winlogon.exe using most of my CPU... super slow computer!


13 replies to this topic

#1 computerchick

Posted 20 April 2009 - 05:46 PM

OK, so this is long. Please bear with me.

I started having problems about 2 weeks ago, but my DSL has been offline for the last week due to a bad phone line, so nothing has happened recently.

I have Windows XP Pro, Service Pack 3. I use Firefox 2.0.0.20. I have tried upgrading to Firefox 3, but have problems with my bank website with it, so had to downgrade back to 2. I have ZoneAlarm as my firewall and anti-virus/anti-spyware, and I also HAD Spybot Search and Destroy, but it is gone as a result of a failed fix of the problem.

First thing that happened was that I was getting 2 repeat messages from Spybot every few minutes.

The messages were as follows:

denied (based on user blacklist)
value "seokyyic" (new data:"") added in winlogon notifiers

denied (based on user blacklist)
value "srePostpone" (new data:"") deleted in system startup global entry

My computer became incredibly slow. I ran a virus/spyware check using ZoneAlarm and it found and dealt with a virus. I cannot find in the ZoneAlarm logs what virus it was. The only logs I can find are alert logs.

After restarting my computer I still had multiple pop-ups from SpyBot, but it was a new message and my computer was even slower.

It said:

denied (based on user blacklist)
value "Fmofoyefulu" (new data: "rundll32.exe"C:\WINDOWS\ujaxesakoril.dll"",e" added in system startup global entry

When I say multiple pop-ups, I mean that even though I told it not to allow the change and checked the box that said to "remember" my decision, a new alert for the same file was popping up literally every second.

Called my father (a freelance computer consultant) and he said it sounded like SpyBot was having issues and took me to System Config, where I removed the permission for it to start on start-up along with a few other things he said I didn't need and could be slowing down my computer. I unfortunately do not know what else I got rid of. Then I restarted my computer and uninstalled SpyBot. Messages gone! Did another virus/spyware scan with ZoneAlarm and got nothing. Computer worked OK at first, but then got incredibly slow again in that same session.

Called my father again. He had me open Windows Task Manager (it took like 15 minutes to open). For some reason winlogon was using an incredible amount of my CPU (97-99%). He said I should try a system restore point. I went to System Restore and the only restore point was one created when I opened it. All others had been wiped. My dad said I needed to go to this website to get help. So here I am!

Since that time, I have only turned on my computer a few times for a limited amount of time. It has been slow some times and not slow others. I am not sure what is determining the difference. ZoneAlarm had an update on the 13th, so I immediately did a new scan, hoping to find something, but it came up empty. It has no slowing issue when I start it in safe mode. I have checked the system restore a couple of times and even created restore points, but each time I open it again there is only one system restore point, and it was created the instant I opened System Restore. I know Conficker wipes system restore points, but I don't think I have any of its other symptoms.

What should I do? I have important files backed up, but would prefer not to have to wipe my computer if at all possible.



#2 DaChew

Posted 20 April 2009 - 05:52 PM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/


If MBAM won't install or run, try this to install MBAM:
  • Try renaming the setup file to install.com
  • Try installing in safe mode
Here's a random renamer for the program if you can get it installed:

http://kixhelp.com/wr/files/mb/randmbam.exe

http://www.gt500.org/malwarebytes/database.jsp
Chewy

No. Try not. Do... or do not. There is no try.

#3 computerchick

Posted 20 April 2009 - 07:13 PM

Here is the Malware log. Looks like I had quite a bit, so I hope this will resolve things.

Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 3

4/20/2009 8:00:14 PM
mbam-log-2009-04-20 (20-00-14).txt

Scan type: Quick Scan
Objects scanned: 97396
Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ftqbuly.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{852267e5-40ed-4408-9370-6ea44ec38051} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\seokyyjc (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{852267e5-40ed-4408-9370-6ea44ec38051} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vvdryhcb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvdryhcb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{852267e5-40ed-4408-9370-6ea44ec38051} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmofoyefulu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: rvcows32.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\ftqbuly.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\rvcows32.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ujaxesakoril.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\DUTPHONE.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\ENGPHONE.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\FREPHONE.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\GERPHONE.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\ITAPHONE.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\PIPERMD.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\PORPHONE.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\SPAPHONE.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\TABCTRL.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\W4W05T.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\W4W07T.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\W4W19T.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\W4W20T.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\W4W21T.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\W4W33T.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\W4W44T.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\W4W48T.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\W4W49T.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\WFTP16.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\WINOCRPX.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 DaChew

Posted 20 April 2009 - 07:16 PM

After the reboot run another quick scan

This is rarely a one shot deal

#5 computerchick

Posted 20 April 2009 - 08:22 PM

Ran it again. It came up clean. Anything else I should do? Should I run the Malware scan regularly? Once a week or something? And should I re-install the newest version of Spybot?

Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 3

4/20/2009 9:15:27 PM
mbam-log-2009-04-20 (21-15-27).txt

Scan type: Quick Scan
Objects scanned: 97276
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
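
The two MBAM logs above (the first scan with most items marked "Delete on reboot", the second clean) are easier to reason about when parsed. The script below is an added example and is not part of this thread or of Malwarebytes: it parses MBAM 1.x log lines, lists the detections that only disappear after a normal reboot (the reason DaChew insists on rebooting and rescanning), maps each registry detection to the boot or logon load point it sits in (the Winlogon\Notify entry, for instance, is a DLL that winlogon.exe loads, which fits the CPU load seen in that process), and compares an earlier and a later log to find items that came back. The sample input is an excerpt of the first log posted above; SAMPLE_RESCAN is constructed for the example, and the load-point labels are this example's own wording.

```python
import re

# Excerpt of the first MBAM log posted in the thread (the second, clean log has
# the same shape with "(No malicious items detected)" under every heading).
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ftqbuly.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{852267e5-40ed-4408-9370-6ea44ec38051} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\seokyyjc (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvdryhcb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmofoyefulu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: rvcows32.dll -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\ftqbuly.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\rvcows32.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\ujaxesakoril.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Constructed for this example (not from the thread): a rescan that still lists
# a file that was marked "Delete on reboot", as happens when the reboot is skipped.
SAMPLE_RESCAN = r"""
Files Infected:
C:\WINDOWS\ujaxesakoril.dll (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Registry locations that give code execution at boot or logon. Labels are this
# example's own wording; the path-to-load-point mapping is standard Windows
# behaviour (Winlogon\Notify DLLs load into winlogon.exe, LSA notification
# packages into lsass.exe, Run values at user logon, Services at boot).
LOAD_POINTS = [
    ("\\winlogon\\notify\\", "Winlogon notification package (DLL loaded by winlogon.exe)"),
    ("\\control\\lsa\\notification packages", "LSA notification package (DLL loaded by lsass.exe)"),
    ("\\currentversion\\run\\", "Run key autostart"),
    ("\\services\\", "service or kernel driver"),
    ("\\browser helper objects\\", "Internet Explorer Browser Helper Object"),
]


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, family, data, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        rest, data = m.group("rest").rstrip("."), None
        if rest.startswith("Data: ") and " -> " in rest:  # registry data items carry the bad value
            data, rest = rest[len("Data: "):].split(" -> ", 1)
        findings.append({"section": section, "item": m.group("item"),
                         "family": m.group("family"), "data": data, "action": rest})
    return findings


def pending_reboot(findings):
    """Detections MBAM could not remove live; they are only gone after a normal reboot."""
    return [f for f in findings if f["action"] == "Delete on reboot"]


def load_points(findings):
    """Map each registry detection to the boot/logon load point it abuses."""
    result = {}
    for f in findings:
        if not f["section"].startswith("Registry"):
            continue
        path = f["item"].lower()
        label = next((lbl for needle, lbl in LOAD_POINTS if needle in path), "other registry entry")
        if f["data"]:
            label += " -> " + f["data"]
        result[f["item"]] = label
    return result


def still_present(before, after):
    """Items from an earlier scan that a later scan reports again (cleanup did not stick)."""
    later = {f["item"].lower() for f in after}
    return sorted({f["item"] for f in before if f["item"].lower() in later})


if __name__ == "__main__":
    first = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(first)} detections, {len(pending_reboot(first))} need a normal reboot to clear")
    for item, where in load_points(first).items():
        print(f"  {where}: {item}")
    print("came back on rescan:", still_present(first, parse_mbam_log(SAMPLE_RESCAN)))
```

The load-point view is the useful part for triage: a Winlogon\Notify DLL, an LSA notification package and a Run value together mean the infection had three separate ways back in, so a clean rescan after the reboot (as in the second log above) is the evidence that matters, not the first log's "Delete on reboot" lines.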

#6 DaChew

Posted 20 April 2009 - 08:31 PM

Spybot is good for SDHelper and immunization, but beware of TeaTimer; it's what interferes with malware cleaning.

MBAM is an essential scan tool

Here's another one that I use when MBAM finds something

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#7 computerchick

Posted 11 May 2009 - 04:37 PM

OK, so now my computer is still creeping along, but only when I access the internet! I usually use Firefox, but I did a test and it does exactly the same thing if I'm using Internet Explorer or Opera. Anytime I try to load any page the browser will end up using 90-99% of my CPU. I ran a deep scan using MBAM and it found something, but removing that didn't help the problem, and I actually think it is a valid file. Also, I noticed in MBAM that all the files it said previously that it quarantined and then deleted are not in fact deleted, but only quarantined. Is this a problem?
Malwarebytes' Anti-Malware 1.36
Database version: 2024
Windows 5.1.2600 Service Pack 3

5/1/2009 12:19:42 AM
mbam-log-2009-05-01 (00-19-42).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 232149
Time elapsed: 1 hour(s), 53 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Collectorz.com\Photo Collector\PhotoCollector.exe (Rogue.AstrumAntivirus) -> Quarantined and deleted successfully.


Do I need to start a new topic for this?

#8 RavenPhoenix

Posted 11 May 2009 - 04:59 PM

The file that it removed was a rogue antivirus software, named Astrum AntiVirus, and it's a good thing it got removed; it's an annoying one too.
A little info on this little bugger:

Astrum Antivirus Pro is a rogue anti-spyware application and a clone of VirusTrigger and Antivirus Trigger. Astrum Antivirus Pro is often downloaded and installed by a Trojan or through browser security holes. Astrum Antivirus Pro may generate large numbers of popup adverts. Astrum Antivirus Pro will also display notifications of imaginary security risks in its attempts to get the user to purchase the full version. Astrum Antivirus Pro may run a fake system scanner and then display fake system scan results stating that your system is flooded with spyware. Astrum Antivirus Pro program may be difficult to remove manually, and will continue to try to recreate itself.


It may not be fully removed, so let the helper walk you through cleaning your machine.

Edited by RavenPhoenix, 11 May 2009 - 05:05 PM.

Forum Skulker. Preventing Comp Nukes everywhere. :-)

#9 computerchick

Posted 12 May 2009 - 01:08 AM

Here is the SuperAntiSpyware log entry:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/11/2009 at 10:30 PM

Application Version : 4.26.1002

Core Rules Database Version : 3886
Trace Rules Database Version: 1834

Scan type : Complete Scan
Total Scan Time : 04:30:20

Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 5009
Registry threats detected : 0
File items scanned : 121656
File threats detected : 57

Adware.Tracking Cookie
.atdmt.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.servedby.advertising.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.servedby.advertising.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\fsypbmw2.slt\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Stacia\Application Data\Mozilla\Profiles\default\a9g7pawr.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Stacia\Application Data\Mozilla\Profiles\default\a9g7pawr.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Stacia\Application Data\Mozilla\Profiles\default\a9g7pawr.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Stacia\Application Data\Mozilla\Profiles\default\a9g7pawr.slt\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Stacia\Application Data\Mozilla\Profiles\default\a9g7pawr.slt\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Stacia\Application Data\Mozilla\Profiles\default\a9g7pawr.slt\cookies.txt ]
F:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@adlegend[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@ads.pugetsoundsoftware[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@anat.tacoda[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@collective-media[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@interclick[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@kontera[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@media.sensis.com[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@microsoftwga.112.2o7[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@palmone.112.2o7[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@partner2profit[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@rotator.adjuggler[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@sensismediasmart.com[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt
F:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
F:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt


Still web browsing is taking up 90+% of my CPU and is very slow. Is it possible I need to do a wipe of my hard drive? It seems like every program finds something new, but the problem remains after the crap is quarantined. What to do?

#10 computerchick

Posted 12 May 2009 - 01:09 AM

Oh yeah, and the PhotoCollector File that is supposedly a big nasty? I can't open that program without it. Do I need to reinstall the program or is there a way to clean the file?

#11 RavenPhoenix

Posted 12 May 2009 - 10:46 AM

Actually, what SAS found were tracking cookies that you get while naturally browsing around the net. Again, I will let the helper assist you, but the ones found by SAS are not a big concern.

#12 DaChew

Posted 12 May 2009 - 03:53 PM

Let's dig a little deeper. Try to follow the directions as best you can; rootkit scans are hit or miss depending on what's running that might interfere with them.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#13 computerchick

Posted 18 May 2009 - 12:34 PM

Here's the GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-17 00:31:38
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF3B03FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF3B00C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF3B1B170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF3B04580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF3B18900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF3B18B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF3B1CB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF3B04670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF3B01210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF3B1B9F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF3B1B7A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF3B18280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xF3AFD8C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF3B1BF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF3B1BF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xF3B1CD90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF3B01070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF3B1A180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF3B19F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF3B1C6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF3B1C150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF3B03BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF3B1C540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF3B04190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF3B01440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xF3AFD6A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF3B1B4E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF3B19200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF3B19080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xF3AFDAF0]

INT 0x20 srescan.sys F74CAC90

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [80, 45, B0, F3, 00, 89, B1, ...] {ADD BYTE [EBP-0x50], 0xf3; ADD [ECX-0x74ef0c4f], CL; MOV CL, 0xf3}
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E282C 12 Bytes [C0, D8, AF, F3, 10, BF, B1, ...]
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] ntdll.dll!KiFastSystemCall + 2 7C90E512 2 Bytes [CD, 20] {INT 0x20}
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1120] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F3B08B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F3B08930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F3B09260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F3B06E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F3B06E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F3B08B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F3B08930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F3B09260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F3B08B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F3B06E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F3B09260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F3B08930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F3B09260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F3B08930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F3B08B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F3B21B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F3B06E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F3B08B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F3B08930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F3B09260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F3B08B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F3B06E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F3B09260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F3B08930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F3B018D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F3B01A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F3B015E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F3B01980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!GetModuleHandleA] [7C8841EE] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!GetModuleHandleW] [7C8841F3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[312] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1008] @ C:\WINDOWS\system32\Iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{AAFEEFAC-0013-0021-0012-ABCDEFFEDCBA}@ Java Plug-in 1.3.1_12
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{CAFEEFAC-0013-0021-0013-ABCDEFFEDCBA}@ Java Plug-in 1.3.1_13
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}@ Java Plug-in 1.3.1_13????????????B???????????t???????????????????????S????xem3????B??B???o5x????? ?????????????B?????B??????????,???&???????????????????????? ???????B??????????????????????\? F????????????C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll???Apartment?????????????2??
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\InprocServer32
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:P:\p,\0003\0003\0,\0H\0K\0C\0U\0,\0S\0O\0F\0T\0W\0A\0R\0E\0\\0M\0i\0c\0r\0o 0x67 0x03 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\485\Shell@SortDir 1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\514\Shell@con 0xFF 0xFF 0xFF 0xFF
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\533\Shell@WinPos1024x768(1\xa8{ 0x2C 0x00 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\594\Shell@Mode 6
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\594\Shell@SortDir 1

---- EOF - GMER 1.0.15 ----

#14 computerchick
  • Topic Starter
  • Members
  • 13 posts

Posted 31 May 2009 - 08:25 PM

I posted the GMER log, but no one has responded to it. What should I do next?
