infected with I don't know what


  • This topic is locked
15 replies to this topic

#1 zippyshorts (Members, 17 posts)
Posted 06 August 2009 - 10:08 PM

My ZoneAlarm sees it but is unable to remove it. Same with Malwarebytes. Both say delete on reboot, but it's not happening.
I am reposting with the DDS and Attach.
Sorry for the last post if it was incorrect.
Thanks for any help.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Julianna Marie at 22:59:37.48 on Thu 08/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.952 [GMT -4:00]

AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julianna Marie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {0BD44AB1-76A7-4E05-92F4-4B065FE72BD6} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {3BEBF2FE-7248-40E2-9752-8163EB6C4038} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSMain] TPSMain.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://help.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198248217937
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371420.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 23:01:25.04 ===============


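The DDS logs in this thread are read by hand by the Malware Response Team. What follows is an added example, not code from the original post, from the DDS tool or from BleepingComputer, of a small triage script that splits a DDS log into its ===== sections and pulls out the entries a responder checks first: IE settings that DDS prints as hex (decoded back to text), BHO/toolbar registrations whose file is gone ("No File"), a non-empty AppInit_DLLs value, a service registered with no file path ("[x]"), and kernel drivers or odd executable types (.pif/.scr/.com/.bat) created under the Windows directory in the last 30 days. The sample log is constructed for the example from lines in the shape of those posted here; every flagged line is something to look into, not a verdict that it is malicious.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in DDS log format, modelled on the kind of lines posted in this
# thread (not a complete log from any real machine).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
BHO: {0BD44AB1-76A7-4E05-92F4-4B065FE72BD6} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {3BEBF2FE-7248-40E2-9752-8163EB6C4038} - No File
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-1-29 353672]
RUnknown pvqb;pvqb; [x]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]

=============== Created Last 30 ================

2009-08-20 12:22 61,440 a------- c:\windows\system32\drivers\nuxs.sys
2009-08-06 21:54 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-04 08:44 2,855 a------- c:\windows\system32\desot.PIF

============= FINISH: 15:05:35.15 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<start type> <name>;<display name>;<path and details>"
SERVICE_RE = re.compile(r"^(R\d|S\d|RUnknown)\s+([^;]*);([^;]*);(.*)$")
# "<date> <time> <size or <DIR>> <attrs> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+\S+\s+(.+)$")
# DDS writes some IE registry values as raw hex (even number of hex digits).
HEX_SETTING_RE = re.compile(r"^u(Search Bar|SearchMigratedDefaultURL)\s*=\s*((?:[0-9a-fA-F]{2})+)$")
NEW_DRIVER_RE = re.compile(r"\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
ODD_EXT_RE = re.compile(r"\.(pif|scr|com|bat)$", re.IGNORECASE)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the ===== header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def decode_hex_value(hexstr: str) -> str:
    """Turn a hex-encoded IE setting back into readable text."""
    return bytes.fromhex(hexstr).decode("latin-1")


def triage_dds(text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs worth a responder's attention, in log order."""
    findings: List[Tuple[str, str]] = []
    sections = split_sections(text)

    for line in sections.get("Pseudo HJT Report", []):
        m = HEX_SETTING_RE.match(line)
        if m:
            findings.append((f"hex-encoded IE setting decodes to {decode_hex_value(m.group(2))!r}", line))
        elif line.endswith("- No File") and line.split(":", 1)[0] in ("BHO", "TB"):
            findings.append(("browser add-on registered but its file is missing (orphan or removed payload)", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("AppInit_DLLs set: this DLL loads into every user32-linked process; verify the vendor", line))

    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m and m.group(4).strip().startswith("[x]"):
            findings.append((f"service '{m.group(2)}' is registered with no file path", line))

    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        path = m.group(2)
        if NEW_DRIVER_RE.search(path):
            findings.append((f"kernel driver created on {m.group(1)}", line))
        elif ODD_EXT_RE.search(path) and "\\windows\\" in path.lower():
            findings.append((f"unusual executable type created under the Windows directory on {m.group(1)}", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage_dds(SAMPLE_DDS):
        print(f"[!] {reason}\n    {line}")
```

Run it as-is to see the seven flagged lines from the sample; feed `triage_dds()` the text of a full DDS log to triage a real one. The rules are deliberately narrow (a missing file, an empty service path, a brand-new .sys) so that the benign entries that dominate these logs, such as vendor BHOs with a valid path, stay out of the way.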

#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)
Posted 17 August 2009 - 10:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 zippyshorts (Topic Starter, Members, 17 posts)
Posted 20 August 2009 - 02:14 PM

As requested, the DDS and attach.txt files.
I was not sure how to zip and attach.
Sorry, I hope you can work with this.
Thanks,
jmb


DDS (Ver_09-07-30.01) - NTFSx86
Run by Julianna Marie at 15:04:14.57 on Thu 08/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.687 [GMT -4:00]

AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julianna Marie\Desktop\dds.scr
C:\Documents and Settings\Julianna Marie\Local Settings\Temporary Internet Files\Content.IE5\0PZEUYA9\dds[1].scr
C:\WINDOWS\system32\findstr.exe

============== Pseudo HJT Report ===============

uSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {0BD44AB1-76A7-4E05-92F4-4B065FE72BD6} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {3BEBF2FE-7248-40E2-9752-8163EB6C4038} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSMain] TPSMain.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://help.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198248217937
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371420.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-2 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-1-29 353672]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-8-25 38160]
RUnknown pvqb;pvqb; [x]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-08-20 12:22 61,440 a------- c:\windows\system32\drivers\nuxs.sys
2009-08-19 09:46 202,072 a----r-- c:\windows\system32\cpnprt2.cid
2009-08-19 09:46 <DIR> --d----- c:\program files\Coupons
2009-08-13 17:34 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-13 17:34 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-09 21:07 <DIR> --d----- c:\docume~1\julian~1\applic~1\Otto
2009-08-09 21:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Otto
2009-08-07 21:49 <DIR> --d----- c:\documents and settings\julianna marie\.housecall6.6
2009-08-06 21:54 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-06 16:48 <DIR> --d----- c:\program files\THQ
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 17:41 687,104 a------- c:\windows\is-BESLF.exe
2009-08-04 17:41 10,498 a------- c:\windows\is-BESLF.msg
2009-08-04 17:41 416 a------- c:\windows\is-BESLF.lst
2009-08-04 15:50 56,320 a------- C:\juliannastuffrepair.doc
2009-08-04 08:44 2,855 a------- c:\windows\system32\desot.PIF
2009-08-04 08:42 <DIR> --d-h--- c:\windows\PIF
2009-08-03 10:54 <DIR> --d----- C:\_OTM
2009-08-02 20:09 <DIR> a-d----- c:\windows\system32\images
2009-08-01 10:56 <DIR> --d----- c:\program files\iPod
2009-07-28 07:02 411,368 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-08-20 11:25 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-12 15:53 350,481,184 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-05-28 19:15 0 a------- c:\program files\temp01
2007-12-17 12:17 302 a------- c:\docume~1\julian~1\applic~1\wklnhst.dat
2007-07-15 18:57 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 15:05:35.15 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/24/2006 7:13:32 PM
System Uptime: 8/20/2009 2:59:51 AM (13 hours ago)

Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards
Processor: Intel® Core™2 CPU T5500 @ 1.66GHz | U1 | 1661/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 104.318 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP166: 7/12/2009 3:53:14 PM - System Checkpoint
RP167: 7/12/2009 3:53:14 PM - System Checkpoint
RP168: 7/12/2009 3:53:14 PM - System Checkpoint
RP169: 7/12/2009 3:53:14 PM - System Checkpoint
RP170: 7/12/2009 3:53:15 PM - System Checkpoint
RP171: 7/12/2009 3:53:15 PM - System Checkpoint
RP172: 7/12/2009 3:53:16 PM - Software Distribution Service 3.0
RP173: 7/12/2009 3:53:16 PM - System Checkpoint
RP174: 7/12/2009 3:53:16 PM - System Checkpoint
RP175: 7/12/2009 3:53:17 PM - System Checkpoint
RP176: 7/12/2009 3:53:17 PM - System Checkpoint
RP177: 7/12/2009 3:53:17 PM - System Checkpoint
RP178: 7/12/2009 3:53:17 PM - System Checkpoint
RP179: 7/12/2009 3:53:18 PM - System Checkpoint
RP180: 7/12/2009 3:53:18 PM - System Checkpoint
RP181: 7/12/2009 3:53:18 PM - System Checkpoint
RP182: 7/12/2009 3:53:18 PM - System Checkpoint
RP183: 7/12/2009 3:53:18 PM - System Checkpoint
RP184: 7/12/2009 3:53:19 PM - Software Distribution Service 3.0
RP185: 7/12/2009 3:53:19 PM - System Checkpoint
RP186: 7/12/2009 3:53:20 PM - System Checkpoint
RP187: 7/12/2009 3:53:20 PM - System Checkpoint
RP188: 7/12/2009 3:53:20 PM - System Checkpoint
RP189: 7/12/2009 3:53:20 PM - System Checkpoint
RP190: 7/12/2009 3:53:20 PM - System Checkpoint
RP191: 7/12/2009 3:53:21 PM - System Checkpoint
RP192: 7/12/2009 3:53:21 PM - System Checkpoint
RP193: 7/12/2009 3:53:21 PM - System Checkpoint
RP194: 7/12/2009 3:53:21 PM - System Checkpoint
RP195: 7/12/2009 3:53:22 PM - Software Distribution Service 3.0
RP196: 7/12/2009 3:53:22 PM - System Checkpoint
RP197: 7/12/2009 3:53:23 PM - System Checkpoint
RP198: 7/12/2009 3:53:24 PM - System Checkpoint
RP199: 7/12/2009 3:53:24 PM - System Checkpoint
RP200: 7/12/2009 3:53:25 PM - System Checkpoint
RP201: 7/12/2009 3:53:25 PM - System Checkpoint
RP202: 7/12/2009 3:53:25 PM - System Checkpoint
RP203: 7/12/2009 3:53:25 PM - System Checkpoint
RP204: 7/12/2009 3:53:26 PM - System Checkpoint
RP205: 7/12/2009 3:53:26 PM - System Checkpoint
RP206: 7/12/2009 3:53:26 PM - System Checkpoint
RP207: 7/12/2009 3:53:26 PM - Software Distribution Service 3.0
RP208: 7/12/2009 3:53:26 PM - System Checkpoint
RP209: 7/12/2009 3:53:27 PM - System Checkpoint
RP210: 7/12/2009 3:53:27 PM - System Checkpoint
RP211: 7/12/2009 3:53:27 PM - System Checkpoint
RP212: 7/12/2009 3:53:27 PM - System Checkpoint
RP213: 7/12/2009 3:53:28 PM - System Checkpoint
RP214: 7/12/2009 3:53:28 PM - System Checkpoint
RP215: 7/12/2009 3:53:34 PM - Installed iTunes
RP216: 7/12/2009 3:53:35 PM - Software Distribution Service 3.0
RP217: 7/12/2009 3:53:35 PM - System Checkpoint
RP218: 7/12/2009 3:53:35 PM - System Checkpoint
RP219: 7/12/2009 3:53:36 PM - System Checkpoint
RP220: 7/12/2009 3:53:36 PM - System Checkpoint
RP221: 7/12/2009 3:53:36 PM - Software Distribution Service 3.0
RP222: 7/12/2009 3:53:36 PM - System Checkpoint
RP223: 7/12/2009 3:58:23 PM - System Checkpoint
RP224: 7/12/2009 3:58:24 PM - System Checkpoint
RP225: 7/12/2009 3:58:24 PM - System Checkpoint
RP226: 7/12/2009 3:58:26 PM - System Checkpoint
RP227: 7/12/2009 3:58:27 PM - System Checkpoint
RP228: 7/12/2009 3:58:27 PM - System Checkpoint
RP229: 7/12/2009 3:58:28 PM - System Checkpoint
RP230: 7/16/2009 9:25:03 AM - Software Distribution Service 3.0
RP231: 7/18/2009 9:01:28 AM - System Checkpoint
RP232: 8/1/2009 11:29:51 AM - System Checkpoint
RP233: 8/7/2009 11:13:19 AM - System Checkpoint
RP234: 8/7/2009 8:59:27 PM - Uniblue RegistryBooster 2009
RP235: 8/9/2009 7:16:46 PM - System Checkpoint
RP236: 8/11/2009 7:46:56 AM - System Checkpoint
RP237: 8/13/2009 7:59:45 PM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.2
Adobe Shockwave Player 11
AOL Coach Version 2.0(Build:20041026.5 en)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
Atlantis (Free) (remove only)
Bejeweled 2 Deluxe
Blackhawk Striker 2
Blasterball 2 Revolution
Bluetooth Stack for Windows by Toshiba
Bonjour
CCScore
CD/DVD Drive Acoustic Silencer
Chuzzle Deluxe
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Desktop Dialer
DVD-RAM Driver
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
FATE
fflink
GemMaster Mystic
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Hidden Expedition: Titanic™
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iTunes
Java™ 6 Update 15
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
KODAK EASYSHARE Gallery Upload ActiveX Control
Kodak EasyShare software
Magic Tea (remove only)
Mah Jong Quest
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIWA
mLogView
mMHouse
MobileMe Control Panel
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
mZConfig
netbrdg
Network Magic
Office 2003 Trial Assistant
OfotoXMI
Otto
Peggle Deluxe
Penguins!
Picasa 3
Polar Bowler
Polar Golfer
Pure Networks Platform
QuickTime
RealArcade
RealPlayer Basic
Realtek High Definition Audio Driver
Rhapsody Player Engine
Safari
SCRABBLE
SD Secure Module
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SFR
SHASTA
skin0001
SKINXSDK
Sonic DLA
Sonic Encoders
Sonic RecordNow!
SpongeBob SquarePants - Lights, Camera, Pants!
staticcr
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
tooltips
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
Toshiba Media Center Game Console
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA TV Tuner 4.0.12.73
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
User Agent String Utility
VC 9.0 Runtime
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
VPRINTOL
WebFldrs XP
WildTangent Games
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB894553
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
WIRELESS
ZoneAlarm Anti-virus
Zuma Deluxe 1.0

==== Event Viewer Messages From Past Week ========

8/19/2009 4:28:02 PM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom0.
8/13/2009 6:55:00 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0018DEB3E793. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/13/2009 5:30:17 PM, error: LDMS [3023] - The Logical Disk Manager Service failed while registering for device handle notifications on device \\?\ide#cdrompioneer_dvd-rw__dvr-k16a________________1.63____#46_0444a364c303033365737204c202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}. Win32 Error: 1381.

==== End Of File ===========================

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:48 AM

Posted 22 August 2009 - 09:31 AM

Hello zippyshorts, welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.

I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right-hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper
Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 zippyshorts

zippyshorts
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:08:48 AM

Posted 22 August 2009 - 11:10 AM

here's the scan! thank you for your help! I hope we can resolve this soon . .

GMER 1.0.15.15077 [jr4qnf1s.exe] - http://www.gmer.net
Rootkit scan 2009-08-22 12:07:44
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8A1DE3B0 ZwEnumerateKey
Code 8A1DE2D8 ZwFlushInstructionCache
Code 8A1DE68E IofCallDriver
Code 8A1A7D7E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 8A1DE693
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 8A1A7D83
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 8A1DE3B4
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 8A1DE2DC
? system32\drivers\fczycc.sys The system cannot find the path specified. !
? system32\drivers\nuxs.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Julianna Marie\Desktop\jr4qnf1s.exe[120] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\WINDOWS\system32\svchost.exe[132] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0076000A
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\DVDRAMSV.exe[724] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007B000A
.text C:\WINDOWS\eHome\ehmsas.exe[796] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text ...
.text C:\Program Files\Internet Explorer\iexplore.exe[1732] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1732] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1732] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1732] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1732] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1732] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1732] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1732] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1732] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe[1804] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1888] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0077000A
.text C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe[2240] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe[2272] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\WINDOWS\AGRSMMSG.exe[2328] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [A936DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [A936D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [A936E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [A936BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [A936BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [A936DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [A936D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [A936E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [A936DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [A936BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [A936E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [A936D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A936E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A936D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A936DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A936BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A936DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A936D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A936E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [A936E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [A936D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [A936BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [A936DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [A9386B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [A936DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [A936BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [A936E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [A936D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [A93668D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [A9366A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [A93665E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [A9366980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleA] [7C8841EE] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleW] [7C8841F3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2172] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleA] [7C8841EE] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleW] [7C8841F3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2480] @ C:\WINDOWS\system32\Iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Cdfs \Cdfs A8E02400
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:2708] A786C1F0

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Documents and Settings\Julianna Marie\Desktop\jr4qnf1s.exe [120] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [132] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [196] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [248] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [300] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [512] 0x00960000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [620] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\DVDRAMSV.exe [724] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehmsas.exe [796] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [812] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehRecvr.exe [844] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [896] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [944] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [956] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe [1008] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [1024] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe [1040] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\RAMASST.exe [1172] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ c:\TOSHIBA\IVP\swupdate\swupdtmr.exe [1200] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1248] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\TPSBattM.exe [1316] 0x00A40000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [1360] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1440] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1464] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [1504] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe [1584] 0x003F0000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [1604] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1712] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [1732] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe [1804] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [1888] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1900] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1992] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe [2024] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\ehome\mcrdsvc.exe [2064] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2172] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe [2240] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [2248] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe [2272] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\AGRSMMSG.exe [2328] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2480] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [2552] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [2572] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Pure Networks\Network Magic\nmapp.exe [2684] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe [2796] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe [2812] 0x003F0000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3008] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe [3028] 0x00A40000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [3704] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [3864] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\ehome\ehtray.exe [3956] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiseqxtkbc.dll (*** hidden *** ) @ C:\WINDOWS\system32\dllhost.exe [4036] 0x10000000

---- EOF - GMER 1.0.15 ----

#6 zippyshorts

zippyshorts
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:48 AM

Posted 22 August 2009 - 11:17 AM

FYI:
I will be gone for 7 days starting tomorrow morning.
please do not delete (close) topic if we don't have a fix by morning.
thanks.

#7 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:48 AM

Posted 22 August 2009 - 12:19 PM

You're welcome. We'll see what we can do to get it cleared up; you just never know how long it will take, but sometimes it's fairly straightforward.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#8 zippyshorts

zippyshorts
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:48 AM

Posted 22 August 2009 - 02:19 PM

Here's the log from COMBOFIX


ComboFix 09-08-21.02 - Julianna Marie 08/22/2009 14:42.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.810 [GMT -4:00]
Running from: c:\documents and settings\Julianna Marie\Desktop\ComboFix.exe
AV: ZoneAlarm Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-3868997124-911790988-508925577-500
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\236763.msp
c:\windows\Installer\5fd3ee9f.msp
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\drivers\hjgruiwferdiph.sys
c:\windows\system32\hjgruilmkmsiol.dll
c:\windows\system32\hjgruirsbqaete.dat
c:\windows\system32\hjgruiseqxtkbc.dll
c:\windows\system32\hjgruiwroklpdl.dll
c:\windows\system32\hjgruixcekuybu.dat
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiyqdtunbe
-------\Legacy_hjgruiyqdtunbe


((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-21 16:05 . 2009-08-21 16:05 127872 ----a-w- c:\documents and settings\Julianna Marie\Application Data\Move Networks\uninstall.exe
2009-08-19 13:46 . 2009-08-19 13:46 -------- d-----w- c:\program files\Coupons
2009-08-13 21:34 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 01:07 . 2009-08-10 01:07 -------- d-----w- c:\documents and settings\Julianna Marie\Application Data\Otto
2009-08-10 01:07 . 2009-08-10 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Otto
2009-08-08 01:49 . 2009-08-08 11:44 -------- d-----w- c:\documents and settings\Julianna Marie\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 18:55 . 2007-01-29 17:02 3921692 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-22 18:55 . 2007-01-29 17:02 350481184 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-22 18:24 . 2007-01-29 16:57 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-21 16:05 . 2008-03-10 23:42 -------- d-----w- c:\documents and settings\Julianna Marie\Application Data\Move Networks
2009-08-21 16:05 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Julianna Marie\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-08-20 23:51 . 2009-08-20 23:52 401408 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2009-08-20 16:18 . 2008-08-25 12:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 11:04 . 2009-08-12 11:21 920576 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-08-12 11:04 . 2009-08-12 11:21 3432448 ----a-w- c:\windows\Internet Logs\xDB14.tmp
2009-08-08 01:12 . 2007-03-01 14:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\yahoo!
2009-08-07 01:54 . 2009-07-28 11:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-07 01:54 . 2006-02-16 09:28 -------- d-----w- c:\program files\Java
2009-08-07 01:53 . 2009-08-07 01:53 152576 ----a-w- c:\documents and settings\Julianna Marie\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-07 01:50 . 2009-03-18 20:58 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-07 00:57 . 2009-02-13 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-07 00:57 . 2009-02-13 21:29 -------- d-----w- c:\program files\NOS
2009-08-06 20:48 . 2009-08-06 20:48 -------- d-----w- c:\program files\THQ
2009-08-06 20:48 . 2006-02-15 16:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2006-02-15 14:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:41 . 2009-08-04 21:41 687104 ----a-w- c:\windows\is-BESLF.exe
2009-08-04 12:44 . 2009-08-04 12:44 2855 ----a-w- c:\windows\system32\desot.PIF
2009-08-03 17:36 . 2008-08-25 12:21 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-08-25 12:21 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 14:28 . 2009-08-03 14:33 3334656 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2009-08-03 12:17 . 2007-03-08 23:04 14647178 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-08-03 02:40 . 2007-07-22 15:58 -------- d-----w- c:\program files\FlashGet
2009-08-03 02:11 . 2009-08-03 02:23 2699776 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-08-03 02:06 . 2009-08-03 02:06 35633 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_08_02_21_27_45_small.dmp.zip
2009-08-01 15:01 . 2008-12-24 13:31 -------- d-----w- c:\program files\Safari
2009-08-01 14:56 . 2007-12-19 14:19 -------- d-----w- c:\program files\iTunes
2009-08-01 14:56 . 2009-08-01 14:56 -------- d-----w- c:\program files\iPod
2009-08-01 14:56 . 2007-12-19 14:16 -------- d-----w- c:\program files\Common Files\Apple
2009-08-01 14:50 . 2009-08-01 14:50 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-28 11:02 . 2006-05-13 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-22 23:57 . 2006-02-18 15:56 -------- d-----w- c:\program files\Google
2009-07-17 19:01 . 2006-02-15 14:02 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2006-02-15 14:05 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2006-02-15 14:04 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-15 14:02 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-15 14:02 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 20:14 . 2006-02-16 10:39 -------- d-----w- c:\program files\Microsoft Works
2009-06-18 11:42 . 2009-06-18 11:43 2336256 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-06-16 14:36 . 2006-02-15 14:04 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-02-15 14:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Julianna Marie\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-12 12:31 . 2006-02-15 14:04 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-02-15 14:04 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-02-15 14:02 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2006-02-15 15:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2006-02-15 14:04 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-05-01 14:46 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2007-12-19 14:17 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2006-02-15 14:03 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-05-28 23:15 . 2008-05-28 23:15 0 ----a-w- c:\program files\temp01
2007-07-15 22:57 . 2007-07-15 22:57 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-22 23:24 . 2008-02-22 23:24 1098 c:\program files\FlashGet\bak\fgbhocfg.ini
2007-07-22 15:59 . 2007-07-22 15:59 1098 c:\program files\FlashGet\fgbhocfg.ini

2008-02-22 23:24 . 2008-08-12 00:09 673 c:\program files\FlashGet\bak\fgres1.ini
2007-07-22 15:59 . 2008-01-30 22:49 684 c:\program files\FlashGet\fgres1.ini

2008-02-22 23:24 . 2009-02-09 00:52 20 c:\program files\FlashGet\bak\FGUpdate1.ini
2007-07-22 15:59 . 2008-01-29 16:58 20 c:\program files\FlashGet\FGUpdate1.ini

2008-02-22 23:24 . 2008-08-12 11:19 20 c:\program files\FlashGet\bak\FGUpdate2.ini
2007-07-22 15:59 . 2008-01-29 16:58 20 c:\program files\FlashGet\FGUpdate2.ini

2008-02-22 23:24 . 2009-02-09 00:52 275 c:\program files\FlashGet\bak\FGUpdate3.ini
2007-07-22 15:59 . 2008-01-29 16:58 275 c:\program files\FlashGet\FGUpdate3.ini

2008-12-26 15:11 . 2008-12-26 15:11 0 c:\program files\FlashGet\bak\FlashGet-000A94CD.dmp

2008-12-26 15:11 . 2008-12-26 15:11 715 c:\program files\FlashGet\bak\FlashGet-000A94CD.rpt

2008-12-26 15:11 . 2008-12-26 15:11 0 c:\program files\FlashGet\bak\FlashGet-000AFFFA.dmp

2008-12-26 15:11 . 2008-12-26 15:11 715 c:\program files\FlashGet\bak\FlashGet-000AFFFA.rpt

2008-12-26 15:11 . 2008-12-26 15:11 0 c:\program files\FlashGet\bak\FlashGet-000B51A4.dmp

2008-12-26 15:11 . 2008-12-26 15:11 715 c:\program files\FlashGet\bak\FlashGet-000B51A4.rpt

2008-12-26 22:42 . 2008-12-26 22:42 0 c:\program files\FlashGet\bak\FlashGet-00101D00.dmp

2008-12-26 22:42 . 2008-12-26 22:42 715 c:\program files\FlashGet\bak\FlashGet-00101D00.rpt

2008-03-11 22:20 . 2008-03-11 22:20 0 c:\program files\FlashGet\bak\FlashGet-001CCC40.dmp

2008-03-11 22:20 . 2008-03-11 22:20 715 c:\program files\FlashGet\bak\FlashGet-001CCC40.rpt

2008-03-11 22:23 . 2008-03-11 22:23 0 c:\program files\FlashGet\bak\FlashGet-001F6C01.dmp

2008-03-11 22:23 . 2008-03-11 22:23 715 c:\program files\FlashGet\bak\FlashGet-001F6C01.rpt

2008-03-13 15:19 . 2008-03-13 15:19 0 c:\program files\FlashGet\bak\FlashGet-08AD4BBB.dmp

2008-03-13 15:19 . 2008-03-13 15:19 714 c:\program files\FlashGet\bak\FlashGet-08AD4BBB.rpt

2008-02-23 16:06 . 2008-02-23 16:06 0 c:\program files\FlashGet\bak\FlashGet-0E09CB1B.dmp

2008-02-23 16:06 . 2008-02-23 16:06 714 c:\program files\FlashGet\bak\FlashGet-0E09CB1B.rpt

2008-02-23 16:06 . 2008-02-23 16:06 0 c:\program files\FlashGet\bak\FlashGet-0E0A048A.dmp

2008-02-23 16:06 . 2008-02-23 16:06 714 c:\program files\FlashGet\bak\FlashGet-0E0A048A.rpt

2008-02-23 20:38 . 2008-02-23 20:38 0 c:\program files\FlashGet\bak\FlashGet-0E0A9EC7.dmp

2008-02-23 20:38 . 2008-02-23 20:38 714 c:\program files\FlashGet\bak\FlashGet-0E0A9EC7.rpt

2008-02-28 13:46 . 2008-02-28 13:46 0 c:\program files\FlashGet\bak\FlashGet-0E94A38A.dmp

2008-02-28 13:46 . 2008-02-28 13:46 714 c:\program files\FlashGet\bak\FlashGet-0E94A38A.rpt

2008-02-28 13:47 . 2008-02-28 13:47 0 c:\program files\FlashGet\bak\FlashGet-0E950707.dmp

2008-02-28 13:47 . 2008-02-28 13:47 714 c:\program files\FlashGet\bak\FlashGet-0E950707.rpt

2008-02-28 15:22 . 2008-02-28 15:22 0 c:\program files\FlashGet\bak\FlashGet-0E9626B0.dmp

2008-02-28 15:22 . 2008-02-28 15:22 714 c:\program files\FlashGet\bak\FlashGet-0E9626B0.rpt

2008-02-28 17:12 . 2008-02-28 17:12 0 c:\program files\FlashGet\bak\FlashGet-0F514BFD.dmp

2008-02-28 17:12 . 2008-02-28 17:12 714 c:\program files\FlashGet\bak\FlashGet-0F514BFD.rpt

2008-02-28 17:56 . 2008-02-28 17:56 0 c:\program files\FlashGet\bak\FlashGet-0F51762A.dmp

2008-02-28 17:56 . 2008-02-28 17:56 714 c:\program files\FlashGet\bak\FlashGet-0F51762A.rpt

2008-02-28 21:11 . 2008-02-28 21:11 0 c:\program files\FlashGet\bak\FlashGet-0F7B4123.dmp

2008-02-28 21:11 . 2008-02-28 21:11 714 c:\program files\FlashGet\bak\FlashGet-0F7B4123.rpt

2008-03-10 23:42 . 2008-03-10 23:42 0 c:\program files\FlashGet\bak\FlashGet-0F9357B4.dmp

2008-03-10 23:42 . 2008-03-10 23:42 714 c:\program files\FlashGet\bak\FlashGet-0F9357B4.rpt

2008-02-28 22:55 . 2008-02-28 22:55 0 c:\program files\FlashGet\bak\FlashGet-102BBDED.dmp

2008-02-28 22:55 . 2008-02-28 22:55 714 c:\program files\FlashGet\bak\FlashGet-102BBDED.rpt

2008-02-29 01:41 . 2008-02-29 01:41 0 c:\program files\FlashGet\bak\FlashGet-10B237B5.dmp

2008-02-29 01:41 . 2008-02-29 01:41 714 c:\program files\FlashGet\bak\FlashGet-10B237B5.rpt

2008-03-04 22:45 . 2008-03-04 22:45 0 c:\program files\FlashGet\bak\FlashGet-111FA188.dmp

2008-03-04 22:45 . 2008-03-04 22:45 714 c:\program files\FlashGet\bak\FlashGet-111FA188.rpt

2008-03-17 15:26 . 2008-03-17 15:26 0 c:\program files\FlashGet\bak\FlashGet-1D4C52D3.dmp

2008-03-17 15:26 . 2008-03-17 15:26 714 c:\program files\FlashGet\bak\FlashGet-1D4C52D3.rpt

2008-03-17 15:26 . 2008-03-17 15:26 0 c:\program files\FlashGet\bak\FlashGet-1D4CA97E.dmp

2008-03-17 15:26 . 2008-03-17 15:26 714 c:\program files\FlashGet\bak\FlashGet-1D4CA97E.rpt

2008-03-07 15:44 . 2008-03-07 15:44 0 c:\program files\FlashGet\bak\FlashGet-1F11D239.dmp

2008-03-07 15:44 . 2008-03-07 15:44 714 c:\program files\FlashGet\bak\FlashGet-1F11D239.rpt

2008-02-22 23:24 . 2008-08-08 18:38 8961 c:\program files\FlashGet\bak\FlashGet_LOGO.gif
2007-10-05 21:53 . 2008-01-18 19:37 22619 c:\program files\FlashGet\FlashGet_LOGO.gif

2008-02-05 13:47 . 2008-02-05 13:47 117 c:\program files\FlashGet\bak\Config\BITS.ini

2008-10-22 23:01 . 2008-12-26 22:57 5189 c:\program files\FlashGet\bak\Config\DHTTable.dat

2008-10-22 22:46 . 2008-12-26 22:54 184 c:\program files\FlashGet\bak\Config\UPnP.ini

2008-02-05 13:47 . 2009-08-03 02:40 2931 c:\program files\FlashGet\bak\FGMule\config\core.cfg

2008-02-05 19:04 . 2008-12-27 01:51 1221 c:\program files\FlashGet\bak\FGMule\config\core.ed2k.svr

2008-02-05 13:47 . 2009-08-03 01:17 37 c:\program files\FlashGet\bak\FGMule\config\FGEMCORE.cfg

2008-02-05 19:04 . 2009-08-03 02:40 704 c:\program files\FlashGet\bak\FGMule\log\stat.db

2008-10-22 22:46 . 2008-10-12 09:32 14468 c:\program files\FlashGet\bak\Torrent\prono.torrent

2008-10-22 22:47 . 2008-10-22 23:38 390 c:\program files\FlashGet\bak\Torrent\prono.torrent.bits

2008-10-22 22:46 . 2008-10-22 23:38 291 c:\program files\FlashGet\bak\Torrent\prono.torrent.filelist

2008-10-22 23:38 . 2008-10-22 23:38 347 c:\program files\FlashGet\bak\Torrent\prono.torrent.seeds

2008-10-22 23:38 . 2008-10-22 23:38 0 c:\program files\FlashGet\bak\Torrent\prono.torrent.~tmp

2008-12-17 17:02 . 2008-11-06 21:49 56785 c:\program files\FlashGet\bak\Torrent\Transsiberian[2008]DvDrip-aXXo.torrent

2008-12-17 17:02 . 2008-12-19 23:04 1098 c:\program files\FlashGet\bak\Torrent\Transsiberian[2008]DvDrip-aXXo.torrent.bits

2008-12-17 17:02 . 2008-12-19 23:04 613 c:\program files\FlashGet\bak\Torrent\Transsiberian[2008]DvDrip-aXXo.torrent.filelist

2005-11-28 19:41 . 2005-11-28 19:41 602182 c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe

2005-12-05 20:37 . 2005-12-05 20:37 667718 c:\program files\Intel\Wireless\Bin\bak\ZCfgSvc.exe

2007-12-11 17:10 . 2007-12-11 17:10 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-07-13 18:03 . 2009-07-13 18:03 292128 c:\program files\iTunes\iTunesHelper.exe

2006-11-01 08:04 . 2006-11-01 08:04 321088 c:\program files\Pure Networks\Network Magic\bak\nmapp.exe
2008-01-18 14:32 . 2008-01-18 14:32 451896 c:\program files\Pure Networks\Network Magic\nmapp.exe

2007-12-11 15:56 . 2007-12-11 15:56 286720 c:\program files\QuickTime\bak\QTTask.exe
2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe

2006-02-26 10:29 . 2005-12-16 08:32 761945 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

2006-02-26 10:29 . 2005-12-16 08:34 82009 c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe

2006-02-15 16:25 . 2006-01-05 22:02 352256 c:\program files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe

2006-02-16 09:27 . 2005-04-27 00:13 122880 c:\program files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe

2006-02-15 16:41 . 2005-11-30 20:25 73728 c:\program files\TOSHIBA\Tvs\bak\TvsTray.exe

2006-02-16 09:19 . 2005-03-18 01:37 151552 c:\toshiba\IVP\ISM\bak\pinger.exe

2006-02-16 17:03 . 2005-08-05 21:56 64512 c:\windows\ehome\bak\ehtray.exe
2006-02-16 17:03 . 2005-08-05 21:56 64512 c:\windows\ehome\ehtray.exe

2006-02-15 14:04 . 2004-08-10 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2006-02-15 14:04 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2006-02-18 15:57 . 2005-11-28 05:52 77824 c:\windows\system32\bak\hkcmd.exe

2006-02-18 15:57 . 2005-11-28 05:55 118784 c:\windows\system32\bak\igfxpers.exe

2006-02-18 15:57 . 2005-11-28 05:55 98304 c:\windows\system32\bak\igfxtray.exe

2006-02-16 10:18 . 2005-10-06 13:20 122940 c:\windows\system32\DLA\bak\DLACTRLW.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-22 39408]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 451896]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 451896]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-03-31 982408]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-05 122368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-07 149280]
"TFncKy"="TFncKy.exe" [N/A]
"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Julianna Marie^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Julianna Marie\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pure Networks\\Network Magic\\WebServer\\bin\\nmraapache.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service

S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-08-22 c:\windows\Tasks\ZoneAlarm Security.job
- c:\progra~1\ZONELA~1\ZONEAL~1\zlclient.exe [2008-04-29 23:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371420.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 14:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1584)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
c:\program files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
c:\program files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
c:\program files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
c:\program files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
c:\program files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\TPSBattM.exe
.
**************************************************************************
.
Completion time: 2009-08-22 15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 19:13

Pre-Run: 111,774,031,872 bytes free
Post-Run: 114,753,925,120 bytes free

375 --- E O F --- 2009-08-13 23:18

#9 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:48 AM

Posted 22 August 2009 - 03:12 PM

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ... button. In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories: Viruses, Worms, Trojan Horses, Rootkits; Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area): Archives; Mail databases
    By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

#10 zippyshorts

zippyshorts
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:48 AM

Posted 22 August 2009 - 09:16 PM

I will post scan results soon and I will be bringing my computer with me so we can continue without interruption of 7 days! Thanks again so much.
Z

#11 zippyshorts

zippyshorts
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:48 AM

Posted 22 August 2009 - 09:41 PM

Here's the KAS scan.
Finally!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, August 22, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, August 22, 2009 22:43:19
Records in database: 2678514
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 114856
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:02:48


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_hjgruiwferdiph_.sys.zip Infected: Trojan.Win32.TDSS.amep 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruilmkmsiol.dll.vir Infected: Trojan.Win32.Tdss.anex 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiseqxtkbc.dll.vir Infected: Trojan.Win32.Agent.crez 1

Selected area has been scanned.

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:07:48 AM

Posted 23 August 2009 - 10:32 AM

You're welcome.

Those are quarantined items which will be removed when we uninstall ComboFix, so there's nothing to be concerned about.

How is your computer running now and can you tell me what happened with installing the Recovery Console when you were installing ComboFix?

#13 zippyshorts

zippyshorts
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Female
  • Local time:08:48 AM

Posted 23 August 2009 - 11:42 AM

My computer's running real good (so far) (I've had little chance to use it due to travel). My search is no longer hijacked! I don't know that it installed recovery console. I just saw the message that this computer didn't have it and then on the log that recovery console was not installed (?) I really don't know what's up with that.
Thanks again, I think I want to go to BC training!! lol
What's next??

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:07:48 AM

Posted 23 August 2009 - 12:21 PM

Looks to me like you are good to go. :thumbup2:

If you are interested in the BC school here's the LINK giving you the information on it. I know it is limited and you have to keep checking because there are more applicants than coaches available to teach them.


We will now uninstall ComboFix:

Go to Start > Run - type in ComboFix /u (case insensitive) >>OK


You can also delete GMER from your Desktop now.
Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally, this is very important. It is absolutely essential to keep all of your security programs up to date
If you have any other questions or issues feel free to ask as I will be checking back on this topic.
Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. :)


thewall
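The Internet Explorer ActiveX settings and the SpywareBlaster kill bits described in the post above both live in the registry, so they can be audited rather than just clicked through once. The following is an added PowerShell example, not part of thewall's post or of any tool it names: it reads the Internet zone's three ActiveX values and reports whether each is at least as strict as recommended, and it checks whether a given control's CLSID carries the kill bit. The registry paths, value names (1001, 1004, 1201 under Zones\3) and their data meanings (0 Enable, 1 Prompt, 3 Disable; Compatibility Flags 0x400 for the kill bit) are Internet Explorer's standard layout; the function names and the placeholder CLSID are assumptions of mine. It changes nothing.

```powershell
# Added example (not from the original post): read-only audit of the Internet
# Explorer "Internet" zone ActiveX settings recommended above, plus a check for
# whether a given ActiveX control has its kill bit set (what SpywareBlaster sets).
# Assumed registry layout (Internet Explorer's standard one): Zones\3 is the
# Internet zone; values 1001 / 1004 / 1201 are the three ActiveX options named
# in the post; data 0 = Enable, 1 = Prompt, 3 = Disable. Function names are mine.

$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended settings from the post: downloads -> Prompt (1), unsafe init/script -> Disable (3)
$Recommended = @(
    @{ Value = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Value = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 1 },
    @{ Value = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEActiveXFindings {
    # Returns one object per setting; Ok is $true when the setting is at least as strict as recommended.
    param([string]$ZonePath = $InternetZone)

    if (-not (Test-Path $ZonePath)) {
        throw "Zone key not found: $ZonePath"
    }
    $zone = Get-ItemProperty -Path $ZonePath

    foreach ($setting in $Recommended) {
        $actual = $zone.($setting.Value)
        if ($null -eq $actual) {
            # A missing value means IE falls back to the zone template default, so flag it for review.
            [pscustomobject]@{ Setting = $setting.Name; Actual = 'not set'; Recommended = $Labels[$setting.Want]; Ok = $false }
            continue
        }
        $actual = [int]$actual
        $label = if ($Labels.ContainsKey($actual)) { $Labels[$actual] } else { "unknown ($actual)" }
        # Higher data values are stricter (0 Enable < 1 Prompt < 3 Disable).
        [pscustomobject]@{
            Setting     = $setting.Name
            Actual      = $label
            Recommended = $Labels[$setting.Want]
            Ok          = ($actual -ge $setting.Want)
        }
    }
}

function Test-ActiveXKillBit {
    # $true when the control's CLSID carries the 0x400 kill bit in "Compatibility Flags",
    # which stops Internet Explorer from loading that control at all.
    param([Parameter(Mandatory = $true)][string]$Clsid)

    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (([int]$flags -band 0x400) -ne 0)
}

# Usage: list the three settings with their current and recommended levels
Get-IEActiveXFindings | Format-Table -AutoSize

# Placeholder CLSID (constructed, not a real control); substitute the CLSID you want to check
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Run it in the user's own session, since the zone settings are stored per user under HKCU; if a domain or local policy pins the zone settings machine-wide, the same value names appear under the HKLM copy of the Zones key and that is the one to read instead.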

#15 zippyshorts

zippyshorts
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Female
  • Local time:08:48 AM

Posted 23 August 2009 - 04:34 PM

To TheWall:
Thank you so much for helping me with this! My computer is running very well and I installed Recovery Console before removing Combo Fix.
So Bleeping Computer has another success story today.
Many many thanks!!!
Z
