
Deeply infected computer


  • This topic is locked
14 replies to this topic

#1 Siphotomo

Siphotomo

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 12 March 2009 - 09:00 PM

This is what I've done previously with garmanma helping me:

http://www.bleepingcomputer.com/forums/t/208653/computer-restarting-automatically/




DDS (Ver_09-02-01.01) - NTFSx86
Run by Jeff at 22:57:37.04 on Thu 03/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.892 [GMT -7:00]

FW: ZoneAlarm Pro Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {b5801fda-b112-48c5-95a3-d3248d4889bc} - c:\windows\system32\mcicda32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236900437812
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeff\applic~1\mozilla\firefox\profiles\okc3krka.default\

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-12 353672]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-03-12 21:54 --d----- c:\program files\BurnWorld
2009-03-12 21:43 --d----- c:\program files\avisplit
2009-03-12 21:35 --d----- c:\docume~1\jeff\applic~1\BSplayer Pro
2009-03-12 21:35 --d----- c:\docume~1\jeff\applic~1\BSplayer
2009-03-12 21:35 --d----- c:\program files\Webteh
2009-03-12 21:24 815,104 a------- c:\windows\system32\xvidcore.dll
2009-03-12 21:24 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-03-12 21:24 77,824 a------- c:\windows\system32\xvid.ax
2009-03-12 21:24 --d----- c:\program files\Xvid
2009-03-12 21:21 --d----- c:\program files\common files\DivX Shared
2009-03-12 21:21 --d----- c:\program files\DivX
2009-03-12 20:00 --d----- c:\program files\Serials 2005
2009-03-12 19:00 --d----- c:\docume~1\jeff\applic~1\BitTorrent
2009-03-12 18:53 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-12 18:38 --d----- c:\program files\Zone Labs
2009-03-12 18:38 --d----- c:\windows\Internet Logs
2009-03-12 18:05 29,952 a------- c:\windows\system32\mcicda32.dll
2009-03-12 17:24 --d----- c:\program files\Realtek AC97
2009-03-12 16:51 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-12 16:51 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-12 16:51 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-12 16:51 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-12 16:43 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-03-12 16:43 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-03-12 16:43 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-12 16:43 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-03-12 16:43 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-03-12 16:43 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-03-12 16:43 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-12 16:43 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-12 16:43 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-03-12 16:40 --d----- c:\windows\network diagnostic
2009-03-12 16:17 --d----- c:\windows\system32\CatRoot_bak
2009-03-12 16:17 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-12 16:17 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-03-12 16:15 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-12 16:15 --dsh--- c:\documents and settings\jeff\UserData
2009-03-12 16:14 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-03-12 16:14 --d----- c:\windows\system32\PreInstall
2009-03-12 16:14 --d-h--- c:\windows\$hf_mig$
2009-03-12 16:13 --d----- c:\documents and settings\Jeff
2009-03-12 16:11 13,648 a------- c:\windows\system32\wpa.bak
2009-03-12 16:10 --d----- c:\windows\system32\SoftwareDistribution
2009-03-12 16:06 --ds---- c:\windows\system32\Microsoft
2009-03-12 16:06 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-12 16:03 38,912 ac------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-03-12 16:02 66,594 ac------ c:\windows\system32\dllcache\c_864.nls
2009-03-12 16:00 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-12 15:59 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-12 15:59 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-12 15:59 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-12 15:59 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-12 15:58 196,864 a------- c:\windows\system32\drivers\rdpdr.sys
2009-03-12 15:58 40,840 a------- c:\windows\system32\drivers\termdd.sys
2009-03-12 15:55 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-03-12 15:55 1,888,992 a------- c:\windows\system32\ati3duag.dll
2009-03-12 15:55 870,784 a------- c:\windows\system32\ati3d1ag.dll
2009-03-12 15:55 701,440 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-03-12 15:55 516,768 a------- c:\windows\system32\ativvaxx.dll
2009-03-12 15:55 201,728 a------- c:\windows\system32\ati2dvag.dll
2009-03-12 15:54 27,165 a------- c:\windows\system32\drivers\fetnd5.sys
2009-03-12 15:54 74,240 a------- c:\windows\system32\usbui.dll
2009-03-12 15:54 685,056 a------- c:\windows\system32\drivers\HSFCXTS2.sys
2009-03-12 15:54 220,032 a------- c:\windows\system32\drivers\HSFBS2S2.sys
2009-03-12 15:54 86,016 a------- c:\windows\system32\mdmxsdk.dll
2009-03-12 15:54 32,285 a------- c:\windows\system32\HSFCISP2.dll
2009-03-12 15:54 11,868 a------- c:\windows\system32\drivers\mdmxsdk.sys
2009-03-12 15:53 1,041,536 a------- c:\windows\system32\drivers\HSFDPSP2.sys
2009-03-12 15:53 129,045 a------- c:\windows\system32\drivers\cxthsfS2.cty
2009-03-12 15:15 --d----- c:\windows\system32\xircom
2009-03-12 15:15 0 a------- c:\windows\control.ini
2009-03-12 15:15 23,392 a------- c:\windows\system32\nscompat.tlb
2009-03-12 15:15 16,832 a------- c:\windows\system32\amcompat.tlb
2009-03-12 15:15 316,640 a------- c:\windows\WMSysPr9.prx
2009-03-12 15:14 --dsh--- c:\documents and settings\all users\DRM
2009-03-12 15:13 --d-h--- c:\program files\WindowsUpdate
2009-03-12 15:12 --d----- c:\program files\common files\MSSoap
2009-03-12 15:11 --d----- c:\program files\Online Services
2009-03-12 15:11 --d----- c:\program files\Messenger
2009-03-12 15:10 --d----- c:\program files\MSN Gaming Zone
2009-03-12 15:10 --d----- c:\program files\Windows NT
2009-03-12 07:04 --d----- c:\program files\common files\ODBC
2009-03-12 07:04 --d----- c:\program files\common files\SpeechEngines
2009-03-12 07:04 --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-03-12 15:59 22,720 a------- c:\windows\system32\emptyregdb.dat
2009-03-12 15:14 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-15 23:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-26 18:35 129,784 -------- c:\windows\system32\pxafs.dll
2009-01-26 18:35 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-01-26 18:35 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-01-26 18:35 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-01-26 18:35 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-01-26 18:35 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-01-26 18:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-01-26 18:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-01-26 18:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-01-26 18:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-26 18:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-01-26 18:34 684,032 a------- c:\windows\system32\DivX.dll
2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 22:57:57.65 ===============

Attached Files


Edited by Siphotomo, 12 March 2009 - 09:02 PM.



#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:10:34 PM

Posted 24 March 2009 - 04:01 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Siphotomo

Siphotomo
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 25 March 2009 - 06:27 PM

I am still getting multiple blue screen errors, mainly when I'm trying to run Malwarebytes' Anti-Malware or any other program that is used to get rid of viruses/malware/spyware. Since I posted the last log I have also reinstalled Microsoft Windows XP SP2 and installed all the updates, with the exception of SP3, because I was told not to install it until I have all the malware/viruses/spyware removed from the PC; otherwise it will be harder to fix if I update it before addressing the problems. I noticed I have 5 different svchost.exe running in the Processes tab of Task Manager. I don't think this is normal, I don't know, but the svchost.exe are running as this...


Image Name    User Name        CPU  Mem Usage
svchost.exe   SYSTEM           00   4,712K
svchost.exe   NETWORK SERVICE  00   3,960K
svchost.exe   SYSTEM           00   23,940K
svchost.exe   NETWORK SERVICE  00   5,928K
svchost.exe   LOCAL SERVICE    00   4,360K


I can close 2 or 3 of the svchost.exe, but when I close some of them they start a system shutdown countdown, so I just go to the cmd prompt and type "shutdown -a" to abort it, and then they reload. I can get it down to 2 or 3 without some of them reloading, so they must be bad, I'm assuming, I think. I don't know. I try to run Malwarebytes' Anti-Malware, but ALMOST every time I try running it I get an error loading it, or it errors out during the scan; I can only run it in Safe Mode, which isn't any good because I need to run it in regular mode. Please help. Thank you so much for any help; I appreciate the time you're taking.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jeff at 15:52:26.89 on Wed 03/25/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.818 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jeff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\jeff\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236900437812
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeff\applic~1\mozilla\firefox\profiles\okc3krka.default\

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-24 28544]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-13 11840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-12 353672]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-13 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-13 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-13 52032]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-03-25 11:24 950 a------- C:\net_save.dna
2009-03-25 11:24 <DIR> --d----- c:\program files\support.com
2009-03-25 11:24 <DIR> --d----- c:\program files\common files\SupportSoft
2009-03-24 15:29 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-03-24 15:28 <DIR> --d----- c:\program files\Panda Security
2009-03-24 15:15 <DIR> --d----- C:\VundoFix Backups
2009-03-22 10:30 <DIR> --dsh--- C:\found.000
2009-03-20 22:34 <DIR> --d----- c:\docume~1\jeff\applic~1\IObit
2009-03-20 21:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-20 21:22 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-20 21:22 <DIR> --d----- c:\docume~1\jeff\applic~1\SUPERAntiSpyware.com
2009-03-20 21:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-20 19:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-20 19:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 19:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 08:11 <DIR> --d----- c:\docume~1\jeff\applic~1\Malwarebytes
2009-03-20 08:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-17 09:24 <DIR> --d----- c:\program files\Sony
2009-03-15 21:18 <DIR> --d----- c:\program files\PeerGuardian2
2009-03-15 20:52 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-15 20:49 <DIR> --d----- c:\program files\Lavasoft
2009-03-14 02:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-14 01:51 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-14 01:51 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-13 01:08 <DIR> --d----- c:\program files\Avira
2009-03-13 01:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-13 00:54 <DIR> --d----- c:\program files\BurnWorld
2009-03-13 00:43 <DIR> --d----- c:\program files\avisplit
2009-03-13 00:35 <DIR> --d----- c:\docume~1\jeff\applic~1\BSplayer Pro
2009-03-13 00:35 <DIR> --d----- c:\docume~1\jeff\applic~1\BSplayer
2009-03-13 00:35 <DIR> --d----- c:\program files\Webteh
2009-03-13 00:24 815,104 a------- c:\windows\system32\xvidcore.dll
2009-03-13 00:24 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-03-13 00:24 77,824 a------- c:\windows\system32\xvid.ax
2009-03-13 00:24 <DIR> --d----- c:\program files\Xvid
2009-03-13 00:21 <DIR> --d----- c:\program files\common files\DivX Shared
2009-03-13 00:21 <DIR> --d----- c:\program files\DivX
2009-03-12 23:00 <DIR> --d----- c:\program files\Serials 2005
2009-03-12 22:00 <DIR> --d----- c:\docume~1\jeff\applic~1\BitTorrent
2009-03-12 21:53 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-12 21:38 <DIR> --d----- c:\program files\Zone Labs
2009-03-12 21:38 <DIR> --d----- c:\windows\Internet Logs
2009-03-12 20:24 <DIR> --d----- c:\program files\Realtek AC97
2009-03-12 19:51 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-12 19:51 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-12 19:51 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-12 19:51 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-12 19:43 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-03-12 19:43 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-03-12 19:43 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-12 19:43 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-03-12 19:43 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-03-12 19:43 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-03-12 19:43 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-12 19:43 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-12 19:43 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-03-12 19:40 <DIR> --d----- c:\windows\network diagnostic
2009-03-12 19:17 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-12 19:17 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-12 19:17 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-03-12 19:15 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-12 19:15 <DIR> --dsh--- c:\documents and settings\jeff\UserData
2009-03-12 19:14 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-03-12 19:14 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-12 19:14 <DIR> --d-h--- c:\windows\$hf_mig$
2009-03-12 19:13 <DIR> --d----- c:\documents and settings\Jeff
2009-03-12 19:11 13,648 a------- c:\windows\system32\wpa.bak
2009-03-12 19:10 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-03-12 19:06 <DIR> --ds---- c:\windows\system32\Microsoft
2009-03-12 19:06 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-12 19:03 38,912 ac------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-03-12 19:02 66,594 ac------ c:\windows\system32\dllcache\c_864.nls
2009-03-12 19:00 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-12 18:59 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-12 18:59 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-12 18:59 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-12 18:59 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-12 18:58 196,864 a------- c:\windows\system32\drivers\rdpdr.sys
2009-03-12 18:58 40,840 a------- c:\windows\system32\drivers\termdd.sys
2009-03-12 18:55 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-03-12 18:55 1,888,992 a------- c:\windows\system32\ati3duag.dll
2009-03-12 18:55 870,784 a------- c:\windows\system32\ati3d1ag.dll
2009-03-12 18:55 701,440 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-03-12 18:55 516,768 a------- c:\windows\system32\ativvaxx.dll
2009-03-12 18:55 201,728 a------- c:\windows\system32\ati2dvag.dll
2009-03-12 18:54 27,165 a------- c:\windows\system32\drivers\fetnd5.sys
2009-03-12 18:54 74,240 a------- c:\windows\system32\usbui.dll
2009-03-12 18:54 685,056 a------- c:\windows\system32\drivers\HSFCXTS2.sys
2009-03-12 18:54 220,032 a------- c:\windows\system32\drivers\HSFBS2S2.sys
2009-03-12 18:54 86,016 a------- c:\windows\system32\mdmxsdk.dll
2009-03-12 18:54 32,285 a------- c:\windows\system32\HSFCISP2.dll
2009-03-12 18:54 11,868 a------- c:\windows\system32\drivers\mdmxsdk.sys
2009-03-12 18:53 1,041,536 a------- c:\windows\system32\drivers\HSFDPSP2.sys
2009-03-12 18:53 129,045 a------- c:\windows\system32\drivers\cxthsfS2.cty
2009-03-12 18:15 <DIR> --d----- c:\windows\system32\xircom
2009-03-12 18:15 0 a------- c:\windows\control.ini
2009-03-12 18:15 23,392 a------- c:\windows\system32\nscompat.tlb
2009-03-12 18:15 16,832 a------- c:\windows\system32\amcompat.tlb
2009-03-12 18:15 316,640 a------- c:\windows\WMSysPr9.prx
2009-03-12 18:14 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-03-12 18:13 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-03-12 18:12 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-12 18:11 <DIR> --d----- c:\program files\Online Services
2009-03-12 18:11 <DIR> --d----- c:\program files\Messenger
2009-03-12 18:10 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-03-12 18:10 <DIR> --d----- c:\program files\Windows NT
2009-03-12 10:04 <DIR> --d----- c:\program files\common files\ODBC
2009-03-12 10:04 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-03-12 10:04 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-03-15 04:03 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-12 18:59 22,720 a------- c:\windows\system32\emptyregdb.dat
2009-02-16 02:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-26 21:35 129,784 -------- c:\windows\system32\pxafs.dll
2009-01-26 21:35 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-01-26 21:35 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-01-26 21:35 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-01-26 21:35 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-01-26 21:35 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-01-26 21:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-01-26 21:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-26 21:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-01-26 21:34 684,032 a------- c:\windows\system32\DivX.dll

============= FINISH: 15:52:58.85 ===============

Attached Files
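The DDS reports in posts #1 and #3 are plain text with fixed section headers, which makes them easy to triage mechanically. What follows is an added example, not code from the thread or from the DDS tool: it splits a report into its sections, counts how many svchost.exe entries the Running Processes list holds (five in the post #1 log, the same number the poster later sees in Task Manager; a stock XP installation normally runs about five service hosts, one per `-k` group), and cross-references every `BHO:` line against the Created Last 30 list, so that a browser helper object whose DLL appeared within the report window, or one registered against No File, is flagged for an analyst to look at. The sample report is constructed from lines in the logs above; a flag is a prompt for review, not a verdict.

```python
"""Triage helpers for DDS reports (added example, not part of the thread or of DDS)."""
import ntpath
import re

# Constructed sample: lines copied from the post #1 and post #3 DDS logs above.
SAMPLE_DDS = r"""
DDS (Ver_09-02-01.01) - NTFSx86
Run by Jeff at 22:57:37.04 on Thu 03/12/2009

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE

============== Pseudo HJT Report ===============

BHO: {b5801fda-b112-48c5-95a3-d3248d4889bc} - c:\windows\system32\mcicda32.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

=============== Created Last 30 ================

2009-03-12 21:54 --d----- c:\program files\BurnWorld
2009-03-12 21:24 815,104 a------- c:\windows\system32\xvidcore.dll
2009-03-12 18:05 29,952 a------- c:\windows\system32\mcicda32.dll
2009-03-12 16:51 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-20 19:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

============= FINISH: 22:57:57.65 ===============
"""

SECTION_RE = re.compile(r'^=+\s*(.+?)\s*=+$')
BHO_RE = re.compile(r'^BHO: (\{[0-9A-Fa-f-]{36}\}) - (.+)$')
# date, time, optional <DIR>, optional size, 8-char attribute string, path
CREATED_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (?:<DIR> )?(?:([\d,]+) )?([a-z-]{8}) (.+)$')


def split_sections(text):
    """Map each '=== Name ===' header to the non-blank lines beneath it."""
    sections = {'preamble': []}
    current = 'preamble'
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line)
    return sections


def parse_created(lines):
    """Parse 'Created Last 30' entries; paths are lowercased for matching."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            date, time, size, attrs, path = m.groups()
            entries.append({'date': date, 'time': time, 'attrs': attrs,
                            'size': int(size.replace(',', '')) if size else None,
                            'path': path.strip().lower()})
    return entries


def parse_bhos(lines):
    """Parse 'BHO: {clsid} - path' entries from the Pseudo HJT Report."""
    return [{'clsid': m.group(1).lower(), 'path': m.group(2).strip().lower()}
            for m in (BHO_RE.match(l) for l in lines) if m]


def count_process(text, image_name):
    """Count Running Processes entries for an image, ignoring path, case and -k args."""
    target = ntpath.splitext(image_name)[0].lower()
    n = 0
    for line in split_sections(text).get('Running Processes', []):
        image = line.split(' -k ')[0].strip()
        if ntpath.splitext(ntpath.basename(image))[0].lower() == target:
            n += 1
    return n


def triage_bhos(text):
    """Flag BHOs whose DLL was created in the report window or which point at No File."""
    sections = split_sections(text)
    created = {e['path']: e for e in parse_created(sections.get('Created Last 30', []))}
    findings = []
    for bho in parse_bhos(sections.get('Pseudo HJT Report', [])):
        if bho['path'] == 'no file':
            findings.append((bho['clsid'], bho['path'],
                             'orphaned BHO registration: no file on disk'))
            continue
        hit = created.get(bho['path'])
        if hit is None:
            continue
        reason = 'BHO DLL created %s %s' % (hit['date'], hit['time'])
        if ntpath.dirname(bho['path']).endswith('\\windows\\system32'):
            reason += ' directly in system32'
        findings.append((bho['clsid'], bho['path'], reason))
    return findings


if __name__ == '__main__':
    for clsid, path, why in triage_bhos(SAMPLE_DDS):
        print(clsid, path, '->', why)
    print('svchost.exe instances:', count_process(SAMPLE_DDS, 'svchost.exe'))
```

Run against the sample, the script reports the mcicda32.dll helper object (created the same day as the report, in system32) and the No File entry, and counts five svchost.exe hosts. Run it on a full report by reading the saved DDS text into `triage_bhos`; the same approach extends to `uRun`/`mRun` lines if the regex is widened to those prefixes.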



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:34 PM

Posted 25 March 2009 - 07:43 PM

Hello.

First backup your registry and then Run Combofix and GMER.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have a backup, so in case anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.


Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply. If GMER doesn't work in Normal Mode, try running it in Safe Mode.
Note: Do Not run any program while GMER is running

Important! Please do not select the Show all checkbox during the scan.

Post back with both logs in your next reply.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#5 Siphotomo

Siphotomo
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 26 March 2009 - 04:12 AM

Here is the Combo-Fix.exe log first....


ComboFix 09-03-25.02 - Jeff 2009-03-26 2:46:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.951 [GMT -4:00]
Running from: c:\documents and settings\Jeff\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-26 02:29 . 2009-03-26 02:29 <DIR> d-------- c:\program files\ERUNT
2009-03-25 11:24 . 2009-03-25 11:27 <DIR> d-------- c:\program files\support.com
2009-03-25 11:24 . 2009-03-25 11:24 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-03-25 11:24 . 2009-03-25 11:24 950 --a------ C:\net_save.dna
2009-03-24 15:29 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-24 15:28 . 2009-03-24 15:28 <DIR> d-------- c:\program files\Panda Security
2009-03-24 15:15 . 2009-03-24 15:15 <DIR> d-------- C:\VundoFix Backups
2009-03-22 10:30 . 2009-03-22 10:30 <DIR> d--hs---- C:\found.000
2009-03-20 22:34 . 2009-03-20 22:34 <DIR> d-------- c:\documents and settings\Jeff\Application Data\IObit
2009-03-20 21:22 . 2009-03-20 21:22 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-20 21:22 . 2009-03-20 21:22 <DIR> d-------- c:\documents and settings\Jeff\Application Data\SUPERAntiSpyware.com
2009-03-20 21:22 . 2009-03-20 21:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-20 21:21 . 2009-03-20 21:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-20 19:43 . 2009-03-20 19:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 19:43 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 19:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-20 18:39 . 2009-03-20 18:39 <DIR> d-------- c:\documents and settings\Administrator
2009-03-20 08:11 . 2009-03-20 08:11 <DIR> d-------- c:\documents and settings\Jeff\Application Data\Malwarebytes
2009-03-20 08:11 . 2009-03-20 08:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-17 09:24 . 2009-03-17 09:24 <DIR> d-------- c:\program files\Sony
2009-03-15 21:18 . 2009-03-26 02:41 <DIR> d-------- c:\program files\PeerGuardian2
2009-03-15 20:52 . 2009-03-15 20:52 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-15 20:49 . 2009-03-15 21:06 <DIR> d-------- c:\program files\Lavasoft
2009-03-14 02:03 . 2009-03-20 19:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-14 02:02 . 2009-03-15 20:52 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-14 02:00 . 2009-03-15 21:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-14 01:51 . 2008-10-16 17:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-14 01:51 . 2008-10-16 17:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-13 02:50 . 2009-03-13 02:50 <DIR> d-------- c:\documents and settings\Marcy
2009-03-13 01:10 . 2009-03-13 01:10 0 --a------ c:\windows\nsreg.dat
2009-03-13 01:08 . 2009-03-13 01:08 <DIR> d-------- c:\program files\Avira
2009-03-13 01:08 . 2009-03-13 01:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-13 00:54 . 2009-03-13 00:54 <DIR> d-------- c:\program files\BurnWorld
2009-03-13 00:43 . 2009-03-13 00:43 <DIR> d-------- c:\program files\avisplit
2009-03-13 00:35 . 2009-03-13 00:35 <DIR> d-------- c:\program files\Webteh
2009-03-13 00:35 . 2009-03-13 00:35 <DIR> d-------- c:\documents and settings\Jeff\Application Data\BSplayer Pro
2009-03-13 00:35 . 2009-03-20 02:49 <DIR> d-------- c:\documents and settings\Jeff\Application Data\BSplayer
2009-03-13 00:30 . 2009-03-13 00:44 <DIR> d-------- c:\documents and settings\Jeff\Application Data\DivX
2009-03-13 00:24 . 2009-03-13 00:24 <DIR> d-------- c:\program files\Xvid
2009-03-13 00:24 . 2008-12-05 00:42 815,104 --a------ c:\windows\system32\xvidcore.dll
2009-03-13 00:24 . 2008-12-05 00:46 180,224 --a------ c:\windows\system32\xvidvfw.dll
2009-03-13 00:24 . 2008-12-13 23:01 77,824 --a------ c:\windows\system32\xvid.ax
2009-03-13 00:21 . 2009-03-13 00:22 <DIR> d-------- c:\program files\DivX
2009-03-13 00:21 . 2009-03-13 00:21 <DIR> d-------- c:\program files\Common Files\DivX Shared
2009-03-12 23:00 . 2009-03-20 21:21 <DIR> d-------- c:\program files\Serials 2005
2009-03-12 22:00 . 2009-03-25 21:53 <DIR> d-------- c:\documents and settings\Jeff\Application Data\BitTorrent
2009-03-12 21:53 . 2009-03-12 23:16 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-03-12 21:38 . 2009-03-26 02:31 <DIR> d-------- c:\windows\Internet Logs
2009-03-12 21:38 . 2009-03-12 21:38 <DIR> d-------- c:\program files\Zone Labs
2009-03-12 20:42 . 2009-03-12 20:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-12 20:24 . 2009-03-12 20:24 <DIR> d-------- c:\program files\Realtek AC97
2009-03-12 20:24 . 2009-03-12 20:24 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-12 20:23 . 2009-03-12 20:23 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-03-12 19:51 . 2008-08-14 06:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-12 19:51 . 2008-08-14 05:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-12 19:51 . 2008-08-14 05:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-12 19:51 . 2008-08-14 05:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-12 19:43 . 2008-12-20 19:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-03-12 19:43 . 2007-04-17 05:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-12 19:43 . 2007-03-08 01:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-12 19:43 . 2008-12-20 19:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-03-12 19:43 . 2008-12-20 19:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-12 19:43 . 2008-12-20 19:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-03-12 19:43 . 2008-12-20 19:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-03-12 19:43 . 2008-12-20 19:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-12 19:43 . 2008-12-19 05:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-03-12 19:17 . 2009-03-19 19:47 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-12 19:17 . 2008-06-13 09:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-03-12 19:17 . 2008-06-13 09:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-12 19:15 . 2009-03-12 19:26 <DIR> d--hs---- c:\documents and settings\Jeff\UserData
2009-03-12 19:15 . 2008-10-24 07:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-12 19:14 . 2009-03-12 20:04 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-12 19:14 . 2006-09-06 21:43 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-03-12 19:13 . 2009-03-22 12:36 <DIR> d-------- c:\documents and settings\Jeff
2009-03-12 19:11 . 2009-03-12 19:11 13,648 --a------ c:\windows\system32\wpa.bak
2009-03-12 19:06 . 2009-03-12 19:06 <DIR> d---s---- c:\windows\system32\Microsoft
2009-03-12 19:06 . 2009-03-20 21:37 <DIR> d--hs---- c:\documents and settings\LocalService
2009-03-12 19:06 . 2009-03-12 19:06 8,192 --a------ c:\windows\REGLOCS.OLD
2009-03-12 19:05 . 2009-03-20 21:37 <DIR> d--hs---- c:\documents and settings\NetworkService
2009-03-12 19:03 . 2004-08-04 08:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-03-12 19:02 . 2004-05-13 04:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2009-03-12 19:00 . 2009-03-12 19:00 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-03-12 10:03 . 2009-03-12 19:11 <DIR> d--h----- c:\documents and settings\Default User
2009-03-12 10:03 . 2009-03-12 18:14 <DIR> d-------- c:\documents and settings\All Users

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 22:35 142,920 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_25_18_30_33_small.dmp.zip
2009-03-25 22:30 344,064 ----a-w c:\windows\Internet Logs\xDB6F.tmp
2009-03-25 22:30 2,012,160 ----a-w c:\windows\Internet Logs\xDB70.tmp
2009-03-24 18:47 93,360 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_17_19_31_13_small.dmp.zip
2009-03-20 22:31 1,948,160 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-03-20 22:31 1,164,288 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-03-20 13:57 2,927,104 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-03-20 13:57 1,939,968 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-03-19 20:21 1,926,656 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-03-18 03:17 138,336 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_17_20_12_37_small.dmp.zip
2009-03-17 23:31 2,858,496 ----a-w c:\windows\Internet Logs\xDB7.tmp
2009-03-17 20:52 28,780 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_17_16_49_06_small.dmp.zip
2009-03-17 20:52 27,952 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_17_16_49_41_small.dmp.zip
2009-03-17 20:52 27,903 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_17_16_49_50_small.dmp.zip
2009-03-17 20:52 27,881 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_17_16_50_03_small.dmp.zip
2009-03-15 00:52 1,876,992 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-12 22:15 --------- d-----w c:\program files\microsoft frontpage
2009-02-16 06:10 1,221,512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-01-27 01:35 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-01-27 01:35 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-01-27 01:35 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-01-27 01:35 129,784 ------w c:\windows\system32\pxafs.dll
2009-01-27 01:35 120,056 ------w c:\windows\system32\pxcpyi64.exe
2009-01-27 01:35 118,520 ------w c:\windows\system32\pxinsi64.exe
2009-01-27 01:34 90,112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 684,032 ----a-w c:\windows\system32\DivX.dll
.

------- Sigcheck -------

2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
2004-08-04 08:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe
2004-08-04 08:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\dllcache\svchost.exe

2008-04-13 20:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\user32.dll
2004-08-04 08:00 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\system32\user32.dll
2004-08-04 08:00 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\system32\dllcache\user32.dll

2008-04-13 20:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ws2_32.dll
2004-08-04 08:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\ws2_32.dll
2004-08-04 08:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\dllcache\ws2_32.dll

2008-08-26 05:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-12-20 19:56 827904 044e0a4e9fe97c0fb9afe9c89e2a82e6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2004-08-04 08:00 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\ie7\wininet.dll
2007-08-13 22:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 03:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\ie7updates\KB961260-IE7\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\SoftwareDistribution\Download\2e4e820fa4f0714d84e95e04fd4b348e\SP2GDR\wininet.dll
2008-12-20 19:56 827904 044e0a4e9fe97c0fb9afe9c89e2a82e6 c:\windows\SoftwareDistribution\Download\2e4e820fa4f0714d84e95e04fd4b348e\SP2QFE\wininet.dll
2008-08-26 03:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll
2008-08-26 05:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\wininet.dll
2008-10-16 06:37 659456 6f1e4bfd78c4e0d05ff3725d59b72925 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2GDR\wininet.dll
2008-10-16 06:20 667648 93c9d0a216498ee14eb9b26119bb95ee c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2QFE\wininet.dll
2008-10-15 21:00 666112 1576318bf08d28cc61d1278114ad8d5b c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3GDR\wininet.dll
2008-10-15 21:04 667136 e8fce58a470999350f64c591557f9e42 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3QFE\wininet.dll
2008-04-13 20:12 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\wininet.dll
2008-12-20 19:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\dllcache\wininet.dll

2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-04 08:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB951748$\tcpip.sys
2004-08-04 08:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\SoftwareDistribution\Download\2ad1413c5dc0d16e6d56d3e6ca94ed48\backup\sp2gdr\tcpip.sys
2004-08-04 08:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\SoftwareDistribution\Download\2ad1413c5dc0d16e6d56d3e6ca94ed48\backup\sp2qfe\tcpip.sys
2004-08-04 08:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\SoftwareDistribution\Download\2ad1413c5dc0d16e6d56d3e6ca94ed48\backup\sp3gdr\tcpip.sys
2004-08-04 08:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\SoftwareDistribution\Download\2ad1413c5dc0d16e6d56d3e6ca94ed48\backup\sp3qfe\tcpip.sys
2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2gdr\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2qfe\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3qfe\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\system32\drivers\tcpip.sys

2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
2004-08-04 08:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe
2004-08-04 08:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\dllcache\winlogon.exe

2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
2004-08-04 08:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2004-08-04 08:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2008-04-13 14:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ip6fw.sys
2004-08-04 08:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\dllcache\ip6fw.sys
2004-08-04 08:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys

2008-08-14 05:18 2062976 63ec865dff6ccfc7bef94b5c50297cad c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
2008-08-14 19:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2004-08-04 08:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 05:22 2057728 ba002228743b6824d87f0551dbc86d45 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-08-14 05:22 2057728 ba002228743b6824d87f0551dbc86d45 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2GDR\ntkrnlpa.exe
2008-08-14 05:18 2062976 63ec865dff6ccfc7bef94b5c50297cad c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2QFE\ntkrnlpa.exe
2008-08-14 05:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3GDR\ntkrnlpa.exe
2008-08-14 19:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3QFE\ntkrnlpa.exe
2008-04-13 14:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ntkrnlpa.exe
2008-08-14 05:22 2057728 ba002228743b6824d87f0551dbc86d45 c:\windows\system32\ntkrnlpa.exe
2008-08-14 05:22 2057728 ba002228743b6824d87f0551dbc86d45 c:\windows\system32\dllcache\ntkrnlpa.exe

2008-08-14 05:57 2185984 ce69dbd54221f2d40e49ff6db77c6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
2008-08-14 20:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2004-08-04 08:00 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 06:00 2180352 21c91da9cb53aa8a37041ba9684a8458 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-08-14 06:00 2180352 21c91da9cb53aa8a37041ba9684a8458 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2GDR\ntoskrnl.exe
2008-08-14 05:57 2185984 ce69dbd54221f2d40e49ff6db77c6507 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2QFE\ntoskrnl.exe
2008-08-14 06:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3GDR\ntoskrnl.exe
2008-08-14 20:11 2189184 31914172342bff330063f343ac6958fe c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3QFE\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ntoskrnl.exe
2008-08-14 06:00 2180352 21c91da9cb53aa8a37041ba9684a8458 c:\windows\system32\ntoskrnl.exe
2008-08-14 06:00 2180352 21c91da9cb53aa8a37041ba9684a8458 c:\windows\system32\dllcache\ntoskrnl.exe

2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 c:\windows\explorer.exe
2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 c:\windows\system32\dllcache\explorer.exe

2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\services.exe
2004-08-04 08:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe
2004-08-04 08:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\dllcache\services.exe

2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\lsass.exe
2004-08-04 08:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe
2004-08-04 08:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\dllcache\lsass.exe

2008-04-13 20:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
2004-08-04 08:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\ctfmon.exe
2004-08-04 08:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\dllcache\ctfmon.exe

2008-04-13 20:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
2004-08-04 08:00 57856 7435b108b935e42ea92ca94f59c8e717 c:\windows\system32\spoolsv.exe
2004-08-04 08:00 57856 7435b108b935e42ea92ca94f59c8e717 c:\windows\system32\dllcache\spoolsv.exe

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
2004-08-04 08:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\userinit.exe
2004-08-04 08:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe

2008-04-13 20:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\termsrv.dll
2004-08-04 08:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\termsrv.dll
2004-08-04 08:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll

2008-04-13 20:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\kernel32.dll
2004-08-04 08:00 983552 888190e31455fad793312f8d087146eb c:\windows\system32\kernel32.dll
2004-08-04 08:00 983552 888190e31455fad793312f8d087146eb c:\windows\system32\dllcache\kernel32.dll

2008-04-13 20:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\powrprof.dll
2004-08-04 08:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\powrprof.dll
2004-08-04 08:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\dllcache\powrprof.dll

2008-04-13 20:11 110080 0da85218e92526972a821587e6a8bf8f c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\imm32.dll
2004-08-04 08:00 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\imm32.dll
2004-08-04 08:00 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\dllcache\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

c:\documents and settings\Jeff\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-24 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - pgfilter
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\okc3krka.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 02:47:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\Jeff\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
.
Completion time: 2009-03-26 2:49:16
ComboFix-quarantined-files.txt 2009-03-26 06:49:14

Pre-Run: 11,268,067,328 bytes free
Post-Run: 11,304,742,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

304



Here is GMER


GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-26 04:36:36
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA9BFAFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA9BF7C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA9C12170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA9BFB580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xA9C0F900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xA9C0FB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xA9C13B10]
SSDT F7AAC064 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA9BFB670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA9BF8210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA9C129F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA9C127A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xA9C0F280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xA9BF48C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA9C12F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA9C12F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xA9C13D90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA9BF8070]
SSDT F7AAC050 ZwOpenProcess
SSDT F7AAC055 ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA9C136F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA9C13150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA9BFABE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA9C13540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xA9BFB190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA9BF8440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xA9BF46A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA9C124E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xA9C10200]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA9AFEF20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xA9BF4AF0]
SSDT F7AAC05A ZwWriteVirtualMemory

INT 0x20 srescan.sys BAFF3C90

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [80, B5, BF, A9, 00, F9, C0, ...] {XOR BYTE [EBP-0x6ff5641], 0xc0; TEST EAX, 0xa9c0fb10}
.text ntoskrnl.exe!_abnormal_termination + 1D5 804E2831 7 Bytes [2F, C1, A9, 90, 2F, C1, A9]
? srescan.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\Combo-Fix\catchme.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [A9BFFB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [A9BFF930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [A9C00260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [A9BFDE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [A9BFDE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [A9BFFB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [A9BFF930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [A9C00260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [A9BFFB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [A9C00260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [A9BFF930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [A9BFDE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A9C00260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A9BFF930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A9BFFB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [A9C18B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A9BFDE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A9BFFB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A9BFF930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A9C00260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [A9BFFB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [A9BFDE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [A9C00260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [A9BFF930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [A9BF8980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [A9BF88D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [A9BF8A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [A9BF85E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by Siphotomo, 26 March 2009 - 04:39 AM.


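Editor's note on the GMER section above (this is an added example, not part of the thread and not output of GMER, DDS or ZoneAlarm): every IAT entry in that list points into vsdatant.sys, which the DDS log identifies as the ZoneAlarm TrueVector driver (R1 vsdatant). Redirecting the NDIS and ntoskrnl imports of tcpip.sys, srv.sys, afd.sys and friends is exactly how a host firewall interposes on the network stack, so the volume of hooks is not the finding; the finding would be a hooking module that is not a known security product. The script below parses GMER "IAT" lines, groups them by the module that owns the hook address, and gives one verdict per module. The sample input is constructed: three lines mirror the log above, the fourth (xyz.sys, with no vendor description) is hypothetical, and the KNOWN_HOOKERS table is the editor's, listing only the vendor actually present in this log.

```python
import re

# Constructed sample in the format of GMER 1.0.15's "IAT" lines. The first
# three mirror entries from the log above (ZoneAlarm's vsdatant.sys redirecting
# NDIS and ntoskrnl imports of the network and SMB server drivers). The fourth
# is hypothetical: a hook owned by a module with no vendor description, which
# is the shape an analyst should actually chase.
SAMPLE_GMER = r"""
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A9BFF930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [A9BF85E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [A9C18B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!ZwQuerySystemInformation] [F7A3C120] \SystemRoot\System32\drivers\xyz.sys
"""

# IAT <victim driver>[<module>!<import>] [<hook address>] <hooking module> (<description>)
IAT_RE = re.compile(
    r"^IAT (?P<victim>\S+)\[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\] "
    r"\[(?P<addr>[0-9A-Fa-f]+)\] (?P<hooker>\S+)(?: \((?P<desc>.*)\))?\s*$"
)

# Host-security drivers known to hook these imports legitimately. Only the
# vendor seen in the log above is listed; extend it for your own environment.
KNOWN_HOOKERS = {"vsdatant.sys": "ZoneAlarm TrueVector firewall (Check Point)"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_iat_lines(text):
    """Return one record per IAT line; other GMER output is ignored."""
    entries = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "victim": _basename(d["victim"]),        # driver whose IAT was patched
            "import": f'{d["module"]}!{d["func"]}',  # redirected import
            "addr": int(d["addr"], 16),              # where it now points
            "hooker": _basename(d["hooker"]),        # module owning that address
            "desc": d["desc"],                       # GMER's vendor description, if any
        })
    return entries


def summarize(entries):
    """Group hooks by the module that owns the hook address."""
    out = {}
    for e in entries:
        s = out.setdefault(e["hooker"], {"count": 0, "victims": set(),
                                         "imports": set(), "desc": e["desc"]})
        s["count"] += 1
        s["victims"].add(e["victim"])
        s["imports"].add(e["import"])
    return out


def triage(entries):
    """One verdict per hooking module, not per hooked import."""
    verdicts = {}
    for hooker, s in summarize(entries).items():
        if hooker in KNOWN_HOOKERS:
            verdicts[hooker] = "expected: " + KNOWN_HOOKERS[hooker]
        elif not s["desc"]:
            verdicts[hooker] = "review: hooking module carries no vendor description"
        else:
            verdicts[hooker] = "review: described, but not a known security product"
    return verdicts


if __name__ == "__main__":
    entries = parse_iat_lines(SAMPLE_GMER)
    for hooker, s in summarize(entries).items():
        print(f"{hooker}: {s['count']} hook(s) in {sorted(s['victims'])}")
    for hooker, verdict in triage(entries).items():
        print(f"  {hooker}: {verdict}")
```

Paste a full GMER log into SAMPLE_GMER (or read it from a file) and the same grouping works; the non-IAT sections are skipped. A module that lands in the "review" bucket is what deserves the file-on-disk check: signature, timestamp and whether any installed product accounts for it.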
#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 26 March 2009 - 02:50 PM

Hello.

Try running Malwarebytes Anti-malware again. Update it first and then run a scan with it. A quick scan is good enough.

Let me know how it goes and see if you get a BSOD or not. If you do get one make sure you copy the information like last time.

We'll deal with the rest next post and remove anything that needs to be done.

Post back with:
-MBAM log
-BSOD error code (if it occurred)
-New DDS logs
-Description of the problems you may still have.

Edit: Add info.

With Regards,
Extremeboy

Edited by extremeboy, 26 March 2009 - 02:53 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 Siphotomo (Topic Starter, Members, 12 posts)

Posted 28 March 2009 - 03:51 PM

I couldn't post any MBAM logs. I got it updated and it reinstalled a new version, 1.35 (I had 1.34), but I'm still getting the same error messages when I run a scan. Every time the errors are...

Error 1st time running scan
Error Signature
AppName: mbam.exe AppVer: 1.34.0.0 ModName: oleaut32.dll
ModVer: 5.1.2600.2180 Offset: 00004cb4

Error 2nd time running scan
Error Signature
AppName: mbam.exe AppVer: 1.35.0.0 ModName: oleaut32.dll
ModVer: 5.1.2600.2180 Offset: 00004cb4

Error 3rd time running scan
Error Signature
AppName: mbam.exe AppVer: 1.35.0.0 ModName: msvbvm60.dll
ModVer: 6.0.96.90 Offset: 0002495a


I have tried restarting the computer and running it again, but it doesn't matter, I get these error messages every time. Then I did get 1 BSOD error message while trying to run DDS.scr; it was...

PAGE_FAULT_IN_NONPAGED_AREA

Technical Information
*** STOP: 0x00000050 (0xA97AB454, 0x00000001, 0x8054B5BB, 0x00000000)

I posted the new DDS logs. I had to restart the computer to get it to run, but it did run safely. The problem I'm still having is that I just get BSODs or error messages on programs that are used to get rid of malware/spyware/viruses/trojans; those seem to be the only type of programs that are affected. Also, there are 5 svchost.exe processes running. Is that normal? I think I mentioned this earlier. I just wondered if another virus or trojan is using it to run, or if it's hijacked it or something. I don't know; that's why I'm here for your help. Thank you so much for your time.



DDS (Ver_09-03-16.01) - NTFSx86
Run by Jeff at 16:36:45.31 on Sat 03/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.889 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jeff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\jeff\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236900437812
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeff\applic~1\mozilla\firefox\profiles\okc3krka.default\

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-24 28544]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-13 11840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-12 353672]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-13 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-13 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-13 52032]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-20 38496]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-03-26 02:45 <DIR> a-dshr-- C:\cmdcons
2009-03-26 02:44 161,792 a------- c:\windows\SWREG.exe
2009-03-26 02:44 98,816 a------- c:\windows\sed.exe
2009-03-26 02:44 <DIR> --d----- C:\Combo-Fix
2009-03-25 11:24 950 a------- C:\net_save.dna
2009-03-25 11:24 <DIR> --d----- c:\program files\support.com
2009-03-25 11:24 <DIR> --d----- c:\program files\common files\SupportSoft
2009-03-24 15:29 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-03-24 15:28 <DIR> --d----- c:\program files\Panda Security
2009-03-24 15:15 <DIR> --d----- C:\VundoFix Backups
2009-03-22 10:30 <DIR> --dsh--- C:\found.000
2009-03-20 22:34 <DIR> --d----- c:\docume~1\jeff\applic~1\IObit
2009-03-20 21:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-20 21:22 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-20 21:22 <DIR> --d----- c:\docume~1\jeff\applic~1\SUPERAntiSpyware.com
2009-03-20 21:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-20 19:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-20 19:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 19:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 08:11 <DIR> --d----- c:\docume~1\jeff\applic~1\Malwarebytes
2009-03-20 08:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-17 09:24 <DIR> --d----- c:\program files\Sony
2009-03-15 21:18 <DIR> --d----- c:\program files\PeerGuardian2
2009-03-15 20:52 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-15 20:49 <DIR> --d----- c:\program files\Lavasoft
2009-03-14 02:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-14 01:51 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-14 01:51 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-13 01:08 <DIR> --d----- c:\program files\Avira
2009-03-13 01:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-13 00:54 <DIR> --d----- c:\program files\BurnWorld
2009-03-13 00:43 <DIR> --d----- c:\program files\avisplit
2009-03-13 00:35 <DIR> --d----- c:\docume~1\jeff\applic~1\BSplayer Pro
2009-03-13 00:35 <DIR> --d----- c:\docume~1\jeff\applic~1\BSplayer
2009-03-13 00:35 <DIR> --d----- c:\program files\Webteh
2009-03-13 00:24 815,104 a------- c:\windows\system32\xvidcore.dll
2009-03-13 00:24 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-03-13 00:24 77,824 a------- c:\windows\system32\xvid.ax
2009-03-13 00:24 <DIR> --d----- c:\program files\Xvid
2009-03-13 00:21 <DIR> --d----- c:\program files\common files\DivX Shared
2009-03-13 00:21 <DIR> --d----- c:\program files\DivX
2009-03-12 23:00 <DIR> --d----- c:\program files\Serials 2005
2009-03-12 22:00 <DIR> --d----- c:\docume~1\jeff\applic~1\BitTorrent
2009-03-12 21:53 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-12 21:38 <DIR> --d----- c:\program files\Zone Labs
2009-03-12 21:38 <DIR> --d----- c:\windows\Internet Logs
2009-03-12 20:24 <DIR> --d----- c:\program files\Realtek AC97
2009-03-12 19:51 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-12 19:51 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-12 19:51 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-12 19:51 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-12 19:43 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-03-12 19:43 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-03-12 19:43 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-12 19:43 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-03-12 19:43 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-03-12 19:43 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-03-12 19:43 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-12 19:43 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-12 19:43 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-03-12 19:40 <DIR> --d----- c:\windows\network diagnostic
2009-03-12 19:17 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-12 19:17 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-12 19:17 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-03-12 19:15 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-12 19:15 <DIR> --dsh--- c:\documents and settings\jeff\UserData
2009-03-12 19:14 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-03-12 19:14 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-12 19:14 <DIR> --d-h--- c:\windows\$hf_mig$
2009-03-12 19:13 <DIR> --d----- c:\documents and settings\Jeff
2009-03-12 19:11 13,648 a------- c:\windows\system32\wpa.bak
2009-03-12 19:10 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-03-12 19:06 <DIR> --ds---- c:\windows\system32\Microsoft
2009-03-12 19:06 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-12 19:03 38,912 ac------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-03-12 19:02 66,594 ac------ c:\windows\system32\dllcache\c_864.nls
2009-03-12 19:00 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-12 18:59 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-12 18:59 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-12 18:59 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-12 18:59 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-12 18:58 196,864 a------- c:\windows\system32\drivers\rdpdr.sys
2009-03-12 18:58 40,840 a------- c:\windows\system32\drivers\termdd.sys
2009-03-12 18:55 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-03-12 18:55 1,888,992 a------- c:\windows\system32\ati3duag.dll
2009-03-12 18:55 870,784 a------- c:\windows\system32\ati3d1ag.dll
2009-03-12 18:55 701,440 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-03-12 18:55 516,768 a------- c:\windows\system32\ativvaxx.dll
2009-03-12 18:55 201,728 a------- c:\windows\system32\ati2dvag.dll
2009-03-12 18:54 27,165 a------- c:\windows\system32\drivers\fetnd5.sys
2009-03-12 18:54 74,240 a------- c:\windows\system32\usbui.dll
2009-03-12 18:54 685,056 a------- c:\windows\system32\drivers\HSFCXTS2.sys
2009-03-12 18:54 220,032 a------- c:\windows\system32\drivers\HSFBS2S2.sys
2009-03-12 18:54 86,016 a------- c:\windows\system32\mdmxsdk.dll
2009-03-12 18:54 32,285 a------- c:\windows\system32\HSFCISP2.dll
2009-03-12 18:54 11,868 a------- c:\windows\system32\drivers\mdmxsdk.sys
2009-03-12 18:53 1,041,536 a------- c:\windows\system32\drivers\HSFDPSP2.sys
2009-03-12 18:53 129,045 a------- c:\windows\system32\drivers\cxthsfS2.cty
2009-03-12 18:15 <DIR> --d----- c:\windows\system32\xircom
2009-03-12 18:15 0 a------- c:\windows\control.ini
2009-03-12 18:15 23,392 a------- c:\windows\system32\nscompat.tlb
2009-03-12 18:15 16,832 a------- c:\windows\system32\amcompat.tlb
2009-03-12 18:15 316,640 a------- c:\windows\WMSysPr9.prx
2009-03-12 18:14 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-03-12 18:13 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-03-12 18:12 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-12 18:11 <DIR> --d----- c:\program files\Online Services
2009-03-12 18:11 <DIR> --d----- c:\program files\Messenger
2009-03-12 18:10 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-03-12 18:10 <DIR> --d----- c:\program files\Windows NT
2009-03-12 10:04 <DIR> --d----- c:\program files\common files\ODBC
2009-03-12 10:04 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-03-12 10:04 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-03-15 04:03 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-12 18:59 22,720 a------- c:\windows\system32\emptyregdb.dat
2009-02-16 02:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-26 21:35 129,784 -------- c:\windows\system32\pxafs.dll
2009-01-26 21:35 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-01-26 21:35 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-01-26 21:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-01-26 21:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-26 21:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-01-26 21:34 684,032 a------- c:\windows\system32\DivX.dll

============= FINISH: 16:37:06.79 ===============

Attached Files



#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 28 March 2009 - 04:03 PM

Hello.

Well, I don't think so. Those error messages were not related to malware. Having many svchost.exe is not always malware. Svchost.exe does many things. Having many running sometimes means some programs or applications need it. I currently have 7 svchost.exe running.

This seems more like a windows problem. We'll see after.

I would first like you to do an online scan and run chkdsk afterwards.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky WebScanner page.
  • Click on the scan button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button to accept them.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the scan settings button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Confirm the settings if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

How to run CHKDSK: http://support.microsoft.com/kb/315265

Let me know how it goes and post back with the log.

With Regards,
Extremeboy

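Editor's note on the svchost.exe question above (an added example, not part of the thread and not the output of DDS or any tool named in it): svchost.exe is only a host process for groups of services, so the number of instances says little by itself. The DDS log shows five, which is what a default XP install typically runs (one each for the DcomLaunch, rpcss, netsvcs, NetworkService and LocalService groups). The useful check is which services each instance actually hosts; an svchost.exe hosting no service at all has no reason to exist. The script below parses the CSV output of `tasklist /svc /fo csv` and reports that. The sample output is constructed (PIDs and service lists are illustrative; the last row, an svchost.exe hosting nothing, is hypothetical), and the live_tasklist helper is the editor's wrapper around the real command.

```python
import csv
import io
import subprocess

# Constructed sample of `tasklist /svc /fo csv` output: a header row, then one
# row per process, with the Services column "N/A" for processes that host no
# service. The five svchost.exe rows model the groups a default XP install runs
# (DcomLaunch, rpcss, netsvcs, NetworkService, LocalService); the final row is a
# hypothetical extra instance hosting nothing, which is the case to look at.
SAMPLE_TASKLIST = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","1024","DcomLaunch,TermService"
"svchost.exe","1100","RpcSs"
"svchost.exe","1148","AudioSrv,BITS,CryptSvc,Dhcp,EventSystem,lanmanserver,lanmanworkstation,Netman,Schedule,SENS,ShellHWDetection,Themes,winmgmt,wscsvc,wuauserv"
"svchost.exe","1212","Dnscache"
"svchost.exe","1296","LmHosts,RemoteRegistry,SSDPSRV,WebClient"
"spoolsv.exe","1500","Spooler"
"svchost.exe","2044","N/A"
'''


def parse_tasklist_svc(text):
    """Parse `tasklist /svc /fo csv` output into a list of process records."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0] == "Image Name":
            continue  # blank line or the header row
        image, pid, services = rec[0], rec[1], rec[2]
        rows.append({
            "image": image,
            "pid": pid,
            # the quoted Services field is itself comma-separated
            "services": [] if services == "N/A" else services.split(","),
        })
    return rows


def svchost_report(rows):
    """Map each svchost.exe PID to the services it hosts."""
    return {r["pid"]: r["services"] for r in rows
            if r["image"].lower() == "svchost.exe"}


def find_suspicious_svchost(rows):
    """PIDs of svchost.exe instances that host no service at all."""
    return [pid for pid, svcs in svchost_report(rows).items() if not svcs]


def live_tasklist():
    """Run tasklist on the machine itself (Windows only) and return its CSV text."""
    return subprocess.run(["tasklist", "/svc", "/fo", "csv"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE_TASKLIST)
    for pid, svcs in svchost_report(rows).items():
        print(pid, ", ".join(svcs) or "(no services)")
    print("review:", find_suspicious_svchost(rows))
```

Two caveats. tasklist.exe ships with XP Professional but not XP Home (the edition in the DDS header), where Process Explorer shows the same per-instance service list. And tasklist does not show the image path, so a second check is that every instance runs from %SystemRoot%\system32; `wmic process where name='svchost.exe' get ProcessId,ExecutablePath` gives that.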
#9 Siphotomo (Topic Starter, Members, 12 posts)

Posted 30 March 2009 - 01:39 PM

I can't run Kaspersky WebScanner because for some reason I can't install Java Runtimes. It causes an error every time I try to install it. I've tried ActiveX Java Runtimes and other sites to get Java, and none work. Maybe you're right, I have a Windows problem. Do you think there are any viruses/spyware/trojans/adware at all on my system?

#10 extremeboy (Malware Response Team, 12,975 posts)

Posted 30 March 2009 - 02:47 PM

Hello.

It doesn't appear to be one. Please run the F-Secure scan for me instead.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run F-Secure Online Scan

Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
Post back with a new DDS log as well.

With Regards,
Extremeboy

#11 extremeboy (Malware Response Team, 12,975 posts)

Posted 01 April 2009 - 02:50 PM

Hello.

How's everything coming along?

With regards,
Extremeboy

#12 Siphotomo (Topic Starter, Members, 12 posts)

Posted 03 April 2009 - 12:09 PM

I decided to try to repair my Windows by putting in the Windows XP SP2 CD, booting from it and then repairing Windows. It seems to have fixed some of the problems, but I still get random BSODs. Right now I'm getting ready to run Kaspersky Online Scanner, then I'll run F-Secure also, and I'll reply with a new DDS log as well. Since I repaired Windows it has let me install the Java files I needed, so I can actually run Kaspersky; some things seem to be a little better at least. Although every time I try to install SP3 it seems to not let me load Windows XP for some reason, so I've just installed all the updates I can. I'll get back to you with the results. Thanks for all your help.

Edited by Siphotomo, 03 April 2009 - 12:19 PM.


#13 extremeboy (Malware Response Team, 12,975 posts)

Posted 03 April 2009 - 03:39 PM

Thanks for letting me know.

Regarding those BSODs, it would be better if you start a topic in the Windows XP forum once we are done. I'm sure someone there can help you diagnose the BSOD error code and let you know what's causing it and what the problem is.

With regards,
Extremeboy

#14 extremeboy (Malware Response Team, 12,975 posts)

Posted 05 April 2009 - 10:36 AM

Hello.

Below are just some prevention tips to help you in the future.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacking attempts and Trojans use the methods (plugged by the updates) that have not been stopped because people did not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck.

With Regards,
Extremeboy


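Editor's example for the Autorun advice above (added here; it is not part of the thread and not from the F-Secure article it quotes). The quoted text says USB worms drop an AUTORUN.INF that runs them either on insertion or when the drive is double-clicked, and the note warns that disabling Autorun may not cover the double-click case. Both come down to what the file tells Windows to execute: open= and shellexecute= fire on AutoPlay, while shell\<verb>\command= rewrites what Explorer's "Open" and "Explore" actions do for that drive. The script below parses an autorun.inf, lists its execution directives and flags the patterns worms rely on. Both samples are constructed: the worm-style one is modelled on the common shape (executable hidden under a RECYCLER path, Explorer verbs rewritten, action= set to the text of Windows' own AutoPlay entry) with a hypothetical file name, and the benign one is a label and icon only.

```python
import re

# Constructed worm-style sample (hypothetical file name): runs a file hidden
# under a RECYCLER-style path, rewrites Explorer's Open/Explore verbs to run it,
# and sets action= to the wording of Windows' own "Open folder to view files"
# AutoPlay entry so the worm's entry looks like the system one.
WORM_STYLE_INF = r"""
[AutoRun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\example.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\example.exe
shell\explore\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\example.exe
UseAutoPlay=1
"""

# Constructed benign sample: a drive label and icon, nothing executable.
BENIGN_INF = """
[autorun]
label=Photos 2009
icon=photos.ico
"""

HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")
DIRECT_EXEC_KEYS = ("open", "shellexecute")        # run by AutoPlay/Autorun
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # run by an Explorer verb


def parse_autorun(text):
    """Tolerant INI parse: the keys of the [autorun] section, lower-cased."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def execution_directives(cfg):
    """Every key that makes Windows run something, with its target."""
    return {k: v for k, v in cfg.items()
            if k in DIRECT_EXEC_KEYS or SHELL_CMD_RE.match(k)}


def assess_autorun(text):
    """Execution directives plus the red flags typical of USB worms."""
    cfg = parse_autorun(text)
    execs = execution_directives(cfg)
    flags = []
    targets = " ".join(v.lower() for v in execs.values())
    if any(h in targets for h in HIDDEN_DIRS):
        flags.append("runs a file hidden under a RECYCLER/system folder")
    if "shell" in cfg or any(SHELL_CMD_RE.match(k) for k in execs):
        flags.append("rewrites Explorer's double-click/context-menu verbs for the drive")
    if "open folder" in cfg.get("action", "").lower():
        flags.append("spoofs the AutoPlay 'Open folder to view files' entry")
    return {"executes": execs, "flags": flags}


if __name__ == "__main__":
    for name, inf in (("worm-style", WORM_STYLE_INF), ("benign", BENIGN_INF)):
        result = assess_autorun(inf)
        print(name, "->", result["executes"], result["flags"])
```

The shell\open\command and shell\explore\command lines are the reason the note above matters: they have nothing to do with AutoPlay, so turning AutoPlay off leaves them in force, and double-clicking the drive in My Computer still runs the target. Checking the root of a removable drive for these directives before opening it is cheap, and on a found drive the answer is to browse it from the address bar or a command prompt rather than double-clicking the icon.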
#15 extremeboy (Malware Response Team, 12,975 posts)

Posted 05 April 2009 - 10:37 AM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy




