
Strange HJT entry after malware removal that results in blue screen of death


  • This topic is locked
12 replies to this topic

#1 jonjag

  • Members
  • 13 posts

Posted 30 June 2009 - 04:49 PM

Earlier today I was infected with tons of malware. I booted up in safe mode and ran MBAM and Combofix. I thought that I had removed everything except for 1 rootkit (which mbam schedules to remove at start up, but doesn't remove) that I was going to use a rootkit scanner to remove. (I've had the same rootkit before, str.sys.) Upon rebooting and logging on in normal mode I get the stop: 0x0000008E error. I then rebooted in safe mode again and ran HJT. I noticed some strange entries that I associated with the blue screen. I was able to delete all but one that keeps coming back after a reboot. I don't know what to do; I've never had this much trouble removing an infection before. Thank you in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:09 PM, on 6/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-us
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Google Update Service (gupdate1c9a81e4d5ce0ac) (gupdate1c9a81e4d5ce0ac) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4355 bytes



#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 04 July 2009 - 05:08 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 jonjag
  • Topic Starter

  • Members
  • 13 posts

Posted 05 July 2009 - 05:16 PM

Thank you for taking the time to respond. After installing unhackme I was since able to get my computer to boot normally. But there are still some kinds of errors. My firewall is disabled and I can't bring up the user interface. And this entry is still present: "mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k "

DDS (Ver_09-06-26.01) - NTFSx86
Run by Jon at 18:10:31.17 on Sun 07/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.550 [GMT -4:00]

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Jon\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\r27bma1g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-12-24 16384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-6-30 34760]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-21 353672]
S2 awouqpig;Volume Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-12-24 105472]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S4 EE;EE;c:\docume~1\jon\locals~1\temp\EE.exe [2009-6-30 564096]
S4 TLEVSOALXTO;TLEVSOALXTO;c:\docume~1\jon\locals~1\temp\TLEVSOALXTO.exe [2009-6-30 383872]

=============== Created Last 30 ================

2009-06-30 21:49 <DIR> --d----- C:\RootkitNO
2009-06-30 21:48 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-06-30 21:48 32,480 a------- c:\windows\system32\Partizan.exe
2009-06-30 21:48 2 a--shrot c:\windows\winstart.bat
2009-06-30 21:47 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-06-30 21:47 <DIR> --d----- c:\program files\UnHackMe
2009-06-30 16:36 <DIR> --d----- c:\documents and settings\jon\DoctorWeb
2009-06-30 14:48 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-30 14:40 161,792 a------- c:\windows\SWREG.exe
2009-06-30 14:40 155,136 a------- c:\windows\PEV.exe
2009-06-30 14:40 98,816 a------- c:\windows\sed.exe
2009-06-30 13:29 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-06-30 13:29 103,360 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-06-30 13:29 60,800 a------- c:\windows\system32\drivers\arp1394.sys
2009-06-30 13:29 14,336 a------- c:\windows\system32\drivers\asyncmac.sys
2009-06-30 13:29 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-24 03:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-06-24 03:31 <DIR> --d----- c:\docume~1\jon\applic~1\DAEMON Tools Pro
2009-06-24 03:15 <DIR> --d----- c:\program files\DAEMON Tools Pro
2009-06-24 03:12 685,816 a------- c:\windows\system32\drivers\sptd.sys
2009-06-23 16:21 <DIR> --d----- c:\program files\uTorrent
2009-06-23 16:20 <DIR> --d----- c:\docume~1\jon\applic~1\uTorrent
2009-06-21 21:57 <DIR> --d----- c:\program files\PowerISO
2009-06-21 21:33 <DIR> --d----- c:\program files\WinISO
2009-06-21 21:18 <DIR> --d----- c:\program files\MagicISO
2009-06-08 22:53 <DIR> --d----- c:\program files\FlashFXP
2009-06-08 22:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FlashFXP
2009-06-08 01:57 <DIR> --d----- c:\program files\1964
2009-06-08 01:54 <DIR> --d----- c:\program files\Project64 1.6

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-12 16:46 2,876,719 a------- c:\documents and settings\jon\mbam-setup.exe.pif
2009-01-06 01:21 47,360 a------- c:\docume~1\jon\applic~1\pcouffin.sys
2009-02-28 12:32 88 ---shr-- c:\windows\system32\BEB3C63199.sys
2009-02-28 12:33 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-16 15:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011620090117\index.dat

============= FINISH: 18:10:38.25 ===============
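The DDS log above is read by eye in this thread; the following is an added Python example (not code from the forum, from DDS, or from the helpers here) that applies a few first-pass triage rules to lines copied from the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of that log. It flags services and drivers whose binary lives in a temp directory, svchost-hosted services whose short name is not on an allowlist, and marks the `KernelFaultCheck` Run entry as benign: that entry is written by Windows itself after a crash so that `dumprep.exe` can report the bug check, which is why it reappears after the blue screen. The `KNOWN_BENIGN_RUN` and `KNOWN_NETSVCS` allowlists are constructed for this illustration and are not complete; the output says "review", not "malware", because a helper still has to look at each flagged line.

```python
import re
from dataclasses import dataclass

# Lines copied from the DDS log posted above (constructed sample input for this
# example; the rules below are an added illustration, not the helpers' analysis).
SAMPLE_LOG = r"""
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-21 353672]
S2 awouqpig;Volume Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S4 EE;EE;c:\docume~1\jon\locals~1\temp\EE.exe [2009-6-30 564096]
S4 TLEVSOALXTO;TLEVSOALXTO;c:\docume~1\jon\locals~1\temp\TLEVSOALXTO.exe [2009-6-30 383872]
"""

# "uRun:" / "mRun:" lines: [name] command
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "R0/S4 ..." lines: state short;display;image [date size]
SVC_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<short>[^;]+);(?P<display>[^;]*);(?P<image>.*?)"
    r"(?: \[(?P<meta>[^\]]*)\])?$"
)
# A path component named "temp" anywhere in the image path.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Hypothetical allowlist for this example: Run entries Windows itself creates.
KNOWN_BENIGN_RUN = {
    "KernelFaultCheck": "Windows crash-dump reporting entry (dumprep.exe) written after a bug check",
}
# Hypothetical allowlist for this example: netsvcs members accepted without review.
KNOWN_NETSVCS = {"wuauserv", "browser", "schedule", "winmgmt", "themes"}


@dataclass
class Finding:
    line: str
    verdict: str  # "benign", "review" or "ok"
    reason: str


def classify_run(name: str, cmd: str) -> tuple[str, str]:
    """Triage one autorun entry."""
    if name in KNOWN_BENIGN_RUN:
        return "benign", KNOWN_BENIGN_RUN[name]
    if TEMP_DIR_RE.search(cmd):
        return "review", "autorun command launches from a temp directory"
    return "ok", "no rule matched"


def classify_service(short: str, image: str) -> tuple[str, str]:
    """Triage one service/driver entry."""
    if TEMP_DIR_RE.search(image):
        return "review", "service/driver binary lives in a temp directory"
    if "svchost.exe" in image.lower() and short.lower() not in KNOWN_NETSVCS:
        return "review", "svchost-hosted service not on the netsvcs allowlist"
    return "ok", "no rule matched"


def triage(log_text: str) -> list[Finding]:
    """Parse the recognised DDS line types and return one Finding per line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            verdict, reason = classify_run(m["name"], m["cmd"])
            findings.append(Finding(line, verdict, reason))
            continue
        m = SVC_RE.match(line)
        if m:
            verdict, reason = classify_service(m["short"], m["image"])
            findings.append(Finding(line, verdict, reason))
    return findings


def needs_review(log_text: str) -> list[str]:
    """Only the lines a human should look at next."""
    return [f.line for f in triage(log_text) if f.verdict == "review"]


def summarize(log_text: str) -> dict[str, int]:
    """Count findings per verdict."""
    counts = {"ok": 0, "benign": 0, "review": 0}
    for f in triage(log_text):
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:7s} {f.reason}\n        {f.line}")
```

Run as a script it prints one verdict per recognised line; the temp-directory rule is the one that does most of the work on this log, and the allowlist for `svchost`-hosted services is the part that needs tuning per Windows version before it is useful on real machines.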

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 July 2009 - 06:59 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.


I see evidence of infections left, though it may not be active.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 jonjag
  • Topic Starter

  • Members
  • 13 posts

Posted 09 July 2009 - 01:05 AM

I haven't really made any changes. My computer wouldn't boot up normally until I installed unhackme in safe mode. Thank you for assisting me. Here are the logs. I must say that Gmer has one of the longest scan times of any utility I've ever used.

ComboFix 09-07-08.02 - Jon 07/08/2009 17:03.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.741 [GMT -4:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\160392.msi
c:\windows\Installer\17140474.msi
c:\windows\Installer\248d02.msi
c:\windows\Installer\cee60.msi
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\mdm.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_pcmstub


((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-08 19:20 . 2009-07-08 19:20 -------- d-----w- c:\program files\Web Publish
2009-07-03 05:15 . 2009-07-03 05:16 -------- d-----w- c:\documents and settings\Jon\Application Data\vlc
2009-07-01 01:49 . 2009-07-06 23:49 -------- d-----w- C:\RootkitNO
2009-07-01 01:48 . 2009-07-01 01:48 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-07-01 01:48 . 2009-07-01 01:48 32480 ----a-w- c:\windows\system32\Partizan.exe
2009-07-01 01:48 . 2009-07-01 01:48 2 --shatr- c:\windows\winstart.bat
2009-07-01 01:47 . 2008-12-22 19:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-07-01 01:47 . 2009-07-01 01:49 -------- d-----w- c:\program files\UnHackMe
2009-06-30 20:36 . 2009-06-30 20:36 -------- d-----w- c:\documents and settings\Jon\DoctorWeb
2009-06-30 17:29 . 2008-11-12 19:57 103360 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-06-30 17:29 . 2008-04-13 18:57 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2009-06-30 17:29 . 2008-04-13 18:51 60800 ----a-w- c:\windows\system32\drivers\arp1394.sys
2009-06-30 17:29 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2009-06-25 22:16 . 2009-06-25 22:16 -------- d-----w- c:\program files\7-Zip
2009-06-24 07:32 . 2009-06-24 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-06-24 07:31 . 2009-06-24 07:32 -------- d-----w- c:\documents and settings\Jon\Application Data\DAEMON Tools Pro
2009-06-24 07:15 . 2009-06-24 22:53 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-06-24 07:12 . 2009-06-24 07:12 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-23 20:21 . 2009-06-23 20:21 -------- d-----w- c:\program files\uTorrent
2009-06-23 20:20 . 2009-07-08 20:53 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent
2009-06-22 01:57 . 2009-06-22 01:57 -------- d-----w- c:\program files\PowerISO
2009-06-22 01:33 . 2009-06-22 01:33 -------- d-----w- c:\program files\WinISO
2009-06-22 01:18 . 2009-06-22 01:18 -------- d-----w- c:\program files\MagicISO
2009-06-17 18:26 . 2009-06-17 18:26 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-09 02:53 . 2009-06-25 05:49 -------- d-----w- c:\program files\FlashFXP
2009-06-09 02:53 . 2009-06-09 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FlashFXP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 21:10 . 2008-11-18 23:22 -------- d-----w- c:\program files\DNA
2009-07-08 21:10 . 2008-11-18 23:22 -------- d-----w- c:\documents and settings\Jon\Application Data\DNA
2009-07-08 20:12 . 2009-03-17 05:54 117760 ----a-w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 23:57 . 2008-08-18 23:49 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-06 23:48 . 2008-11-10 20:42 8840094 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-07-06 05:54 . 2009-01-06 05:21 -------- d-----w- c:\documents and settings\Jon\Application Data\Vso
2009-07-03 15:03 . 2006-12-07 06:25 -------- d-----w- c:\documents and settings\Jon\Application Data\Aim
2009-07-03 15:02 . 2006-12-07 06:24 -------- d-----w- c:\program files\AIM
2009-07-03 15:02 . 2006-12-07 06:24 -------- d-----w- c:\program files\Viewpoint
2009-07-03 15:02 . 2006-12-07 06:24 -------- d-----w- c:\program files\AOD
2009-07-03 05:02 . 2006-08-12 15:44 -------- d-----w- c:\documents and settings\Jon\Application Data\BitTorrent
2009-06-30 17:29 . 2009-06-30 17:29 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-24 20:05 . 2008-08-19 01:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-17 18:26 . 2009-05-31 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:27 . 2009-05-31 04:52 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-05-31 04:52 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 00:57 . 2009-03-05 21:41 -------- d-----w- c:\documents and settings\Jon\Application Data\dvdcss
2009-06-08 05:57 . 2009-06-08 05:57 -------- d-----w- c:\program files\1964
2009-06-08 05:55 . 2009-06-08 05:54 -------- d-----w- c:\program files\Project64 1.6
2009-06-08 05:54 . 2009-06-08 05:54 8854 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-06-08 05:54 . 2009-06-08 05:54 40960 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-06-08 05:54 . 2009-06-08 05:54 40960 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-05-27 18:31 . 2008-07-08 00:25 -------- d-----w- c:\program files\Maxis
2009-05-26 05:28 . 2008-12-18 02:43 -------- d-----w- c:\program files\dvdSanta
2009-05-24 14:23 . 2009-05-24 14:23 11410 ----a-w- c:\documents and settings\Jon\Application Data\Corel Photo Album\msgdi.dll
2009-05-24 14:23 . 2009-05-24 14:23 10121 ----a-w- c:\documents and settings\Jon\Application Data\CyberLink\kern.dll
2009-05-24 14:23 . 2009-05-24 14:23 16141 ----a-w- c:\documents and settings\Jon\Application Data\Corel\lego.exe
2009-05-24 14:23 . 2006-11-05 06:47 -------- d-----w- c:\documents and settings\Jon\Application Data\Corel Photo Album
2009-05-24 14:23 . 2006-08-08 09:03 -------- d-----w- c:\documents and settings\Jon\Application Data\CyberLink
2009-05-24 14:23 . 2009-05-24 14:23 422 ----a-w- c:\documents and settings\Jon\Application Data\Apple Computer\socks1.exe
2009-05-24 14:23 . 2009-05-24 14:23 145131 ----a-w- c:\documents and settings\Jon\Application Data\BitTorrent\nomad.exe
2009-05-24 14:23 . 2009-05-24 14:23 13221 ----a-w- c:\documents and settings\Jon\Application Data\AdobeUM\rengo.dll
2009-05-24 14:23 . 2009-05-24 14:23 11232 ----a-w- c:\documents and settings\Jon\Application Data\Adobe\shalom.exe
2009-05-24 14:23 . 2008-09-09 07:07 -------- d-----w- c:\documents and settings\Jon\Application Data\Apple Computer
2009-05-24 14:23 . 2007-03-04 20:43 -------- d-----w- c:\documents and settings\Jon\Application Data\Corel
2009-05-24 14:23 . 2006-08-09 04:03 -------- d-----w- c:\documents and settings\Jon\Application Data\AdobeUM
2009-05-19 16:28 . 2009-05-19 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2009-05-16 06:17 . 2006-08-09 04:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-12 06:30 . 2006-08-08 02:05 39392 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 06:28 . 2009-05-12 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-12 06:19 . 2009-05-12 06:19 -------- d-----w- c:\program files\Adobe Media Player
2009-05-10 21:17 . 2006-08-02 03:18 -------- d-----w- c:\program files\Java
2009-05-10 21:16 . 2009-05-10 21:16 152576 ----a-w- c:\documents and settings\Jon\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-02-28 16:32 . 2006-08-14 04:39 88 --sh--r- c:\windows\system32\BEB3C63199.sys
2009-02-28 16:33 . 2006-08-14 04:39 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_18.46.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-08 21:09 . 2009-07-08 21:09 16384 c:\windows\temp\Perflib_Perfdata_e4.dat
+ 1998-06-12 04:00 . 1998-06-12 04:00 30720 c:\windows\system32\WINDBVER.EXE
+ 1998-06-16 04:00 . 1998-06-16 04:00 24990 c:\windows\system32\VFP6RUN.EXE
+ 1998-05-06 04:00 . 1998-05-06 04:00 57344 c:\windows\system32\VBAME.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 89360 c:\windows\system32\VB5DB.DLL
+ 2006-08-09 04:38 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2006-08-09 04:38 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 1998-04-24 04:00 . 1998-04-24 04:00 32256 c:\windows\system32\SELFREG.DLL
+ 1998-03-24 04:00 . 1998-03-24 04:00 15872 c:\windows\system32\SCP32.DLL
+ 1998-06-10 04:00 . 1998-06-10 04:00 15120 c:\windows\system32\REPUTIL.DLL
+ 1998-04-30 04:00 . 1998-04-30 04:00 13072 c:\windows\system32\REGCLADM.EXE
+ 1998-06-18 04:00 . 1998-06-18 04:00 32768 c:\windows\system32\RACREG32.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 61440 c:\windows\system32\RACMGR32.EXE
+ 1998-05-14 18:36 . 1998-05-14 18:36 98496 c:\windows\system32\POSTWPP.DLL
+ 1998-02-23 17:42 . 1998-02-23 17:42 50816 c:\windows\system32\PIPARSE.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 16896 c:\windows\system32\ODKOB32.DLL
+ 1998-05-31 04:00 . 1998-05-31 04:00 72704 c:\windows\system32\ODBCTL32.DLL
+ 1998-04-29 00:29 . 1998-04-29 00:29 62224 c:\windows\system32\nwapi32.dll
+ 1998-06-17 04:00 . 1998-06-17 04:00 94285 c:\windows\system32\MSVCIRTD.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 94208 c:\windows\system32\MSSTKPRP.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 24848 c:\windows\system32\MSJTER35.DLL
+ 1998-05-25 04:00 . 1998-05-25 04:00 10062 c:\windows\system32\MSDBGEN.DLL
+ 1998-05-25 04:00 . 1998-05-25 04:00 69120 c:\windows\system32\MSDBG.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 77824 c:\windows\system32\MSBIND.DLL
+ 1998-06-17 04:00 . 1998-06-17 04:00 41013 c:\windows\system32\MFCN42D.DLL
+ 1998-06-20 04:00 . 1998-06-20 04:00 65200 c:\windows\system32\MDT2FW95.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 31744 c:\windows\system32\HLP95EN.DLL
+ 1998-02-23 17:42 . 1998-02-23 17:42 98960 c:\windows\system32\FTPWPP.DLL
+ 1998-05-14 18:36 . 1998-05-14 18:36 91920 c:\windows\system32\FPWPP.DLL
+ 1998-06-17 04:00 . 1998-06-17 04:00 24649 c:\windows\system32\DEVTLDC.DLL
+ 1998-06-24 04:00 . 1998-06-24 04:00 11536 c:\windows\system32\DBMSSOCN.DLL
+ 1998-06-24 04:00 . 1998-06-24 04:00 16656 c:\windows\system32\DBMSSHRN.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 45056 c:\windows\system32\DBADAPT.DLL
+ 2009-06-24 19:18 . 2009-06-30 21:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-24 19:18 . 2009-06-30 18:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-08-08 01:32 . 2009-06-30 18:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-08-08 01:32 . 2009-06-30 21:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-08-08 01:32 . 2009-06-30 18:44 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-08-08 01:32 . 2009-06-30 21:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 1998-04-24 04:00 . 1998-04-24 04:00 57344 c:\windows\system32\COMMTB32.DLL
+ 1998-05-07 04:00 . 1998-05-07 04:00 86528 c:\windows\system\VI30WRP.DLL
+ 1998-05-25 04:00 . 1998-05-25 04:00 84225 c:\windows\system\VI30AUT.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 98576 c:\windows\system\FP30TXT.DLL
+ 2008-12-06 04:55 . 2008-12-06 04:55 62464 c:\windows\Installer\c902b2.msi
+ 2009-05-12 06:19 . 2009-05-12 06:19 23552 c:\windows\Installer\761f88.msi
+ 2009-05-09 02:16 . 2009-05-09 02:16 22528 c:\windows\Installer\734bd21.msi
+ 2009-03-27 15:25 . 2009-03-27 15:25 62464 c:\windows\Installer\283f2cb.msi
+ 2006-08-02 03:28 . 2006-08-02 03:28 72704 c:\windows\Installer\12006.msi
+ 1998-02-23 17:42 . 1998-02-23 17:42 109504 c:\windows\system32\WPWIZDLL.DLL
+ 1998-02-23 17:42 . 1998-02-23 17:42 145360 c:\windows\system32\WEBPOST.DLL
+ 1998-06-16 04:00 . 1998-06-16 04:00 934672 c:\windows\system32\vfpodbc.dll
+ 1998-06-16 04:00 . 1998-06-16 04:00 875520 c:\windows\system32\VFP6RENU.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 368912 c:\windows\system32\VBAR332.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 102912 c:\windows\system32\VB6STKIT.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 153600 c:\windows\system32\TLBINF32.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 118784 c:\windows\system32\SQLPARSE.DLL
+ 1998-06-05 04:00 . 1998-06-05 04:00 178609 c:\windows\system32\SCRIPTLE.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 151552 c:\windows\system32\RDOCURS.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 184070 c:\windows\system32\PDM.DLL
+ 1998-06-17 04:00 . 1998-06-17 04:00 385100 c:\windows\system32\MSVCRTD.DLL
+ 2002-01-05 08:37 . 2002-12-18 21:46 344064 c:\windows\system32\msvcr70.dll
- 2002-01-05 08:37 . 2002-01-05 09:37 344064 c:\windows\system32\msvcr70.dll
+ 1998-06-17 04:00 . 1998-06-17 04:00 516173 c:\windows\system32\MSVCP60D.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 118784 c:\windows\system32\MSSTDFMT.DLL
+ 1998-06-10 04:00 . 1998-06-10 04:00 175256 c:\windows\system32\MSSDM.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 407312 c:\windows\system32\MSREPL35.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 393216 c:\windows\system32\MSRDO20.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 252176 c:\windows\system32\MSRD2X35.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 123664 c:\windows\system32\MSJINT35.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 299008 c:\windows\system32\MSDBRPTR.DLL
+ 1998-06-18 04:00 . 1998-06-18 04:00 311296 c:\windows\system32\MSDBRPT.DLL
+ 1998-06-17 04:00 . 1998-06-17 04:00 798773 c:\windows\system32\MFCO42D.DLL
+ 1998-06-17 04:00 . 1998-06-17 04:00 274485 c:\windows\system32\MFCD42D.DLL
+ 1998-06-17 04:00 . 1998-06-17 04:00 929844 c:\windows\system32\MFC42D.DLL
+ 1998-06-12 04:00 . 1998-06-12 04:00 230861 c:\windows\system32\JAVALE.DLL
+ 1998-06-01 04:00 . 1998-06-01 04:00 182226 c:\windows\system32\HTMUTIL.DLL
+ 2004-08-10 17:51 . 2008-06-20 11:51 361600 c:\windows\system32\drivers\tcpip.sys
+ 2004-08-10 17:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
+ 1998-02-23 17:42 . 1998-02-23 17:42 120960 c:\windows\system32\CRSWPP.DLL
+ 1998-05-31 04:00 . 1998-05-31 04:00 140288 c:\windows\system32\AUTPRX32.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 153088 c:\windows\system32\AUTMGR32.EXE
+ 1998-04-29 00:29 . 1998-04-29 00:29 119056 c:\windows\system32\adsnw.dll
+ 1998-04-29 00:29 . 1998-04-29 00:29 153360 c:\windows\system32\adsnds.dll
+ 1998-04-24 04:00 . 1998-04-24 04:00 706832 c:\windows\system\FP30WEL.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 408848 c:\windows\system\FP30WEC.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 435984 c:\windows\system\FP30UTL.DLL
+ 2008-08-18 21:46 . 2004-08-04 10:00 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
+ 2008-08-18 21:46 . 2004-08-04 10:00 863232 c:\windows\ServicePackFiles\i386\digopt.msi
+ 2008-07-24 20:04 . 2008-07-24 20:04 289792 c:\windows\Installer\9afe0.msi
+ 2009-03-15 04:12 . 2009-03-15 04:12 598016 c:\windows\Installer\7cf3605.msi
+ 2008-11-14 18:07 . 2008-11-14 18:07 432640 c:\windows\Installer\79cf1a6.msi
+ 2004-08-10 18:08 . 2004-08-10 18:08 264704 c:\windows\Installer\7506.msi
+ 2006-09-16 00:34 . 2006-09-16 00:34 187904 c:\windows\Installer\73bc9f.msi
+ 2006-08-02 03:18 . 2006-08-02 03:18 621056 c:\windows\Installer\5a035.msi
+ 2006-11-17 08:01 . 2006-11-17 08:01 428544 c:\windows\Installer\3f8580.msi
+ 2009-03-01 00:18 . 2009-03-01 00:18 236032 c:\windows\Installer\1982a6f.msi
+ 2006-08-02 03:46 . 2006-08-02 03:46 634880 c:\windows\Installer\18a72.msi
+ 2007-08-16 16:30 . 2007-08-16 16:30 431104 c:\windows\Installer\122d32f5.msi
+ 2006-08-02 03:42 . 2006-08-02 03:42 636416 c:\windows\Installer\121cd.msi
+ 2006-08-02 03:39 . 2006-08-02 03:39 259584 c:\windows\Installer\121c3.msi
+ 2006-08-02 03:38 . 2006-08-02 03:38 285696 c:\windows\Installer\12083.msi
+ 2006-08-02 03:32 . 2006-08-02 03:32 655360 c:\windows\Installer\1204f.msi
+ 2006-08-02 03:31 . 2006-08-02 03:31 157184 c:\windows\Installer\12034.msi
+ 2006-08-02 03:31 . 2006-08-02 03:31 198144 c:\windows\Installer\1201c.msi
+ 2006-08-02 03:28 . 2006-08-02 03:28 721408 c:\windows\Installer\12011.msi
+ 2006-08-02 03:28 . 2006-08-02 03:28 656896 c:\windows\Installer\1200b.msi
+ 2006-08-02 03:27 . 2006-08-02 03:27 669696 c:\windows\Installer\12001.msi
+ 2006-08-02 03:26 . 2006-08-02 03:26 256000 c:\windows\Installer\11ff7.msi
+ 2006-08-02 03:23 . 2006-08-02 03:23 574464 c:\windows\Installer\11fdc.msi
+ 2009-06-08 05:54 . 2009-06-08 05:54 257024 c:\windows\Installer\10d8d90.msi
+ 2006-08-09 03:11 . 2006-09-02 06:55 794624 c:\windows\Downloaded Installations\{CD31D4AF-BFF2-4AD2-8314-C5CD83A8DAC3}\InterLok Driver Kit.msi
+ 2006-08-02 03:25 . 2006-08-02 03:25 413428 c:\windows\Downloaded Installations\{3AE813DE-06D6-4C11-AB7D-3832AA721F16}\Get High Speed Internet!.msi
+ 2004-08-10 17:51 . 2004-08-04 10:00 1326080 c:\windows\system32\webfldrs.msi
+ 1998-06-16 04:00 . 1998-06-16 04:00 3370768 c:\windows\system32\VFP6R.DLL
+ 1998-05-31 04:00 . 1998-05-31 04:00 1233680 c:\windows\system32\MSJT4JLT.DLL
+ 1998-04-24 04:00 . 1998-04-24 04:00 1045776 c:\windows\system32\MSJET35.DLL
+ 2006-08-08 01:38 . 2006-08-02 03:17 9946112 c:\windows\system32\config\systemprofile\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}\Java 2 Runtime Environment, SE v1.4.2_03.msi
+ 2008-08-18 21:48 . 2004-08-04 10:00 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2008-08-18 21:47 . 2004-08-04 10:00 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
+ 2007-05-25 16:08 . 2007-05-25 16:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2009-01-22 01:23 . 2009-01-22 01:23 2727936 c:\windows\Installer\9bf9f1d.msi
+ 2004-08-10 18:09 . 2004-08-10 18:10 3443712 c:\windows\Installer\50c4.msi
+ 2008-09-09 07:07 . 2008-09-09 07:07 3379712 c:\windows\Installer\3184dee7.msi
+ 2008-09-09 07:06 . 2008-09-09 07:06 1635328 c:\windows\Installer\3184dee3.msi
+ 2008-09-09 07:06 . 2008-09-09 07:06 8984576 c:\windows\Installer\3184dedd.msi
+ 2008-09-09 07:05 . 2008-09-09 07:05 1549312 c:\windows\Installer\3184deab.msi
+ 2008-09-09 07:04 . 2008-09-09 07:04 3174912 c:\windows\Installer\3184dea5.msi
+ 2008-08-19 01:31 . 2009-03-03 05:37 1038848 c:\windows\Installer\1f746e1.msi
+ 2006-08-12 22:55 . 2006-08-12 22:55 5864960 c:\windows\Installer\1be3fb.msp
+ 2009-05-15 11:44 . 2009-05-15 11:44 1401344 c:\windows\Installer\1921ce0.msi
+ 2006-08-02 03:38 . 2006-08-02 03:38 4995584 c:\windows\Installer\1208c.msi
+ 2006-08-02 03:33 . 2006-08-02 03:33 4410368 c:\windows\Installer\12054.msi
+ 2006-08-02 03:32 . 2006-08-02 03:32 9649152 c:\windows\Installer\12044.msi
+ 2006-08-02 03:31 . 2006-08-02 03:31 1102848 c:\windows\Installer\1202e.msi
+ 2006-08-02 03:31 . 2006-08-02 03:31 1096192 c:\windows\Installer\12028.msi
+ 2006-08-02 03:31 . 2006-08-02 03:31 1094656 c:\windows\Installer\12022.msi
+ 2006-08-02 03:23 . 2006-08-02 03:23 5156332 c:\windows\Downloaded Installations\BMP\{77976D5E-C17A-49E5-A91B-D7BFA08301CB}\BACS.msi
+ 2007-07-11 07:00 . 2007-07-11 07:00 15256576 c:\windows\Installer\5b32bd1.msp
+ 2004-08-10 18:10 . 2004-08-10 18:10 19204096 c:\windows\Installer\1599f.msp
+ 2006-02-27 12:29 . 2006-02-27 12:29 43459072 c:\windows\Installer\121be.msp
+ 2006-02-27 12:27 . 2006-02-27 12:27 49756672 c:\windows\Installer\1212c.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-18 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-1 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-03 22:39 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Norton Ghost"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"GEARSecurity"=2 (0x2)
"DigiRefresh"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [12/24/2006 8:22 PM 16384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [6/30/2009 9:48 PM 34760]
S2 awouqpig;Volume Manager Monitor;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 1:51 PM 14336]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [12/24/2006 8:19 PM 105472]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]
S4 EE;EE;c:\docume~1\Jon\LOCALS~1\Temp\EE.exe --> c:\docume~1\Jon\LOCALS~1\Temp\EE.exe [?]
S4 TLEVSOALXTO;TLEVSOALXTO;c:\docume~1\Jon\LOCALS~1\Temp\TLEVSOALXTO.exe --> c:\docume~1\Jon\LOCALS~1\Temp\TLEVSOALXTO.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
awouqpig
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\r27bma1g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 17:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-08 17:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-08 21:14
ComboFix2.txt 2009-06-30 18:49
ComboFix3.txt 2009-06-24 19:08

Pre-Run: 23,717,773,312 bytes free
Post-Run: 23,712,296,960 bytes free

364 --- E O F --- 2009-07-01 03:15



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-09 01:43:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF74060D0]
SSDT sptd.sys ZwEnumerateKey [0xF740BFB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF740C340]
SSDT sptd.sys ZwOpenKey [0xF74060B0]
SSDT sptd.sys ZwQueryKey [0xF740C418]
SSDT sptd.sys ZwQueryValueKey [0xF740C298]
SSDT sptd.sys ZwSetValueKey [0xF740C4AA]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F649F8AC 5 Bytes JMP 82FDE770
? System32\Drivers\ae9kgoy7.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7406AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7406C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7406B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7407748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F740761E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F741C29A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 831631E8

AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)

Device \FileSystem\Fastfat \FatCdrom 825C44E8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 82FC0790
Device \Driver\usbuhci \Device\USBPDO-1 82FC0790
Device \Driver\usbuhci \Device\USBPDO-2 82FC0790
Device \Driver\usbuhci \Device\USBPDO-3 82FC0790
Device \Driver\NetBT \Device\NetBT_Tcpip_{5B58ABF6-5CE1-4D49-A1E3-5AFA28B0785C} 828371E8
Device \Driver\usbehci \Device\USBPDO-4 82FA85F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 831D21E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 831D21E8
Device \Driver\Cdrom \Device\CdRom0 82FA9790
Device \Driver\Cdrom \Device\CdRom1 82FA9790
Device \Driver\Ftdisk \Device\HarddiskVolume3 831D21E8
Device \Driver\Ftdisk \Device\HarddiskVolume4 831D21E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 828371E8
Device \Driver\NetBT \Device\NetbiosSmb 828371E8
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{C01516F1-6844-4F87-B776-FDCCF4724764} 828371E8
Device \Driver\usbuhci \Device\USBFDO-0 82FC0790
Device \Driver\PCI_NTPNP7152 \Device\0000006d sptd.sys
Device \Driver\usbuhci \Device\USBFDO-1 82FC0790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82D32460
Device \Driver\usbuhci \Device\USBFDO-2 82FC0790
Device \Driver\usbuhci \Device\USBFDO-3 82FC0790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82D32460
Device \Driver\Ftdisk \Device\FtControl 831D21E8
Device \Driver\usbehci \Device\USBFDO-4 82FA85F8
Device \Driver\ae9kgoy7 \Device\Scsi\ae9kgoy71Port2Path0Target0Lun0 82EF5790
Device \Driver\ae9kgoy7 \Device\Scsi\ae9kgoy71 82EF5790
Device \FileSystem\Fastfat \Fat 825C44E8

AttachedDevice \FileSystem\Fastfat \Fat DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs 82DD8790
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2E 0xC3 0x2C 0x39 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1B 0x19 0xCD 0x84 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x37 0xDF 0x9E 0x35 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2E 0xC3 0x2C 0x39 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1B 0x19 0xCD 0x84 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x37 0xDF 0x9E 0x35 ...

---- EOF - GMER 1.0.15 ----

#6 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 09 July 2009 - 08:19 AM

Hello.

Backdoor Threat
I'm sorry to say that your computer was infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire, BitTorrent and uTorrent). These programs allow users to share files between themselves, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should be used with great care. Some further reading on this subject, via the included links: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes copyright law in many countries around the world, and you are putting yourself at risk of being indicted by organizations that watch over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s), but I suggest you remove them via Add/Remove Programs. However, please refrain from using them until your computer has been declared clean.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\drivers\\svchost.exe"=-
    
    Driver::
    awouqpig
    EE
    TLEVSOALXTO
    
    NetSvc::
    awouqpig
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Install Antivirus
An antivirus is essential in keeping your computer safe while surfing the Internet. Please install a (one only) free antivirus program from one of the trusted vendors below (in no particular order):

After installing, update the database, run a full system scan and remove any items found.

Please take a new DDS log from after installing. Include the Attach.txt.

Any problems at the moment?

With Regards,
The Panda
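
The triage in the reply above can be mechanised. The following Python script is an added example written for this page; it is not part of the thread and not code from ComboFix. It parses the "Reg Loading Points" lines posted earlier (copied into SAMPLE_LOG as a constructed sample), applies the same checks the reply makes by hand (a service hosted by svchost.exe -k netsvcs that appears in the NetSvcs list, which ComboFix shows only for non-default entries; services whose image sits in a Temp folder or could not be found; a firewall exception for an svchost.exe outside %windir%\system32; and the Security Center AntiVirusOverride flag) and renders the result in the CFScript form used above. The line-format regexes are inferred from the log lines shown, and the indicator names (image_in_temp, svchost_hosted_netsvcs, and so on) are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix "Reg Loading Points"
# section posted earlier in this thread, trimmed to the entries that matter.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [12/24/2006 8:22 PM 16384]
S2 awouqpig;Volume Manager Monitor;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 1:51 PM 14336]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [12/24/2006 8:19 PM 105472]
S4 EE;EE;c:\docume~1\Jon\LOCALS~1\Temp\EE.exe --> c:\docume~1\Jon\LOCALS~1\Temp\EE.exe [?]
S4 TLEVSOALXTO;TLEVSOALXTO;c:\docume~1\Jon\LOCALS~1\Temp\TLEVSOALXTO.exe --> c:\docume~1\Jon\LOCALS~1\Temp\TLEVSOALXTO.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
awouqpig
"""

# ComboFix service line (format inferred from the log):
#   "<start type> <name>;<display name>;<image path> [<date size> or ?]"
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$')
FW_ENTRY_RE = re.compile(r'^"(.+)"=\s*$')          # REGEDIT4 style, backslashes doubled
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1\s*$', re.IGNORECASE)

Finding = Tuple[str, str]   # (indicator name, affected item)


def triage(log_text: str) -> List[Finding]:
    """Flag the loading points the reply above acts on. ComboFix hides default
    entries, so anything listed under NetSvcs is a non-default addition."""
    findings: List[Finding] = []
    services: Dict[str, str] = {}        # service name -> image path
    netsvcs: List[str] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            if section == 'netsvcs':     # a blank line closes the NetSvcs list
                section = None
            continue
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image, stat = m.groups()
            services[name] = image
            if '\\temp\\' in image.lower():          # executable living in a Temp folder
                findings.append(('image_in_temp', name))
            if stat.strip() == '?':                   # ComboFix could not stat the image
                findings.append(('image_not_found', name))
            continue
        if line.lower().endswith('svchost - netsvcs'):
            section = 'netsvcs'
            continue
        if section == 'netsvcs':
            netsvcs.append(line)
            continue
        if line.startswith('['):
            section = 'firewall' if 'authorizedapplications' in line.lower() else 'registry'
            continue
        if AV_OVERRIDE_RE.match(line):
            findings.append(('antivirus_override', 'AntiVirusOverride=1'))
            continue
        fm = FW_ENTRY_RE.match(line) if section == 'firewall' else None
        if fm:
            path = fm.group(1).replace('\\\\', '\\')
            # The real svchost.exe lives in %windir%\system32; any other svchost.exe
            # granted a firewall exception is an impostor.
            low = path.lower()
            if low.endswith('svchost.exe') and not low.endswith('\\system32\\svchost.exe'):
                findings.append(('svchost_outside_system32', path))
    for name in netsvcs:
        if '-k netsvcs' in services.get(name, '').lower():
            findings.append(('svchost_hosted_netsvcs', name))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render the findings as a CFScript in the layout used in the reply above."""
    drivers = sorted({item for kind, item in findings
                      if kind in ('image_in_temp', 'svchost_hosted_netsvcs')})
    netsvc = sorted({item for kind, item in findings if kind == 'svchost_hosted_netsvcs'})
    registry: List[str] = []
    if any(kind == 'antivirus_override' for kind, _ in findings):
        registry += ['[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]',
                     '"AntiVirusOverride"=-', '']
    fw = [item for kind, item in findings if kind == 'svchost_outside_system32']
    if fw:
        registry.append('[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy'
                        '\\standardprofile\\AuthorizedApplications\\List]')
        registry += ['"%s"=-' % p.replace('\\', '\\\\') for p in fw] + ['']
    out: List[str] = []
    if registry:
        out += ['Registry::'] + registry
    if drivers:
        out += ['Driver::'] + drivers + ['']
    if netsvc:
        out += ['NetSvc::'] + netsvc + ['']
    return '\n'.join(out).rstrip() + '\n'


if __name__ == '__main__':
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample it reproduces the script in the reply, with awouqpig in both the Driver:: and NetSvc:: sections, which matches the follow-up ComboFix log where both Legacy_AWOUQPIG and Service_awouqpig are removed. Everything listed under Driver:: is deleted outright, so check each flagged name against the full log before dragging the script onto ComboFix.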

#7 jonjag (Topic Starter, Members, 13 posts)

Posted 10 July 2009 - 02:37 AM

No problems at the moment. I was aware that I had been infected by a backdoor, but I had thought that Malwarebytes had removed it. I downloaded Avira AntiVir again even though I'm not too keen on antivirus products. I never really had much success with AVG, and I've used AntiVir before and it gives me tons of false positives. But thank you for the heads up. I've considered formatting and starting over clean before, but when I purchased my computer it didn't come with any backup discs, which I think was a terrible idea: selling computers to customers and not including any kind of backup discs. And upon calling the supposed tech support, they just advise doing a system restore. So my only option is to try to clean it up as best as possible. Thank you for your help, Panda.


ComboFix 09-07-09.07 - Jon 07/10/2009 2:42.10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.682 [GMT -4:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jon\Desktop\Cfscript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AWOUQPIG
-------\Legacy_EE
-------\Legacy_TLEVSOALXTO
-------\Service_awouqpig
-------\Service_EE
-------\Service_TLEVSOALXTO


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 08:26 . 2009-02-16 04:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-07-09 08:26 . 2009-02-16 04:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-07-09 08:26 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-07-09 02:02 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 02:02 . 2009-07-09 02:02 -------- d-----w- c:\documents and settings\Jon\Malwarebytes' Anti-Malware
2009-07-09 02:02 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 21:35 . 2009-07-08 21:35 -------- d-----w- c:\program files\YouTube Downloader
2009-07-08 19:20 . 2009-07-08 19:20 -------- d-----w- c:\program files\Web Publish
2009-07-03 05:15 . 2009-07-03 05:16 -------- d-----w- c:\documents and settings\Jon\Application Data\vlc
2009-07-01 01:49 . 2009-07-06 23:49 -------- d-----w- C:\RootkitNO
2009-07-01 01:48 . 2009-07-01 01:48 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-07-01 01:48 . 2009-07-01 01:48 32480 ----a-w- c:\windows\system32\Partizan.exe
2009-07-01 01:48 . 2009-07-01 01:48 2 --shatr- c:\windows\winstart.bat
2009-07-01 01:47 . 2008-12-22 19:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-07-01 01:47 . 2009-07-01 01:49 -------- d-----w- c:\program files\UnHackMe
2009-06-30 20:36 . 2009-06-30 20:36 -------- d-----w- c:\documents and settings\Jon\DoctorWeb
2009-06-30 17:29 . 2008-11-12 19:57 103360 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-06-30 17:29 . 2008-04-13 18:57 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2009-06-30 17:29 . 2008-04-13 18:51 60800 ----a-w- c:\windows\system32\drivers\arp1394.sys
2009-06-30 17:29 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2009-06-25 22:16 . 2009-06-25 22:16 -------- d-----w- c:\program files\7-Zip
2009-06-24 07:32 . 2009-06-24 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-06-24 07:31 . 2009-06-24 07:32 -------- d-----w- c:\documents and settings\Jon\Application Data\DAEMON Tools Pro
2009-06-24 07:15 . 2009-06-24 22:53 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-06-24 07:12 . 2009-06-24 07:12 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-23 20:21 . 2009-06-23 20:21 -------- d-----w- c:\program files\uTorrent
2009-06-23 20:20 . 2009-07-10 05:59 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent
2009-06-22 01:57 . 2009-06-22 01:57 -------- d-----w- c:\program files\PowerISO
2009-06-22 01:33 . 2009-06-22 01:33 -------- d-----w- c:\program files\WinISO
2009-06-22 01:18 . 2009-06-22 01:18 -------- d-----w- c:\program files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 06:50 . 2008-11-18 23:22 -------- d-----w- c:\program files\DNA
2009-07-10 06:50 . 2008-11-18 23:22 -------- d-----w- c:\documents and settings\Jon\Application Data\DNA
2009-07-10 06:06 . 2009-03-17 05:54 117760 ----a-w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-09 08:27 . 2008-08-21 07:29 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-07-06 23:57 . 2008-08-18 23:49 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-06 23:48 . 2008-11-10 20:42 8840094 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-07-06 05:54 . 2009-01-06 05:21 -------- d-----w- c:\documents and settings\Jon\Application Data\Vso
2009-07-03 15:03 . 2006-12-07 06:25 -------- d-----w- c:\documents and settings\Jon\Application Data\Aim
2009-07-03 15:02 . 2006-12-07 06:24 -------- d-----w- c:\program files\AIM
2009-07-03 15:02 . 2006-12-07 06:24 -------- d-----w- c:\program files\Viewpoint
2009-07-03 15:02 . 2006-12-07 06:24 -------- d-----w- c:\program files\AOD
2009-07-03 05:02 . 2006-08-12 15:44 -------- d-----w- c:\documents and settings\Jon\Application Data\BitTorrent
2009-06-30 17:29 . 2009-06-30 17:29 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-25 05:49 . 2009-06-09 02:53 -------- d-----w- c:\program files\FlashFXP
2009-06-24 20:05 . 2008-08-19 01:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-17 00:57 . 2009-03-05 21:41 -------- d-----w- c:\documents and settings\Jon\Application Data\dvdcss
2009-06-09 02:53 . 2009-06-09 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FlashFXP
2009-06-08 05:57 . 2009-06-08 05:57 -------- d-----w- c:\program files\1964
2009-06-08 05:55 . 2009-06-08 05:54 -------- d-----w- c:\program files\Project64 1.6
2009-06-08 05:54 . 2009-06-08 05:54 8854 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-06-08 05:54 . 2009-06-08 05:54 40960 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-06-08 05:54 . 2009-06-08 05:54 40960 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-05-27 18:31 . 2008-07-08 00:25 -------- d-----w- c:\program files\Maxis
2009-05-26 05:28 . 2008-12-18 02:43 -------- d-----w- c:\program files\dvdSanta
2009-05-24 14:23 . 2009-05-24 14:23 11410 ----a-w- c:\documents and settings\Jon\Application Data\Corel Photo Album\msgdi.dll
2009-05-24 14:23 . 2009-05-24 14:23 10121 ----a-w- c:\documents and settings\Jon\Application Data\CyberLink\kern.dll
2009-05-24 14:23 . 2009-05-24 14:23 16141 ----a-w- c:\documents and settings\Jon\Application Data\Corel\lego.exe
2009-05-24 14:23 . 2006-11-05 06:47 -------- d-----w- c:\documents and settings\Jon\Application Data\Corel Photo Album
2009-05-24 14:23 . 2006-08-08 09:03 -------- d-----w- c:\documents and settings\Jon\Application Data\CyberLink
2009-05-24 14:23 . 2009-05-24 14:23 422 ----a-w- c:\documents and settings\Jon\Application Data\Apple Computer\socks1.exe
2009-05-24 14:23 . 2009-05-24 14:23 145131 ----a-w- c:\documents and settings\Jon\Application Data\BitTorrent\nomad.exe
2009-05-24 14:23 . 2009-05-24 14:23 13221 ----a-w- c:\documents and settings\Jon\Application Data\AdobeUM\rengo.dll
2009-05-24 14:23 . 2009-05-24 14:23 11232 ----a-w- c:\documents and settings\Jon\Application Data\Adobe\shalom.exe
2009-05-24 14:23 . 2008-09-09 07:07 -------- d-----w- c:\documents and settings\Jon\Application Data\Apple Computer
2009-05-24 14:23 . 2007-03-04 20:43 -------- d-----w- c:\documents and settings\Jon\Application Data\Corel
2009-05-24 14:23 . 2006-08-09 04:03 -------- d-----w- c:\documents and settings\Jon\Application Data\AdobeUM
2009-05-19 16:28 . 2009-05-19 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2009-05-16 06:17 . 2006-08-09 04:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-12 06:30 . 2006-08-08 02:05 39392 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 06:28 . 2009-05-12 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-12 06:19 . 2009-05-12 06:19 -------- d-----w- c:\program files\Adobe Media Player
2009-05-10 21:16 . 2009-05-10 21:16 152576 ----a-w- c:\documents and settings\Jon\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-02-28 16:32 . 2006-08-14 04:39 88 --sh--r- c:\windows\system32\BEB3C63199.sys
2009-02-28 16:33 . 2006-08-14 04:39 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-07-08_21.09.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-10 06:49 . 2009-07-10 06:49 16384 c:\windows\temp\Perflib_Perfdata_268.dat
+ 2009-07-09 08:26 . 2009-02-16 04:10 97672 c:\windows\system32\ZoneLabs\zlquarantine.dll
+ 2009-07-09 08:27 . 2008-11-17 06:24 51688 c:\windows\system32\ZoneLabs\srescan.sys
+ 2009-07-09 08:26 . 2009-02-16 04:10 94088 c:\windows\system32\ZoneLabs\lib\zvpn.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 20360 c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 59272 c:\windows\system32\ZoneLabs\lib\zpdp.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 14216 c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 24968 c:\windows\system32\ZoneLabs\lib\zic.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 84872 c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 34696 c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 17800 c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 10120 c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 10632 c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 13704 c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 11656 c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 11144 c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 29576 c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 12168 c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 35720 c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 38280 c:\windows\system32\ZoneLabs\featuremap.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 98184 c:\windows\system32\ZoneLabs\fbl.dll
+ 2009-07-09 08:27 . 2009-02-16 04:10 74632 c:\windows\system32\ZoneLabs\camupd.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 35208 c:\windows\system32\vswmi.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 58248 c:\windows\system32\vsregexp.dll
- 2006-08-09 04:38 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2006-08-09 04:38 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 9608 c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 108424 c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 302472 c:\windows\system32\ZoneLabs\zlsre.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 178568 c:\windows\system32\ZoneLabs\zlparser.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 172936 c:\windows\system32\ZoneLabs\vsvault.dll
+ 2009-07-09 08:24 . 2009-02-16 04:10 108424 c:\windows\system32\ZoneLabs\vsdb.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 176520 c:\windows\system32\ZoneLabs\updclient.exe
+ 2009-07-09 08:26 . 2007-10-11 20:51 832984 c:\windows\system32\ZoneLabs\updating.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 431496 c:\windows\system32\ZoneLabs\ssleay32.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 134536 c:\windows\system32\ZoneLabs\scheduler.dll
+ 2009-07-09 08:26 . 2008-11-17 06:23 796128 c:\windows\system32\ZoneLabs\qrsrecl.dll
+ 2009-07-09 08:26 . 2008-11-17 06:23 722400 c:\windows\system32\ZoneLabs\qrbase.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 118664 c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 151944 c:\windows\system32\ZoneLabs\lib\ztv.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 188808 c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 344968 c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 136584 c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 344456 c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2009-07-09 08:24 . 2009-02-04 22:27 548128 c:\windows\system32\ZoneLabs\icslta.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 159112 c:\windows\system32\ZoneLabs\httpblocker.dll
+ 2009-07-09 08:27 . 2008-03-17 20:52 813568 c:\windows\system32\ZoneLabs\dbghelp.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 109960 c:\windows\system32\vsxml.dll
+ 2009-07-09 08:24 . 2009-02-16 04:10 482184 c:\windows\system32\vsutil.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 309128 c:\windows\system32\vspubapi.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 107912 c:\windows\system32\vsmonapi.dll
+ 2009-07-09 08:24 . 2009-02-16 04:10 229256 c:\windows\system32\vsinit.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 353672 c:\windows\system32\vsdatant.sys
+ 2009-07-09 08:24 . 2009-02-16 04:10 110472 c:\windows\system32\vsdata.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 1648520 c:\windows\system32\ZoneLabs\vsruledb.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 2402184 c:\windows\system32\ZoneLabs\vsmon.exe
+ 2009-07-09 08:26 . 2008-11-17 06:23 1512928 c:\windows\system32\ZoneLabs\srescan.dll
+ 2009-07-09 08:26 . 2009-02-16 04:10 1536392 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
- 2009-06-10 17:09 . 2008-07-09 14:25 2455488 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\ieapfltr.dat
+ 2009-07-09 08:27 . 2008-12-15 05:11 10465257 c:\windows\system32\ZoneLabs\zlasdbup.dat
+ 2009-07-09 08:26 . 2008-12-15 05:11 10465257 c:\windows\system32\ZoneLabs\spyware.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-18 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-1 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-03 22:39 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Norton Ghost"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"GEARSecurity"=2 (0x2)
"DigiRefresh"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [12/24/2006 8:22 PM 16384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [6/30/2009 9:48 PM 34760]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [12/24/2006 8:19 PM 105472]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - UnHackMeDrv
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\r27bma1g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 02:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-10 2:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 06:54
ComboFix2.txt 2009-07-08 21:14
ComboFix3.txt 2009-06-30 18:49
ComboFix4.txt 2009-06-24 19:08

Pre-Run: 24,829,779,968 bytes free
Post-Run: 25,004,544,000 bytes free

280 --- E O F --- 2009-07-09 08:45






DDS (Ver_09-06-26.01) - NTFSx86
Run by Jon at 3:12:03.25 on Fri 07/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.590 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Documents and Settings\Jon\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\r27bma1g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-12-24 16384]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-10 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-9 353672]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-10 55640]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-6-30 34760]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-12-24 105472]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]

=============== Created Last 30 ================

2009-07-10 03:08 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 03:07 <DIR> --d----- c:\program files\Avira
2009-07-10 03:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-09 04:26 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-07-08 22:02 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 22:02 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 22:02 <DIR> --d----- c:\documents and settings\jon\Malwarebytes' Anti-Malware
2009-07-08 17:35 <DIR> --d----- c:\program files\YouTube Downloader
2009-07-08 15:24 126 a------- c:\windows\mdm.ini
2009-07-08 15:23 288 a------- c:\windows\ODBC.INI
2009-07-08 15:20 <DIR> --d----- c:\program files\Web Publish
2009-07-08 01:53 5 a------- c:\windows\VS98ENT.MIF
2009-07-06 19:49 123 a------- c:\windows\rootkitno.ini
2009-06-30 21:49 <DIR> --d----- C:\RootkitNO
2009-06-30 21:48 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-06-30 21:48 32,480 a------- c:\windows\system32\Partizan.exe
2009-06-30 21:48 2 a--shrot c:\windows\winstart.bat
2009-06-30 21:47 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-06-30 21:47 <DIR> --d----- c:\program files\UnHackMe
2009-06-30 16:36 <DIR> --d----- c:\documents and settings\jon\DoctorWeb
2009-06-30 14:48 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-30 14:40 161,792 a------- c:\windows\SWREG.exe
2009-06-30 14:40 98,816 a------- c:\windows\sed.exe
2009-06-30 13:29 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-06-30 13:29 103,360 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-06-30 13:29 60,800 a------- c:\windows\system32\drivers\arp1394.sys
2009-06-30 13:29 14,336 a------- c:\windows\system32\drivers\asyncmac.sys
2009-06-30 13:29 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-24 03:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-06-24 03:31 <DIR> --d----- c:\docume~1\jon\applic~1\DAEMON Tools Pro
2009-06-24 03:15 <DIR> --d----- c:\program files\DAEMON Tools Pro
2009-06-24 03:12 685,816 a------- c:\windows\system32\drivers\sptd.sys
2009-06-23 16:21 <DIR> --d----- c:\program files\uTorrent
2009-06-23 16:20 <DIR> --d----- c:\docume~1\jon\applic~1\uTorrent
2009-06-21 21:57 <DIR> --d----- c:\program files\PowerISO
2009-06-21 21:33 <DIR> --d----- c:\program files\WinISO
2009-06-21 21:18 <DIR> --d----- c:\program files\MagicISO

==================== Find3M ====================

2009-07-09 04:27 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-07-06 19:57 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-12 16:46 2,876,719 a------- c:\documents and settings\jon\mbam-setup.exe.pif
2009-01-06 01:21 47,360 a------- c:\docume~1\jon\applic~1\pcouffin.sys
2009-02-28 12:32 88 ---shr-- c:\windows\system32\BEB3C63199.sys
2009-02-28 12:33 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-16 15:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011620090117\index.dat

============= FINISH: 3:12:28.81 ===============

Attached Files



#8 jonjag

jonjag
  • Topic Starter

  • Members
  • 13 posts

Posted 10 July 2009 - 02:42 AM

Sorry to double post but what's with these entries? Are there policies enabling and disabling the firewall at the same time?


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

Edited by jonjag, 10 July 2009 - 02:43 AM.


#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 July 2009 - 07:43 AM

Hello.

Those policies are both disabling the firewall.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=-
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.

Update Java to Version 6 Update 14
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.


Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Please also take a new DDS.txt log.

With Regards,
The Panda
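
The two registry values jonjag asked about in post #8 are worth checking mechanically on any ComboFix log, and they record two different things: under Security Center\Monitoring\<product>, DisableMonitoring=1 tells Windows Security Center to stop monitoring and alerting on that product's firewall state (a value third-party firewalls such as ZoneAlarm typically set when they register with Security Center, but one that malware also sets to silence alerts, so it is worth confirming against what is actually installed), while EnableFirewall=0 under the standard-profile firewall policy is the Windows Firewall itself switched off. The script below is an added example, not part of this thread and not ComboFix's or BleepingComputer's code: it parses the REGEDIT4-style "Reg Loading Points" section (ComboFix's HKLM\~ shorthand included), flags both conditions, and also lists any AuthorizedApplications exception that lives outside Program Files or %windir%, such as the c:\StubInstaller.exe entry in the log above. SAMPLE_LOG is constructed from the entries quoted in this thread; the finding names are the script's own.

```python
import re

# Constructed sample: the firewall-related entries from the ComboFix
# "Reg Loading Points" section quoted in this thread, ComboFix shorthand kept.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"""


def parse_reg_dump(text):
    """Return {key_path: {value_name: raw_value}} from a REGEDIT4-style dump.

    ComboFix writes HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet as 'HKLM\~';
    the abbreviation is kept so that a finding points back at the log line.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(.*)"\s*=\s*(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def parse_dword(raw):
    """Accept both 'dword:00000001' (regedit) and '0 (0x0)' (ComboFix) forms."""
    m = re.match(r'dword:([0-9a-fA-F]+)', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)', raw)
    if m:
        return int(m.group(1))
    return None


def assess_firewall_policy(keys):
    """Return a list of (finding, detail) tuples for the parsed dump."""
    findings = []
    for path, values in keys.items():
        lp = path.lower()
        if '\\security center\\monitoring\\' in lp:
            # Security Center told not to monitor this product's firewall.
            product = path.rsplit('\\', 1)[-1]
            if parse_dword(values.get('DisableMonitoring', '')) == 1:
                findings.append(('security-center-monitoring-off', product))
        elif lp.endswith('\\firewallpolicy\\standardprofile'):
            # The Windows Firewall policy itself is off for this profile.
            if parse_dword(values.get('EnableFirewall', '')) == 0:
                findings.append(('windows-firewall-off', 'StandardProfile'))
        elif lp.endswith('\\authorizedapplications\\list'):
            for name in values:
                # REGEDIT4 doubles backslashes inside quoted names.
                p = name.replace('\\\\', '\\')
                # Exceptions outside Program Files / %windir% deserve a look.
                if not re.match(r'^(%windir%|[a-z]:\\program files)\\', p, re.I):
                    findings.append(('unusual-firewall-exception', p))
    return findings


if __name__ == '__main__':
    for finding, detail in assess_firewall_policy(parse_reg_dump(SAMPLE_LOG)):
        print(f'{finding}: {detail}')
```

Run it against the "Reg Loading Points" block copied out of a ComboFix log. Anything flagged as security-center-monitoring-off should be matched to a firewall product that is really installed and running (here ZoneAlarm, whose vsmon.exe appears in the process list), and the exception list should be compared with what the machine's owner knowingly installed.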

#10 jonjag

jonjag
  • Topic Starter

  • Members
  • 13 posts

Posted 10 July 2009 - 01:25 PM

Alright panda I have done all the suggested tasks. I also downloaded the java update and am planning on installing after this post. I ran a scan with Avira last night and it found a lot of viruses. But most of it looks like false positives or files that are in the combofix quarantine. I have a hard time believing that all those infected files could have slipped past Malwarebytes or SAS scans. So I could use some help discerning which are false positives as I have yet to delete anything from the Avira quarantine. And once again thank you for your time and help.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 15:45:04
Records in database: 2456799
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Jon\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 50606
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:15:03


File name / Threat name / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

The selected area was scanned.





Avira AntiVir Personal
Report file date: Friday, July 10, 2009 03:15

Scanning for 1497280 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : JONJAG

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 14:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 07:11:30
ANTIVIR2.VDF : 7.1.4.198 778752 Bytes 7/8/2009 07:11:35
ANTIVIR3.VDF : 7.1.4.213 269312 Bytes 7/9/2009 07:11:38
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 16:52:04
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/10/2009 07:11:50
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 16:02:01
AERDL.DLL : 8.1.2.2 438642 Bytes 7/10/2009 07:11:49
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 21:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/10/2009 07:11:47
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/10/2009 07:11:46
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/10/2009 07:11:40
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/10/2009 07:11:39
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 21:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +PCK,+SPR,

Start of the scan: Friday, July 10, 2009 03:15

Starting search for hidden objects.
'46547' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'hackmon.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'btdna.exe' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '0' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'quickset.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'vsmon.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
43 processes with 43 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '68' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5a388957
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.1 exploit
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-6947e76c
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-55ca0100
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.2 exploit
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-3186f821-2a9dd663.zip
[0] Archive type: ZIP
--> BnnnnBaa.class
[DETECTION] Is the TR/Java.Downloader.Gen Trojan
--> VaannnaaBaa.class
[DETECTION] Is the TR/ClassLoader Trojan
--> Dnnny.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.Bytverify.5 Java virus
--> Bnnnnn.class
[DETECTION] Is the TR/Java.ClassLoader.AS Trojan
--> Den.class
[DETECTION] Is the TR/Exploit.Bytverify Trojan
--> Din.class
[DETECTION] Is the TR/Exploit.Bytverify.A Trojan
--> Dun.class
[DETECTION] Is the TR/Exploit.Bytverify.B Trojan
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-383086e5.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.1 exploit
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-65e13a19.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-584a3391.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.2 exploit
C:\Documents and Settings\Jon\Desktop\ComboFix.exe
[0] Archive type: RAR SFX (self extracting)
--> 32788R22FWJFW\n.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\Documents and Settings\Jon\Desktop\SmitfraudFix-2.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\Reboot.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
--> SmitfraudFix\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\627d4a09.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0004108.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008093.exe
[0] Archive type: RAR SFX (self extracting)
--> 32788R22FWJFW\n.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008135.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008208.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008329.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0004131.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0004684.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0004685.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0007028.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\WINDOWS\system32\uqxuhoz.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\D1QT2W40\install2[1].exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <Backup>

Beginning disinfection:
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5a388957
[NOTE] The file was moved to '4a8af6b9.qua'!
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-6947e76c
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
[NOTE] The file was moved to '4a88f6bc.qua'!
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-55ca0100
[NOTE] The file was moved to '4a8df6ed.qua'!
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-3186f821-2a9dd663.zip
[NOTE] The file was moved to '4acaf6f7.qua'!
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-383086e5.zip
[NOTE] The file was moved to '4ac3f6ff.qua'!
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-65e13a19.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
[NOTE] The file was moved to '4ffde2b8.qua'!
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-584a3391.zip
[NOTE] The file was moved to '4ffcea80.qua'!
C:\Documents and Settings\Jon\Desktop\ComboFix.exe
[NOTE] The file was moved to '4ac3f6f9.qua'!
C:\Documents and Settings\Jon\Desktop\SmitfraudFix-2.exe
[NOTE] The file was moved to '4abff6fa.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\627d4a09.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a8df6c3.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0004108.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '4a86f6c1.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008093.exe
[NOTE] The file was moved to '4a86f6c2.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008135.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4f945dbb.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008208.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '49dd7bcb.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008329.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4f9e2ceb.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0004131.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4f224c73.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0004684.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
[NOTE] The file was moved to '4a86f6c3.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0004685.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '4f9d01b4.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0007028.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4f9a09fc.qua'!
C:\WINDOWS\system32\uqxuhoz.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4acef704.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\D1QT2W40\install2[1].exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '4ac9f706.qua'!


End of the scan: Friday, July 10, 2009 04:06
Used time: 51:26 Minute(s)

The scan has been done completely.

8609 Scanned directories
267983 Files were scanned
25 Viruses and/or unwanted programs were found
7 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
23 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
267949 Files not concerned
3291 Archives were scanned
2 Warnings
24 Notes
46547 Objects were scanned with rootkit scan
0 Hidden objects were found




DDS (Ver_09-06-26.01) - NTFSx86
Run by Jon at 14:13:24.00 on Fri 07/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.530 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jon\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\r27bma1g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-12-24 16384]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-10 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-9 353672]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-10 55640]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-6-30 34760]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-12-24 105472]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]

=============== Created Last 30 ================

2009-07-10 03:08 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 03:07 <DIR> --d----- c:\program files\Avira
2009-07-10 03:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-09 04:26 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-07-08 22:02 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 22:02 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 22:02 <DIR> --d----- c:\documents and settings\jon\Malwarebytes' Anti-Malware
2009-07-08 17:35 <DIR> --d----- c:\program files\YouTube Downloader
2009-07-08 15:24 126 a------- c:\windows\mdm.ini
2009-07-08 15:23 288 a------- c:\windows\ODBC.INI
2009-07-08 15:20 <DIR> --d----- c:\program files\Web Publish
2009-07-08 01:53 5 a------- c:\windows\VS98ENT.MIF
2009-07-06 19:49 123 a------- c:\windows\rootkitno.ini
2009-06-30 21:49 <DIR> --d----- C:\RootkitNO
2009-06-30 21:48 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-06-30 21:48 32,480 a------- c:\windows\system32\Partizan.exe
2009-06-30 21:48 2 a--shrot c:\windows\winstart.bat
2009-06-30 21:47 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-06-30 21:47 <DIR> --d----- c:\program files\UnHackMe
2009-06-30 16:36 <DIR> --d----- c:\documents and settings\jon\DoctorWeb
2009-06-30 14:48 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-30 14:40 161,792 a------- c:\windows\SWREG.exe
2009-06-30 14:40 98,816 a------- c:\windows\sed.exe
2009-06-30 13:29 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-06-30 13:29 103,360 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-06-30 13:29 60,800 a------- c:\windows\system32\drivers\arp1394.sys
2009-06-30 13:29 14,336 a------- c:\windows\system32\drivers\asyncmac.sys
2009-06-30 13:29 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-24 03:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-06-24 03:31 <DIR> --d----- c:\docume~1\jon\applic~1\DAEMON Tools Pro
2009-06-24 03:15 <DIR> --d----- c:\program files\DAEMON Tools Pro
2009-06-24 03:12 685,816 a------- c:\windows\system32\drivers\sptd.sys
2009-06-23 16:21 <DIR> --d----- c:\program files\uTorrent
2009-06-23 16:20 <DIR> --d----- c:\docume~1\jon\applic~1\uTorrent
2009-06-21 21:57 <DIR> --d----- c:\program files\PowerISO
2009-06-21 21:33 <DIR> --d----- c:\program files\WinISO
2009-06-21 21:18 <DIR> --d----- c:\program files\MagicISO

==================== Find3M ====================

2009-07-09 04:27 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-07-06 19:57 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-12 16:46 2,876,719 a------- c:\documents and settings\jon\mbam-setup.exe.pif
2009-01-06 01:21 47,360 a------- c:\docume~1\jon\applic~1\pcouffin.sys
2009-02-28 12:32 88 ---shr-- c:\windows\system32\BEB3C63199.sys
2009-02-28 12:33 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-16 15:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011620090117\index.dat

============= FINISH: 14:13:52.98 ===============

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 10 July 2009 - 01:34 PM

Hello jonjag.

Yes, the detections were mainly false positives, items in the System Restore cache, and items in quarantine.

Your logs look clean. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u

Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda
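The triage Panda does by eye in the reply above (quarantine copies, System Restore snapshots, a removal tool's own SFX payload, and the few hits that actually matter) can be scripted against the Avira report jonjag posted in #10. The script below is an added example written for this page; it is not code from the thread, from Avira or from BleepingComputer. The bucket rules and the KNOWN_TOOLS list are the editor's own heuristics, and the sample report is a constructed subset of the lines posted above.

```python
"""Triage an Avira AntiVir report the way a malware-removal helper does:
attribute every [DETECTION] to the file (and archive member) above it, then
sort hits into buckets so only the "live" ones need a human look."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: removal tools the helper already recognises. Their SFX payloads
# trip HIDDENEXT/SPR heuristics (see ComboFix.exe above) but are not infections.
KNOWN_TOOLS = {"combofix.exe", "smitfraudfix-2.exe"}

PATH_RE = re.compile(r"^[A-Za-z]:\\")            # a scanned file on disk
MEMBER_RE = re.compile(r"^--> (.+)$")             # entry inside an archive
DETECT_RE = re.compile(r"^\[DETECTION\] (.+)$")
FAMILY_RE = re.compile(r"([A-Z][A-Za-z0-9]*/[A-Za-z0-9_.\-]+)")  # TR/Rootkit.Gen etc.
RESTORE_RE = re.compile(r"^[a-z]:\\system volume information\\_restore")


@dataclass
class Detection:
    path: str                # file on disk
    member: Optional[str]    # archive member, if the hit was inside an archive
    verdict: str             # Avira family name, e.g. TR/Crypt.XPACK.Gen


def parse_avira_report(text: str) -> List[Detection]:
    """Walk the file-scan section only; the 'Beginning disinfection:' log that
    follows repeats every hit and would double-count."""
    hits: List[Detection] = []
    path: Optional[str] = None
    member: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Beginning disinfection:"):
            break
        if PATH_RE.match(line):
            path, member = line, None       # new file resets the member context
            continue
        m = MEMBER_RE.match(line)
        if m:
            member = m.group(1)
            continue
        m = DETECT_RE.match(line)
        if m and path is not None:
            fam = FAMILY_RE.search(m.group(1))
            hits.append(Detection(path, member, fam.group(1) if fam else m.group(1)))
    return hits


def classify(d: Detection) -> str:
    p = d.path.lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\qoobox\\quarantine\\" in p or name.endswith((".vir", ".qua")):
        return "quarantine"        # already neutralised by ComboFix / Avira
    if RESTORE_RE.match(p):
        return "system_restore"    # gone once old restore points are flushed
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"        # cached exploit jars: clear cache, patch Java
    if name in KNOWN_TOOLS and d.member is not None:
        return "known_tool"        # heuristic hit on a removal tool's SFX payload
    return "live"                  # anything else deserves a look


def triage(text: str) -> Dict[str, List[Detection]]:
    buckets: Dict[str, List[Detection]] = {
        k: [] for k in ("live", "quarantine", "system_restore", "java_cache", "known_tool")}
    for d in parse_avira_report(text):
        buckets[classify(d)].append(d)
    return buckets


# Constructed sample: a subset of the Avira report lines posted in #10.
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5a388957
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.1 exploit
C:\Documents and Settings\Jon\Desktop\ComboFix.exe
[0] Archive type: RAR SFX (self extracting)
--> 32788R22FWJFW\n.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\627d4a09.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0004108.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
C:\WINDOWS\system32\uqxuhoz.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\D1QT2W40\install2[1].exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus

Beginning disinfection:
C:\WINDOWS\system32\uqxuhoz.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4acef704.qua'!
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for d in items:
            print(f"  {d.verdict:22} {d.path}" + (f" -> {d.member}" if d.member else ""))
```

Run against the full report in #10, the "live" bucket is exactly the two hits Panda's reply leaves unexplained, the random-named DLL under system32 and the Virut dropper in the SYSTEM profile's IE cache, and the disinfection section shows Avira moved both to quarantine. The quarantine rule deliberately keys on the Qoobox path and the .vir/.qua suffixes rather than on the verdict, because a TR/Rootkit.Gen hit on a quarantined driver is evidence of what was removed, not of what is still running.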

#12 jonjag

jonjag
  • Topic Starter

  • Members
  • 13 posts

Posted 12 July 2009 - 03:32 AM

No more questions I can think of, everything looks good. I appreciate all of the time and help everyone from bleepingcomputer puts forth. Thanks again Panda.

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 12 July 2009 - 08:37 AM

Glad we could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



