Am I infected?


14 replies to this topic

#1 gamemaster406

  • Members
  • 44 posts

Posted 28 June 2009 - 09:14 PM

ZoneAlarm is constantly blocking suspicious sites from China and some other countries all the time, so I was wondering if I have any infection. I have included a DDS log, and attached a zipped Attach.txt and an HJT log as well.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 21:58:44.91 on Sun 06/28/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1828 [GMT -4:00]

SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\PnkBstrB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\The Spoof Net\The ToonTown Spoofer\TTS.exe
C:\Users\Administrator\Desktop\TT\InvasionNotification.exe
C:\Users\Administrator\Desktop\TT\KeepAlive.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\ADMINI~1\AppData\Local\Temp\mozOpenDownload\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Aim6]
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource5\go\CTCMSGoU.exe" /SCB
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\fy8p8z1u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2009-6-27 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-27 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2009-6-27 434945]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-27 210216]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\system32\nvSCPAPISvr.exe [2009-6-10 232960]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-5-12 79360]
S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [2007-5-1 132232]
S3 SaiIFFB5;Immersion's HID USB Driver (FFB5);c:\windows\system32\drivers\SaiIFFB5.sys [2007-5-1 16256]

=============== Created Last 30 ================

2009-06-27 20:30 <DIR> --d----- c:\programdata\Lavasoft
2009-06-27 13:43 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-06-27 13:43 <DIR> --d----- c:\program files\Zone Labs
2009-06-27 13:42 350,192 a---h--- c:\windows\system32\drivers\vsconfig.xml
2009-06-27 13:42 293,528 a------- c:\windows\system32\drivers\vsdatant.sys
2009-06-27 13:42 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-06-27 13:41 <DIR> --d----- c:\programdata\CheckPoint
2009-06-27 13:41 <DIR> --d----- c:\progra~2\CheckPoint
2009-06-27 13:41 <DIR> --d----- c:\windows\Internet Logs
2009-06-27 12:51 <DIR> --d----- c:\program files\common files\McAfee
2009-06-27 12:51 <DIR> --d----- c:\program files\McAfee
2009-06-27 12:35 <DIR> --d----- c:\users\admini~1\appdata\roaming\Avira
2009-06-27 12:29 81,984 a------- c:\windows\system32\bdod.bin
2009-06-27 12:29 132 a------- C:\httpdwl.dat
2009-06-27 12:23 850 a------- c:\windows\system32\ProductTweaks.xml
2009-06-27 12:23 385 a------- c:\windows\system32\user_gensett.xml
2009-06-27 12:23 <DIR> --d----- c:\programdata\BitDefender
2009-06-27 12:23 <DIR> --d----- c:\progra~2\BitDefender
2009-06-27 12:21 <DIR> --d----- c:\users\admini~1\appdata\roaming\BitDefender
2009-06-27 12:19 <DIR> --d----- c:\program files\common files\BitDefender
2009-06-27 12:12 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 22:45 <DIR> --d----- c:\users\admini~1\appdata\roaming\Malwarebytes
2009-06-26 22:45 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 22:45 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-26 22:45 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-26 22:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 22:45 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-26 22:06 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-26 22:06 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-26 22:05 <DIR> --d----- c:\users\admini~1\appdata\roaming\SUPERAntiSpyware.com
2009-06-26 22:05 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-26 12:30 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-06-26 10:01 <DIR> --d----- c:\programdata\SiteAdvisor
2009-06-26 10:00 <DIR> --d----- c:\programdata\McAfee(26)
2009-06-26 10:00 <DIR> --d----- c:\progra~2\McAfee(26)
2009-06-26 08:12 <DIR> --d----- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-06-24 22:56 <DIR> --d----- c:\users\administrator\CFS3 Add-Ons
2009-06-24 21:51 <DIR> --d----- c:\program files\Bonjour
2009-06-24 17:41 <DIR> --d----- c:\program files\common files\xing shared
2009-06-24 17:41 <DIR> --d----- c:\program files\common files\Real
2009-06-24 00:42 <DIR> --d----- c:\program files\AIMTunes
2009-06-22 20:53 <DIR> --d----- c:\program files\FirePower
2009-06-22 16:37 189,072 a------- c:\windows\system32\PnkBstrB.xtr
2009-06-21 23:25 <DIR> --d----- c:\program files\Fraps
2009-06-19 19:52 <DIR> --d----- c:\program files\Comodo
2009-06-18 10:59 <DIR> --d----- c:\program files\Microsoft
2009-06-16 23:51 <DIR> --d----- c:\program files\FileASSASSIN
2009-06-16 23:32 <DIR> --d----- c:\program files\VirusTotalUploader
2009-06-16 22:02 <DIR> --d----- c:\program files\Virtual Earth 3D
2009-06-13 13:48 <DIR> --d----- c:\program files\Activision
2009-06-12 15:20 <DIR> --d----- c:\program files\IObit
2009-06-12 15:14 39,424 a------- c:\windows\zipinst.exe
2009-06-12 15:14 <DIR> --d----- c:\program files\ShellExView
2009-06-11 19:23 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-06-11 19:23 <DIR> --d----- c:\program files\MSECACHE
2009-06-11 16:29 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-10 08:35 1,194,528 a------- c:\windows\system32\nvcplui.exe
2009-06-10 08:35 420,384 a------- c:\windows\system32\nvcpl.cpl
2009-06-10 08:35 1,296,928 a------- c:\windows\system32\nvsvs.dll
2009-06-10 06:33 244,736 a------- c:\windows\system32\nvStInst.exe
2009-06-10 06:33 467,968 a------- c:\windows\system32\nvstlink.exe
2009-06-10 06:33 3,953,152 a------- c:\windows\system32\nvstwiz.exe
2009-06-10 06:33 141,824 a------- c:\windows\system32\nvStereoApiI.dll
2009-06-10 06:33 171,520 a------- c:\windows\system32\nvStereoApiI64.dll
2009-06-10 06:33 232,960 a------- c:\windows\system32\nvSCPAPISvr.exe
2009-06-10 06:32 257,536 a------- c:\windows\system32\nvSCPAPI.dll
2009-06-10 06:32 301,568 a------- c:\windows\system32\nvSCPAPI64.dll
2009-06-10 06:32 3,293,184 a------- c:\windows\system32\nvstres.dll
2009-06-10 06:32 5,847 a------- c:\windows\system32\oglstreg.reg
2009-06-10 06:31 167,424 a------- c:\windows\system32\nvstreg.exe
2009-06-10 06:31 1,718,272 a------- c:\windows\system32\nvsttest.exe
2009-06-10 06:31 1,034,752 a------- c:\windows\system32\nvstview.exe
2009-06-10 06:31 89,088 a------- c:\windows\system32\nvimage.dll
2009-06-10 06:29 1,656 a------- c:\windows\system32\nvstdef.reg
2009-06-10 06:03 10,379,264 a------- c:\windows\system32\nvoglv32.dll
2009-06-10 06:03 9,899,296 a------- c:\windows\system32\drivers\nvlddmkm.sys
2009-06-10 06:03 3,148,288 a------- c:\windows\system32\nvwgf2um.dll
2009-06-10 06:03 1,704,960 a------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,317,408 a------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 678,432 a------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod155.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll
2009-06-10 06:03 10,060 a------- c:\windows\system32\nvdisp.nvu
2009-06-10 06:03 4,224 a------- c:\windows\system32\drivers\nvBridge.kmd
2009-06-08 22:46 <DIR> --d----- c:\users\admini~1\appdata\roaming\IObit
2009-06-06 15:30 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-06 15:30 22,328 a------- c:\users\admini~1\appdata\roaming\PnkBstrK.sys
2009-06-06 15:30 103,736 a------- c:\windows\system32\PnkBstrB.exe
2009-06-06 15:30 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-06 15:30 319 a------- c:\windows\game.ini
2009-06-06 14:35 49,015 a------- c:\programdata\nvModes.dat
2009-06-06 14:35 49,015 a------- c:\progra~2\nvModes.dat
2009-06-06 14:31 <DIR> --d----- c:\windows\system32\AGEIA
2009-06-06 14:30 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-06 13:26 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-06-06 13:12 <DIR> --d----- c:\program files\NVIDIA Corporation
2009-06-06 12:15 53,248 a------- c:\windows\system32\CSVer.dll
2009-06-06 01:02 <DIR> --d----- c:\program files\Windows SteadyState
2009-06-05 23:33 <DIR> --d----- c:\program files\YouTube Downloader
2009-06-05 18:04 <DIR> --d----- c:\program files\iPod
2009-06-05 18:04 <DIR> --d----- c:\program files\iTunes
2009-06-05 15:47 <DIR> --d----- c:\users\administrator\CFS3 Backup
2009-06-04 15:19 <DIR> --d----- c:\users\admini~1\appdata\roaming\GetRightToGo
2009-06-03 17:56 <DIR> --d----- c:\program files\Trend Micro
2009-06-02 18:23 <DIR> --d----- c:\program files\Avira
2009-06-01 22:38 <DIR> --d----- c:\programdata\Comodo
2009-06-01 22:38 <DIR> --d----- c:\progra~2\Comodo
2009-05-30 15:27 <DIR> --d----- C:\Intel
2009-05-30 15:10 <DIR> --d----- c:\users\admini~1\appdata\roaming\Uniblue
2009-05-30 15:10 <DIR> --d----- c:\programdata\DriverScanner
2009-05-30 15:10 <DIR> --d----- c:\progra~2\DriverScanner
2009-05-30 14:53 <DIR> a-d----- c:\programdata\TEMP
2009-05-30 11:52 <DIR> --d----- c:\programdata\Google
2009-05-30 11:35 <DIR> --d----- c:\program files\common files\Futuremark Shared
2009-05-30 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-30 11:11 <DIR> --d----- c:\windows\system32\eu-ES
2009-05-30 11:11 <DIR> --d----- c:\windows\system32\ca-ES
2009-05-30 11:11 <DIR> --d----- c:\windows\system32\vi-VN
2009-05-30 11:10 8,393 a------- c:\windows\system32\CTAPO32.cat
2009-05-30 11:08 <DIR> --d----- c:\windows\system32\SPReview
2009-05-30 11:05 928,768 a------- c:\windows\system32\scavenge.dll
2009-05-30 11:05 57,856 a------- c:\windows\system32\compcln.exe
2009-05-30 11:03 344,698 a------- c:\windows\system32\eaphost.tmf
2009-05-30 11:02 32,198 a------- c:\windows\system32\wbem\IMAPIv2-Base.mof
2009-05-30 11:02 677,376 a------- c:\windows\system32\imapi2fs.dll
2009-05-30 11:02 438,784 a------- c:\windows\system32\IKEEXT.DLL
2009-05-30 11:02 208,896 a------- c:\windows\system32\mfplat.dll
2009-05-30 11:02 98,816 a------- c:\windows\system32\mfps.dll
2009-05-30 11:02 24,576 a------- c:\windows\system32\mfpmp.exe
2009-05-30 11:02 2,048 a------- c:\windows\system32\mferror.dll
2009-05-30 11:02 1,135,104 a------- c:\windows\system32\mfc42.dll
2009-05-30 11:02 2,868,224 a------- c:\windows\system32\mf.dll
2009-05-30 11:02 1,160,704 a------- c:\windows\system32\mfc42u.dll
2009-05-30 11:02 2,012,160 a------- c:\windows\system32\milcore.dll
2009-05-30 11:02 41,984 a------- c:\windows\system32\mimefilt.dll

==================== Find3M ====================

2009-06-27 13:43 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-27 13:43 51,200 a------- c:\windows\inf\infpub.dat
2009-06-27 13:43 86,016 a------- c:\windows\inf\infstor.dat
2009-06-21 14:02 162,944 a------- c:\windows\system32\drivers\RT25USBAP.SYS
2009-06-21 14:02 4,350 a------- c:\windows\system32\drivers\RT25USBAP.CAT
2009-06-10 08:34 3,123,744 a------- c:\windows\system32\nvwss.dll
2009-06-10 08:34 4,045,344 a------- c:\windows\system32\nvvitvs.dll
2009-06-10 08:34 4,028,960 a------- c:\windows\system32\nvdisps.dll
2009-06-10 08:34 3,516,960 a------- c:\windows\system32\nvgames.dll
2009-06-10 08:34 1,288,736 a------- c:\windows\system32\nvmobls.dll
2009-06-10 08:34 211,488 a------- c:\windows\system32\nvvsvc.exe
2009-06-10 08:34 195,104 a------- c:\windows\system32\nvmccss.dll
2009-06-10 08:34 13,785,632 a------- c:\windows\system32\nvcpl.dll
2009-06-10 08:34 768,544 a------- c:\windows\system32\nvsvc.dll
2009-06-10 08:34 143,360 a------- c:\windows\system32\nvshext.dll
2009-06-10 08:34 92,704 a------- c:\windows\system32\nvmctray.dll
2009-06-10 06:03 7,611,904 a------- c:\windows\system32\nvd3dum.dll
2009-06-10 06:03 989,696 a------- c:\windows\system32\nvapi.dll
2009-06-04 16:39 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-05-30 11:11 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-13 20:35 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-05-12 22:01 166,386 a------- c:\windows\hpoins28.dat
2009-05-12 21:50 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-05-12 21:50 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-05-12 20:21 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod146.dll
2009-04-28 09:55 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-04-23 08:14 623,616 a------- c:\windows\system32\localspl.dll
2009-04-21 07:39 2,034,688 a------- c:\windows\system32\win32k.sys
2009-04-10 23:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-10 23:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-10 23:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-10 23:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-10 23:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-10 23:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-10 23:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-10 23:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-10 23:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-10 23:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-10 23:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-10 23:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-10 23:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-10 23:27 526,336 a------- c:\windows\system32\RMActivate_isv.exe
2009-04-10 23:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-10 23:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-10 22:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-10 22:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-10 21:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-10 21:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-10 21:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-10 21:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-10 21:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-10 18:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:59:52.97 ===============


Edited by gamemaster406, 29 June 2009 - 03:24 PM.



#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 02 July 2009 - 11:37 AM

Hello gamemaster406 and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 gamemaster406
  • Topic Starter

  • Members
  • 44 posts

Posted 02 July 2009 - 12:27 PM

So far I don't think the problem is still persisting, but I just want to be sure. Originally my computer was infected with 24 pieces of spyware that SUPERAntiSpyware managed to get rid of, but I'm not entirely sure if my machine is fully clean yet, as my Firefox browser loads slowly (not as slow as when I had the infection). I believe the infection was 19 pieces of Adware.HBHelper and 5 pieces of Browser Hijacker.Deskbar.


Here is my new DDS log, and I attached the Attach log in a zipped folder as the instructions told me to do.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 13:23:54.14 on Thu 07/02/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1656 [GMT -4:00]

SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Users\Administrator\Desktop\dds.pif
C:\Users\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Aim6]
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\fy8p8z1u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2009-6-27 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-27 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2009-6-27 434945]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-27 210216]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\system32\nvSCPAPISvr.exe [2009-6-10 232960]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-5-12 79360]
S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [2007-5-1 132232]
S3 SaiIFFB5;Immersion's HID USB Driver (FFB5);c:\windows\system32\drivers\SaiIFFB5.sys [2007-5-1 16256]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-01 18:59 380,928 -----r-- c:\windows\system32\pSOAP32.dll
2009-07-01 18:59 188,416 -----r-- c:\windows\system32\pocketHTTP.dll
2009-07-01 18:59 110,676 -----r-- c:\windows\system32\psDime.dll
2009-07-01 18:59 73,728 -----r-- c:\windows\system32\psProxy.dll
2009-06-30 23:35 <DIR> --d----- c:\users\admini~1\appdata\roaming\flightgear.org
2009-06-30 23:33 <DIR> --d----- c:\program files\FlightGear
2009-06-30 18:46 <DIR> --d----- c:\users\admini~1\appdata\roaming\SuperAdBlocker.com
2009-06-30 18:45 <DIR> --d----- c:\windows\system32\URTTemp
2009-06-30 18:45 <DIR> --d----- c:\program files\SuperAdBlocker.com
2009-06-27 20:30 <DIR> --d----- c:\programdata\Lavasoft
2009-06-27 13:43 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-06-27 13:43 <DIR> --d----- c:\program files\Zone Labs
2009-06-27 13:42 350,192 a---h--- c:\windows\system32\drivers\vsconfig.xml
2009-06-27 13:42 293,528 a------- c:\windows\system32\drivers\vsdatant.sys
2009-06-27 13:42 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-06-27 13:41 <DIR> --d----- c:\programdata\CheckPoint
2009-06-27 13:41 <DIR> --d----- c:\progra~2\CheckPoint
2009-06-27 13:41 <DIR> --d----- c:\windows\Internet Logs
2009-06-27 12:51 <DIR> --d----- c:\program files\common files\McAfee
2009-06-27 12:51 <DIR> --d----- c:\program files\McAfee
2009-06-27 12:35 <DIR> --d----- c:\users\admini~1\appdata\roaming\Avira
2009-06-27 12:29 81,984 a------- c:\windows\system32\bdod.bin
2009-06-27 12:29 132 a------- C:\httpdwl.dat
2009-06-27 12:23 850 a------- c:\windows\system32\ProductTweaks.xml
2009-06-27 12:23 385 a------- c:\windows\system32\user_gensett.xml
2009-06-27 12:23 <DIR> --d----- c:\programdata\BitDefender
2009-06-27 12:23 <DIR> --d----- c:\progra~2\BitDefender
2009-06-27 12:21 <DIR> --d----- c:\users\admini~1\appdata\roaming\BitDefender
2009-06-27 12:19 <DIR> --d----- c:\program files\common files\BitDefender
2009-06-27 12:12 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 22:45 <DIR> --d----- c:\users\admini~1\appdata\roaming\Malwarebytes
2009-06-26 22:45 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 22:45 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-26 22:45 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-26 22:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 22:45 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-26 22:06 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-26 22:06 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-26 22:05 <DIR> --d----- c:\users\admini~1\appdata\roaming\SUPERAntiSpyware.com
2009-06-26 22:05 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-26 12:30 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-06-26 10:01 <DIR> --d----- c:\programdata\SiteAdvisor
2009-06-26 10:00 <DIR> --d----- c:\programdata\McAfee(26)
2009-06-26 10:00 <DIR> --d----- c:\progra~2\McAfee(26)
2009-06-24 22:56 <DIR> --d----- c:\users\administrator\CFS3 Add-Ons
2009-06-24 21:51 <DIR> --d----- c:\program files\Bonjour
2009-06-24 17:41 <DIR> --d----- c:\program files\common files\xing shared
2009-06-24 17:41 <DIR> --d----- c:\program files\common files\Real
2009-06-24 00:42 <DIR> --d----- c:\program files\AIMTunes
2009-06-22 20:53 <DIR> --d----- c:\program files\FirePower
2009-06-22 16:37 189,448 a------- c:\windows\system32\PnkBstrB.xtr
2009-06-21 23:25 <DIR> --d----- c:\program files\Fraps
2009-06-19 19:52 <DIR> --d----- c:\program files\Comodo
2009-06-18 10:59 <DIR> --d----- c:\program files\Microsoft
2009-06-16 23:51 <DIR> --d----- c:\program files\FileASSASSIN
2009-06-16 23:32 <DIR> --d----- c:\program files\VirusTotalUploader
2009-06-16 22:02 <DIR> --d----- c:\program files\Virtual Earth 3D
2009-06-13 13:48 <DIR> --d----- c:\program files\Activision
2009-06-12 15:20 <DIR> --d----- c:\program files\IObit
2009-06-12 15:14 39,424 a------- c:\windows\zipinst.exe
2009-06-12 15:14 <DIR> --d----- c:\program files\ShellExView
2009-06-11 19:23 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-06-11 19:23 <DIR> --d----- c:\program files\MSECACHE
2009-06-11 16:29 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-10 08:35 1,194,528 a------- c:\windows\system32\nvcplui.exe
2009-06-10 08:35 420,384 a------- c:\windows\system32\nvcpl.cpl
2009-06-10 08:35 1,296,928 a------- c:\windows\system32\nvsvs.dll
2009-06-10 06:33 244,736 a------- c:\windows\system32\nvStInst.exe
2009-06-10 06:33 467,968 a------- c:\windows\system32\nvstlink.exe
2009-06-10 06:33 3,953,152 a------- c:\windows\system32\nvstwiz.exe
2009-06-10 06:33 141,824 a------- c:\windows\system32\nvStereoApiI.dll
2009-06-10 06:33 171,520 a------- c:\windows\system32\nvStereoApiI64.dll
2009-06-10 06:33 232,960 a------- c:\windows\system32\nvSCPAPISvr.exe
2009-06-10 06:32 257,536 a------- c:\windows\system32\nvSCPAPI.dll
2009-06-10 06:32 301,568 a------- c:\windows\system32\nvSCPAPI64.dll
2009-06-10 06:32 3,293,184 a------- c:\windows\system32\nvstres.dll
2009-06-10 06:32 5,847 a------- c:\windows\system32\oglstreg.reg
2009-06-10 06:31 167,424 a------- c:\windows\system32\nvstreg.exe
2009-06-10 06:31 1,718,272 a------- c:\windows\system32\nvsttest.exe
2009-06-10 06:31 1,034,752 a------- c:\windows\system32\nvstview.exe
2009-06-10 06:31 89,088 a------- c:\windows\system32\nvimage.dll
2009-06-10 06:29 1,656 a------- c:\windows\system32\nvstdef.reg
2009-06-10 06:03 10,379,264 a------- c:\windows\system32\nvoglv32.dll
2009-06-10 06:03 9,899,296 a------- c:\windows\system32\drivers\nvlddmkm.sys
2009-06-10 06:03 3,148,288 a------- c:\windows\system32\nvwgf2um.dll
2009-06-10 06:03 1,704,960 a------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,317,408 a------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 678,432 a------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod155.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll
2009-06-10 06:03 10,060 a------- c:\windows\system32\nvdisp.nvu
2009-06-10 06:03 4,224 a------- c:\windows\system32\drivers\nvBridge.kmd
2009-06-08 22:46 <DIR> --d----- c:\users\admini~1\appdata\roaming\IObit
2009-06-06 15:30 138,016 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-06 15:30 22,328 a------- c:\users\admini~1\appdata\roaming\PnkBstrK.sys
2009-06-06 15:30 189,448 a------- c:\windows\system32\PnkBstrB.exe
2009-06-06 15:30 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-06 15:30 319 a------- c:\windows\game.ini
2009-06-06 14:35 81,527 a------- c:\programdata\nvModes.dat
2009-06-06 14:35 81,527 a------- c:\progra~2\nvModes.dat
2009-06-06 14:31 <DIR> --d----- c:\windows\system32\AGEIA
2009-06-06 14:30 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-06 13:26 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-06-06 13:12 <DIR> --d----- c:\program files\NVIDIA Corporation
2009-06-06 12:15 53,248 a------- c:\windows\system32\CSVer.dll
2009-06-06 01:02 <DIR> --d----- c:\program files\Windows SteadyState
2009-06-05 23:33 <DIR> --d----- c:\program files\YouTube Downloader
2009-06-05 18:04 <DIR> --d----- c:\program files\iPod
2009-06-05 18:04 <DIR> --d----- c:\program files\iTunes
2009-06-05 15:47 <DIR> --d----- c:\users\administrator\CFS3 Backup
2009-06-04 15:19 <DIR> --d----- c:\users\admini~1\appdata\roaming\GetRightToGo
2009-06-03 17:56 <DIR> --d----- c:\program files\Trend Micro
2009-06-02 18:23 <DIR> --d----- c:\program files\Avira

==================== Find3M ====================

2009-06-27 13:43 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-27 13:43 51,200 a------- c:\windows\inf\infpub.dat
2009-06-27 13:43 86,016 a------- c:\windows\inf\infstor.dat
2009-06-21 14:02 162,944 a------- c:\windows\system32\drivers\RT25USBAP.SYS
2009-06-21 14:02 4,350 a------- c:\windows\system32\drivers\RT25USBAP.CAT
2009-06-10 08:34 3,123,744 a------- c:\windows\system32\nvwss.dll
2009-06-10 08:34 4,045,344 a------- c:\windows\system32\nvvitvs.dll
2009-06-10 08:34 4,028,960 a------- c:\windows\system32\nvdisps.dll
2009-06-10 08:34 3,516,960 a------- c:\windows\system32\nvgames.dll
2009-06-10 08:34 1,288,736 a------- c:\windows\system32\nvmobls.dll
2009-06-10 08:34 211,488 a------- c:\windows\system32\nvvsvc.exe
2009-06-10 08:34 195,104 a------- c:\windows\system32\nvmccss.dll
2009-06-10 08:34 13,785,632 a------- c:\windows\system32\nvcpl.dll
2009-06-10 08:34 768,544 a------- c:\windows\system32\nvsvc.dll
2009-06-10 08:34 143,360 a------- c:\windows\system32\nvshext.dll
2009-06-10 08:34 92,704 a------- c:\windows\system32\nvmctray.dll
2009-06-10 06:03 7,611,904 a------- c:\windows\system32\nvd3dum.dll
2009-06-10 06:03 989,696 a------- c:\windows\system32\nvapi.dll
2009-06-04 16:39 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-05-30 11:11 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 20:35 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-05-12 22:01 166,386 a------- c:\windows\hpoins28.dat
2009-05-12 20:21 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod146.dll
2009-04-28 09:55 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-04-23 08:14 623,616 a------- c:\windows\system32\localspl.dll
2009-04-21 07:39 2,034,688 a------- c:\windows\system32\win32k.sys
2009-04-10 23:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-10 23:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-10 23:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-10 23:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-10 23:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-10 23:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-10 23:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-10 23:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-10 23:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-10 23:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-10 23:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-10 23:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-10 23:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-10 23:27 526,336 a------- c:\windows\system32\RMActivate_isv.exe
2009-04-10 23:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-10 23:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-10 22:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-10 22:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-10 21:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-10 21:55 2,048 a------- c:\windows\system32\mferror.dll
2009-04-10 21:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-10 21:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-10 21:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-10 21:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-10 18:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:24:36.73 ===============

Edited by gamemaster406, 02 July 2009 - 12:31 PM.


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 04 July 2009 - 09:05 AM

Hello gamemaster406. Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.

I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I need to get a little different look at your system so please perform the following:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

In your next reply please include both the ESET and GMER reports.

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 gamemaster406

  • Topic Starter
  • Members
  • 44 posts

Posted 04 July 2009 - 04:36 PM

Hi, I've tried everything, but I can't seem to get the signature updates when I try to do the ESET Online Scan. On the first try it gave me error 2003, and on the second try it couldn't connect to the servers and thought I was using a proxy, which I am not... Maybe it's a temporary problem on their servers, or maybe it's me, I'm not sure. I'll have to try later and see if I can actually get the signature updates so I can even run the scan.

I do however have the GMER report posted below.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-04 17:36:19
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x8EB6E880]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x8EB6E4E0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8EB6B828]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8EB81D9C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x8EB6EC36]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8EB7FAF8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x8EB7FD12]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x8EB83780]
SSDT 8176A6D4 ZwCreateThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x8EB6ECDE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8EB6BD0A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8EB82698]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8EB82414]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x8EB7F4F8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8EB82BC6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x8EB82C3E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x8EB82D2E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8EB6BBA2]
SSDT 8176A6C0 ZwOpenProcess
SSDT 8176A6C5 ZwOpenThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8EB83370]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8EB82DA6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x8EB6E16A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8EB831B0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x8EB6E680]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8EB6BEF8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8EB8211A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x8EB80486]
SSDT 8176A6CF ZwTerminateProcess
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x8EB7FF30]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 13D 81EFC880 4 Bytes CALL 2B0F573B
.text ntkrnlpa.exe!KeSetEvent + 1C1 81EFC904 4 Bytes [E0, E4, B6, 8E] {LOOPNZ 0xffffffffffffffe6; MOV DH, 0x8e}
.text ntkrnlpa.exe!KeSetEvent + 1D9 81EFC91C 4 Bytes [28, B8, B6, 8E]
.text ntkrnlpa.exe!KeSetEvent + 1E9 81EFC92C 4 Bytes [9C, 1D, B8, 8E]
.text ntkrnlpa.exe!KeSetEvent + 205 81EFC948 12 Bytes [36, EC, B6, 8E, F8, FA, B7, ...]
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73687817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [736DA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7368BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7367F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [736875E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7367E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [736B8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7368DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7367FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7367FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [736771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7370CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [736AC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7367D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73676853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7367687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2100] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73682AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by gamemaster406, 04 July 2009 - 04:39 PM.


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:43 AM

Posted 04 July 2009 - 08:30 PM

If you can't get it just let me know and we'll do something else.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 gamemaster406

gamemaster406
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 05 July 2009 - 02:03 PM

If you can't get it just let me know and we'll do something else.



Nope, it still cannot connect to their servers, so I think its their problem not mine.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:43 AM

Posted 05 July 2009 - 03:39 PM

Try Kaspersky:

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

#9 gamemaster406

gamemaster406
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 06 July 2009 - 02:44 PM

Here is the Kaspersky Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 6, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 06, 2009 20:02:47
Records in database: 2433336
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 108604
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:12:54

No malware has been detected. The scan area is clean.

The selected area was scanned.

Edited by gamemaster406, 06 July 2009 - 02:44 PM.


#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:43 AM

Posted 06 July 2009 - 03:12 PM

That looked good and Kaspersky is one of our better scanners. Does everything still seem to be running OK?

#11 gamemaster406

gamemaster406
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 06 July 2009 - 03:33 PM

That looked good and Kaspersky is one of our better scanners. Does everything still seem to be running OK?


My computer has been running up to normal speed, which definitely wasn't the case when I first posted this topic. What I originally did, before I posted this topic I got rid of about 20 infections with SUPERAntiSpyware, so I posted here to see what your thoughts were if I still had any infection, but since both the GMER and KAS scans came up clean, I think the infection is gone. :thumbup2:

-Mike

Edited by gamemaster406, 06 July 2009 - 03:36 PM.


#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:43 AM

Posted 06 July 2009 - 04:20 PM

That sounds great. Looks like you are good to go. :thumbup2:

I didn't see your Avira showing up in the last DDS scan header. I saw the service running so just want to make sure it is enabled.


Uninstalling GMER:

for XP
Start ---> Run, copy/paste C:\WINDOWS\gmer_uninstall.cmd in the Run window and click Okay

for Vista, the command needs to be run from a command prompt with elevated permissions.



Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and enable system restore here: Windows Vista System Restore Guide
    Re-enable system restore with instructions from tutorial above.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  • Finally, this is very important. It is absolutely essential to keep all of your security programs up to date



If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. :)


thewall
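The Internet Explorer zone settings and the ActiveX kill bits mentioned in the hardening steps above can be verified from PowerShell. The script below is an added example, not part of this thread or of SpywareBlaster; it assumes the usual registry locations (the Internet zone is Zones\3, the three ActiveX settings are values 1001, 1004 and 1201, and a kill bit is bit 0x400 of "Compatibility Flags" under ActiveX Compatibility).

```powershell
# Added audit script: checks the Internet zone ActiveX settings the thread recommends
# and lists CLSIDs that have a kill bit set. Assumptions are noted inline.

# Zone 3 is the Internet zone. Setting values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$expected = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';              Want = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';            Want = 1 }  # Prompt
    '1201' = @{ Name = 'Initialize and script ActiveX not marked safe'; Want = 3 }  # Disable
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    # Returns one row per setting with the current value, the recommended value and a pass flag.
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($id in $expected.Keys) {
        $actual = $zone.$id
        $current = if ($null -ne $actual -and $labels.ContainsKey([int]$actual)) {
            $labels[[int]$actual]
        } else {
            "raw=$actual"   # unset or a value outside the three documented levels
        }
        [pscustomobject]@{
            Setting  = $expected[$id].Name
            Current  = $current
            Expected = $labels[$expected[$id].Want]
            OK       = ($actual -eq $expected[$id].Want)
        }
    }
}

function Get-ActiveXKillBits {
    # Assumption: kill bits live as bit 0x400 of "Compatibility Flags" under each CLSID key.
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band 0x400)) {
            [pscustomobject]@{ CLSID = $_.PSChildName; Flags = ('0x{0:X}' -f $flags) }
        }
    }
}

Test-InternetZoneActiveX | Format-Table -AutoSize
$killBits = @(Get-ActiveXKillBits)
"Kill bits set for $($killBits.Count) CLSIDs (first 10 shown)"
$killBits | Select-Object -First 10 | Format-Table -AutoSize
```

Any row with OK = False means the Internet zone still allows the ActiveX behaviour the steps above tell you to prompt for or disable; a kill-bit count of zero means no control has been blocked yet.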

#13 gamemaster406

gamemaster406
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 06 July 2009 - 05:07 PM

Thank you for your help, I appreciate it!

-Mike

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:43 AM

Posted 06 July 2009 - 05:43 PM

You're very welcome! :thumbup2:

#15 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:43 AM

Posted 07 July 2009 - 08:11 AM

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.



