
WINBLUESOFT and Trojan RUSTOK-N malware


  • This topic is locked
36 replies to this topic

#1 GimmeShelter

GimmeShelter

  • Members
  • 27 posts

Posted 04 June 2009 - 06:23 PM

Please see 'http://www.bleepingcomputer.com/forums/t/231437/trojrustok-n-and-winbluesoft/?p=1288185' for further reference and activity to this point in our attempts to remove them.

Requested DDS and ATTACH logs follow:

DDS
____

DDS (Ver_09-05-14.01) - NTFSx86
Run by John Cuccia at 19:07:09.15 on Thu 06/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1508 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FW: Norton Internet Security 2006 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\2107fb69-24d8-4cc3-adbf-681b845a5e41.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John Cuccia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.yahoo.com/
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [setup2.exe] c:\windows\system32\setup2.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\2107fb69-24d8-4cc3-adbf-681b845a5e41.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-3-1 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-7 394952]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S2 NtmlSvc;NtmlSvc;c:\windows\system32\svchost.exe -k netsvcs [2006-1-5 14336]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-06-04 17:11 5,074 a------- c:\windows\35e9stea5365z.dll
2009-06-04 15:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-04 15:26 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-04 15:26 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-04 14:31 --d----- c:\docume~1\johncu~1\applic~1\Malwarebytes
2009-06-04 14:13 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-04 14:13 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-04 14:13 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-04 14:13 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-04 13:50 6,952 a------- c:\windows\5090backd5oz233.ocx
2009-06-04 12:05 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-04 12:02 --d----- c:\program files\SUPERAntiSpyware
2009-06-04 12:02 --d----- c:\docume~1\johncu~1\applic~1\SUPERAntiSpyware.com
2009-06-04 11:59 --d----- c:\program files\common files\Wise Installation Wizard
2009-06-03 13:13 4,281 a------- c:\windows\5925threat506z.bin
2009-06-01 18:16 10,410 a------- c:\windows\11899notza-virus195.bin
2009-06-01 17:25 17,544 a------- c:\windows\1951th9ef23z9.exe
2009-05-31 23:20 18,390 a------- c:\windows\system32\2df9d9wnloadzr11455.bin
2009-05-28 10:22 3,120 a------- c:\windows\system32\229175p96z1.ocx
2009-05-27 23:38 16,133 a------- c:\windows\system32\30639wo5m1eez.exe
2009-05-27 02:28 18,394 a------- c:\windows\system32\24794hack5ooz3f39.ocx
2009-05-26 22:12 12,438 a------- c:\windows\6a5bviz5965.dll
2009-05-26 21:09 8,822 a------- c:\windows\5z689sp9mbot169.cpl
2009-05-25 01:15 3,649 a------- c:\windows\system32\41z9thr5at4921.cpl
2009-05-22 05:20 10,980 a------- c:\windows\7345stzal97645.dll
2009-05-22 03:16 9,650 a------- c:\windows\system32\72f9th5ef3z89.bin
2009-05-21 10:53 12,393 a------- c:\windows\25910w9rm5z05.cpl
2009-05-21 00:25 16,233 a------- c:\windows\15zevir1489.bin
2009-05-18 20:26 3,499 a------- c:\windows\system32\5f7eszea927275.bin
2009-05-17 20:09 4,808 a------- c:\windows\20983spazbot55a.cpl
2009-05-17 20:04 7,385 a------- c:\windows\20850spam5o92bz.bin
2009-05-17 12:19 6,025 a------- c:\windows\5f1bzckdoor24079.exe
2009-05-17 05:10 15,110 a------- c:\windows\system32\5z09hac5tool6b0.bin
2009-05-15 05:47 17,661 a------- c:\windows\system32\e3fs5ars971z.ocx
2009-05-15 03:47 13,619 a------- c:\windows\50b9thief57z89.cpl
2009-05-14 11:09 7,156 a------- c:\windows\system32\5f5ebackdooz639.ocx
2009-05-13 15:34 15,752 a------- c:\windows\system32\94830hac5tool5z4.ocx
2009-05-13 02:25 11,188 a------- c:\windows\system32\79z55teal69.exe
2009-05-12 20:36 16,994 a------- c:\windows\system32\91z35troj15.cpl
2009-05-08 15:24 14,924 a------- c:\windows\56235z9ambot205.bin
2009-05-07 19:37 17,089 a------- c:\windows\system32\2dfcdo9nload5z3274.dll
2009-05-07 07:17 15,934 a------- c:\windows\59c6thiz53074.dll
2009-05-07 05:19 14,194 a------- c:\windows\ze995teal9556.ocx

==================== Find3M ====================

2009-06-04 17:17 2,198 a------- c:\docume~1\johncu~1\applic~1\wklnhst.dat
2009-05-27 17:10 68,622,880 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-27 17:10 920,132 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-02 01:48 16,324 a------- c:\windows\system32\5458zir9095.exe
2009-04-25 12:59 7,355 a------- c:\windows\system32\1903wz5m925.bin
2009-04-23 23:04 10,246 a------- c:\windows\system32\16439zackt5ol357.bin
2009-04-16 14:34 9,548 a------- c:\windows\system32\4912s5yzare2432.dll
2009-04-15 23:33 14,403 a------- c:\windows\system32\1a3e5ownl9ader2z58.dll
2009-04-13 19:39 15,802 a------- c:\windows\4985worz695.exe
2009-04-07 22:27 17,451 a------- c:\windows\59f4downl9a5zr646.bin
2009-04-07 00:18 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-04-06 21:32 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-06 17:14 14,567 a------- c:\windows\system32\8e1down9oader219z5.exe
2009-04-01 23:50 4,552 a------- c:\windows\system32\51e6th9ea5284z7.dll
2009-04-01 00:28 15,144 a------- c:\windows\system32\7bzstea9754.exe
2009-03-27 03:37 16,068 a------- c:\windows\system32\170665o9m7zc.bin
2009-03-22 23:24 16,130 a------- c:\windows\system32\z35265pamb9t585.bin
2009-03-19 08:19 9,839 a------- c:\windows\aa75iz1694.bin
2009-03-15 06:05 15,731 a------- c:\windows\321z09py1f95.dll
2009-03-13 16:43 9,299 a------- c:\windows\system32\59fbaddware9z25.dll
2009-03-13 15:41 12,099 a------- c:\windows\system32\7z12thief5694.bin
2009-03-13 05:54 12,094 a------- c:\windows\15966worm7a5z.dll
2009-03-12 05:51 10,173 a------- c:\windows\511629zya4.bin
2009-03-10 14:42 10,959 a------- c:\windows\47555hi9z3166.bin
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2006-05-07 20:47 425,984 a------- c:\program files\ccsetup129_slim.exe

============= FINISH: 19:07:47.59 ===============


'Attach' file should be attached. Please let me know if it is not.


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 June 2009 - 10:06 PM

Hello GimmeShelter,

I (as well as MicroSoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these.
ZoneAlarm Security Suite Antivirus or Norton Internet Security 2006 Antivirus

Also you have two firewalls installed: ZoneAlarm Security Suite Firewall and
Norton Internet Security 2006.

Running two firewalls will cause major problems, so I recommend you uninstall one of them.




Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box, select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java™ 6 Update 13
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ SE Runtime Environment 6 Update 1
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a Hijackthis log (not a DDS log).
This scanner will only scan. It does not remove any malware it finds.

Edited by SifuMike, 06 June 2009 - 10:08 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 GimmeShelter

GimmeShelter
  • Topic Starter

  • Members
  • 27 posts

Posted 07 June 2009 - 01:03 AM

Hello SifuMike and thanks. Regarding your comments:


I don't have Norton antivirus running. It may have come as a trial version when I first bought my computer (I don't remember), but I have never used it. It is definitely not running. As a matter of fact, there aren't any files or folders with 'norton' contained in the name on my computer. There must be some kind of false indicator that it's on in the DDS/Attach logs that I sent. Only ZoneAlarm security suite is active.

About JAVA, I believe I'd installed the latest update available to me as of a few days ago. See the following:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 13
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1

Perhaps they changed the naming scheme from "J2SE Runtime Environment" to "Java™" starting with version 6. What do you think? I currently have V6, update 13 running on my computer now. I checked. Didn't UPDATE 14 come out just a few days ago? I hesitate. Regardless, I've installed UPDATE 14.

Concerning the Firewalls - I have only Windows firewall active. I have ZoneAlarm firewall disabled. I've always had it configured that way, and there is not any Norton security or firewall active on my PC. None visible anyway, and nothing obviously that can be deleted or uninstalled.

Perhaps these malwares we are struggling with are giving false impressions as to activity of Norton A/V and firewall functions, or maybe they are disguising themselves as Norton. This WINBLUESOFT hijacker security package is especially vicious.

I needed to state the discrepancies above in case you were thinking they had something to do with our problems in extinguishing the WINBLUESOFT and TROJ/RUSTOK-N malwares.

Now, I have one question before I run the Kasperski scanner. What is the 'Hijackthis log' that you mention? Did I miss something?

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 June 2009 - 10:26 AM

Hi GimmeShelter,

I don't have Norton antivirus running. It may have come as a trial version when I first bought my computer(I don't remember), but I have never used it. It is definitely not running. As a matter of fact, there aren't any files or folders with 'norton' contained in the name on my computer. There must be some kind of false indicator that it's on in the DDS/Attach logs that I sent. Only ZoneAlarm security suite is active.


You still have registry entries indicating Norton is there.
To fully remove Norton AntiVirus, Norton Security or other Symantec related products, select the product you want to uninstall from this list in order to download the removal tool.
Please read the instructions first before you use it.

For older versions of Norton (2000, 2001, 2002), choose this http://service1.symantec.com/SUPPORT/sunse...sv_lvl=&seg

Also read the next article in case you're having problems with uninstalling Norton if above instructions didn't work, or noticed problems after uninstalling Norton:
http://basconotw.mvps.org/SymRem.htm


About JAVA, I believe I'd installed the latest update available to me as of a few days ago. See the following:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 13
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1


As I said before, the above are all old versions. Uninstall them as they are malware magnets.

I currently have V6, update 13 running on my computer now. I checked. Didn't UPDATE 14 come out just a few days ago? I hesitate. Regardless, I've installed UPDATE 14.


As I said before, Java Update 13 is an old version. Java Update 14 has been out for several weeks.

Concerning the Firewalls - I have only Windows firewall active. I have ZoneAlarm firewall disabled. I've always had it configured that way. and there is not any Norton security or firewall active on my PC. None visible anyway, and nothing obviously that can be deleted or uninstalled.


If you are not using ZoneAlarm firewall then uninstall it.
Running the Norton removal tool will get rid of the Norton Security (with firewall).

I do not recommend Windows XP's software firewall, as it monitors only inbound connections, offering no protection from malware already on your PC. All commercial firewalls offer both inbound and outbound connection monitoring.


Here are five free firewalls available for personal use. If one conflicts with your system, try another. I use Online Armour on my computer, but you may like another one.

You Need a (Properly Configured) Firewall://http://basconotw.mvps.org/SymRem


Understanding and Using Firewalls
http://www.bleepingcomputer.com/forums/tutorial60.html

Online Armor Free
http://www.tallemu.com/free-firewall-prote...n-software.html

Comodo Firewall Pro and Antivirus (You will have to disable Comodo antivirus if you have previously installed an antivirus)
http://www.personalfirewall.comodo.com/

Sunbelt Kerio Firewall
http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/

Outpost Firewall Free
http://www.agnitum.com/products/

ZoneAlarm
http://www.zonelabs.com/store/content/comp...reeDownload.jsp

http://www.personalfirewall.comodo.com/sup...&country=US
Comodo Firewall Pro user guide

What is the "Hijackthis log' log that you mention? Did I miss something?


I assumed you had it already installed on your computer.

Please download and install the new version by following the instructions here: http://www.download.com/Trend-Micro-Hijack...4-10227353.html
Let it install in the default folder C:\Program Files\Trend Micro\HijackThis
Please post it.

Edited by SifuMike, 07 June 2009 - 10:48 AM.


#5 GimmeShelter

GimmeShelter
  • Topic Starter

  • Members
  • 27 posts

Posted 07 June 2009 - 12:58 PM

I've uninstalled the non-current versions of JAVA, as well as running the software to remove Norton vestiges. Cannot uninstall ZoneAlarm firewall separately from the other ZoneAlarm facilities. As mentioned, it's part of a security suite and I do have it disabled. I'll also take into consideration your suggestions for alternative firewall protection.

Moving along, while running Kaspersky Online Scanner, received message "Starting Java Applet has failed. Please go online to use this program" during the "downloading and updating the program" phase of "Update". It stops and goes no further apparently. I have my ZoneAlarm disabled. Please advise as to how to get Kaspersky Online Scanner running successfully.

#6 GimmeShelter

GimmeShelter
  • Topic Starter

  • Members
  • 27 posts

Posted 07 June 2009 - 01:03 PM

P.S. I'm using the Kaspersky link provided earlier. I've also re-booted in an attempt to clear the condition and to have ZoneAlarm not start automatically during the re-boot - same result with same java applet message.

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 June 2009 - 01:22 PM

Hi,

Leave the ZoneAlarm firewall enabled. ZoneAlarm firewall is far better than Windows XP firewall, as it is bidirectional.

I do not recommend Windows XP's software firewall, as it monitors only inbound connections, offering no protection from malware already on your PC. All commercial firewalls offer both inbound and outbound connection monitoring.
If you have Windows firewall enabled, then disable it. Only one firewall is necessary, as two firewalls cause problems. http://support.microsoft.com/kb/283673


If Kaspersky will not run, then use ESET online scanner.

Disable the ZoneAlarm antivirus while running ESET.

Please go to the following link ESET Online Scanner Link
Tick the box YES, I accept the Terms Of Use
Click the Start button
Now click the Install button
Click Start

The scanner engine will initialise and update

Do Not tick the box Remove found threats
Click the Scan button

The scan will now run, please be patient

When the scan finishes click the Details tab
Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.

Edited by SifuMike, 07 June 2009 - 01:47 PM.


#8 GimmeShelter

GimmeShelter
  • Topic Starter

  • Members
  • 27 posts

Posted 07 June 2009 - 01:35 PM

I'll pick up on this late tonight eastern time. Hopefully you'll have logs by tomorrow. Thank you.

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 June 2009 - 01:46 PM

You're welcome.

#10 GimmeShelter

GimmeShelter
  • Topic Starter

  • Members
  • 27 posts

Posted 07 June 2009 - 10:04 PM

Your instructions for running ESET online scanner indicate the following:

Do Not tick the box Remove found threats
Click the Scan button


However, there is not any button for simply 'Scan'. There is:

1) Scan archives

In addition, in the advanced settings, there are the following options

1) Scan for potentially unwanted applications
2) Scan for potentially unsafe applications
3) Enable anti-stealth technology

The options are in conflict with your instructions. I'm now confused. Please advise as to which options to check.

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 June 2009 - 10:55 PM

Yes, they have changed it again.

We will use this scanner instead of ESET.

Lets run an F-Secure online scan for Viruses, Spyware and RootKits:
Go to http://support.f-secure.com/enu/home/ols.shtml

Notes:
This scan will only work with Internet Explorer
You must have administrator rights to run this scan
This scan can take several hours, so please be patient

Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the Active X control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post


If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Edited by SifuMike, 07 June 2009 - 11:23 PM.


#12 GimmeShelter

GimmeShelter
  • Topic Starter

  • Members
  • 27 posts

Posted 07 June 2009 - 11:59 PM

note: I'm NOT going to disable my current antivirus software while this is running. This facility( F-Secure online scan ) apparently runs 'online', and you say for hours. I'm not sure that I can afford to be connected to the internet unprotected for that long. Advise please.

#13 GimmeShelter

GimmeShelter
  • Topic Starter

  • Members
  • 27 posts

Posted 08 June 2009 - 01:32 AM

Results of F-Secure online scan (also submitted to F-Secure as requested):

Scanning Report
Monday, June 8, 2009 01:38:14 - 02:15:42
Computer name: MASTEROFDOMAIN
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\


--------------------------------------------------------------------------------

10 malware found
TrackingCookie.Questionmarket (spyware)
System (Disinfected)
TrackingCookie.2o7 (spyware)
System (Disinfected)
TrackingCookie.Advertising (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Revsci (spyware)
System (Disinfected)
TrackingCookie.Adrevolver (spyware)
System (Disinfected)
TrackingCookie.Mediaplex (spyware)
System (Disinfected)
TrackingCookie.Atwola (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 29138
System: 4130
Not scanned: 7
Actions:
Disinfected: 10
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------




HijackThis log from 'system scan'
___________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:56 AM, on 6/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\2107fb69-24d8-4cc3-adbf-681b845a5e41.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.bat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\2107fb69-24d8-4cc3-adbf-681b845a5e41.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 9100 bytes

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:07 AM

Posted 08 June 2009 - 08:00 AM

Hi GimmeShelter,


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Zone Alarm Antivirus before running ComboFix, as it will prevent it from running.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#15 GimmeShelter

GimmeShelter
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:07 PM

Posted 08 June 2009 - 12:10 PM

combofix log follows. A couple of quick notes first:

1) I could not run the installed file as 'COMBOFIX.EXE'. I had to rename it to '1COMBOFIX.EXE' for it to run. This type of thing was typical in that the malware(s) seemed to have recognized and prevented the running of certain programs.
2) No component of ZoneAlarm was running when Combofix started. Combofix stated it was. I bypassed and let it run.
3) Combofix detected presence of 'Root Kit' and requested re-boot. I allowed it.
4) Combofix rebooted once more towards the end for whatever reason.

otherwise, it seems to have worked fine. I can say so far this has appeared to have finally done the trick, although only time will tell. I have seen none of the problems or symptoms I've reported earlier concerning Troj/Rustok-N and WINBLUESOFT malwares. Please let me know what your further findings and thoughts are after reviewing the log.

log
__

ComboFix 09-06-07.07 - John Cuccia 06/08/2009 12:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1672 [GMT -4:00]
Running from: c:\documents and settings\John Cuccia\Desktop\1ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\4946downloade5178z.bin
c:\windows\system32\4969sp59bot30bz.exe
c:\windows\system32\49b8viz19945.cpl
c:\windows\system32\49czdownloader5567.bin
c:\windows\system32\4e199hze5585.exe
c:\windows\system32\5001st9al3261z.bin
c:\windows\system32\50595ziru915d.bin
c:\windows\system32\507thie9316z.cpl
c:\windows\system32\509bzpyw9r51868.cpl
c:\windows\system32\51235ac9tool4bz.ocx
c:\windows\system32\5194zroj42c.cpl
c:\windows\system32\51e6th9ea5284z7.dll
c:\windows\system32\52069trojzbe.ocx
c:\windows\system32\5215do9nloadzr3119.ocx
c:\windows\system32\5329downloaderz01.cpl
c:\windows\system32\534a9hie53z39.dll
c:\windows\system32\53zd5ackd9or583.dll
c:\windows\system32\5458zir9095.exe
c:\windows\system32\54780hacktoolz94.dll
c:\windows\system32\54f9dowzloa5er520.ocx
c:\windows\system32\5518threaz196759.ocx
c:\windows\system32\551fdownloader3z79.bin
c:\windows\system32\5538addwarz1795.ocx
c:\windows\system32\5567vzr9s643.exe
c:\windows\system32\55aaspyw95z2367.dll
c:\windows\system32\55z89teal502.ocx
c:\windows\system32\5615addw95e1z95.cpl
c:\windows\system32\56626spambotz2b9.ocx
c:\windows\system32\56696worm1e7z.bin
c:\windows\system32\573bthizf10689.exe
c:\windows\system32\5774hackto5l984z.ocx
c:\windows\system32\5820spazs91230.cpl
c:\windows\system32\585cspy9are3z95.dll
c:\windows\system32\58b95parse3z4.ocx
c:\windows\system32\5900hzcktool79.dll
c:\windows\system32\5909stea52z30.ocx
c:\windows\system32\5925spy771z.exe
c:\windows\system32\59645hazktool32e.dll
c:\windows\system32\5982z9irus409.bin
c:\windows\system32\598zthreat54689.exe
c:\windows\system32\59ddvir2561z.bin
c:\windows\system32\59e5spywzre1385.bin
c:\windows\system32\59e995z1531.cpl
c:\windows\system32\59fbaddware9z25.dll
c:\windows\system32\5adcthizf16439.bin
c:\windows\system32\5b40sp9wzre1568.bin
c:\windows\system32\5b4zsparse2894.bin
c:\windows\system32\5b75viz926.ocx
c:\windows\system32\5e41steaz9542.exe
c:\windows\system32\5e9cspzrse654.cpl
c:\windows\system32\5f59tzief573.bin
c:\windows\system32\5f5ebackdooz639.ocx
c:\windows\system32\5f68d5wnlo9der2965z.dll
c:\windows\system32\5f6zth9ef2509.ocx
c:\windows\system32\5f7eszea927275.bin
c:\windows\system32\5z09hac5tool6b0.bin
c:\windows\system32\5z126tr9j736.dll
c:\windows\system32\5z41ste9l3219.bin
c:\windows\system32\609ethzef1599.dll
c:\windows\system32\6114s5y9aaz.ocx
c:\windows\system32\6150spywz9e615.ocx
c:\windows\system32\6181spywarz2591.ocx
c:\windows\system32\621zsp9wa5e2511.ocx
c:\windows\system32\6261s5y397z.ocx
c:\windows\system32\62c4szeal5955.ocx
c:\windows\system32\6310spy59re278z.ocx
c:\windows\system32\6363not-a5vizu9596.exe
c:\windows\system32\6395b95kdoor2z06.bin
c:\windows\system32\6466s95mzot4b0.ocx
c:\windows\system32\652bth9zf1598.dll
c:\windows\system32\659vir2421z.exe
c:\windows\system32\6647t9reat538z1.bin
c:\windows\system32\665dthre5t469z.ocx
c:\windows\system32\67c4doznloader3195.exe
c:\windows\system32\67d2thief549z.dll
c:\windows\system32\6856downl9adez1716.cpl
c:\windows\system32\68dz5dd9are309.dll
c:\windows\system32\6945thief16z3.bin
c:\windows\system32\699t5o948z.exe
c:\windows\system32\6a5c9hzeat21065.exe
c:\windows\system32\6af95zarse1101.dll
c:\windows\system32\6b4zste5l2921.ocx
c:\windows\system32\6d52backdoo9z17.exe
c:\windows\system32\6f1bvir9z55.bin
c:\windows\system32\6f91sp5rsez419.cpl
c:\windows\system32\6z47downl9ader593.dll
c:\windows\system32\6z925ir2879.ocx
c:\windows\system32\6zb59ddware516.ocx
c:\windows\system32\7099not-a-v5rusz389.exe
c:\windows\system32\7177h9cktzol165.ocx
c:\windows\system32\71b0addw5re30z59.bin
c:\windows\system32\7296ba5kdoor2201z.ocx
c:\windows\system32\72f9th5ef3z89.bin
c:\windows\system32\7350troz49.exe
c:\windows\system32\73z9back9oor6535.cpl
c:\windows\system32\749zsp543f.ocx
c:\windows\system32\7525vir252z9.dll
c:\windows\system32\7582virusz90.exe
c:\windows\system32\75azstea95250.exe
c:\windows\system32\75z9d9wnloader1516.exe
c:\windows\system32\78z8spa5se3219.dll
c:\windows\system32\791faddwarez583.exe
c:\windows\system32\7924spzr9e5600.bin
c:\windows\system32\794fstea5262z.bin
c:\windows\system32\79635hrezt23183.ocx
c:\windows\system32\79z55teal69.exe
c:\windows\system32\7b9zkd5or283.bin
c:\windows\system32\7bzstea9754.exe
c:\windows\system32\7c9dszywa5e599.bin
c:\windows\system32\7d6as5ywar92885z.cpl
c:\windows\system32\7f06s9yware3150z.cpl
c:\windows\system32\7z03spywa9e5441.ocx
c:\windows\system32\7z12thief5694.bin
c:\windows\system32\7z56sp9ware5968.cpl
c:\windows\system32\8203v5ru94ez.dll
c:\windows\system32\85559zcktool24e5.cpl
c:\windows\system32\8583spy29z.dll
c:\windows\system32\8e1down9oader219z5.exe
c:\windows\system32\8z2add9are2526.dll
c:\windows\system32\9045virus5z5.dll
c:\windows\system32\9048virus752z.exe
c:\windows\system32\9156wzrm44.exe
c:\windows\system32\91759troj45z.exe
c:\windows\system32\91z35troj15.cpl
c:\windows\system32\92055ownloader259z.cpl
c:\windows\system32\9250z59103.cpl
c:\windows\system32\927a5dware209z9.exe
c:\windows\system32\930cbackdooz915.bin
c:\windows\system32\9318s5yzbb9.dll
c:\windows\system32\9359zp9m5ot2c7.bin
c:\windows\system32\93919ot-a5virus9z.cpl
c:\windows\system32\9415trzj55b.dll
c:\windows\system32\9444thizf571.bin
c:\windows\system32\94830hac5tool5z4.ocx
c:\windows\system32\9578s5y9fz.exe
c:\windows\system32\95adownzoade53258.cpl
c:\windows\system32\97620tzoj355.ocx
c:\windows\system32\98fedoznl5ader747.bin
c:\windows\system32\99095not-a-virzs2b5.dll
c:\windows\system32\991bz5eal911.ocx
c:\windows\system32\993da5dwaze2668.ocx
c:\windows\system32\99530zroj560.bin
c:\windows\system32\9967zorm43b5.exe
c:\windows\system32\998backd9oz1475.cpl
c:\windows\system32\99af5parse2886z.cpl
c:\windows\system32\9b415ackdoor293z.bin
c:\windows\system32\9b6zthreat15799.dll
c:\windows\system32\9da9hre5z5854.dll
c:\windows\system32\9dbfbac5door10z5.bin
c:\windows\system32\9z858sp54a5.cpl
c:\windows\system32\9zba5hief1661.dll
c:\windows\system32\c21z5ars9918.bin
c:\windows\system32\cba95zrse1918.exe
c:\windows\system32\dfado95loader46z.ocx
c:\windows\system32\drivers\gxvxcksrrwbxtfmnrbxyllrxhpdpaswvipint.sys
c:\windows\system32\e3fs5ars971z.ocx
c:\windows\system32\gxvxcirvigdpkneyyspqmawvselwbuwjfrxnm.dll
c:\windows\system32\gxvxcodqvpxmbwpsakpjgeojlomxemxqvgyfs.dll
c:\windows\system32\setup2.exe
c:\windows\system32\z08015ackto9l58b.bin
c:\windows\system32\z23fs5ars92394.exe
c:\windows\system32\z2449worm3259.bin
c:\windows\system32\z2465ot-a-virus459.cpl
c:\windows\system32\z296no5-a-virus692.exe
c:\windows\system32\z35265pamb9t585.bin
c:\windows\system32\z499spars5182.bin
c:\windows\system32\z520troj91.cpl
c:\windows\system32\z5364worm3b9.ocx
c:\windows\system32\z5744troj5fd9.bin
c:\windows\system32\z5a6threat19894.bin
c:\windows\system32\z6adspars597.bin
c:\windows\system32\z6c859eal500.dll
c:\windows\system32\z8253sp963d.dll
c:\windows\system32\z9295hreat4847.dll
c:\windows\system32\z98739py560.cpl
c:\windows\system32\z9d2ste5l2674.exe
c:\windows\system32\zc9dow5loader1408.bin
c:\windows\system32\zd589te5l431.cpl
c:\windows\system32\ze7a5hief22869.cpl
c:\windows\z0958wo9m5ac.exe
c:\windows\z0c5steal499.ocx
c:\windows\z15375orm589.dll
c:\windows\z2029hac5to9l4ee.dll
c:\windows\z3319viru53f19.bin
c:\windows\z349viru5557.bin
c:\windows\z453ba9kdoor961.cpl
c:\windows\z6486s9ambo5728.ocx
c:\windows\z67backd5or5919.bin
c:\windows\z6835tro971c.exe
c:\windows\z73ds95ware2651.exe
c:\windows\z7669wo9m395.ocx
c:\windows\z7c7v953254.ocx
c:\windows\z867w9rm75a.bin
c:\windows\z92spar5e1728.exe
c:\windows\z9835roj98d.bin
c:\windows\zc96steal3895.cpl
c:\windows\zdc9addware2533.dll
c:\windows\ze0859reat16114.bin
c:\windows\ze995teal9556.ocx
c:\windows\zf9cthreat4659.cpl
c:\windows\zfet9rea511352.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Legacy_NTMLSVC
-------\Service_NtmlSvc


((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-08 02:54 . 2009-06-08 02:54 -------- d-----w- c:\program files\ESET
2009-06-07 17:27 . 2009-06-07 17:27 -------- d-----w- c:\program files\Trend Micro
2009-06-07 16:46 . 2009-06-07 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-04 19:27 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-06-04 19:27 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-04 19:27 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-06-04 19:27 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-06-04 19:27 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-04 19:27 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-06-04 19:27 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-06-04 19:27 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-06-04 19:27 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-04 19:27 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-06-04 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-04 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-04 18:31 . 2009-06-04 18:31 -------- d-----w- c:\documents and settings\John Cuccia\Application Data\Malwarebytes
2009-06-04 18:13 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-04 18:13 . 2009-06-04 20:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-04 18:13 . 2009-06-04 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-04 18:13 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-04 16:06 . 2009-06-08 16:46 117760 ----a-w- c:\documents and settings\John Cuccia\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-04 16:05 . 2009-06-04 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-04 16:02 . 2009-06-07 17:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-04 16:02 . 2009-06-04 16:02 -------- d-----w- c:\documents and settings\John Cuccia\Application Data\SUPERAntiSpyware.com
2009-06-04 15:59 . 2009-06-04 15:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-01 04:48 . 2009-06-01 04:48 152576 ----a-w- c:\documents and settings\John Cuccia\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 16:47 . 2007-11-28 04:23 68690976 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-08 16:43 . 2007-11-28 04:23 920900 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-08 05:32 . 2009-06-08 15:08 1946624 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2009-06-07 16:30 . 2006-01-06 11:04 -------- d-----w- c:\program files\Java
2009-06-07 05:33 . 2008-12-03 22:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-04 21:17 . 2006-04-11 19:39 2198 ----a-w- c:\documents and settings\John Cuccia\Application Data\wklnhst.dat
2009-06-04 14:58 . 2006-12-24 01:45 15893830 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-11 21:54 . 2009-05-12 02:09 1245696 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2009-04-21 04:02 . 2009-01-13 00:08 -------- d-----w- c:\documents and settings\John Cuccia\Application Data\Saba
2009-04-21 04:01 . 2009-04-21 04:01 -------- d-----w- c:\documents and settings\John Cuccia\Application Data\Centra
2009-04-21 04:01 . 2009-04-21 04:01 -------- d-----w- c:\program files\Centra
2009-04-21 00:22 . 2009-04-21 01:27 260096 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2009-04-18 19:57 . 2006-04-09 20:30 34088 ----a-w- c:\documents and settings\John Cuccia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 06:06 . 2009-04-16 15:45 1852928 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2009-04-07 04:18 . 2006-05-08 01:05 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-04-07 01:32 . 2006-01-05 18:31 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-14 00:21 . 2009-03-14 04:12 1258496 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2006-05-08 00:47 . 2006-05-08 00:47 425984 ----a-w- c:\program files\ccsetup129_slim.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\2107fb69-24d8-4cc3-adbf-681b845a5e41.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-20 184320]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-10 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-29 14720000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11C47931-AA13-9746-0500-080600080400}]
C:\Build.exe
.
Contents of the 'Scheduled Tasks' folder

2006-04-09 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-05 00:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 12:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3380)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
.
**************************************************************************
.
Completion time: 2009-06-08 12:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-08 16:49

Pre-Run: 55,837,495,296 bytes free
Post-Run: 57,478,668,288 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /PAE

925 --- E O F --- 2009-06-04 19:30
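The file list at the top of this log is unusual enough to be worth matching mechanically: several hundred entries under c:\windows and c:\windows\system32 whose names are a digit/hex prefix, a malware-family word with some letters swapped for 'z', '5' or '9' (bacz5oor, hack5ooz, 5ot-z-vir9s, spywarz), a numeric suffix and a .dll/.exe/.cpl/.ocx/.bin extension, plus three random-letter names sharing the prefix gxvxc (one driver in system32\drivers, two DLLs in system32). The script below is an added example, not code from the original post and not a ComboFix feature: it reads ComboFix-style lines (bare paths from a deleted-files list and dated "Files Created" entries) and flags both patterns. The family-word list, the z/5/9 wildcard rule, the "at least half the letters intact" threshold and the assumed shape of the gxvxc names are this example's own assumptions, tuned to this one log; the sample input is a constructed subset of the lines above plus one legitimate driver for contrast.

```python
"""Triage helper for ComboFix-style file lists.

Added example, not from the original post and not part of ComboFix. Flags
the two naming patterns in the log above: decoy names (digit/hex prefix,
malware-family word with letters swapped for z/5/9, numeric suffix) and
random-letter names with the gxvxc prefix. Word list, wildcard rule, the
"half the letters intact" threshold and the gxvxc shape are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Longest first so "spyware" wins over "spy" and "virus" over "vir".
FAMILY_WORDS = [
    "not-a-virus", "downloader", "backdoor", "hacktool", "spambot",
    "spyware", "addware", "sparse", "threat", "thief", "steal", "virus",
    "troj", "worm", "spy", "vir",
]
WILDCARDS = set("z59")  # characters the dropper substituted for letters

# Assumed shape of the gxvxc* files: prefix + 20 or more lowercase letters.
GXVXC_RE = re.compile(r"^gxvxc[a-z]{20,}\.(?:sys|dll)$")

# ComboFix "Files Created" / "Find3M" entry: mtime . ctime size attrs path
DATED_LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?:-+|\d+)\s+[-a-z]{8}\s+(.+)$"
)


@dataclass
class Finding:
    path: str
    reason: str


def extract_path(line: str) -> Optional[str]:
    """Return the file path carried by a ComboFix log line, if any."""
    line = line.strip()
    if line.lower().startswith("c:\\"):
        return line
    m = DATED_LINE_RE.match(line)
    return m.group(1) if m else None


def decoy_family(stem: str) -> Optional[str]:
    """Return the family word hidden in a file stem, or None.

    A window matches a word when every position is the same letter or a
    wildcard and at least half the positions are exact letters, so a bare
    run of z/5/9 (e.g. '9250z59103') never counts as a hit.
    """
    stem = stem.lower()
    for word in FAMILY_WORDS:
        need = (len(word) + 1) // 2
        for i in range(len(stem) - len(word) + 1):
            exact = 0
            for a, b in zip(stem[i:i + len(word)], word):
                if a == b:
                    exact += 1
                elif a not in WILDCARDS:
                    break
            else:
                if exact >= need:
                    return word
    return None


def classify(path: str) -> Optional[str]:
    """Label a path by the suspicious naming pattern it follows, if any."""
    base = path.rsplit("\\", 1)[-1].lower()
    if GXVXC_RE.match(base):
        return "random-name:gxvxc-prefix"
    word = decoy_family(base.rsplit(".", 1)[0])
    return f"decoy-name:{word}" if word else None


def triage(lines: List[str]) -> List[Finding]:
    """Run the classifier over raw log lines and keep the hits."""
    hits = []
    for line in lines:
        path = extract_path(line)
        reason = classify(path) if path else None
        if reason:
            hits.append(Finding(path, reason))
    return hits


# Constructed sample: lines copied from the log above plus the Malwarebytes
# driver entry as a legitimate file for contrast.
SAMPLE_LINES = [
    r"c:\windows\system32\2197bacz5oor994.dll",
    r"c:\windows\system32\227115ot-z-vir9s433.bin",
    r"c:\windows\system32\24794hack5ooz3f39.ocx",
    r"c:\windows\system32\29146not-a9vzruse35.ocx",
    r"c:\windows\system32\c21z5ars9918.bin",
    r"c:\windows\system32\drivers\gxvxcksrrwbxtfmnrbxyllrxhpdpaswvipint.sys",
    r"c:\windows\system32\gxvxcirvigdpkneyyspqmawvselwbuwjfrxnm.dll",
    r"c:\windows\system32\setup2.exe",
    r"c:\windows\system32\9250z59103.cpl",
    r"c:\windows\z0958wo9m5ac.exe",
    r"2009-06-04 18:13 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys",
]

if __name__ == "__main__":
    for h in triage(SAMPLE_LINES):
        print(f"{h.reason:26} {h.path}")
```

To run it over a full ComboFix.txt, replace SAMPLE_LINES with the file's lines. A hit is a candidate for review, not a verdict: the heuristic also skips names such as 9250z59103.cpl and setup2.exe that sit in the same directory and are just as suspect by location, so cross-check anything in c:\windows\system32 with a .bin or .cpl extension against the quarantine list rather than trusting the name alone.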



