AM

Posted 09 February 2009 - 06:09 PM

Hello.

No Problem. Get some good sleep. We are almost done anyways.

I'm not too sure what that green vertical bar is, but if it happened right after your reboot following the installation of PC Tools Firewall, then I believe it should be related to it.

Post back with a new pair of DDS logs please before we wrap everything up.

With Regards,
Extremeboy
