Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan-Downloader.Win32.FraudLoad.dnt


  • This topic is locked This topic is locked
20 replies to this topic

#1 Kevlar1

Kevlar1

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 22 February 2009 - 10:50 PM

Had msantispyware2099 infection. Ran a-squared, spybot, ad-aware, avg, registry mechanic and zonealarm spy/virus. Most in safe mode. Found and deleted numerous entries. Was still getting a pop-up every 5 minutes or so trying to connect to anykuy.com. Also a periodic pop-up asking if I would like to scan my computer. Zonealarm referenced the above infection, but could only rename the file. I moved it to the desktop and was able to delete it after a restart. It was automatically replaced with a new userinit.exe file and logs on to windows fine now. The pop ups seem to have stopped, but my computer wont complete a shutdown on its own. I have to power it off with the button. Would you experts check to see that I dont have any remnants or problems left.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Kevin at 21:28:12.06 on Sun 02/22/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.67 [GMT -6:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [NWEReboot]
mRun: [RegistryMechanic]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file://e:\setup\RiffLick.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
Filter: text/html - {b8a66a13-0327-4942-aa13-3f0525169f10} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-2-21 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-8-18 353680]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-7-16 421496]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-12-20 70016]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-02-22 21:07 <DIR> --d----- c:\program files\SonicWallES
2009-02-21 23:01 <DIR> --d----- c:\docume~1\kevin\applic~1\MailFrontier
2009-02-21 22:38 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-02-21 15:32 <DIR> --d----- c:\program files\Trend Micro
2009-02-20 07:54 <DIR> --d----- c:\docume~1\kevin\applic~1\Malwarebytes
2009-02-20 07:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 07:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 07:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-20 07:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-04 19:59 <DIR> --d----- c:\windows\system32\myscreenspace
2009-02-04 19:46 503,808 a------- c:\windows\A Perfect Circle.scr
2009-02-04 19:46 606,848 a------- c:\windows\flashax.exe
2009-02-04 19:46 12,288 a------- c:\windows\impborl.dll
2009-02-04 19:46 <DIR> --d----- c:\windows\A Perfect Circle dir
2009-01-23 22:45 152 a------- c:\windows\MetroTimer.ini
2009-01-23 22:13 <DIR> --d----- c:\program files\Free Metronome

==================== Find3M ====================

2009-02-22 21:29 19,837,472 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-22 20:49 260,888 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-02-22 14:52 34 a------- c:\documents and settings\kevin\jagex_runescape_preferences.dat
2009-02-21 22:52 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-21 17:46 29,238 a------- c:\windows\DIIUnin.dat
2008-12-21 17:30 94,208 a------- c:\windows\DIIUnin.exe
2008-12-21 17:30 2,829 a------- c:\windows\DIIUnin.pif
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2005-12-19 09:12 23,357 a---h--- c:\program files\folder.htt
2005-12-19 09:12 271 ---sh--- c:\program files\desktop.ini
2008-08-29 20:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 21:31:06.90 ===============

Attached Files


Edited by Kevlar1, 22 February 2009 - 10:54 PM.


BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:11:29 AM

Posted 05 March 2009 - 10:48 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Kevlar1

Kevlar1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 06 March 2009 - 06:33 PM

New DDS

DDS (Ver_09-02-01.01) - NTFSx86
Run by Kevin at 17:17:40.81 on Fri 03/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.175 [GMT -6:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\a-squared free\a2service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file://e:\setup\RiffLick.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-28 64160]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-2-21 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-8-18 353680]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-7-16 421496]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-12-20 70016]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-02-28 12:52 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-28 10:14 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-28 10:07 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 07:31 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-23 22:22 <DIR> --d----- c:\docume~1\kevin\applic~1\Windows Search
2009-02-23 22:20 <DIR> --d----- c:\docume~1\kevin\applic~1\Windows Desktop Search
2009-02-23 15:32 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-23 15:29 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-23 15:29 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-23 15:29 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-23 15:29 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-23 15:29 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-23 15:29 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-23 15:29 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-23 15:26 <DIR> --d----- c:\windows\SxsCaPendDel
2009-02-23 14:33 <DIR> --d----- c:\program files\Windows Desktop Search
2009-02-23 14:33 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-02-23 14:28 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-02-23 14:28 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-02-23 14:28 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-02-22 22:43 <DIR> a-dshr-- C:\cmdcons
2009-02-22 22:41 161,792 a------- c:\windows\SWREG.exe
2009-02-22 22:41 98,816 a------- c:\windows\sed.exe
2009-02-22 21:07 <DIR> --d----- c:\program files\SonicWallES
2009-02-21 23:01 <DIR> --d----- c:\docume~1\kevin\applic~1\MailFrontier
2009-02-21 22:38 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-02-21 15:32 <DIR> --d----- c:\program files\Trend Micro
2009-02-20 07:54 <DIR> --d----- c:\docume~1\kevin\applic~1\Malwarebytes
2009-02-20 07:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 07:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 07:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-20 07:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-04 19:59 <DIR> --d----- c:\windows\system32\myscreenspace
2009-02-04 19:46 503,808 a------- c:\windows\A Perfect Circle.scr
2009-02-04 19:46 606,848 a------- c:\windows\flashax.exe
2009-02-04 19:46 12,288 a------- c:\windows\impborl.dll
2009-02-04 19:46 <DIR> --d----- c:\windows\A Perfect Circle dir

==================== Find3M ====================

2009-03-06 17:01 151,827,232 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-06 17:01 1,716,128 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-05 07:41 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-22 14:52 34 a------- c:\documents and settings\kevin\jagex_runescape_preferences.dat
2008-12-21 17:46 29,238 a------- c:\windows\DIIUnin.dat
2008-12-21 17:30 94,208 a------- c:\windows\DIIUnin.exe
2008-12-21 17:30 2,829 a------- c:\windows\DIIUnin.pif
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2005-12-19 09:12 23,357 a---h--- c:\program files\folder.htt
2005-12-19 09:12 271 ---sh--- c:\program files\desktop.ini
2008-08-29 20:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 17:19:33.60 ===============

Attached Files



#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:29 AM

Posted 07 March 2009 - 04:49 PM

Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

Third, follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go.

