Malware infection (previously winXP antivirus but now not sure)


  • This topic is locked
12 replies to this topic

#1 Zacbelle1

Zacbelle1

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:32 AM

Posted 05 April 2009 - 02:38 AM

Hi, I used to have a winxp antivirus problem when my wife followed the prompts on an email. I believed at the time I had removed the infection and this was about 4-5 months ago. Just recently, I had a new problem of google links not working properly, ie click on a link and takes you to random website after title bar scrolls through 8-9 different links. I googled this hijack links problem and worked out that cutting and pasting the correct link will take me to where I want to go. Well it took me to this forum where I read a few other people's problems and found that I needed to run HijackThis etc. Found I still had WinXP antivirus problem (or maybe my kids reinfected the computer) ran the fix suggested (fixwareout - my computer kept not booting after running this program. It said it could take a while to reboot but mine just had a dark screen with mouse hourglass. Rebooting usually got me back to login screen but this hanging boot problem kept recurring even after running fixwareout) and anyway, things seemed ok for a few days - looked like the problem had gone. Then problem resurfaced. Ran another HijackThis log and found a "fixnetdir" problem I think it was. Sorry for being a little vague but we are going back a number of days now and I foolishly didn't write down the problem exactly.
The next problems I noticed on my computer were inability to connect to the internet. I could ping the ip address of my modem but even though I was connected at 100MBps I couldn't access any websites or the modem's IP address so I couldn't even log in to my modem. Then all of a sudden my internet would work again for a few minutes then it would stop again. All the usual fixes of not having an internet connection wouldn't work (reboot the modem, repair connection etc). I also noticed that when I opened My Computer and tried double clicking the C drive, it wouldn't do anything and then later when I tried again I would get an error message that "recycler + random set of alpha numerics" had a problem. My Malwarebytes program picked up a trojan on one occasion.... which I clicked on terminate. (C:\RECYCLERS\S-5-6-49-100023146-100013775-100004571-3077.com (TrojanAgent))

Now in the past when I have had windows problems I have run a chkdsk repair - but now it refuses to run when I reboot the computer. It warned me that the file data is RAW and chkdsk can't run on RAW disks. I then ran basic chkdsk scan and found orphaned files so I popped my Spinrite disk in (purchased from grc.com) and ran a data recovery which didn't pick up any data problems.

After all this though I got my internet connection back and hence I am now able to post to this website believing that I may be able to remove this worm once and for all with expert help. I am running genuine version of win XP pro with paid version of zonealarm pro security suite - my modem/router has firewall enabled also.

Oh I almost forgot, I have not been able to run Malwarebytes scans. The program refuses to open to the GUI. The TSR version runs happily in the background but I can't run a system scan etc. I have uninstalled and reinstalled but with no joy.


Below is the hijack this log plus the dds.txt cut and paste - I have attached the attach.txt file.

Thanks forum guys and gals for your help should we be able to remove this problem. I have further educated my wife and children to the perils of opening or downloading unknown content so once this prob is licked I can hope to be trojan free for some time to come.

HiJackThis log:
-----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:38 PM, on 5/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R350 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJP.EXE /P30 "EPSON Stylus Photo R350 Series" /O6 "USB001" /M "Stylus Photo R350"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186754079890
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://ts.macrorecruitment.com.au/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B4C8A4E-70B0-4190-97D9-77084881695D}: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.70,85.255.112.127
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg


DDS.txt:
----------

DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 16:54:25.96 on Sun 05/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1145 [GMT 10:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\WINDOWS\Explorer.EXE
C:\Download Files\AntiVirus Firewall Malware\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
mRun: [EPSON Stylus Photo R350 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAJP.EXE /P30 "EPSON Stylus Photo R350 Series" /O6 "USB001" /M "Stylus Photo R350"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SSC Service Utility] c:\program files\ssc service utility\ssc_serv.exe /s
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186754079890
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://ts.macrorecruitment.com.au/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.70,85.255.112.127
TCP: {1B4C8A4E-70B0-4190-97D9-77084881695D} = 85.255.112.70,85.255.112.127
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-1-21 21512]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-12-7 40368]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-14 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-10-30 353672]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-3 179856]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-3 15504]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-12-18 29181272]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2002-11-28 6400]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\lbeepke.sys --> c:\windows\system32\drivers\LBeepKE.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-5-18 13352]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-1-21 26248]
S3 Navcar;Navman In-car Navigator USB Driver Service;c:\windows\system32\drivers\Navcar.sys [2008-2-21 30329]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2006-5-1 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2008-7-2 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2008-7-2 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2008-7-2 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2008-7-2 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2008-7-2 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2008-7-2 90800]

=============== Created Last 30 ================

2009-04-03 22:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-03 22:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 22:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 09:26 <DIR> --d----- c:\documents and settings\user\Tracing
2009-03-27 06:11 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-03-27 06:08 <DIR> --d----- c:\program files\Microsoft
2009-03-27 06:08 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-27 06:00 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-24 22:29 <DIR> --d----- c:\program files\Trend Micro
2009-03-24 22:26 <DIR> --d----- C:\fixwareout
2009-03-22 21:07 424 ---shr-- C:\autorun.inf
2009-03-15 22:33 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-15 22:33 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-15 22:33 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-03-15 22:33 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-03-15 22:33 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-03-15 22:33 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-03-15 22:33 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-03-15 22:33 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-03-15 22:33 19,200 ac------ c:\windows\system32\dllcache\wstcodec.sys
2009-03-15 22:33 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-03-15 22:31 64,605 ac------ c:\windows\system32\dllcache\vvoice.sys
2009-03-15 22:30 69,632 ac------ c:\windows\system32\dllcache\umaxu12.dll
2009-03-15 22:29 241,664 ac------ c:\windows\system32\dllcache\tosdvd02.sys
2009-03-15 22:28 10,240 ac------ c:\windows\system32\dllcache\swpdflt2.dll
2009-03-15 22:27 58,368 ac------ c:\windows\system32\dllcache\smiminib.sys
2009-03-15 22:26 161,568 ac------ c:\windows\system32\dllcache\sgsmusb.sys
2009-03-15 22:25 210,496 ac------ c:\windows\system32\dllcache\s3mvirge.dll
2009-03-15 22:24 3,328 ac------ c:\windows\system32\dllcache\qv2kux.sys
2009-03-15 22:23 75,776 ac------ c:\windows\system32\dllcache\philcam1.sys
2009-03-15 22:22 54,186 ac------ c:\windows\system32\dllcache\otcsercb.sys
2009-03-15 22:21 27,936 ac------ c:\windows\system32\dllcache\n9i3d.sys
2009-03-15 22:20 17,280 ac------ c:\windows\system32\dllcache\mraid35x.sys
2009-03-15 22:19 606,684 ac------ c:\windows\system32\dllcache\ltmdmnt.sys
2009-03-15 22:18 45,632 ac------ c:\windows\system32\dllcache\ip5515.sys
2009-03-15 22:17 58,592 ac------ c:\windows\system32\dllcache\i740nt5.sys
2009-03-15 22:16 32,768 ac------ c:\windows\system32\dllcache\hpgtmcro.dll
2009-03-15 22:15 442,240 ac------ c:\windows\system32\dllcache\fpnpbase.sys
2009-03-15 22:14 144,896 ac------ c:\windows\system32\dllcache\epcfw2k.sys
2009-03-15 22:13 110,621 ac------ c:\windows\system32\dllcache\digirlpt.dll
2009-03-15 22:12 10,240 ac------ c:\windows\system32\dllcache\compbatt.sys
2009-03-15 22:11 13,824 ac------ c:\windows\system32\dllcache\bulltlp3.sys
2009-03-15 22:10 12,032 ac------ c:\windows\system32\dllcache\amsint.sys
2009-03-15 22:09 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2009-03-14 20:52 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-03-14 20:37 <DIR> --d----- c:\program files\ZAR
2009-03-12 05:51 <DIR> --d----- c:\program files\Pcsx2
2009-03-07 17:10 <DIR> --d----- c:\program files\WinAVI Video Converter
2009-03-06 18:23 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-03-06 18:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-04-03 22:20 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-22 21:07 235,900,704 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-21 07:35 2,981,012 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-18 17:48 73,216 a------- c:\windows\system32\RBRegEx350.dll
2009-03-18 17:48 60,416 a------- c:\windows\system32\rbap350.dll
2009-03-18 17:48 56,832 a------- c:\windows\system32\RBSpriteSurface350.dll
2009-03-18 17:48 27,648 a------- c:\windows\system32\rbselectfolder350.dll
2009-03-03 16:20 73,216 a------- c:\windows\RBRegEx350.dll
2009-03-03 16:20 60,416 a------- c:\windows\rbap350.dll
2009-03-03 16:20 56,832 a------- c:\windows\RBSpriteSurface350.dll
2009-03-03 16:20 27,648 a------- c:\windows\rbselectfolder350.dll
2009-02-15 22:10 72,584 a------- c:\windows\zllsputility.exe
2009-02-06 17:52 49,504 a------- c:\windows\system32\sirenacm.dll
2008-04-23 19:11 150,480 -------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2007-09-03 23:07 774,144 a------- c:\program files\RngInterstitial.dll
2004-10-01 17:00 40,960 a------- c:\program files\Uninstall_CDS.exe
2008-09-19 21:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 16:55:02.37 ===============


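A small triage helper for the HijackThis log posted above, added here as an example; it is not part of the original post and not code from HijackThis or DDS. It parses the R/O entry lines, checks every O17 NameServer value against a list of resolvers the machine's owner knows to be legitimate (192.168.1.1 is an assumed home-router address, and RFC 1918 addresses are accepted in general since a home PC normally gets DNS from the router by DHCP), and flags the two public addresses 85.255.112.70 and 85.255.112.127 that appear in the log as statically configured resolvers the owner never set. Reaching the modem by IP while no website resolves, as described in the post, is exactly what a redirected resolver looks like from the user's chair. The helper also reports the orphaned O2 BHO and lists the O20 AppInit_DLLs entry as something to verify rather than condemn (acaptuser32.dll ships with Adobe Acrobat). The sample log lines are constructed in the shape of the posted log, with one benign O17 line added for contrast.

```python
import ipaddress
import re

# Resolvers the machine's owner knows to be legitimate. Constructed for this
# example: a home router on the LAN. Any RFC 1918 address is accepted too.
TRUSTED_RESOLVERS = frozenset({"192.168.1.1"})

# HijackThis entry line: section tag, " - ", body.
HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Trailing "NameServer = a.b.c.d,e.f.g.h" on an O17 body.
NAMESERVER = re.compile(r"NameServer\s*=\s*(?P<servers>[0-9.,\s]+)$")

# Constructed sample in the shape of the posted log. The two O17 values are the
# ones from the log above; the 192.168.1.1 line is added to show the benign case.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B4C8A4E-70B0-4190-97D9-77084881695D}: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""


def parse_hjt(text):
    """Return (section, body) for every HijackThis entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def classify_resolver(address, trusted=TRUSTED_RESOLVERS):
    """'trusted' if the owner listed it, 'private' for RFC 1918/loopback, else 'unexpected-public'."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable"
    if address in trusted:
        return "trusted"
    if ip.is_private:
        return "private"
    return "unexpected-public"


def configured_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """Every NameServer address from the O17 entries, de-duplicated, with its classification."""
    seen = {}
    for section, body in parse_hjt(text):
        if section != "O17":
            continue
        m = NAMESERVER.search(body)
        if not m:
            continue
        for address in (a.strip() for a in m.group("servers").split(",")):
            if address:
                seen[address] = classify_resolver(address, trusted)
    return seen


def triage(text, trusted=TRUSTED_RESOLVERS):
    """Findings as (severity, section, detail) tuples, most serious first."""
    findings = []
    for address, status in configured_resolvers(text, trusted).items():
        if status == "unexpected-public":
            findings.append(("high", "O17",
                             f"DNS statically pointed at {address}, a public resolver the owner did not configure"))
    for section, body in parse_hjt(text):
        if section == "O2" and body.endswith("(no file)"):
            # Registered BHO whose DLL is gone: leftover, not active, but worth cleaning.
            findings.append(("low", section, f"orphaned BHO registration: {body}"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is a powerful persistence point; confirm the DLL's publisher.
            dll = body.split(":", 1)[1].strip()
            findings.append(("verify", section,
                             f"AppInit_DLLs loads {dll} into every process that uses user32.dll; confirm its publisher"))
    order = {"high": 0, "verify": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {detail}")
```

The resolver check is the part that matters for the symptoms in this thread: both CCS and ControlSet1/3 carry the same two public addresses in the posted log, so every boot configuration would send name lookups to them, and removing the registry values without fixing the underlying infection would only hold until the next reboot. The AppInit_DLLs entry is deliberately reported as "verify" rather than "high", because the location is dangerous but the DLL named here is a legitimate Adobe component; a triage tool that condemns every entry in a sensitive location trains its user to ignore it.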

#2 Zacbelle1

Zacbelle1
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:32 AM

Posted 05 April 2009 - 02:49 AM

Hi,
Not sure if it's relevant but just remembered I tried a system restore also. A long time ago, I had set system restore to "maximum available disk space" which was about 50 GB. However when I opened up system restore yesterday there were only 2 restore points available and neither would work. With it set to max, system restore should have had multiple restore points dating back for months. The weird thing was - it would let me select the restore points but it wouldn't let me go any further, ie clicking "next" didn't work. So sys restore never actually attempted to restore anything. This may also help with identifying my infection.

PS zone alarm didn't find any trojan when it scanned for spyware.

#3 Zacbelle1

Zacbelle1
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:32 AM

Posted 07 April 2009 - 10:55 AM

Hi,
I can see how busy you all are fixing malware problems, so I decided to do some digging myself and follow some scans / fixes that worked for others.
I ran the GMER scan and it found gaopdx...... rootkit problem.
I found out that combo fix seemed to be the best option for fixing so I followed the tutorial and it seems to have worked so far......
I have posted the log below.
Please let me know if you discover any more trojans from viewing any logs. I will let you know if I find any more problems and any actions I take.
You may want the gmer log which I didn't complete, so if you want me to rescan then just ask.

After Combo Fix, I can confirm now that I can open c: drive directly and so far google searches don't have hijacked links.
Malwarebytes now opens normally, and I managed to run a chkdsk /f.
So far so good.
Your forum for some rootkit problems states the best method for attack is to wipe hard drive and reinstall clean version of windows.
Can you confirm that my rootkit problem is severe enough to warrant a clean install of windows, or is this most likely fixed using combo fix?

Combo Fix log:

ComboFix 09-04-04.01 - User 2009-04-08 0:59:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1565 [GMT 10:00]
Running from: c:\documents and settings\User\Desktop\ComboFix25.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\User\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\User\LOCALS~1\Temp\tmp2.tmp
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\gaopdxdfvpwxdcndqerpodbwynbakawyjeoirk.sys
c:\windows\system32\drivers\gaopdxdoylllovbwtmpuxfltpdqbppqpfvaswu.sys
c:\windows\system32\drivers\gaopdxsbiebeywqdyjfgyfjgmyboeavmiuxigp.sys
c:\windows\system32\drivers\gaopdxsdotlbnfynauvgkamnkrjutjiymtewqe.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxdxsuomgnnneolpgacseisrnlvwccqkvf.dll
c:\windows\system32\setup.ini
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_OREANS32


((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-08 00:56 . 2009-04-08 01:35 2,992,672 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-04-08 00:56 . 2009-04-08 01:09 32,084 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-04-07 23:46 . 2009-04-07 23:46 <DIR> d-------- C:\rsit
2009-04-06 22:12 . 2009-04-06 22:12 <DIR> d-------- c:\program files\PTDD Group
2009-04-06 21:45 . 2009-04-06 21:45 <DIR> d-------- c:\program files\EASEUS
2009-04-06 20:16 . 2009-04-07 18:11 <DIR> d-------- c:\documents and settings\User\Application Data\MailFrontier
2009-04-03 22:32 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-03 22:31 . 2009-04-07 23:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 22:31 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 17:37 . 2009-04-03 17:37 <DIR> d-------- c:\documents and settings\3. Zac\Application Data\Windows Search
2009-03-27 09:26 . 2009-04-08 01:34 <DIR> d-------- c:\documents and settings\User\Tracing
2009-03-27 06:11 . 2009-03-27 06:11 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-27 06:11 . 2009-03-27 06:11 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-03-27 06:08 . 2009-03-27 06:08 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-27 06:08 . 2009-03-27 06:11 <DIR> d-------- c:\program files\Microsoft
2009-03-27 06:00 . 2009-03-27 06:00 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-24 22:29 . 2009-03-24 22:29 <DIR> d-------- c:\program files\Trend Micro
2009-03-24 22:26 . 2009-04-06 20:16 <DIR> d-------- C:\fixwareout
2009-03-15 22:33 . 2008-04-14 09:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-15 22:33 . 2001-08-17 21:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2009-03-15 22:33 . 2001-08-17 21:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-03-15 22:33 . 2001-08-17 21:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-15 22:33 . 2004-08-03 21:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-03-15 22:33 . 2008-04-14 03:46 19,200 --a--c--- c:\windows\system32\dllcache\wstcodec.sys
2009-03-15 22:33 . 2008-04-14 09:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-03-15 22:33 . 2001-08-17 11:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2009-03-15 22:33 . 2004-08-03 21:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-03-15 22:33 . 2001-08-17 21:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-03-15 22:31 . 2001-08-17 12:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys
2009-03-15 22:30 . 2001-08-17 21:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2009-03-15 22:29 . 2001-08-17 13:01 241,664 --a--c--- c:\windows\system32\dllcache\tosdvd02.sys
2009-03-15 22:28 . 2001-08-17 11:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys
2009-03-15 22:27 . 2001-08-17 13:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2009-03-15 22:26 . 2001-08-17 21:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2009-03-15 22:25 . 2001-08-17 12:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2009-03-15 22:24 . 2008-04-14 09:12 363,520 --a--c--- c:\windows\system32\dllcache\psisdecd.dll
2009-03-15 22:23 . 2001-08-17 13:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2009-03-15 22:22 . 2001-08-17 11:50 198,144 --a--c--- c:\windows\system32\dllcache\nv3.sys
2009-03-15 22:21 . 2001-08-17 11:11 128,000 --a--c--- c:\windows\system32\dllcache\n100325.sys
2009-03-15 22:20 . 2001-08-17 12:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2009-03-15 22:19 . 2001-08-17 12:28 727,786 --a--c--- c:\windows\system32\dllcache\ltck000c.sys
2009-03-15 22:18 . 2008-04-14 09:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2009-03-15 22:17 . 2001-08-17 12:28 542,879 --a--c--- c:\windows\system32\dllcache\hsf_msft.sys
2009-03-15 22:16 . 2001-08-17 13:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-03-15 22:15 . 2001-08-17 11:17 629,952 --a--c--- c:\windows\system32\dllcache\eqn.sys
2009-03-15 22:14 . 2001-08-17 11:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2009-03-15 22:13 . 2001-08-17 21:36 419,357 --a--c--- c:\windows\system32\dllcache\dgconfig.dll
2009-03-15 22:12 . 2001-08-17 11:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2009-03-15 22:11 . 2001-08-17 12:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2009-03-15 22:10 . 2001-08-17 12:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2009-03-15 22:09 . 2001-08-17 13:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2009-03-14 20:52 . 2009-03-31 19:20 1,221,512 --a------ c:\windows\system32\zpeng25.dll
2009-03-14 20:37 . 2009-04-03 21:35 <DIR> d-------- c:\program files\ZAR
2009-03-12 05:51 . 2009-03-24 22:22 <DIR> d-------- c:\program files\Pcsx2
2009-03-07 17:10 . 2009-03-07 17:10 <DIR> d-------- c:\program files\WinAVI Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 15:35 --------- d-----w c:\documents and settings\User\Application Data\skypePM
2009-04-07 15:35 --------- d-----w c:\documents and settings\User\Application Data\Skype
2009-04-07 15:35 --------- d-----w c:\documents and settings\User\Application Data\BitTorrent
2009-04-06 12:12 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-05 10:56 --------- d-----w c:\program files\EPSON Print CD
2009-04-03 11:52 --------- d-----w c:\program files\Bluetooth Software
2009-04-03 11:39 --------- d-----w c:\program files\SpeedFan
2009-04-03 11:33 --------- d-----w c:\program files\VideoLAN
2009-04-02 10:02 --------- d-----w c:\program files\ECIClientV5
2009-04-01 07:57 --------- d-----w c:\documents and settings\User\Application Data\DNA
2009-03-31 20:02 --------- d-----w c:\program files\DNA
2009-03-31 09:20 72,584 ----a-w c:\windows\zllsputility.exe
2009-03-26 20:07 --------- d-----w c:\program files\Windows Live
2009-03-15 20:10 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 08:15 --------- d-----w c:\program files\PSCS2
2009-03-06 08:23 --------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-03-06 08:22 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 06:20 73,216 ----a-w c:\windows\RBRegEx350.dll
2009-03-03 06:20 60,416 ----a-w c:\windows\rbap350.dll
2009-03-03 06:20 56,832 ----a-w c:\windows\RBSpriteSurface350.dll
2009-03-03 06:20 27,648 ----a-w c:\windows\rbselectfolder350.dll
2009-03-02 22:59 --------- d-----w c:\program files\Aussie SPELLFORCE
2009-02-20 22:02 --------- d-----w c:\program files\Common Files\Adobe
2009-02-15 05:28 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-11 20:56 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-11 20:53 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-11 12:09 --------- d-----w c:\documents and settings\User\Application Data\HTML Executable
2008-04-23 09:11 150,480 ------w c:\documents and settings\User\Application Data\GDIPFONTCACHEV1.DAT
2008-03-01 00:47 150,480 ----a-w c:\documents and settings\3. Zac\Application Data\GDIPFONTCACHEV1.DAT
2007-09-03 13:07 774,144 ----a-w c:\program files\RngInterstitial.dll
2004-10-01 07:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2008-09-19 11:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091920080920\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2008-12-17 637232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R350 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAJP.EXE" [2005-05-12 98304]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 1051648]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-03-31 982408]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-25 438272]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-06-11 21:43 640376 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
--a------ 2008-06-12 01:25 37232 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-11-07 13:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 18:04 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-12-17 06:16 637232 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-12-16 07:14 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 22:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-10-01 22:00 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 12:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 2009-04-06 15:32 401040 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2007-04-20 08:05 8429568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--------- 2007-04-20 08:05 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 09:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegKillElbyCheck]
--a------ 2002-11-02 16:33 45056 c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegKillTray]
--a------ 2002-11-28 07:11 49152 c:\program files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 19:35 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC Service Utility]
--a------ 2007-10-09 12:55 665600 c:\program files\SSC Service Utility\ssc_serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 20:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2008-02-29 03:12 76304 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2007-04-20 08:05 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2007-04-12 19:33 16132608 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"O&O Defrag"=2 (0x2)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"GoogleDesktopManager-121807-210419"=3 (0x3)
"Capture Device Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Download Files\\Modem\\speedtouch st585 firmware upgrade\\SpeedTouch_upgrade_wizard_R4421\\upgradeST.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-01-21 21512]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-12-07 40368]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-03 179856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-03 15504]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-12-18 29181272]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2002-11-28 6400]
S2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys --> c:\windows\system32\Drivers\LBeepKE.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-05-18 13352]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-01-21 26248]
S3 Navcar;Navman In-car Navigator USB Driver Service;c:\windows\system32\drivers\Navcar.sys [2008-02-21 30329]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-5-6-49-100023146-100013775-100004571-3077.com c:\
\Shell\Open\command - c:\recycler\S-5-6-49-100023146-100013775-100004571-3077.com c:\
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2008-04-14 10:12]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-OODefragTray - c:\windows\system32\oodtray.exe
MSConfigStartUp-PHIME2002A - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
MSConfigStartUp-PHIME2002ASync - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\bctrlz20.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
//Settings Added By Reohix Internet Cell Boost
FF - user.js: network.http.max-connections - 50
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.max-connections-per-server - 20
FF - user.js: network.http.max-connections-per-proxy - 20
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 32
FF - user.js: network.http.max-persistent-connections-per-server - 32
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: nglayout.initialpaint.delay - 0.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 01:35:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-08 1:39:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-07 15:39:17

Pre-Run: 133,888,598,016 bytes free
Post-Run: 137,277,411,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

356 --- E O F --- 2009-02-11 20:57:56

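The log above is worth reading for indicators rather than only as a record of what ComboFix deleted: four drivers and a DLL share a random-looking `gaopdx` prefix, the Security Center notifications and the Windows firewall are switched off, and the mountpoints2 entry hands the C: drive's AutoRun to a `.com` file inside RECYCLER. The script below is an added example, not part of this thread or of ComboFix, that runs those checks over a constructed excerpt of the log. The prefix length, cluster size and rule names are my own assumptions, and a hit means "look closer", not a verdict: a single long file name (searchindexer.exe) is deliberately left unflagged, and a populated AppInit_DLLs value is reported for review because legitimate software uses it too.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt: entries copied from the ComboFix log above, plus two
# benign entries (mbam.sys, searchindexer.exe) that the rules must NOT flag.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\gaopdxdfvpwxdcndqerpodbwynbakawyjeoirk.sys
c:\windows\system32\drivers\gaopdxdoylllovbwtmpuxfltpdqbppqpfvaswu.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxdxsuomgnnneolpgacseisrnlvwccqkvf.dll
c:\windows\system32\drivers\mbam.sys
c:\windows\system32\searchindexer.exe
"AppInit_DLLs"=acaptuser32.dll
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-5-6-49-100023146-100013775-100004571-3077.com c:\
\Shell\Open\command - c:\recycler\S-5-6-49-100023146-100013775-100004571-3077.com c:\
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired
    detail: str  # the offending line, or the cluster members


# A long, letters-only file name under system32 is not suspicious by itself,
# but several of them sharing the same prefix is the pattern seen above.
SYSTEM32_NAME = re.compile(
    r"\\windows\\system32\\(?:drivers\\)?([a-z]{12,})(?:\.(?:sys|dll|exe))?$", re.I)
PREFIX_LEN = 6      # assumption: compare the first six letters of each stem
MIN_CLUSTER = 3     # assumption: three or more sharing a prefix is reportable

# A drive's AutoRun/Open verb redirected to an executable inside RECYCLER.
DRIVE_AUTORUN = re.compile(
    r"\\Shell\\(?:AutoRun|Open)\\command\b.*\brecycler\\\S+?\.(?:com|exe|scr|bat|pif)\b", re.I)

# Security Center warnings silenced, or the Windows firewall policy turned off.
NOTIFY_OFF = re.compile(r'"(?:AntiVirus|Updates|Firewall)DisableNotify"=dword:0*1\b')
FIREWALL_OFF = re.compile(r'"EnableFirewall"=\s*0\b')

# Any DLL listed here is loaded into every GUI process; report it for review.
APPINIT = re.compile(r'"AppInit_DLLs"=(\S+)')


def scan(log_text: str) -> list[Finding]:
    """Run the heuristics over ComboFix-style log text and return hits."""
    findings: list[Finding] = []
    clusters: dict[str, list[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name = SYSTEM32_NAME.search(line)
        if name:
            stem = name.group(1).lower()
            clusters[stem[:PREFIX_LEN]].append(stem)
        if DRIVE_AUTORUN.search(line):
            findings.append(Finding("drive-autorun", line))
        if NOTIFY_OFF.search(line) or FIREWALL_OFF.search(line):
            findings.append(Finding("protection-disabled", line))
        appinit = APPINIT.search(line)
        if appinit:
            findings.append(Finding("appinit-dll", appinit.group(1)))
    # Clusters are evaluated once the whole log has been read.
    for prefix, stems in sorted(clusters.items()):
        if len(stems) >= MIN_CLUSTER:
            findings.append(Finding("random-name-cluster", f"{prefix}*: " + ", ".join(stems)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.detail}")
```

Run it against a saved ComboFix or DDS log by passing the file's text to `scan()`; the prefix cluster rule is the one that generalises, since it keys on the naming habit rather than on the particular `gaopdx` string from this thread.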
#4 Zacbelle1 (Topic Starter)

Posted 09 April 2009 - 04:23 AM

I am the only one replying to this post, but I hope a more experienced person will eventually catch up to it. I understand you all have a lot of people needing help.

My virus problem is still there. I have set my ZoneAlarm to perform the deepest virus and malware scans possible daily, and it's coming up with some serious trojan viruses each time.

Therefore I definitely still need help.

I'm going to take this computer offline now (except for updating ZA) and just use my laptop until I can sort out the problem.

#5 Orange Blossom (OBleepin Investigator, Moderator)

Posted 14 April 2009 - 11:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 Zacbelle1 (Topic Starter)

Posted 15 April 2009 - 07:02 AM

Thanks for replying. Don't have to apologise for taking so long. What would all of us poor boobs do without you guys?
The instructions said to zip attach.txt before attaching it, so I used WinZip, but I assume it just meant to upload it as an attachment, not to cut and paste it like the dds.log.

DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 18:26:37.56 on Wed 15/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1510 [GMT 10:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
mRun: [EPSON Stylus Photo R350 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAJP.EXE /P30 "EPSON Stylus Photo R350 Series" /O6 "USB001" /M "Stylus Photo R350"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [SSC Service Utility] c:\program files\ssc service utility\ssc_serv.exe /s
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186754079890
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://ts.macrorecruitment.com.au/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\bctrlz20.default\

---- FIREFOX POLICIES ----
//Settings Added By Reohix Internet Cell Boost
FF - user.js: network.http.max-connections - 50
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.max-connections-per-server - 20
FF - user.js: network.http.max-connections-per-proxy - 20
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 32
FF - user.js: network.http.max-persistent-connections-per-server - 32
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: nglayout.initialpaint.delay - 0
============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-1-21 21512]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-12-7 40368]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-13 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-13 353672]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2002-11-28 6400]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\lbeepke.sys --> c:\windows\system32\drivers\LBeepKE.sys [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-5-18 13352]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-1-21 26248]
S3 Navcar;Navman In-car Navigator USB Driver Service;c:\windows\system32\drivers\Navcar.sys [2008-2-21 30329]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2006-5-1 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2008-7-2 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2008-7-2 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2008-7-2 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2008-7-2 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2008-7-2 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2008-7-2 90800]

=============== Created Last 30 ================

2009-04-13 18:53 <DIR> --d----- c:\docume~1\user\applic~1\MailFrontier
2009-04-13 18:50 22,125,856 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-13 18:50 293,660 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-13 18:01 72,584 a------- c:\windows\zllsputility.exe
2009-04-13 18:01 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-04-13 18:01 351,219 a------- c:\windows\system32\vsconfig.xml
2009-04-13 11:23 <DIR> --d----- C:\ComboFix13
2009-04-13 11:04 161,792 a------- c:\windows\SWREG.exe
2009-04-13 11:04 98,816 a------- c:\windows\sed.exe
2009-04-13 11:03 <DIR> --d----- C:\ComboFix25
2009-04-08 00:49 <DIR> a-dshr-- C:\cmdcons
2009-04-06 22:12 <DIR> --d----- c:\program files\PTDD Group
2009-04-06 21:45 <DIR> --d----- c:\program files\EASEUS
2009-04-03 22:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-03 22:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 22:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 09:26 <DIR> --d----- c:\documents and settings\user\Tracing
2009-03-27 06:11 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-03-27 06:08 <DIR> --d----- c:\program files\Microsoft
2009-03-27 06:08 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-27 06:00 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-24 22:29 <DIR> --d----- c:\program files\Trend Micro
2009-03-24 22:26 <DIR> --d----- C:\fixwareout

==================== Find3M ====================

2009-04-13 18:58 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-18 17:48 73,216 a------- c:\windows\system32\RBRegEx350.dll
2009-03-18 17:48 60,416 a------- c:\windows\system32\rbap350.dll
2009-03-18 17:48 56,832 a------- c:\windows\system32\RBSpriteSurface350.dll
2009-03-18 17:48 27,648 a------- c:\windows\system32\rbselectfolder350.dll
2009-03-03 16:20 73,216 a------- c:\windows\RBRegEx350.dll
2009-03-03 16:20 60,416 a------- c:\windows\rbap350.dll
2009-03-03 16:20 56,832 a------- c:\windows\RBSpriteSurface350.dll
2009-03-03 16:20 27,648 a------- c:\windows\rbselectfolder350.dll
2009-02-09 21:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-06 17:52 49,504 a------- c:\windows\system32\sirenacm.dll
2008-04-23 19:11 150,480 -------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2007-09-03 23:07 774,144 a------- c:\program files\RngInterstitial.dll
2004-10-01 17:00 40,960 a------- c:\program files\Uninstall_CDS.exe
2008-09-19 21:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 18:27:06.10 ===============
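
A helper reads a DDS log like the one above by eye, looking for a handful of patterns. As an added example, not part of the original post and not code from the DDS tool itself, here is a small Python triage script that parses three of the line families shown in such a log (the SERVICES / DRIVERS block, the Created Last 30 block, and the uRun/mRun/dRun/StartupFolder autostarts) and flags the entries a reviewer would look at first: services whose binary DDS could not verify on disk (the trailing [?]), files marked both hidden and system under c:\windows, and autostarts that launch from a user-writable directory. The regexes assume the column layout shown in this log; other DDS versions may differ. The sample input is copied from the log above plus one constructed Run entry, labelled in the code, that does not appear in that log. The flags are leads, not verdicts: the fidbox.dat file it surfaces here sits beside the klif.sys Kaspersky driver the same log lists and is consistent with that engine (which ZoneAlarm bundles) rather than with malware, so a reviewer would clear it after checking.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes as they appear in the DDS log on this page. Other DDS
# versions may lay these out differently; the regexes assume this layout.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$"
)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
RUN_RE = re.compile(r"^(?P<key>[umd]Run|StartupFolder):\s+(?P<rest>.+)$")

# Directories an unprivileged user can write to. An autostart that launches
# from one of these is worth a look: no elevation is needed to drop a file there.
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                 "\\applic~1\\", "\\application data\\")


@dataclass(frozen=True)
class Finding:
    kind: str     # "service", "created" or "run"
    subject: str  # service name, file path or Run value
    reason: str


def check_service(m: "re.Match") -> Optional[Finding]:
    # DDS appends " --> <path> [?]" when it could not read or verify the
    # binary a service points at. A driver whose file is merely missing
    # looks the same as one a rootkit is hiding, so this is a lead, not a verdict.
    if m.group("rest").rstrip().endswith("[?]"):
        return Finding("service", m.group("name"), "binary not verifiable on disk ([?])")
    return None


def check_created(m: "re.Match") -> Optional[Finding]:
    if m.group("size") == "<DIR>":
        return None
    attrs, path = m.group("attrs"), m.group("path").lower()
    # Attribute column, e.g. "a--sh---": 's' = system, 'h' = hidden. A file under
    # c:\windows carrying both is invisible in a default Explorer view.
    if "s" in attrs and "h" in attrs and path.startswith("c:\\windows\\"):
        return Finding("created", m.group("path"), "hidden+system file under c:\\windows")
    return None


def check_run(m: "re.Match") -> Optional[Finding]:
    rest = m.group("rest")
    # StartupFolder lines read "<shortcut.lnk> - <target>"; judge the target.
    target = rest.split(" - ", 1)[-1] if m.group("key") == "StartupFolder" else rest
    if any(marker in target.lower() for marker in USER_WRITABLE):
        return Finding("run", rest, "autostart launched from a user-writable directory")
    return None


CHECKS = ((SERVICE_RE, check_service), (CREATED_RE, check_created), (RUN_RE, check_run))


def triage(lines) -> List[Finding]:
    """Return the entries in a DDS log that a reviewer should look at first."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for regex, check in CHECKS:
            m = regex.match(line)
            if m:
                finding = check(m)
                if finding:
                    findings.append(finding)
                break
    return findings


# Sample input: lines copied from the DDS log above, plus one CONSTRUCTED
# Run entry (the last line) that does not appear in that log.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-13 150544]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\lbeepke.sys --> c:\windows\system32\drivers\LBeepKE.sys [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
2009-04-13 18:50 22,125,856 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-13 18:01 72,584 a------- c:\windows\zllsputility.exe
2009-04-08 00:49 <DIR> a-dshr-- C:\cmdcons
2008-09-19 21:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat
uRun: [update] c:\docume~1\user\locals~1\temp\update.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:8} {f.reason}: {f.subject}")
```

On the sample it reports the two services DDS could not verify (LBeepKE and vsmon), the two hidden+system files under c:\windows, and the constructed Run entry; the ctfmon, BitTorrent, Logitech and KLIF lines pass. Each hit still has to be attributed by hand, which is the part of the job the script cannot do.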




#7 Jat90


Posted 15 April 2009 - 05:22 PM

Hello, Zacbelle1

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right-hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Pretty much every rootkit causes much of the chaos you described and allows hackers to steal your sensitive information. Also, you should refrain from using ComboFix unsupervised, as in some cases it can do more damage than good if you're not experienced with the tool. In answer to your question, yes, gaopdxserv is a dangerous rootkit and I would give you the following warning:

Rootkit Warning

Rootkits are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide the new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords and personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Please let me know what you decide to do.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#8 Zacbelle1


Posted 16 April 2009 - 05:43 AM

I kind of thought you would give me this option.
I will reinstall. I've done it before for other reasons so looks like I will have to do it again.
By the way I had a laptop that appeared not to be compromised (deep virus and malware scans found no problems) so I used it to log on to the internet and change all my banking passwords etc, but just today it found trojan.win32.patched.dy. Do I have to assume that my laptop now needs full wipe and reinstall too?

#9 Zacbelle1


Posted 16 April 2009 - 05:47 AM

by the way, how do I log in to my router and change the login password (to a strong password) without the trojan potentially logging the keystrokes and reporting back to the f**k**g crook who is compromising my system?
Do I need to hook the router up to a clean computer?

#10 Jat90


Posted 16 April 2009 - 06:04 AM

Hello,

Yes, I would wipe your laptop too. It depends on what type of router it is; I am only experienced with Linksys routers. I would make a post in the Networking Forum for all other makes.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#11 Zacbelle1


Posted 16 April 2009 - 08:54 AM

Thanks Jat90.
I have searched my home top to bottom and can't find my Windows XP disc. I have rung my other family members, to whom I may have lent it, but they said they haven't got it.
I have a copy that I made when I first bought xp pro (sp2) but I have never used it. Will I have a problem registering or validating if I do a clean install using a copied disc? Is it illegal?
This is very frustrating.
Also, I can do a reinstallation of Vista on my laptop using recovery discs I created, but I would really prefer XP as it seems to be more reliable. I have heard, though, that reverting a Vista laptop to XP is very difficult and not guaranteed to work. Any thoughts? I guess I need another post on another forum?

#12 Jat90


Posted 17 April 2009 - 05:25 AM

Hello,

I can only go as far as malware is concerned here. To get a reliable answer, please ask my colleagues in the Windows XP Forum.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#13 Jat90


Posted 18 April 2009 - 06:18 AM

Since the problem is not malware related, this topic is now Closed.
If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.




