All anti virus updates disabled


This topic is locked
45 replies to this topic

#1 zschiff (Members, 24 posts)

Posted 11 June 2009 - 11:10 AM

I am unable to connect to the updaters of virus programs. Web access is slow. msconfig is showing RBOT-M WORM in the startup items (wuam, PDSched, lsrv). Even though I keep unchecking them, they keep coming back.
Thanks in advance for any help.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Zvi Schiff at 18:42:34.62 on 11-Jun-09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.1023.503 [GMT 3:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
F:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
F:\Program Files\iriver\iriver plus 2\iAgent2.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\OpenOffice.org 2.4\program\soffice.exe
F:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
F:\WINDOWS\explorer.exe
F:\Documents and Settings\Zvi Schiff\Desktop\dds.scr
F:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: {54B02808-B60E-44CD-A72D-9865117E4E62} - No File
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - f:\program files\ws_ftp pro\wsbho2k0.dll
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - f:\program files\agat\agform\AGFormsHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - f:\program files\agat\agform\AGForms.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [iPlusAgent2] "f:\program files\iriver\iriver plus 2\iAgent2.exe"
uRun: [SpybotSD TeaTimer] f:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Microsoft Update Time] wuam.exe
mRun: [IMONTRAY] f:\program files\intel\intel® active monitor\imontray.exe
mRun: [RegKillElbyCheck] "f:\program files\elaborate bytes\dvd region killer\ElbyCheck.exe" /L RegKill
mRun: [RegKillTray] "f:\program files\elaborate bytes\dvd region killer\RegKillTray.exe"
mRun: [ISUSPM] "f:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [OSSelectorReinstall] f:\program files\common files\acronis\acronis disk director\oss_reinstall.exe
mRun: [AppleSyncNotifier] f:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "f:\program files\quicktime alternative\QTTask.exe" -atboottime
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "f:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [egui] "f:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [MSConfig] f:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [Microsoft Update Time] wuam.exe
mRunServices: [Microsoft Update Time] wuam.exe
mRunServices: [Microsoft DirectX] PDSched.exe
StartupFolder: f:\docume~1\zvisch~1\startm~1\programs\startup\openof~1.lnk - f:\program files\openoffice.org 2.4\program\quickstart.exe
IE: Add to AMV Convert Tool... - f:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - f:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - f:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120170377109
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140612129937
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://192.168.10.253:50000/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5219/mcfscan.cab
TCP: {79F5B094-2307-4D8F-8CBA-6CA6F12997D2} = 192.116.202.222,192.115.106.10
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\zvisch~1\applic~1\mozilla\firefox\profiles\mlsjzv2i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\{22119944-ed35-4ab1-910b-e619ea06a115}\components\rfproxy_27.dll
FF - component: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: f:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: f:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: f:\program files\picasa2\npPicasa2.dll

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 IFP900;iriver Internet Audio Player IFP-900;f:\windows\system32\drivers\Ifp900.sys [2005-7-19 14531]
R1 epfwtdir;epfwtdir;f:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 KLIF;KLIF;f:\windows\system32\drivers\klif.sys [2009-3-29 148496]
R1 vsdatant;vsdatant;f:\windows\system32\vsdatant.sys [2004-6-17 353672]
R2 ekrn;Eset Service;f:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 vsmon;TrueVector Internet Monitor;f:\windows\system32\zonelabs\vsmon.exe -service --> f:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 RegKill;RegKill;f:\windows\system32\drivers\RegKill.sys [2002-3-10 6144]
S2 AtiBt829;ATI WDM Bt829 Video;f:\windows\system32\drivers\atinbtxx.sys [2001-9-26 60464]
S2 BEATUSB;BEATUSB.sys Eratech USB driver;f:\windows\system32\drivers\beatusb.sys [2004-8-25 10988]
S2 TTDec;ATI WDM Teletext Decoder;f:\windows\system32\drivers\atinttxx.sys [2001-9-26 20960]
S3 ati2mpaa;ati2mpaa;f:\windows\system32\drivers\ati2mpaa.sys [2004-6-15 281856]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);f:\windows\system32\drivers\ativxbar.sys [2004-6-15 26624]
S3 cirrus;cirrus;f:\windows\system32\drivers\cirrus.sys [2005-9-7 45696]
S3 DCamVQ110;VQ110 Digital Video Camera;f:\windows\system32\drivers\vq110.sys --> f:\windows\system32\drivers\VQ110.sys [?]
S3 ForteUSB;PERSTEL Chic USB Driver Service;f:\windows\system32\drivers\ForteUSB.sys [2004-6-16 10658]
S3 ICDUSB2;Sony IC Recorder (P);f:\windows\system32\drivers\IcdUsb2.sys [2005-2-3 39048]
S3 RipFlash;RipFlash Digital Music Recoder/Player;f:\windows\system32\drivers\RFlashDX.sys [2004-6-16 11100]
S3 Sflodd;Sflodd; [x]

=============== Created Last 30 ================

2009-06-11 15:16 <DIR> --d----- f:\docume~1\zvisch~1\applic~1\Malwarebytes
2009-06-11 15:15 40,160 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 15:15 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 15:15 19,096 a------- f:\windows\system32\drivers\mbam.sys
2009-06-11 15:15 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-06-10 15:29 <DIR> --d----- f:\documents and settings\zvi schiff\DoctorWeb
2009-06-09 19:12 <DIR> a-dshr-- F:\autorun.inf
2009-06-09 14:53 161,792 a------- f:\windows\SWREG.exe
2009-06-09 14:53 155,136 a------- f:\windows\PEV.exe
2009-06-09 14:53 98,816 a------- f:\windows\sed.exe
2009-06-07 13:26 352 a---h--- f:\windows\nod32fixtemdono.reg
2009-06-07 13:25 <DIR> --d----- f:\program files\ESET

==================== Find3M ====================

2009-06-11 18:42 1,595,355,168 a--sh--- f:\windows\system32\drivers\fidbox.dat
2009-06-11 16:13 18,697,232 a--sh--- f:\windows\system32\drivers\fidbox.idx
2009-06-08 15:29 1,744 a------- f:\windows\system32\d3d9caps.dat
2009-04-21 17:09 4,212 a---h--- f:\windows\system32\zllictbl.dat
2009-03-30 16:56 48,728 a---h--- f:\windows\system32\mlfcache.dat
2008-02-12 16:14 32 a------- f:\docume~1\alluse~1\applic~1\ezsid.dat
2006-11-19 19:24 252 a------- f:\documents and settings\zvi schiff\test.dat
2003-05-07 18:13 131,072 a------- f:\windows\inf\DriverInstaller.exe

============= FINISH: 18:43:53.03 ===============
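Two things in the DDS report above are worth pulling out mechanically rather than by eye. In the Pseudo HJT section, `wuam.exe` is registered under uRun, mRun and mRunServices and `PDSched.exe` under mRunServices, each as a bare file name with no directory (so it is found by a PATH search at logon) and each under a label that imitates a Microsoft component; and in "Created Last 30", `F:\autorun.inf` was created at the drive root with the hidden, system and read-only attributes set, which is how removable-media worms seed a drive. The triage script below is an added example written for this page, not a tool from the thread, from DDS or from BleepingComputer. Its regular expressions and its reading of the attribute letters (`h` hidden, `s` system, `r` read-only) are inferred from the layout of this log, and the sample input is a constructed excerpt of the lines quoted above.

```python
"""Triage a DDS log: flag suspicious autostart entries and root autorun.inf files.

Added example for this page; not DDS code. Regexes and attribute-letter meanings
are assumptions inferred from the log layout shown in the thread.
"""
import re
from collections import OrderedDict

# Constructed sample: lines copied from the DDS report above, just enough to
# exercise every check below.
SAMPLE_DDS = """\
uRun: [SpybotSD TeaTimer] f:\\program files\\spybot - search & destroy\\TeaTimer.exe
uRun: [Microsoft Update Time] wuam.exe
mRun: [egui] "f:\\program files\\eset\\eset nod32 antivirus\\egui.exe" /hide /waitservice
mRun: [MSConfig] f:\\windows\\pchealth\\helpctr\\binaries\\MSCONFIG.EXE /auto
mRun: [Microsoft Update Time] wuam.exe
mRunServices: [Microsoft Update Time] wuam.exe
mRunServices: [Microsoft DirectX] PDSched.exe
2009-06-09 19:12 <DIR> a-dshr-- F:\\autorun.inf
2009-06-11 15:15 40,160 a------- f:\\windows\\system32\\drivers\\mbamswissarmy.sys
"""

# DDS autostart line: "<u|m>Run[Services|Once]: [label] command"
RUN_RE = re.compile(r"^(?P<key>[um]Run(?:Services|Once)?): \[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
# First executable-looking token of the command; unquoted paths may contain spaces,
# so cut at the first known extension rather than at the first space.
IMAGE_RE = re.compile(r'^"?(?P<image>.*?\.(?:exe|scr|com|bat|cmd|pif|dll))"?', re.I)
# DDS "Created Last 30" line: date time size-or-<DIR> attrs path
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:<DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")
ROOT_AUTORUN_RE = re.compile(r"^[a-z]:\\autorun\.inf$", re.I)
# Words malware likes to put in the entry label to look like part of Windows.
MIMIC_WORDS = ("microsoft", "windows", "directx")


def _image_of(cmd):
    m = IMAGE_RE.match(cmd.strip())
    return m.group("image") if m else cmd.strip().strip('"')


def flag_autostarts(text):
    """Return the Run/RunServices entries that deserve a second look, with reasons."""
    flagged = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        key, label, image = m.group("key"), m.group("label"), _image_of(m.group("cmd"))
        reasons = []
        if "\\" not in image and ":" not in image:
            reasons.append("bare file name: resolved by PATH search at logon, not a fixed path")
        if key.endswith("RunServices"):
            reasons.append("RunServices key: rarely used by legitimate software on XP")
        low = image.lower()
        if any(w in label.lower() for w in MIMIC_WORDS) and not (
            "\\windows\\" in low or "\\program files\\" in low
        ):
            reasons.append("label claims a Microsoft component but image is outside system/program dirs")
        if reasons:
            flagged.append({"key": key, "label": label, "image": image, "reasons": reasons})
    return flagged


def find_root_autorun(text):
    """Return autorun.inf files created at a drive root, with their attribute flags."""
    found = []
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if not m or not ROOT_AUTORUN_RE.match(m.group("path")):
            continue
        attrs = m.group("attrs")
        flags = [name for ch, name in (("h", "hidden"), ("s", "system"), ("r", "read-only")) if ch in attrs]
        found.append({"path": m.group("path"), "flags": flags})
    return found


def triage(text):
    """Group flagged autostarts by image so the same file registered in several keys stands out."""
    by_image = OrderedDict()
    for f in flag_autostarts(text):
        by_image.setdefault(f["image"].lower(), []).append(f["key"])
    return {"autostarts": by_image, "autorun_inf": find_root_autorun(text)}


if __name__ == "__main__":
    report = triage(SAMPLE_DDS)
    for image, keys in report["autostarts"].items():
        print(f"{image}: registered in {', '.join(keys)}")
    for hit in report["autorun_inf"]:
        print(f"{hit['path']}: {', '.join(hit['flags'])}")
```

On the sample above the script reports `wuam.exe` in uRun, mRun and mRunServices, `PDSched.exe` in mRunServices, and `F:\autorun.inf` as hidden, system and read-only, while the legitimate TeaTimer, egui and MSConfig entries pass. An entry that is written into Run and RunServices at once is exactly what makes unchecking it in msconfig futile: the running process rewrites the keys it owns.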


#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 20 June 2009 - 05:21 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can use the button at the top bar of this topic to Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log, please refer to this page; in step #6 there are instructions on downloading and running DDS. If you have any problems just let me know in your next reply, or simply post a HijackThis log.

Thanks again, and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.

#3 zschiff (Topic Starter)

Posted 21 June 2009 - 07:32 AM

Still have the same problems.
Here's the log:
Thanks


DDS (Ver_09-05-14.01) - NTFSx86
Run by Zvi Schiff at 15:19:36.65 on 21-Jun-09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.1023.512 [GMT 3:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
F:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
F:\Program Files\iriver\iriver plus 2\iAgent2.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\OpenOffice.org 2.4\program\soffice.exe
F:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files\iPod\bin\iPodService.exe
F:\Documents and Settings\Zvi Schiff\Desktop\anti virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: {54B02808-B60E-44CD-A72D-9865117E4E62} - No File
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - f:\program files\ws_ftp pro\wsbho2k0.dll
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - f:\program files\agat\agform\AGFormsHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - f:\program files\agat\agform\AGForms.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [iPlusAgent2] "f:\program files\iriver\iriver plus 2\iAgent2.exe"
uRun: [SpybotSD TeaTimer] "f:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [Microsoft Update Time] wuam.exe
mRun: [IMONTRAY] "f:\program files\intel\intel® active monitor\imontray.exe"
mRun: [RegKillElbyCheck] "f:\program files\elaborate bytes\dvd region killer\ElbyCheck.exe" /L RegKill
mRun: [RegKillTray] "f:\program files\elaborate bytes\dvd region killer\RegKillTray.exe"
mRun: [ISUSPM] "f:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [OSSelectorReinstall] "f:\program files\common files\acronis\acronis disk director\oss_reinstall.exe"
mRun: [AppleSyncNotifier] "f:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "f:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [egui] "f:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Microsoft Update Time] wuam.exe
mRunServices: [Microsoft DirectX] PDSched.exe
mRunServices: [Microsoft Update Time] wuam.exe
StartupFolder: f:\docume~1\zvisch~1\startm~1\programs\startup\openof~1.lnk - f:\program files\openoffice.org 2.4\program\quickstart.exe
IE: Add to AMV Convert Tool... - f:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - f:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - f:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120170377109
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140612129937
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://192.168.10.253:50000/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5219/mcfscan.cab
TCP: {79F5B094-2307-4D8F-8CBA-6CA6F12997D2} = 192.116.202.222,192.115.106.10
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\zvisch~1\applic~1\mozilla\firefox\profiles\mlsjzv2i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\{22119944-ed35-4ab1-910b-e619ea06a115}\components\rfproxy_27.dll
FF - component: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: f:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: f:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: f:\program files\picasa2\npPicasa2.dll

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 IFP900;iriver Internet Audio Player IFP-900;f:\windows\system32\drivers\Ifp900.sys [2005-7-19 14531]
R1 epfwtdir;epfwtdir;f:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 KLIF;KLIF;f:\windows\system32\drivers\klif.sys [2009-3-29 148496]
R1 vsdatant;vsdatant;f:\windows\system32\vsdatant.sys [2004-6-17 353672]
R2 ekrn;Eset Service;f:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 vsmon;TrueVector Internet Monitor;f:\windows\system32\zonelabs\vsmon.exe -service --> f:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 RegKill;RegKill;f:\windows\system32\drivers\RegKill.sys [2002-3-10 6144]
S2 AtiBt829;ATI WDM Bt829 Video;f:\windows\system32\drivers\atinbtxx.sys [2001-9-26 60464]
S2 BEATUSB;BEATUSB.sys Eratech USB driver;f:\windows\system32\drivers\beatusb.sys [2004-8-25 10988]
S2 TTDec;ATI WDM Teletext Decoder;f:\windows\system32\drivers\atinttxx.sys [2001-9-26 20960]
S3 ati2mpaa;ati2mpaa;f:\windows\system32\drivers\ati2mpaa.sys [2004-6-15 281856]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);f:\windows\system32\drivers\ativxbar.sys [2004-6-15 26624]
S3 cirrus;cirrus;f:\windows\system32\drivers\cirrus.sys [2005-9-7 45696]
S3 DCamVQ110;VQ110 Digital Video Camera;f:\windows\system32\drivers\vq110.sys --> f:\windows\system32\drivers\VQ110.sys [?]
S3 ForteUSB;PERSTEL Chic USB Driver Service;f:\windows\system32\drivers\ForteUSB.sys [2004-6-16 10658]
S3 ICDUSB2;Sony IC Recorder (P);f:\windows\system32\drivers\IcdUsb2.sys [2005-2-3 39048]
S3 RipFlash;RipFlash Digital Music Recoder/Player;f:\windows\system32\drivers\RFlashDX.sys [2004-6-16 11100]
S3 Sflodd;Sflodd; [x]

=============== Created Last 30 ================

2009-06-16 14:23 <DIR> --d----- f:\program files\MSSOAP
2009-06-16 14:23 <DIR> --d----- f:\program files\Webroot
2009-06-16 13:10 10 a------- f:\windows\system32\kr_done1
2009-06-11 15:16 <DIR> --d----- f:\docume~1\zvisch~1\applic~1\Malwarebytes
2009-06-11 15:15 40,160 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 15:15 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 15:15 19,096 a------- f:\windows\system32\drivers\mbam.sys
2009-06-11 15:15 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-06-10 15:29 <DIR> --d----- f:\documents and settings\zvi schiff\DoctorWeb
2009-06-09 19:12 <DIR> a-dshr-- F:\autorun.inf
2009-06-09 14:53 161,792 a------- f:\windows\SWREG.exe
2009-06-09 14:53 155,136 a------- f:\windows\PEV.exe
2009-06-09 14:53 98,816 a------- f:\windows\sed.exe
2009-06-07 13:26 352 a---h--- f:\windows\nod32fixtemdono.reg
2009-06-07 13:25 <DIR> --d----- f:\program files\ESET

==================== Find3M ====================

2009-06-21 15:19 2,000,803,872 a--sh--- f:\windows\system32\drivers\fidbox.dat
2009-06-21 15:00 23,450,240 a--sh--- f:\windows\system32\drivers\fidbox.idx
2009-06-08 15:29 1,744 a------- f:\windows\system32\d3d9caps.dat
2009-04-21 17:09 4,212 a---h--- f:\windows\system32\zllictbl.dat
2009-03-30 16:56 48,728 a---h--- f:\windows\system32\mlfcache.dat
2008-02-12 16:14 32 a------- f:\docume~1\alluse~1\applic~1\ezsid.dat
2006-11-19 19:24 252 a------- f:\documents and settings\zvi schiff\test.dat
2003-05-07 18:13 131,072 a------- f:\windows\inf\DriverInstaller.exe

============= FINISH: 15:20:45.95 ===============

#4 extremeboy (Malware Response Team)

Posted 22 June 2009 - 04:42 PM

Hello.

We'll start off with Combofix.

Download and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.
#5 zschiff (Topic Starter)

Posted 23 June 2009 - 07:33 AM

ComboFix did not ask to install the Recovery Console, and my attempts to install it manually before the scan were unsuccessful. It also did not request a restart.
Internet seems faster.
Thanks,
Zvi


ComboFix 09-06-22.08 - Zvi Schiff 23-Jun-09 15:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.1023.600 [GMT 3:00]
Running from: f:\documents and settings\Zvi Schiff\Desktop\anti virus\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\windows\system32\kr_done1

.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.

2009-06-16 11:23 . 2009-06-16 11:23 -------- d-----w- f:\program files\MSSOAP
2009-06-16 11:23 . 2009-06-16 11:23 -------- d-----w- f:\program files\Webroot
2009-06-11 12:16 . 2009-06-11 12:16 -------- d-----w- f:\documents and settings\Zvi Schiff\Application Data\Malwarebytes
2009-06-11 12:15 . 2009-05-26 10:20 40160 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 12:15 . 2009-06-11 12:15 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-11 12:15 . 2009-06-11 12:16 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2009-06-11 12:15 . 2009-05-26 10:19 19096 ----a-w- f:\windows\system32\drivers\mbam.sys
2009-06-10 12:29 . 2009-06-10 13:11 -------- d-----w- f:\documents and settings\Zvi Schiff\DoctorWeb
2009-06-07 11:20 . 2009-06-07 11:20 -------- d-----w- f:\documents and settings\Zvi Schiff\Local Settings\Application Data\ESET
2009-06-07 10:26 . 2008-01-07 11:29 352 ---ha-w- f:\windows\nod32fixtemdono.reg
2009-06-07 10:25 . 2009-06-07 10:25 -------- d-----w- f:\program files\ESET
2009-06-07 10:25 . 2009-06-07 10:25 -------- d-----w- f:\documents and settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 12:15 . 2009-03-29 11:30 2003943456 --sha-w- f:\windows\system32\drivers\fidbox.dat
2009-06-23 11:23 . 2005-12-19 13:55 -------- d---a-w- f:\documents and settings\Zvi Schiff\Application Data\OpenOffice.org2
2009-06-22 15:48 . 2009-03-29 11:30 23462168 --sha-w- f:\windows\system32\drivers\fidbox.idx
2009-06-22 13:36 . 2008-06-23 15:43 -------- d-----w- f:\documents and settings\All Users\Application Data\Google Updater
2009-06-16 10:16 . 2008-08-13 13:52 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft
2009-06-11 15:30 . 2006-06-27 14:30 -------- d-----w- f:\program files\DVConversionSuite
2009-06-11 13:25 . 2005-12-04 16:25 -------- d-----w- f:\program files\Shareaza
2009-06-08 12:29 . 2006-10-04 16:53 1744 ----a-w- f:\windows\system32\d3d9caps.dat
2009-06-07 12:16 . 2004-06-16 13:14 -------- d-----w- f:\program files\Spybot - Search & Destroy
2009-06-07 10:24 . 2004-06-15 16:43 -------- d-----w- f:\program files\Symantec
2009-06-07 10:23 . 2004-06-15 16:43 -------- d-----w- f:\program files\Common Files\Symantec Shared
2009-06-07 10:20 . 2008-01-29 15:48 -------- d-----w- f:\documents and settings\Zvi Schiff\Application Data\U3
2009-06-04 13:48 . 2004-06-16 13:14 -------- d---a-w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 12:44 . 2009-04-26 11:05 3385344 ----a-w- f:\windows\Internet Logs\xDB9B.tmp
2009-04-21 14:09 . 2004-06-17 16:43 4212 ---ha-w- f:\windows\system32\zllictbl.dat
2009-04-02 12:02 . 2009-04-02 12:02 152576 ----a-w- f:\documents and settings\Zvi Schiff\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-30 13:56 . 2007-09-11 16:16 48728 ---ha-w- f:\windows\system32\mlfcache.dat
2009-03-26 17:53 . 2009-03-26 17:53 3638 ----a-r- f:\documents and settings\Zvi Schiff\Application Data\Microsoft\Installer\{5393E299-DAED-4F87-99B8-7942091424CC}\_294823.exe
2009-03-26 17:53 . 2009-03-26 17:53 3638 ----a-r- f:\documents and settings\Zvi Schiff\Application Data\Microsoft\Installer\{5393E299-DAED-4F87-99B8-7942091424CC}\_18be6784.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-09_12.04.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-23 11:21 . 2009-06-23 11:21 16384 f:\windows\Temp\Perflib_Perfdata_6dc.dat
- 2004-06-15 14:45 . 2009-06-04 13:04 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-06-15 14:45 . 2009-06-21 11:48 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-06-15 14:45 . 2009-06-04 13:04 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-06-15 14:45 . 2009-06-21 11:48 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-06-15 14:45 . 2009-06-21 11:48 16384 f:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-06-15 14:45 . 2009-06-04 13:04 16384 f:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-16 11:23 . 2009-06-16 11:23 10134 f:\windows\Installer\{32343DB6-9A52-40C9-87E4-5E7C79791C87}\ARPPRODUCTICON.exe
+ 2007-10-21 16:38 . 2009-04-06 10:26 511328 f:\windows\system32\capicom.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iPlusAgent2"="f:\program files\iriver\iriver plus 2\iAgent2.exe" [2006-04-21 241664]
"SpybotSD TeaTimer"="f:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Microsoft Update Time"="wuam.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMONTRAY"="f:\program files\Intel\Intel® Active Monitor\imontray.exe" [2003-11-03 32768]
"RegKillElbyCheck"="f:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2001-12-06 45056]
"RegKillTray"="f:\program files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-04-13 49152]
"ISUSPM"="f:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"OSSelectorReinstall"="f:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 2209224]
"AppleSyncNotifier"="f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ZoneAlarm Client"="f:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"egui"="f:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"Microsoft Update Time"="wuam.exe" [BU]

f:\documents and settings\Zvi Schiff\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - f:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=f:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vousiadavn"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SansaDispatch"=f:\documents and settings\Zvi Schiff\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
"ctfmon.exe"=f:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iHP-100"=f:\program files\iRiver\iHP100\iHPDetect.exe
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="f:\program files\QuickTime Alternative\QTTask.exe" -atboottime
"Microsoft Update Time"=wuam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Microsoft DirectX"=PDSched.exe
"Microsoft Update Time"=wuam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\ICQLite\\ICQLite.exe"=
"f:\\Documents and Settings\\Zvi Schiff\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"137:TCP"= 137:TCP:smb
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 IFP900;iriver Internet Audio Player IFP-900;f:\windows\system32\drivers\Ifp900.sys [19-Jul-05 3:02 PM 14531]
R1 epfwtdir;epfwtdir;f:\windows\system32\drivers\epfwtdir.sys [21-Dec-07 8:21 AM 33800]
R2 ekrn;Eset Service;f:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21-Dec-07 8:21 AM 468224]
R3 RegKill;RegKill;f:\windows\system32\drivers\RegKill.sys [10-Mar-02 6:37 AM 6144]
S2 AtiBt829;ATI WDM Bt829 Video;f:\windows\system32\drivers\atinbtxx.sys [26-Sep-01 9:22 PM 60464]
S2 BEATUSB;BEATUSB.sys Eratech USB driver;f:\windows\system32\drivers\beatusb.sys [25-Aug-04 6:58 PM 10988]
S2 TTDec;ATI WDM Teletext Decoder;f:\windows\system32\drivers\atinttxx.sys [26-Sep-01 9:22 PM 20960]
S3 ati2mpaa;ati2mpaa;f:\windows\system32\drivers\ati2mpaa.sys [15-Jun-04 7:26 PM 281856]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);f:\windows\system32\drivers\ativxbar.sys [15-Jun-04 7:27 PM 26624]
S3 cirrus;cirrus;f:\windows\system32\drivers\cirrus.sys [07-Sep-05 4:38 PM 45696]
S3 DCamVQ110;VQ110 Digital Video Camera;f:\windows\system32\DRIVERS\VQ110.sys --> f:\windows\system32\DRIVERS\VQ110.sys [?]
S3 ForteUSB;PERSTEL Chic USB Driver Service;f:\windows\system32\drivers\ForteUSB.sys [16-Jun-04 7:03 PM 10658]
S3 ICDUSB2;Sony IC Recorder (P);f:\windows\system32\drivers\IcdUsb2.sys [03-Feb-05 5:55 PM 39048]
S3 RipFlash;RipFlash Digital Music Recoder/Player;f:\windows\system32\drivers\RFlashDX.sys [16-Jun-04 5:42 PM 11100]
S3 Sflodd;Sflodd; [x]
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 f:\windows\Tasks\AppleSoftwareUpdate.job
- f:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 10:34]

2009-06-23 f:\windows\Tasks\Google Software Updater.job
- f:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-04 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Convert Tool... - f:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - f:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
TCP: {79F5B094-2307-4D8F-8CBA-6CA6F12997D2} = 192.116.202.222,192.115.106.10
FF - ProfilePath -

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-23 15:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-1708537768-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:8b,6a,a7,73,bf,7f,ad,81,18,9a,4b,34,05,e7,f7,90,6c,4e,4b,e8,4f,
f9,b7,48,90,34,eb,8f,1f,01,83,fc,ca,a4,de,9b,b8,d8,22,ee,86,75,8c,65,ff,1f,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:8b,6a,a7,73,bf,7f,ad,81,18,9a,4b,34,05,e7,f7,90,6c,4e,4b,e8,4f,
f9,b7,48,90,34,eb,8f,1f,01,83,fc,ca,a4,de,9b,b8,d8,22,ee,86,75,8c,65,ff,1f,\
.
Completion time: 2009-06-23 15:17
ComboFix-quarantined-files.txt 2009-06-23 12:17
ComboFix2.txt 2009-06-09 12:12

Pre-Run: 85,886,595,072 bytes free
Post-Run: 85,856,747,520 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,7
190 --- E O F --- 2009-05-26 14:08

#6 zschiff

zschiff
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 23 June 2009 - 08:24 AM

I was able to install recovery console manually. It ran ComboFix again so I'm sending the new log in case it's useful.
Zvi

ComboFix 09-06-22.08 - Zvi Schiff 23-Jun-09 16:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.1023.549 [GMT 3:00]
Running from: f:\documents and settings\Zvi Schiff\Desktop\anti virus\ComboFix.exe
Command switches used :: f:\documents and settings\Zvi Schiff\Desktop\anti virus\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.

2009-06-23 12:15 . 2009-06-23 12:15 -------- dc----w- f:\windows\system32\dllcache\cache
2009-06-16 11:23 . 2009-06-16 11:23 -------- d-----w- f:\program files\MSSOAP
2009-06-16 11:23 . 2009-06-16 11:23 -------- d-----w- f:\program files\Webroot
2009-06-11 12:16 . 2009-06-11 12:16 -------- d-----w- f:\documents and settings\Zvi Schiff\Application Data\Malwarebytes
2009-06-11 12:15 . 2009-05-26 10:20 40160 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 12:15 . 2009-06-11 12:15 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-11 12:15 . 2009-06-11 12:16 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2009-06-11 12:15 . 2009-05-26 10:19 19096 ----a-w- f:\windows\system32\drivers\mbam.sys
2009-06-10 12:29 . 2009-06-10 13:11 -------- d-----w- f:\documents and settings\Zvi Schiff\DoctorWeb
2009-06-07 11:20 . 2009-06-07 11:20 -------- d-----w- f:\documents and settings\Zvi Schiff\Local Settings\Application Data\ESET
2009-06-07 10:26 . 2008-01-07 11:29 352 ---ha-w- f:\windows\nod32fixtemdono.reg
2009-06-07 10:25 . 2009-06-07 10:25 -------- d-----w- f:\program files\ESET
2009-06-07 10:25 . 2009-06-07 10:25 -------- d-----w- f:\documents and settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 13:21 . 2009-03-29 11:30 2006325280 --sha-w- f:\windows\system32\drivers\fidbox.dat
2009-06-23 11:23 . 2005-12-19 13:55 -------- d---a-w- f:\documents and settings\Zvi Schiff\Application Data\OpenOffice.org2
2009-06-22 15:48 . 2009-03-29 11:30 23462168 --sha-w- f:\windows\system32\drivers\fidbox.idx
2009-06-22 13:36 . 2008-06-23 15:43 -------- d-----w- f:\documents and settings\All Users\Application Data\Google Updater
2009-06-16 10:16 . 2008-08-13 13:52 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft
2009-06-11 15:30 . 2006-06-27 14:30 -------- d-----w- f:\program files\DVConversionSuite
2009-06-11 13:25 . 2005-12-04 16:25 -------- d-----w- f:\program files\Shareaza
2009-06-08 12:29 . 2006-10-04 16:53 1744 ----a-w- f:\windows\system32\d3d9caps.dat
2009-06-07 12:16 . 2004-06-16 13:14 -------- d-----w- f:\program files\Spybot - Search & Destroy
2009-06-07 10:24 . 2004-06-15 16:43 -------- d-----w- f:\program files\Symantec
2009-06-07 10:23 . 2004-06-15 16:43 -------- d-----w- f:\program files\Common Files\Symantec Shared
2009-06-07 10:20 . 2008-01-29 15:48 -------- d-----w- f:\documents and settings\Zvi Schiff\Application Data\U3
2009-06-04 13:48 . 2004-06-16 13:14 -------- d---a-w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 12:44 . 2009-04-26 11:05 3385344 ----a-w- f:\windows\Internet Logs\xDB9B.tmp
2009-04-21 14:09 . 2004-06-17 16:43 4212 ---ha-w- f:\windows\system32\zllictbl.dat
2009-04-02 12:02 . 2009-04-02 12:02 152576 ----a-w- f:\documents and settings\Zvi Schiff\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-30 13:56 . 2007-09-11 16:16 48728 ---ha-w- f:\windows\system32\mlfcache.dat
2009-03-26 17:53 . 2009-03-26 17:53 3638 ----a-r- f:\documents and settings\Zvi Schiff\Application Data\Microsoft\Installer\{5393E299-DAED-4F87-99B8-7942091424CC}\_294823.exe
2009-03-26 17:53 . 2009-03-26 17:53 3638 ----a-r- f:\documents and settings\Zvi Schiff\Application Data\Microsoft\Installer\{5393E299-DAED-4F87-99B8-7942091424CC}\_18be6784.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-09_12.04.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-23 11:21 . 2009-06-23 11:21 16384 f:\windows\Temp\Perflib_Perfdata_6dc.dat
+ 2009-06-23 12:15 . 2008-10-16 12:09 51224 f:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-23 12:15 . 2008-04-14 00:12 82432 f:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-23 12:15 . 2008-04-14 00:12 26112 f:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-23 12:15 . 2008-04-14 00:12 14336 f:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-23 12:15 . 2008-04-14 00:12 57856 f:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-23 12:15 . 2008-04-14 00:12 17408 f:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-23 12:15 . 2008-04-14 00:12 13312 f:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-23 12:15 . 2008-04-13 18:39 24576 f:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-23 12:15 . 2008-04-13 18:53 36608 f:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-23 12:15 . 2008-04-14 00:12 15360 f:\windows\system32\dllcache\cache\ctfmon.exe
+ 2004-06-15 14:45 . 2009-06-21 11:48 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-06-15 14:45 . 2009-06-04 13:04 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-06-15 14:45 . 2009-06-21 11:48 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-06-15 14:45 . 2009-06-04 13:04 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-06-15 14:45 . 2009-06-04 13:04 16384 f:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-06-15 14:45 . 2009-06-21 11:48 16384 f:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-16 11:23 . 2009-06-16 11:23 10134 f:\windows\Installer\{32343DB6-9A52-40C9-87E4-5E7C79791C87}\ARPPRODUCTICON.exe
+ 2009-06-23 12:15 . 2008-04-14 00:12 507904 f:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-23 12:15 . 2009-02-20 08:10 666112 f:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-23 12:15 . 2008-04-14 00:12 578560 f:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-23 12:15 . 2008-04-14 00:12 295424 f:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-23 12:15 . 2008-06-20 11:51 361600 f:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-23 12:15 . 2009-02-06 11:11 110592 f:\windows\system32\dllcache\cache\services.exe
+ 2009-06-23 12:15 . 2008-04-13 19:20 182656 f:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-23 12:15 . 2009-03-21 14:06 989696 f:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-23 12:15 . 2008-04-14 00:11 110080 f:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-23 12:15 . 2008-04-14 00:11 167936 f:\windows\system32\dllcache\cache\appmgmts.dll
+ 2007-10-21 16:38 . 2009-04-06 10:26 511328 f:\windows\system32\capicom.dll
+ 2009-06-23 12:15 . 2008-04-14 00:12 1614848 f:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-23 12:15 . 2009-02-06 11:06 2145280 f:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-23 12:15 . 2009-02-06 10:32 2023936 f:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-23 12:15 . 2008-04-14 00:12 1033728 f:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iPlusAgent2"="f:\program files\iriver\iriver plus 2\iAgent2.exe" [2006-04-21 241664]
"SpybotSD TeaTimer"="f:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Microsoft Update Time"="wuam.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMONTRAY"="f:\program files\Intel\Intel® Active Monitor\imontray.exe" [2003-11-03 32768]
"RegKillElbyCheck"="f:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2001-12-06 45056]
"RegKillTray"="f:\program files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-04-13 49152]
"ISUSPM"="f:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"OSSelectorReinstall"="f:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 2209224]
"AppleSyncNotifier"="f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ZoneAlarm Client"="f:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"egui"="f:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"Microsoft Update Time"="wuam.exe" [BU]

f:\documents and settings\Zvi Schiff\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - f:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=f:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vousiadavn"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SansaDispatch"=f:\documents and settings\Zvi Schiff\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
"ctfmon.exe"=f:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iHP-100"=f:\program files\iRiver\iHP100\iHPDetect.exe
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="f:\program files\QuickTime Alternative\QTTask.exe" -atboottime
"Microsoft Update Time"=wuam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Microsoft DirectX"=PDSched.exe
"Microsoft Update Time"=wuam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\ICQLite\\ICQLite.exe"=
"f:\\Documents and Settings\\Zvi Schiff\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"137:TCP"= 137:TCP:smb
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 IFP900;iriver Internet Audio Player IFP-900;f:\windows\system32\drivers\Ifp900.sys [19-Jul-05 3:02 PM 14531]
R1 epfwtdir;epfwtdir;f:\windows\system32\drivers\epfwtdir.sys [21-Dec-07 8:21 AM 33800]
R2 ekrn;Eset Service;f:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21-Dec-07 8:21 AM 468224]
R3 RegKill;RegKill;f:\windows\system32\drivers\RegKill.sys [10-Mar-02 6:37 AM 6144]
S2 AtiBt829;ATI WDM Bt829 Video;f:\windows\system32\drivers\atinbtxx.sys [26-Sep-01 9:22 PM 60464]
S2 BEATUSB;BEATUSB.sys Eratech USB driver;f:\windows\system32\drivers\beatusb.sys [25-Aug-04 6:58 PM 10988]
S2 TTDec;ATI WDM Teletext Decoder;f:\windows\system32\drivers\atinttxx.sys [26-Sep-01 9:22 PM 20960]
S3 ati2mpaa;ati2mpaa;f:\windows\system32\drivers\ati2mpaa.sys [15-Jun-04 7:26 PM 281856]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);f:\windows\system32\drivers\ativxbar.sys [15-Jun-04 7:27 PM 26624]
S3 cirrus;cirrus;f:\windows\system32\drivers\cirrus.sys [07-Sep-05 4:38 PM 45696]
S3 DCamVQ110;VQ110 Digital Video Camera;f:\windows\system32\DRIVERS\VQ110.sys --> f:\windows\system32\DRIVERS\VQ110.sys [?]
S3 ForteUSB;PERSTEL Chic USB Driver Service;f:\windows\system32\drivers\ForteUSB.sys [16-Jun-04 7:03 PM 10658]
S3 ICDUSB2;Sony IC Recorder (P);f:\windows\system32\drivers\IcdUsb2.sys [03-Feb-05 5:55 PM 39048]
S3 RipFlash;RipFlash Digital Music Recoder/Player;f:\windows\system32\drivers\RFlashDX.sys [16-Jun-04 5:42 PM 11100]
S3 Sflodd;Sflodd; [x]
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 f:\windows\Tasks\AppleSoftwareUpdate.job
- f:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 10:34]

2009-06-23 f:\windows\Tasks\Google Software Updater.job
- f:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-04 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Convert Tool... - f:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - f:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
TCP: {79F5B094-2307-4D8F-8CBA-6CA6F12997D2} = 192.116.202.222,192.115.106.10
FF - ProfilePath -

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-23 16:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-1708537768-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:8b,6a,a7,73,bf,7f,ad,81,18,9a,4b,34,05,e7,f7,90,6c,4e,4b,e8,4f,
f9,b7,48,90,34,eb,8f,1f,01,83,fc,ca,a4,de,9b,b8,d8,22,ee,86,75,8c,65,ff,1f,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:8b,6a,a7,73,bf,7f,ad,81,18,9a,4b,34,05,e7,f7,90,6c,4e,4b,e8,4f,
f9,b7,48,90,34,eb,8f,1f,01,83,fc,ca,a4,de,9b,b8,d8,22,ee,86,75,8c,65,ff,1f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2424)
f:\program files\iTunes\iTunesMiniPlayer.dll
f:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
f:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-23 16:24
ComboFix-quarantined-files.txt 2009-06-23 13:24
ComboFix2.txt 2009-06-23 12:17
ComboFix3.txt 2009-06-09 12:12

Pre-Run: 85,823,242,240 bytes free
Post-Run: 85,793,869,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,7
228 --- E O F --- 2009-05-26 14:08

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 PM

Posted 24 June 2009 - 09:26 AM

Hello.

Please continue with the following.

Download and Run OTM
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :services
    Sflodd
    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"=-
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large Posted Image button.
  • If OTM requires a reboot, please allow it to do so.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

Take a new DDS run afterwards and post back with the logs.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 zschiff

zschiff
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 25 June 2009 - 10:57 AM

Done.
here are the logs.
If you have the time I would appreciate some explanation of what I had and where it came from. I think I was infected from a disk on key but don't really know.
Thanks for your time and efforts.
Zvi



Edited by zschiff, 25 June 2009 - 10:59 AM.


#9 zschiff

zschiff
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 25 June 2009 - 11:00 AM

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 5.1.2600 Service Pack 3

25-Jun-09 5:01:21 PM
mbam-log-2009-06-25 (17-01-21).txt

Scan type: Quick Scan
Objects scanned: 84623
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Time (Backdoor.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Time (Backdoor.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update Time (Backdoor.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft DirectX (Backdoor.Sdbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by zschiff, 25 June 2009 - 11:01 AM.


#10 zschiff

zschiff
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 25 June 2009 - 11:04 AM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-25 18:49:12
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF375AFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF3757C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF3772170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF375B580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF376F900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF376FB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF3773B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF375B670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF3758210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF37729F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF37727A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF376F280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF3772F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF3772F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF3758070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF3771180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF3770F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF37736F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF3773150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF375ABE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF3773540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF375B190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF3758440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF37724E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF3770200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF3770080]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----

#11 zschiff

zschiff
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 25 June 2009 - 11:08 AM

All processes killed
========== SERVICES/DRIVERS ==========

Service\Driver Sflodd deleted successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Update Time deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Update Time deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 213126 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: Zvi Schiff
File delete failed. F:\Documents and Settings\Zvi Schiff\Local Settings\Temp\~DFDEB9.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 196608 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 7650691 bytes
->FireFox cache emptied: 54463515 bytes
->Apple Safari cache emptied: 1919841 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3334748 bytes
%systemroot%\System32 .tmp files removed: 3925009 bytes
File delete failed. F:\WINDOWS\temp\ZLT04a7d.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied: 739 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 68.45 mb


OTM by OldTimer - Version 3.0.0.2 log created on 06252009_153224

Files moved on Reboot...
F:\Documents and Settings\Zvi Schiff\Local Settings\Temp\~DFDEB9.tmp moved successfully.
File F:\WINDOWS\temp\ZLT04a7d.TMP not found!

Registry entries deleted on Reboot...



DDS (Ver_09-05-14.01) - NTFSx86
Run by Zvi Schiff at 18:50:32.34 on 25-Jun-09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.1023.548 [GMT 3:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
F:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Documents and Settings\Zvi Schiff\Desktop\anti virus\thurs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: {54B02808-B60E-44CD-A72D-9865117E4E62} - No File
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - f:\program files\ws_ftp pro\wsbho2k0.dll
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - f:\program files\agat\agform\AGFormsHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - f:\program files\agat\agform\AGForms.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [iPlusAgent2] "f:\program files\iriver\iriver plus 2\iAgent2.exe"
uRun: [SpybotSD TeaTimer] "f:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [IMONTRAY] "f:\program files\intel\intel® active monitor\imontray.exe"
mRun: [RegKillElbyCheck] "f:\program files\elaborate bytes\dvd region killer\ElbyCheck.exe" /L RegKill
mRun: [RegKillTray] "f:\program files\elaborate bytes\dvd region killer\RegKillTray.exe"
mRun: [ISUSPM] "f:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [OSSelectorReinstall] "f:\program files\common files\acronis\acronis disk director\oss_reinstall.exe"
mRun: [AppleSyncNotifier] "f:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "f:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [egui] "f:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRunOnce: [Malwarebytes' Anti-Malware] f:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: f:\docume~1\zvisch~1\startm~1\programs\startup\openof~1.lnk - f:\program files\openoffice.org 2.4\program\quickstart.exe
IE: Add to AMV Convert Tool... - f:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - f:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - f:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120170377109
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140612129937
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://192.168.10.253:50000/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5219/mcfscan.cab
TCP: {79F5B094-2307-4D8F-8CBA-6CA6F12997D2} = 192.116.202.222,192.115.106.10
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\zvisch~1\applic~1\mozilla\firefox\profiles\mlsjzv2i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\{22119944-ed35-4ab1-910b-e619ea06a115}\components\rfproxy_27.dll
FF - component: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: f:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: f:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: f:\program files\picasa2\npPicasa2.dll

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 IFP900;iriver Internet Audio Player IFP-900;f:\windows\system32\drivers\Ifp900.sys [2005-7-19 14531]
R1 epfwtdir;epfwtdir;f:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 KLIF;KLIF;f:\windows\system32\drivers\klif.sys [2009-3-29 148496]
R1 vsdatant;vsdatant;f:\windows\system32\vsdatant.sys [2004-6-17 353672]
R2 ekrn;Eset Service;f:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 vsmon;TrueVector Internet Monitor;f:\windows\system32\zonelabs\vsmon.exe -service --> f:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 RegKill;RegKill;f:\windows\system32\drivers\RegKill.sys [2002-3-10 6144]
S2 AtiBt829;ATI WDM Bt829 Video;f:\windows\system32\drivers\atinbtxx.sys [2001-9-26 60464]
S2 BEATUSB;BEATUSB.sys Eratech USB driver;f:\windows\system32\drivers\beatusb.sys [2004-8-25 10988]
S2 TTDec;ATI WDM Teletext Decoder;f:\windows\system32\drivers\atinttxx.sys [2001-9-26 20960]
S3 ati2mpaa;ati2mpaa;f:\windows\system32\drivers\ati2mpaa.sys [2004-6-15 281856]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);f:\windows\system32\drivers\ativxbar.sys [2004-6-15 26624]
S3 cirrus;cirrus;f:\windows\system32\drivers\cirrus.sys [2005-9-7 45696]
S3 DCamVQ110;VQ110 Digital Video Camera;f:\windows\system32\drivers\vq110.sys --> f:\windows\system32\drivers\VQ110.sys [?]
S3 ForteUSB;PERSTEL Chic USB Driver Service;f:\windows\system32\drivers\ForteUSB.sys [2004-6-16 10658]
S3 ICDUSB2;Sony IC Recorder (P);f:\windows\system32\drivers\IcdUsb2.sys [2005-2-3 39048]
S3 RipFlash;RipFlash Digital Music Recoder/Player;f:\windows\system32\drivers\RFlashDX.sys [2004-6-16 11100]

=============== Created Last 30 ================

2009-06-25 15:32 <DIR> --d----- F:\_OTM
2009-06-23 16:15 <DIR> a-dshr-- F:\cmdcons
2009-06-23 15:15 <DIR> -cd----- f:\windows\system32\dllcache\cache
2009-06-16 14:23 <DIR> --d----- f:\program files\MSSOAP
2009-06-16 14:23 <DIR> --d----- f:\program files\Webroot
2009-06-11 15:16 <DIR> --d----- f:\docume~1\zvisch~1\applic~1\Malwarebytes
2009-06-11 15:15 38,160 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 15:15 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 15:15 19,096 a------- f:\windows\system32\drivers\mbam.sys
2009-06-11 15:15 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-06-10 15:29 <DIR> --d----- f:\documents and settings\zvi schiff\DoctorWeb
2009-06-09 19:12 <DIR> a-dshr-- F:\autorun.inf
2009-06-09 14:53 161,792 a------- f:\windows\SWREG.exe
2009-06-09 14:53 155,136 a------- f:\windows\PEV.exe
2009-06-09 14:53 98,816 a------- f:\windows\sed.exe
2009-06-07 13:26 352 a---h--- f:\windows\nod32fixtemdono.reg
2009-06-07 13:25 <DIR> --d----- f:\program files\ESET

==================== Find3M ====================

2009-06-25 18:50 2,008,100,896 a--sh--- f:\windows\system32\drivers\fidbox.dat
2009-06-25 15:33 23,528,768 a--sh--- f:\windows\system32\drivers\fidbox.idx
2009-06-08 15:29 1,744 a------- f:\windows\system32\d3d9caps.dat
2009-04-21 17:09 4,212 a---h--- f:\windows\system32\zllictbl.dat
2009-03-30 16:56 48,728 a---h--- f:\windows\system32\mlfcache.dat
2008-02-12 16:14 32 a------- f:\docume~1\alluse~1\applic~1\ezsid.dat
2006-11-19 19:24 252 a------- f:\documents and settings\zvi schiff\test.dat
2003-05-07 18:13 131,072 a------- f:\windows\inf\DriverInstaller.exe

============= FINISH: 18:51:19.93 ===============

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 PM

Posted 25 June 2009 - 04:40 PM

Hello.

You had a backdoor. Appears to be only leftovers, but you still should know about this infection.

Let me know.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
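
The backdoor's persistence is visible in the logs posted in this thread: MBAM reported Backdoor.Sdbot under Run and RunServices values named "Microsoft Update Time" and "Microsoft DirectX", and the later DDS log lists the same values pointing at bare file names (wuam.exe, PDSched.exe) with no directory. As an added example that is not part of the thread and not code from the helper, from DDS, or from MBAM, the Python below triages DDS-style autorun lines with three heuristics of my own (bare file name, legacy RunServices key, Microsoft-style value name outside the Windows directory). The sample lines are constructed from entries quoted in this thread mixed with ordinary entries from the same log.

```python
"""Triage of DDS-style autorun lines (added example; not DDS or MBAM code)."""
import re
from dataclasses import dataclass, field

# One DDS "Pseudo HJT Report" line: hive letter, key, [value name], command.
# DDS shorthand as seen in the logs: u = HKCU, m = HKLM.
AUTORUN_RE = re.compile(
    r"^(?P<hive>[um])(?P<key>Run(?:Services|Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Constructed sample: the four Sdbot lines quoted from the infected DDS log in
# this thread (wuam.exe / PDSched.exe) mixed with ordinary entries from the same log.
SAMPLE_DDS_LINES = r"""
uRun: [SpybotSD TeaTimer] "f:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [Microsoft Update Time] wuam.exe
mRun: [egui] "f:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Microsoft Update Time] wuam.exe
mRunServices: [Microsoft DirectX] PDSched.exe
mRunServices: [Microsoft Update Time] wuam.exe
mRunOnce: [Malwarebytes' Anti-Malware] f:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
"""


@dataclass
class AutorunEntry:
    hive: str                 # 'u' (HKCU) or 'm' (HKLM)
    key: str                  # Run, RunOnce or RunServices
    name: str                 # registry value name
    image: str                # executable as written in the value
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_image(cmd: str) -> str:
    """Extract the executable from a Run value's command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                        # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")                 # unquoted path that may contain spaces
    if idx != -1:
        return cmd[: idx + 4]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str):
    """Return an AutorunEntry for a DDS autorun line, or None for anything else."""
    m = AUTORUN_RE.match(line.strip())
    if not m:
        return None
    entry = AutorunEntry(m["hive"], m["key"], m["name"], parse_image(m["cmd"]))
    image = entry.image.lower()
    # Heuristic 1 (my assumption, not DDS logic): a bare file name has no directory,
    # so Windows resolves it through the search path; installers write full paths.
    if "\\" not in image and ":" not in image:
        entry.reasons.append("bare filename resolved via search path")
    # Heuristic 2: RunServices is a Windows 9x-era key that software written for
    # XP does not normally populate; the Sdbot values in this thread live there.
    if entry.key == "RunServices":
        entry.reasons.append("legacy RunServices key")
    # Heuristic 3: a value name that claims to be Microsoft's while the image
    # lives outside the Windows directory (or has no directory at all).
    if entry.name.lower().startswith("microsoft") and "\\windows\\" not in image:
        entry.reasons.append("Microsoft-style name, image not under the Windows directory")
    return entry


def triage(text: str) -> list:
    """All suspicious autorun entries found in a block of DDS output."""
    entries = (triage_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None and e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS_LINES):
        hive = "HKCU" if e.hive == "u" else "HKLM"
        print(f"{hive}\\...\\{e.key}\\{e.name} -> {e.image}: {'; '.join(e.reasons)}")
```

Run on the sample, the script flags exactly the four Sdbot lines and passes the TeaTimer, ctfmon, egui and MBAM entries, which is the same distinction the MBAM log in this thread drew; the point for a defender is that a startup value with no directory in its command, or any value at all under RunServices, deserves a look before any signature names it.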

#13 zschiff

zschiff
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 29 June 2009 - 10:51 AM

I would like to continue with the cleaning.
Any idea how I got it?

Edited by zschiff, 29 June 2009 - 10:53 AM.


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 PM

Posted 29 June 2009 - 12:44 PM

Hello.

Please post a new DDS log then.

Thanks

With Regards,
Extremeboy

#15 zschiff

zschiff
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 30 June 2009 - 09:16 AM

DDS (Ver_09-05-14.01) - NTFSx86
Run by Zvi Schiff at 15:19:44.51 on 30-Jun-09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.1023.505 [GMT 3:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
F:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
F:\Program Files\iriver\iriver plus 2\iAgent2.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files\OpenOffice.org 2.4\program\soffice.exe
F:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
F:\Program Files\iPod\bin\iPodService.exe
F:\Documents and Settings\Zvi Schiff\Desktop\anti virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: {54B02808-B60E-44CD-A72D-9865117E4E62} - No File
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - f:\program files\ws_ftp pro\wsbho2k0.dll
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - f:\program files\agat\agform\AGFormsHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - f:\program files\agat\agform\AGForms.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [iPlusAgent2] "f:\program files\iriver\iriver plus 2\iAgent2.exe"
uRun: [SpybotSD TeaTimer] "f:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [Microsoft Update Time] wuam.exe
mRun: [IMONTRAY] "f:\program files\intel\intel® active monitor\imontray.exe"
mRun: [RegKillElbyCheck] "f:\program files\elaborate bytes\dvd region killer\ElbyCheck.exe" /L RegKill
mRun: [RegKillTray] "f:\program files\elaborate bytes\dvd region killer\RegKillTray.exe"
mRun: [ISUSPM] "f:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [OSSelectorReinstall] "f:\program files\common files\acronis\acronis disk director\oss_reinstall.exe"
mRun: [AppleSyncNotifier] "f:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "f:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [egui] "f:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Microsoft Update Time] wuam.exe
mRunServices: [Microsoft DirectX] PDSched.exe
mRunServices: [Microsoft Update Time] wuam.exe
StartupFolder: f:\docume~1\zvisch~1\startm~1\programs\startup\openof~1.lnk - f:\program files\openoffice.org 2.4\program\quickstart.exe
IE: Add to AMV Convert Tool... - f:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - f:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - f:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120170377109
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140612129937
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://192.168.10.253:50000/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5219/mcfscan.cab
TCP: {79F5B094-2307-4D8F-8CBA-6CA6F12997D2} = 192.116.202.222,192.115.106.10
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\zvisch~1\applic~1\mozilla\firefox\profiles\mlsjzv2i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\{22119944-ed35-4ab1-910b-e619ea06a115}\components\rfproxy_27.dll
FF - component: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: f:\documents and settings\zvi schiff\application data\mozilla\firefox\profiles\mlsjzv2i.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: f:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: f:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: f:\program files\picasa2\npPicasa2.dll

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 IFP900;iriver Internet Audio Player IFP-900;f:\windows\system32\drivers\Ifp900.sys [2005-7-19 14531]
R1 epfwtdir;epfwtdir;f:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 KLIF;KLIF;f:\windows\system32\drivers\klif.sys [2009-3-29 148496]
R1 vsdatant;vsdatant;f:\windows\system32\vsdatant.sys [2004-6-17 353672]
R2 ekrn;Eset Service;f:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 vsmon;TrueVector Internet Monitor;f:\windows\system32\zonelabs\vsmon.exe -service --> f:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 RegKill;RegKill;f:\windows\system32\drivers\RegKill.sys [2002-3-10 6144]
S2 AtiBt829;ATI WDM Bt829 Video;f:\windows\system32\drivers\atinbtxx.sys [2001-9-26 60464]
S2 BEATUSB;BEATUSB.sys Eratech USB driver;f:\windows\system32\drivers\beatusb.sys [2004-8-25 10988]
S2 TTDec;ATI WDM Teletext Decoder;f:\windows\system32\drivers\atinttxx.sys [2001-9-26 20960]
S3 ati2mpaa;ati2mpaa;f:\windows\system32\drivers\ati2mpaa.sys [2004-6-15 281856]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);f:\windows\system32\drivers\ativxbar.sys [2004-6-15 26624]
S3 cirrus;cirrus;f:\windows\system32\drivers\cirrus.sys [2005-9-7 45696]
S3 DCamVQ110;VQ110 Digital Video Camera;f:\windows\system32\drivers\vq110.sys --> f:\windows\system32\drivers\VQ110.sys [?]
S3 ForteUSB;PERSTEL Chic USB Driver Service;f:\windows\system32\drivers\ForteUSB.sys [2004-6-16 10658]
S3 ICDUSB2;Sony IC Recorder (P);f:\windows\system32\drivers\IcdUsb2.sys [2005-2-3 39048]
S3 RipFlash;RipFlash Digital Music Recoder/Player;f:\windows\system32\drivers\RFlashDX.sys [2004-6-16 11100]

=============== Created Last 30 ================

2009-06-25 15:32 <DIR> --d----- F:\_OTM
2009-06-23 16:15 <DIR> a-dshr-- F:\cmdcons
2009-06-23 15:15 <DIR> -cd----- f:\windows\system32\dllcache\cache
2009-06-16 14:23 <DIR> --d----- f:\program files\MSSOAP
2009-06-16 14:23 <DIR> --d----- f:\program files\Webroot
2009-06-11 15:16 <DIR> --d----- f:\docume~1\zvisch~1\applic~1\Malwarebytes
2009-06-11 15:15 38,160 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 15:15 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 15:15 19,096 a------- f:\windows\system32\drivers\mbam.sys
2009-06-11 15:15 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-06-10 15:29 <DIR> --d----- f:\documents and settings\zvi schiff\DoctorWeb
2009-06-09 19:12 <DIR> a-dshr-- F:\autorun.inf
2009-06-09 14:53 161,792 a------- f:\windows\SWREG.exe
2009-06-09 14:53 155,136 a------- f:\windows\PEV.exe
2009-06-09 14:53 98,816 a------- f:\windows\sed.exe
2009-06-07 13:26 352 a---h--- f:\windows\nod32fixtemdono.reg
2009-06-07 13:25 <DIR> --d----- f:\program files\ESET

==================== Find3M ====================

2009-06-30 15:19 2,008,506,400 a--sh--- f:\windows\system32\drivers\fidbox.dat
2009-06-25 19:34 23,539,760 a--sh--- f:\windows\system32\drivers\fidbox.idx
2009-06-08 15:29 1,744 a------- f:\windows\system32\d3d9caps.dat
2009-04-21 17:09 4,212 a---h--- f:\windows\system32\zllictbl.dat
2008-02-12 16:14 32 a------- f:\docume~1\alluse~1\applic~1\ezsid.dat
2006-11-19 19:24 252 a------- f:\documents and settings\zvi schiff\test.dat
2003-05-07 18:13 131,072 a------- f:\windows\inf\DriverInstaller.exe

============= FINISH: 15:20:58.64 ===============