Fourth, Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Now onto trying to fix your computer.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#5 Kevlar1

Kevlar1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 07 March 2009 - 07:20 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 5.1.2600 Service Pack 3

3/7/2009 6:17:26 PM
mbam-log-2009-03-07 (18-17-26).txt

Scan type: Quick Scan
Objects scanned: 109224
Time elapsed: 13 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:29 AM

Posted 07 March 2009 - 08:56 PM

what happens when you try to shutdown?

I need you to go to the administration tools in XP. They are in the Control Panel. Open the Admin tools, then open the event viewer. Over on the left hand side and click on System. Then up at the top click on Action and then click on Save Events As, type in system as the file name, make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click save. Over on the left hand side and click on Application. Then up at the top click on Action and then click on Save Events As, type in application as the file name, make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click save. Zip them both up into a single zip file, post them back here in your next reply as attachments.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#7 Kevlar1

Kevlar1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 08 March 2009 - 08:56 AM

Hoov,
Thanks for the help. When I try to shut down, it takes forever with the hard drive activity light finally stopping and the machine stalls at a point just before it should shut down. If in safe mode it shuts down fine. Otherwise I have to use the power button to complete it. It also seems to take longer than usual to start up and to complete tasks, such as opening a browser or outlook. I remember reading somewhere that the new zonealarm can use a lot of resources and people were reverting to an earlier version? Thinking of going back to AVG or Avir and see if that helps. Will not change anything without your OK. Also, I ran malwarebytes and Combofix before being contacted by you, and it did find some things if I remember correctly. Requested files attached.
Thanks,
Kevin

Attached Files



#8 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:29 AM

Posted 08 March 2009 - 10:55 AM

It could be ZoneAlarm, but it is usually caused by a bad install. To test that out, disconnect from the internet, and then right click on the ZA icon in the system tray and select shutdown ZA. Once it is done shutting down, try to shutdown windows, and see if it hangs as it did before. Let me know what happens.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#9 Kevlar1

Kevlar1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 08 March 2009 - 12:05 PM

Hoov,
First time I did not even complete a shut down of zonealarm and it froze. Could not get into task mgr or anything. Had to power down with the button and restart. After that I shut down successfully three times. 1st time closed down zonealarm and ad-aware tray then shut down, 2nd just closed down zone alarm and shut down. 3rd was a successful normal shut down. However start ups seem painfully slow, and certain tasks seem slow also. Aawservice.exe and updclient.exe seem to be using 90% of resources at times.
Thanks,
Kevin

#10 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:29 AM

Posted 08 March 2009 - 02:03 PM

Startups with ZoneAlarm have always been problematic, because everything that starts up, ZA does an MD5 signature check of the file, to make sure it has not changed or been altered by malware. The more you have starting up, the slower the startup. One thing you can do to check to see if it is ZA is to open ZoneAlarm, go to the overview section then to the preferences tab and uncheck the load with windows checkbox, disconnect physically from the internet and reboot. If the boot up goes lots faster, then you can manually start ZA, recheck the box, and then we need to look at trimming down your startup procedure. Its better doing that than trying to remember to start ZA before connecting to the internet.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#11 Kevlar1

Kevlar1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 08 March 2009 - 03:11 PM

Hoov,
Configured zonealarm to not startup with windows. On shutdown computer hung at "windows is shutting down screen". Had to power off with button again. Restarted and the aaw file was using most resources. Turned off adaware real time protection and restarted successfully. Things seem to be a a bit quicker, however I still have zonealarm off. You have not mentioned anything about my logs. How do they look?
Thanks,
Kevin

#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:29 AM

Posted 08 March 2009 - 03:55 PM

Your event viewer logs show that you had big problems on the 7th, but they seem to have straightened themselves out. Other than that there is just the normal kind of problems that crop up from time to time. The DDS scan is also fine. Leave AAW turned off and turn ZA back on and do a reboot that way. I think your problem is mostly software in nature. We just need to find the right combination.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#13 Kevlar1

Kevlar1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 08 March 2009 - 04:44 PM

Hoov,
Shutdown is taking 7 minutes. Restart and logon is 5+ to the point where the zonealarm tray icon shows up. 6 1/2 or so till the hard drive activity light slows down. 10-15 minutes for a restart. I click on the IE icon and it takes 30-45 seconds till my homepage shows up.

#14 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:29 AM

Posted 08 March 2009 - 05:53 PM

How about if ZA and AAW are both turned off and not allowed to start on restart.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#15 Kevlar1

Kevlar1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 08 March 2009 - 06:42 PM

Hoov,
Not sure how consistent any of this is but, with ZA and AAW both shut off my computer shut down twice in a row at 30 seconds or under. Startups are around 3 minutes or so. Internet explorer and outlook seem to respond better also.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users