
Malware issue


  • This topic is locked
24 replies to this topic

#1 jbudowski


Posted 08 February 2010 - 05:12 PM

ZoneAlarm found a Trojan and cleaned it, but I still have windows popping up. Below are the DDS and GMER logs. Please help. Thanks.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-08 17:10:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Jim\LOCALS~1\Temp\pgdoapob.sys


---- System - GMER 1.0.15 ----


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----


---- Disk sectors - GMER 1.0.15 ----


---- EOF - GMER 1.0.15 ----


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jim at 16:51:21.17 on Mon 02/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1229 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\DOWNLO~1\Manager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Temporary Internet Files\Content.IE5\G4LT3RKS\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [pasesuhim] Rundll32.exe "c:\windows\system32\zodogupe.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir8d204.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262539076796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: robejaku.dll c:\windows\system32\zodogupe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: paloyalif - {389a116e-3708-4ea0-ab55-8ecab0f73ed4} - c:\windows\system32\zodogupe.dll
STS: tokatiluy: {389a116e-3708-4ea0-ab55-8ecab0f73ed4} - c:\windows\system32\zodogupe.dll
LSA: Notification Packages = scecli mofebese.dll

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-9 128016]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-15 486280]
S0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys --> c:\windows\system32\drivers\sonyhcb.sys [?]
S3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [2005-8-28 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [2005-8-28 19456]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys --> c:\windows\system32\drivers\sonyhcs.sys [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2007-1-21 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2007-1-21 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2007-1-21 19904]

=============== Created Last 30 ================

2010-02-08 12:36:42 0 d-----w- c:\program files\Garmin GPS Plugin
2010-02-01 15:03:14 0 d-----w- c:\program files\jZip
2010-01-18 17:31:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky SDK

==================== Find3M ====================

2010-02-08 21:37:38 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-20 19:35:15 952 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-01-04 17:02:32 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-04 17:02:32 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-03 16:35:01 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-11-11 14:17:26 30276 ---ha-w- c:\windows\system32\mlfcache.dat
2002-07-26 22:02:06 153088 ----a-w- c:\program files\UNWISE.EXE
1601-01-01 00:03:28 51720 --sha-w- c:\windows\system32\kamileva.exe
2009-10-28 15:30:57 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\mofebese.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\robejaku.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\tubakile.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\weziroze.dll
1601-01-01 00:03:28 93184 --sha-w- c:\windows\system32\zodogupe.dll

============= FINISH: 16:54:19.28 ===============
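
A triage script over the DDS output above, added here as an example and not part of the thread: it parses the Find3M file lines, flags the markers visible in this log (a 1601-01-01 timestamp, hidden+system attributes, an eight-letter name sitting directly in system32) and cross-references the flagged files with the AppInit_DLLs, SSODL and LSA Notification Packages entries. The sample lines are copied from the log; the heuristics and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the DDS output above: three persistence
# entries from the "Pseudo HJT Report" and a few "Find3M" file lines.
SAMPLE_DDS = r"""
AppInit_DLLs: robejaku.dll c:\windows\system32\zodogupe.dll
SSODL: paloyalif - {389a116e-3708-4ea0-ab55-8ecab0f73ed4} - c:\windows\system32\zodogupe.dll
LSA: Notification Packages = scecli mofebese.dll
2010-02-08 21:37:38 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-04 17:02:32 96512 ------w- c:\windows\system32\drivers\atapi.sys
1601-01-01 00:03:28 51720 --sha-w- c:\windows\system32\kamileva.exe
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\mofebese.dll
1601-01-01 00:03:28 93184 --sha-w- c:\windows\system32\zodogupe.dll
"""

# A DDS file line is "<date> <time> <size> <attrs> <path>". The attribute
# field has one letter per set attribute ('s' system, 'h' hidden, 'a' archive,
# 'w' writable) and '-' for each unset one.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Persistence points that load a DLL into every process, into LSASS or into
# the shell; DDS prefixes them with these tags.
PERSIST_TAGS = ("AppInit_DLLs:", "LSA: Notification Packages", "SSODL:", "STS:")
DLL_RE = re.compile(r"\w+\.dll", re.IGNORECASE)


def suspicious_file_reasons(date, attrs, path):
    """Return the heuristics a Find3M line trips (empty list = nothing odd)."""
    reasons = []
    # 1601-01-01 is a zero FILETIME: the timestamp was wiped or forged.
    if date.startswith("1601-"):
        reasons.append("zeroed timestamp (1601-01-01)")
    # System+hidden on a loose PE file is rare for legitimate Windows files.
    low = path.lower()
    if "s" in attrs and "h" in attrs and low.endswith((".dll", ".exe", ".sys")):
        reasons.append("hidden+system PE file")
    # Eight lowercase letters straight into system32 (no vendor subfolder)
    # matches the randomly named files in this log.
    parent, name = low.rsplit("\\", 1)
    if re.fullmatch(r"[a-z]{8}\.(dll|exe)", name) and parent.endswith("\\system32"):
        reasons.append("random-looking 8-letter name directly in system32")
    return reasons


def persistence_dlls(line):
    """DLL base names referenced by a persistence entry, or [] if not one."""
    if not line.startswith(PERSIST_TAGS):
        return []
    return [m.group(0).lower() for m in DLL_RE.finditer(line)]


def triage(dds_text):
    """Map each flagged file name to its reasons; a DLL pulled in by a
    persistence point gets that noted as well, so a flagged file that is
    also loaded globally stands out as corroborated."""
    findings = defaultdict(list)
    referenced = defaultdict(list)  # dll name -> persistence tags naming it
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            reasons = suspicious_file_reasons(m["date"], m["attrs"], m["path"])
            if reasons:
                findings[m["path"].lower().rsplit("\\", 1)[-1]].extend(reasons)
            continue
        for dll in persistence_dlls(line):
            referenced[dll].append(line.split(":", 1)[0])
    for dll, tags in referenced.items():
        findings[dll].append("loaded via " + ", ".join(tags))
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_DDS).items()):
        print(name, "->", "; ".join(reasons))
```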




#2 jbudowski


Posted 10 February 2010 - 07:39 AM

Is there anything else I need to do to get someone to review? Thanks.

#3 jbudowski


Posted 10 February 2010 - 11:26 AM

I've found mizuyoha.dll, which I believe is an issue.


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 12 February 2010 - 02:24 PM.


#4 pwgib

  • Malware Response Team

Posted 15 February 2010 - 11:43 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#5 jbudowski


Posted 17 February 2010 - 02:54 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-17 14:51:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Jim\LOCALS~1\Temp\pgdoapob.sys


---- System - GMER 1.0.15 ----


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.15 ----


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jim at 8:16:23.06 on Wed 02/17/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1400 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jim\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {369f0e9c-23c7-4c9c-beec-1f18509c0879} - zifewiba.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [pasesuhim] Rundll32.exe "c:\windows\system32\zojetiru.dll",a
mRun: [foyigabati] Rundll32.exe "lawireyo.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir8d204.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262539076796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {71AD6595-48F6-438E-877E-DA9538DC4D7A} = 83.149.115.157,4.2.2.1,192.168.1.1
TCP: {D341929C-E5D4-44CF-9A9D-2034E550D504} = 83.149.115.157,4.2.2.1
AppInit_DLLs: lawireyo.dll c:\windows\system32\mizuyoha.dll c:\windows\system32\zojetiru.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: hutowiyog - {3941437a-6c2b-4b49-aa59-d8d408071f42} - c:\windows\system32\mizuyoha.dll
SSODL: fifoyekav - {f9766744-3992-4f21-a105-7ae01057daaa} - c:\windows\system32\zojetiru.dll
STS: kupuhivus: {3941437a-6c2b-4b49-aa59-d8d408071f42} - c:\windows\system32\mizuyoha.dll
STS: gahurihor: {f9766744-3992-4f21-a105-7ae01057daaa} - c:\windows\system32\zojetiru.dll
LSA: Notification Packages = scecli zifewiba.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\p1wfwac6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-9 128016]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-15 486280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-8 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys --> c:\windows\system32\drivers\sonyhcb.sys [?]
S3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [2005-8-28 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [2005-8-28 19456]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys --> c:\windows\system32\drivers\sonyhcs.sys [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2007-1-21 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2007-1-21 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2007-1-21 19904]

=============== Created Last 30 ================

2010-02-17 12:45:28 0 d-----w- C:\Internet Files
2010-02-17 12:23:15 93696 ----a-w- c:\windows\system32\zojetiru.dll
2010-02-17 12:23:15 45568 ----a-w- c:\windows\system32\matizava.dll
2010-02-10 17:28:15 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-10 17:28:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-10 13:08:07 51720 ----a-w- c:\program files\adb9_32.exe
2010-02-08 12:36:42 0 d-----w- c:\program files\Garmin GPS Plugin
2010-02-01 15:03:14 0 d-----w- c:\program files\jZip
2010-01-18 17:31:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky SDK

==================== Find3M ====================

2010-02-17 12:37:16 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-20 19:35:15 952 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-01-04 17:02:32 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-04 17:02:32 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-03 16:35:01 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2002-07-26 22:02:06 153088 ----a-w- c:\program files\UNWISE.EXE
1601-01-01 00:03:28 51720 --sha-w- c:\windows\system32\dusatalo.exe
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\fuhubuga.dll
1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\gamibuyo.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\hakurevi.dll
1601-01-01 00:03:28 45568 --sha-w- c:\windows\system32\hobokuzu.dll
1601-01-01 00:03:28 51720 --sha-w- c:\windows\system32\kamileva.exe
2009-10-28 15:30:57 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\lawireyo.dll
1601-01-01 00:03:28 51720 --sha-w- c:\windows\system32\nomajuzu.exe
1601-01-01 00:03:28 53760 --sha-w- c:\windows\system32\norozuse.dll
1601-01-01 00:03:28 66560 --sha-w- c:\windows\system32\numuligi.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\tubakile.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\vebikosi.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\vonibusa.dll
1601-01-01 00:03:28 51720 --sha-w- c:\windows\system32\woyobizi.exe
1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\zifewiba.dll
1601-01-01 00:03:28 93184 --sha-w- c:\windows\system32\zodogupe.dll

============= FINISH: 8:17:38.84 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/18/2005 2:44:32 PM
System Uptime: 2/17/2010 8:03:54 AM (0 hours ago)

Motherboard: Dell Inc. | | 0C5668
Processor: Intel® Pentium® M processor 2.00GHz | Microprocessor | 1995/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 89 GiB total, 14.05 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ROOT\SCSIADAPTER\0000
Manufacturer:
Name:
PNP Device ID: ROOT\SCSIADAPTER\0000
Service:

==== System Restore Points ===================

RP357: 11/23/2009 11:23:08 AM - System Checkpoint
RP358: 11/30/2009 10:41:16 AM - System Checkpoint
RP359: 12/7/2009 11:47:26 AM - System Checkpoint
RP360: 12/7/2009 2:28:30 PM - Installed WinZip 14.0
RP361: 12/14/2009 11:11:45 AM - System Checkpoint
RP362: 12/16/2009 2:29:13 PM - System Checkpoint
RP363: 1/3/2010 9:25:26 AM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP364: 1/3/2010 11:07:55 AM - Removed iS3 STOPzilla Toolbar
RP365: 1/3/2010 12:08:34 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP366: 1/3/2010 12:11:12 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP367: 1/3/2010 12:13:02 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP368: 1/3/2010 12:24:04 PM - Software Distribution Service 3.0
RP369: 1/4/2010 8:48:14 AM - OTL Restore Point
RP370: 1/4/2010 9:23:39 AM - OTL Restore Point
RP371: 1/4/2010 11:13:35 AM - OTL Restore Point
RP372: 1/20/2010 11:26:03 AM - System Checkpoint
RP373: 1/25/2010 11:53:39 AM - System Checkpoint
RP374: 1/27/2010 11:45:53 AM - System Checkpoint
RP375: 2/1/2010 9:49:06 AM - Removed WinZip 14.0
RP376: 2/3/2010 2:44:02 PM - System Checkpoint
RP377: 2/8/2010 12:57:22 PM - System Checkpoint
RP378: 2/10/2010 12:09:16 PM - Installed Windows XP KB915865.
RP379: 2/10/2010 12:10:26 PM - Installed Windows NLSDownlevelMapping.
RP380: 2/10/2010 12:11:07 PM - Installed Windows IDNMitigationAPIs.
RP381: 2/10/2010 12:11:35 PM - Installed Windows Internet Explorer 7.

==== Installed Programs ======================

3GP Player 2009
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player 11.5
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
ArcSoft Software Suite
Banctec Service Agreement
Bluetooth Stack for Windows by Toshiba
Bonjour
Broadcom Management Programs 2
C-Major Audio
Cakewalk VST Adapter 4.4.4.0
Canon CanoScan 4400F User Registration
Canon CanoScan Toolbox 5.0
CanoScan 4400F
CCleaner
Color Efex Pro 3.0 Corel Sampler
Conexant D110 MDC V.9x Modem
Corel MediaOne
Corel Paint Shop Pro Photo X2
Corel Painter Photo Essentials 4
Critical Update for Windows Media Player 11 (KB959772)
Dell Support 3.1
Dell System Restore
Digital Line Detect
DreamStation DXi2
Free M4a to MP3 Converter 6.1
FTP Commander
Garmin City Navigator North America NT 2009.11 Update
Garmin City Navigator North America NT 2010.20
Garmin City Navigator North America NT 2010.40
Garmin Communicator Plugin
Garmin USB Drivers
Garmin WebUpdater
Google Earth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hoyle Casino 2006 (remove only)
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
ImageSkill Background Remover 3
Intel® PROSet/Wireless Software
Internal Network Card Power Management
Internet Explorer Default Page
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 12
Java™ 6 Update 7
jZip
Macromedia Flash Player
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office Live Meeting 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
MobileMe Control Panel
Modem Helper
MotionDV STUDIO 5.6E LE for DV
Mozilla Firefox (3.6)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
mToolkit
mWlsSafe
mWMI
My Memories Suite 1.1.2
My Way Search Assistant
mZConfig
NetWaiting
NVIDIA Drivers
Photodex Presenter
PHOTORECOVERY LE
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Presto! PageManager 7.15.14
ProShow Gold
Quick Movie Magic 1.0E
QuickSet
QuickTime
RealPlayer Basic
Roxio RecordNow Data
ScanSoft OmniPage SE 4.0
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SONAR Home Studio 4
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic Update Manager
Sony DVD Architect Studio 3.0
Sony Vegas Movie Studio Platinum 6.0
SpiceMASTER 2.5 TFX for Vegas
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
US-122L / US-144 driver
VC 9.0 Runtime
Viewpoint Media Player
Virtual Sound Canvas DXi
WebFldrs XP
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
ZoneAlarm Security Suite

==== Event Viewer Messages From Past Week ========

2/17/2010 8:06:50 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a74d020, parameter3 8a74d194, parameter4 805c8c8a.
2/10/2010 9:23:25 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/10/2010 6:15:14 PM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
2/10/2010 2:08:57 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
2/10/2010 12:58:57 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a79dda0, parameter3 8a79df14, parameter4 805c8c8a.
2/10/2010 12:52:21 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'bu_tosave.rdb' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
2/10/2010 10:36:07 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
2/10/2010 1:50:35 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a750370, parameter3 8a7504e4, parameter4 805c8c8a.
2/10/2010 1:20:15 PM, error: System Error [1003] - Error code 1000000a, parameter1 c79d6000, parameter2 00000002, parameter3 00000000, parameter4 8055f47b.
2/10/2010 1:20:02 PM, error: Service Control Manager [7034] - The TrueVector Internet Monitor service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================




#6 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country
  • Local time:08:45 AM

Posted 18 February 2010 - 07:07 PM

Hello jbudowski

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see, the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training, all of my responses have to be reviewed by our excellent expert staff, so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right-click any programs we use and choose Run as Administrator.

Before we begin, please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#7 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country
  • Local time:08:45 AM

Posted 20 February 2010 - 05:33 AM

Hello jbudowski,

I see you have Viewpoint Media Player and My Way Search Assistant installed.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I also see you are using the My Way Search Assistant.

My Way is usually preinstalled on Dell computers and is generally considered foistware/adware, as it is installed without the user's consent and sends back information on browsing habits without the user's knowledge. See here and here.

QUOTE
Adware.MyWay is a toolbar and may be installed bundled in with screensaver installers. It installs on all user accounts without the user's consent and does not provide a functional uninstaller. Adware.MyWay also collects keywords from searches in the toolbar.


I suggest you remove both programs now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player and My Way Search Assistant.

Step 1.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy
Step 2.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Step 3.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

In your next reply please include the following:

MBAM log
ComboFix.txt

Thanks!!
PW

#8 jbudowski

jbudowski
  • Topic Starter

  • Members
  • 17 posts
  • Local time:10:45 AM

Posted 21 February 2010 - 08:16 AM

Malwarebytes' Anti-Malware 1.44
Database version: 3766
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/21/2010 7:48:17 AM
mbam-log-2010-02-21 (07-48-03).txt

Scan type: Quick Scan
Objects scanned: 122085
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ComboFix 10-02-20.04 - Jim 02/21/2010 7:50.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1602 [GMT -5:00]
Running from: c:\documents and settings\Jim\My Documents\Downloads\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Tasks\nqqtfnue.job

----- BITS: Possible infected sites -----

hxxp://85.12.18.119
.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-21 11:36 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-02-21 11:36 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-02-20 11:10 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 11:10 . 2010-02-20 11:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 11:10 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 12:45 . 2010-02-17 12:45 -------- d-----w- C:\Internet Files
2010-02-10 17:28 . 2010-02-20 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 17:24 . 2010-02-10 17:24 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Mozilla
2010-02-10 12:40 . 2010-02-20 13:53 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\vodwab
2010-02-08 12:36 . 2010-02-08 12:36 -------- d-----w- c:\program files\Garmin GPS Plugin
2010-02-01 15:10 . 2010-02-01 15:11 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\jZip
2010-02-01 15:03 . 2010-02-01 15:04 -------- d-----w- c:\program files\jZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 12:37 . 2005-08-12 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-21 12:31 . 2007-07-30 23:36 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-20 11:55 . 2005-08-19 00:14 36208 ----a-w- c:\documents and settings\Jim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-17 20:16 . 2010-02-17 20:24 6647808 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2010-02-17 20:16 . 2010-02-17 20:24 224768 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2010-02-10 23:32 . 2008-09-27 11:31 13797728 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-10 18:15 . 2010-02-10 18:17 76800 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2010-02-10 18:15 . 2010-02-10 18:17 6578176 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2010-02-10 16:50 . 2010-02-10 16:51 6533120 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2010-02-10 16:50 . 2010-02-10 16:51 42496 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2010-02-10 16:31 . 2010-02-10 16:32 1810944 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2010-02-08 22:29 . 2009-03-19 14:36 -------- d-----w- c:\documents and settings\Jim\Application Data\Download Manager
2010-02-08 13:46 . 2008-11-19 13:57 -------- d-----w- c:\documents and settings\Jim\Application Data\GARMIN
2010-02-08 13:25 . 2009-03-19 14:33 -------- d-----w- c:\program files\Garmin
2010-01-20 19:35 . 2009-01-08 15:30 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-20 19:35 . 2009-01-08 15:30 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-18 17:31 . 2010-01-18 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2010-01-04 17:02 . 2004-08-04 03:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-03 16:35 . 2010-01-03 16:34 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-03 15:54 . 2010-01-03 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-03 14:25 . 2010-01-03 14:25 -------- d-----w- c:\program files\Common Files\iS3
2010-01-03 13:20 . 2010-01-03 13:21 421888 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2009-12-16 00:03 . 2009-12-16 19:01 2692608 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2009-12-16 00:03 . 2009-12-16 19:01 6042624 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2002-07-26 22:02 . 2005-11-25 17:45 153088 ----a-w- c:\program files\UNWISE.EXE
2009-10-28 15:30 . 2009-01-08 16:37 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-01 4636672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys --> c:\windows\system32\DRIVERS\sonyhcb.sys [?]
S3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [8/28/2005 5:55 PM 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [8/28/2005 5:55 PM 19456]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys --> c:\windows\system32\DRIVERS\sonyhcs.sys [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [1/21/2007 11:32 AM 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [1/21/2007 11:32 AM 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [1/21/2007 11:32 AM 19904]
.
Contents of the 'Scheduled Tasks' folder

2008-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\p1wfwac6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{369f0e9c-23c7-4c9c-beec-1f18509c0879} - zifewiba.dll
SharedTaskScheduler-{3941437a-6c2b-4b49-aa59-d8d408071f42} - (no file)
SharedTaskScheduler-{f9766744-3992-4f21-a105-7ae01057daaa} - (no file)
SharedTaskScheduler-{69d3872a-8766-4a6b-aff7-4722b24e5a4f} - (no file)
SSODL-hutowiyog-{3941437a-6c2b-4b49-aa59-d8d408071f42} - (no file)
SSODL-fifoyekav-{f9766744-3992-4f21-a105-7ae01057daaa} - (no file)
SSODL-firegokug-{69d3872a-8766-4a6b-aff7-4722b24e5a4f} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 07:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1772)
c:\windows\system32\WININET.dll
c:\program files\Zone Labs\ZoneAlarm\MailFrontier\mlfhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-02-21 08:06:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 13:06

Pre-Run: 21,068,718,080 bytes free
Post-Run: 20,901,793,792 bytes free

- - End Of File - - B727523F92BC49002B6B87745E3300BC





#9 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country
  • Local time:08:45 AM

Posted 21 February 2010 - 10:22 PM

Hello jbudowski,

Do you use this IP address located in The Netherlands? EuroAccess Network Operations
85.12.18.119

Step 1.

We need to have a file checked.
  1. Click on this link--> virustotal

     Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

     c:\windows\system32\drivers\kgpcpy.cfg

     If the file has been analyzed before, click the Reanalyse File Now button.
     Please copy and paste the results of the scan in your next post.

Step 2.

We need to run a Combofix Script

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
  3. Open Notepad and copy/paste the text in the codebox below into it:

CODE
Folder::
c:\documents and settings\Jim\Local Settings\Application Data\vodwab
c:\documents and settings\All Users\Application Data\Kaspersky SDK

Domains::
Trusted Zone: turbotax.com

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program, please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
     ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
     1. Click on to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

IP information
VirusTotal scan results
combofix.txt
ESET results

How is your computer running? Any problems/questions?

Thanks!!!
PW

#10 jbudowski

jbudowski
  • Topic Starter

  • Members
  • 17 posts
  • Local time:10:45 AM

Posted 22 February 2010 - 10:06 AM

I don't use that IP in the Netherlands.
The logs are all below.
I was able to look in the forums and clean a bunch of stuff up before your last two suggestions. That definitely sped up my computer. I am having issues with IE; it would load a blank page or hang. I uninstalled and reinstalled both IE7 and IE8 with no luck. I'm currently using Firefox. I also notice that my screen looks like a lower resolution and in some windows it looks as if graphics or applets are missing. Things are definitely much better, as far as performance goes.



Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.22 -
AhnLab-V3 5.0.0.2 2010.02.22 -
AntiVir 8.2.1.172 2010.02.22 -
Antiy-AVL 2.0.3.7 2010.02.22 -
Authentium 5.2.0.5 2010.02.21 -
Avast 4.8.1351.0 2010.02.22 -
AVG 9.0.0.730 2010.02.22 -
BitDefender 7.2 2010.02.22 -
CAT-QuickHeal 10.00 2010.02.22 -
ClamAV 0.96.0.0-git 2010.02.22 -
Comodo 4023 2010.02.22 -
DrWeb 5.0.1.12222 2010.02.22 -
eSafe 7.0.17.0 2010.02.21 -
eTrust-Vet 35.2.7315 2010.02.20 -
F-Prot 4.5.1.85 2010.02.21 -
F-Secure 9.0.15370.0 2010.02.22 -
GData 19 2010.02.22 -
Ikarus T3.1.1.80.0 2010.02.22 -
Jiangmin 13.0.900 2010.02.22 -
K7AntiVirus 7.10.979 2010.02.20 -
Kaspersky 7.0.0.125 2010.02.22 -
McAfee 5899 2010.02.21 -
McAfee+Artemis 5899 2010.02.21 -
McAfee-GW-Edition 6.8.5 2010.02.22 -
Microsoft 1.5406 2010.02.22 -
NOD32 4886 2010.02.22 -
Norman 6.04.08 2010.02.21 -
nProtect 2009.1.8.0 2010.02.22 -
Panda 10.0.2.2 2010.02.21 -
PCTools 7.0.3.5 2010.02.22 -
Prevx 3.0 2010.02.22 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.22 -
Sunbelt 5692 2010.02.22 -
Symantec 20091.2.0.41 2010.02.22 -
TheHacker 6.5.1.6.204 2010.02.22 -
TrendMicro 9.120.0.1004 2010.02.22 -
VBA32 3.12.12.2 2010.02.21 -
ViRobot 2010.2.22.2196 2010.02.22 -
VirusBuster 5.0.27.0 2010.02.21 -
Additional information
File size: 744 bytes
MD5...: 9b06051cfb6e7dca8a8b5b5f86d13243
SHA1..: 2698d979a5c2368d4b0dd7f533f868e14e373514
SHA256: b51c3b5ce8d6a017317e2708366e17cec7d94279afedb2f9d849ca91d8cf9098
ssdeep: 12:lnTgDkUojBFWjbGh6NW2DHXgDkUou8JsuS/hnSnWb5jElv6YRgjUx8+psXW/nYkS:1OoNcGh0h3OoX9SJSnWbCYYR18FGvTdc
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


ComboFix 10-02-21.02 - Jim 02/22/2010 7:50.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1631 [GMT -5:00]
Running from: c:\documents and settings\Jim\My Documents\Downloads\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-21 11:36 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-02-21 11:36 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-02-20 11:10 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 11:10 . 2010-02-20 11:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 11:10 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 12:45 . 2010-02-17 12:45 -------- d-----w- C:\Internet Files
2010-02-10 17:28 . 2010-02-20 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 17:24 . 2010-02-10 17:24 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Mozilla
2010-02-10 12:40 . 2010-02-20 13:53 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\vodwab
2010-02-08 12:36 . 2010-02-08 12:36 -------- d-----w- c:\program files\Garmin GPS Plugin
2010-02-01 15:10 . 2010-02-01 15:11 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\jZip
2010-02-01 15:03 . 2010-02-01 15:04 -------- d-----w- c:\program files\jZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 12:43 . 2007-07-30 23:36 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-21 12:37 . 2005-08-12 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-20 11:55 . 2005-08-19 00:14 36208 ----a-w- c:\documents and settings\Jim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-17 20:16 . 2010-02-17 20:24 6647808 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2010-02-17 20:16 . 2010-02-17 20:24 224768 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2010-02-10 23:32 . 2008-09-27 11:31 13797728 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-10 18:15 . 2010-02-10 18:17 76800 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2010-02-10 18:15 . 2010-02-10 18:17 6578176 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2010-02-10 16:50 . 2010-02-10 16:51 6533120 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2010-02-10 16:50 . 2010-02-10 16:51 42496 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2010-02-10 16:31 . 2010-02-10 16:32 1810944 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2010-02-08 22:29 . 2009-03-19 14:36 -------- d-----w- c:\documents and settings\Jim\Application Data\Download Manager
2010-02-08 13:46 . 2008-11-19 13:57 -------- d-----w- c:\documents and settings\Jim\Application Data\GARMIN
2010-02-08 13:25 . 2009-03-19 14:33 -------- d-----w- c:\program files\Garmin
2010-01-20 19:35 . 2009-01-08 15:30 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-20 19:35 . 2009-01-08 15:30 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-18 17:31 . 2010-01-18 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2010-01-04 17:02 . 2004-08-04 03:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-03 16:35 . 2010-01-03 16:34 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-03 15:54 . 2010-01-03 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-03 14:25 . 2010-01-03 14:25 -------- d-----w- c:\program files\Common Files\iS3
2010-01-03 13:20 . 2010-01-03 13:21 421888 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2009-12-16 00:03 . 2009-12-16 19:01 2692608 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2009-12-16 00:03 . 2009-12-16 19:01 6042624 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2002-07-26 22:02 . 2005-11-25 17:45 153088 ----a-w- c:\program files\UNWISE.EXE
2009-10-28 15:30 . 2009-01-08 16:37 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-01 4636672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys --> c:\windows\system32\DRIVERS\sonyhcb.sys [?]
S3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [8/28/2005 5:55 PM 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [8/28/2005 5:55 PM 19456]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys --> c:\windows\system32\DRIVERS\sonyhcs.sys [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [1/21/2007 11:32 AM 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [1/21/2007 11:32 AM 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [1/21/2007 11:32 AM 19904]
.
Contents of the 'Scheduled Tasks' folder

2008-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\p1wfwac6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 07:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(884)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-22 07:59:32
ComboFix-quarantined-files.txt 2010-02-22 12:59
ComboFix2.txt 2010-02-21 13:06

Pre-Run: 20,640,575,488 bytes free
Post-Run: 20,656,254,976 bytes free

- - End Of File - - 07D98E35D26D5FAFAAADFC0E0291B542


Nothing was found during the ESET Scan.



#11 pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 22 February 2010 - 04:50 PM

Hello jbudowski,

QUOTE
I was able to look in the forums and clean a bunch of stuff up before your last two suggestions.

From my post #6
QUOTE
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.


The CFScript did not run. Let's try again. Please make sure Combofix is saved to the desktop.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad by going to Start | Run and typing notepad. Copy/paste the text in the codebox below into it:

Please Do Not include the word "Code".

CODE
Folder::
c:\documents and settings\Jim\Local Settings\Application Data\vodwab
c:\documents and settings\All Users\Application Data\Kaspersky SDK

Domains::
Trusted Zone: turbotax.com

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe.




Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply please include the following:

ComboFix.txt



Thanks!!
PW

#12 jbudowski

  • Topic Starter
  • Members
  • 17 posts

Posted 24 February 2010 - 08:42 AM

ComboFix 10-02-23.04 - Jim 02/24/2010 8:19.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1540 [GMT -5:00]
Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jim\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Kaspersky SDK
c:\documents and settings\All Users\Application Data\Kaspersky SDK\storage51F.dat
c:\documents and settings\Jim\Local Settings\Application Data\vodwab

.
((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-24 12:40 . 2007-02-12 16:41 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-02-24 12:40 . 2007-02-12 16:40 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-02-22 20:54 . 2010-02-22 21:07 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-02-22 20:52 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-02-22 20:52 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-02-22 20:50 . 2005-07-26 04:39 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2010-02-21 11:36 . 2009-12-22 05:35 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-20 11:10 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 11:10 . 2010-02-20 11:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 11:10 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 12:45 . 2010-02-17 12:45 -------- d-----w- C:\Internet Files
2010-02-10 17:28 . 2010-02-20 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 17:24 . 2010-02-10 17:24 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Mozilla
2010-02-08 12:36 . 2010-02-08 12:36 -------- d-----w- c:\program files\Garmin GPS Plugin
2010-02-01 15:10 . 2010-02-01 15:11 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\jZip
2010-02-01 15:03 . 2010-02-01 15:04 -------- d-----w- c:\program files\jZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 13:10 . 2007-07-30 23:36 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-24 12:41 . 2009-11-11 19:39 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-02-21 12:37 . 2005-08-12 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-20 11:55 . 2005-08-19 00:14 36208 ----a-w- c:\documents and settings\Jim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-17 20:16 . 2010-02-17 20:24 6647808 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2010-02-17 20:16 . 2010-02-17 20:24 224768 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2010-02-10 23:32 . 2008-09-27 11:31 13797728 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-10 18:15 . 2010-02-10 18:17 76800 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2010-02-10 18:15 . 2010-02-10 18:17 6578176 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2010-02-10 16:50 . 2010-02-10 16:51 6533120 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2010-02-10 16:50 . 2010-02-10 16:51 42496 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2010-02-10 16:31 . 2010-02-10 16:32 1810944 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2010-02-08 22:29 . 2009-03-19 14:36 -------- d-----w- c:\documents and settings\Jim\Application Data\Download Manager
2010-02-08 13:46 . 2008-11-19 13:57 -------- d-----w- c:\documents and settings\Jim\Application Data\GARMIN
2010-02-08 13:25 . 2009-03-19 14:33 -------- d-----w- c:\program files\Garmin
2010-01-20 19:35 . 2009-01-08 15:30 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-20 19:35 . 2009-01-08 15:30 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-03 16:35 . 2010-01-03 16:34 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-03 15:54 . 2010-01-03 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-03 14:25 . 2010-01-03 14:25 -------- d-----w- c:\program files\Common Files\iS3
2010-01-03 13:20 . 2010-01-03 13:21 421888 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2009-12-31 16:14 . 2008-05-24 10:44 352640 ------w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:35 . 2004-08-11 22:00 668672 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 12:58 . 2004-08-11 22:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 00:03 . 2009-12-16 19:01 2692608 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2009-12-16 00:03 . 2009-12-16 19:01 6042624 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2009-12-14 07:35 . 2008-05-24 10:44 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-04 14:41 . 2008-05-24 10:44 453760 ------w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-11 22:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-11 22:00 28672 ------w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-11 22:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-18 03:36 8704 ------w- c:\windows\system32\tsbyuv.dll
2002-07-26 22:02 . 2005-11-25 17:45 153088 ----a-w- c:\program files\UNWISE.EXE
2009-10-28 15:30 . 2009-01-08 16:37 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-01 4636672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys --> c:\windows\system32\DRIVERS\sonyhcb.sys [?]
S3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [8/28/2005 5:55 PM 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [8/28/2005 5:55 PM 19456]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys --> c:\windows\system32\DRIVERS\sonyhcs.sys [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [1/21/2007 11:32 AM 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [1/21/2007 11:32 AM 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [1/21/2007 11:32 AM 19904]
.
Contents of the 'Scheduled Tasks' folder

2008-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
IE: {{9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldietool.com/redirect.php
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\p1wfwac6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
Notify-dimsntfy - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 08:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1932)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-02-24 08:38:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-24 13:38
ComboFix2.txt 2010-02-21 13:06

Pre-Run: 19,373,699,072 bytes free
Post-Run: 19,323,539,456 bytes free

- - End Of File - - 8F258EE9277E87BDB8F18066F202C0AB


#13 pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 25 February 2010 - 05:20 PM

Hello jbudowski,

Do you have Zone Alarm Firewall disabled on purpose?

Step 1.

I see you have Download Manager installed.
This Program corresponds to a program that is either malware, installs malware, or is bundled with malware
http://www.bleepingcomputer.com/uninstall/...ad-Manager.html

Please navigate to c:\documents and settings\Jim\Application Data\Download Manager and delete that folder.

Step 2.

Your Adobe Reader is out of date. Please go here to update.
http://get.adobe.com/reader/

Step 3.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Step 4.

Please go to Start | Control Panel | Network Connections
  • Open Network Connections
  • Right click your default connection.
  • Click on Properties
Under the General tab in the Local Area Connection Properties Window
  • Double Click Internet Protocol (TCP/IP)
  • Click the two radio buttons that say
    • Obtain an IP address automatically
    • Obtain DNS server address automatically
  • Click OK
  • Click OK

Step 5.

I need to see another DDS log
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

How is your computer running? Any problems?

Thanks!!
PW

#14 jbudowski

jbudowski
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 27 February 2010 - 07:49 AM

I had ZoneAlarm On-access Scanning off because of performance issues, I have since turned it back on.

I was already getting IP and DNS automatically.

Java and Adobe have been updated.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Jim at 7:43:45.46 on Sat 02/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1483 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jim\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir8d204.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262539076796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\p1wfwac6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-9 128016]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-15 486280]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys --> c:\windows\system32\drivers\sonyhcb.sys [?]
S3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [2005-8-28 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [2005-8-28 19456]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys --> c:\windows\system32\drivers\sonyhcs.sys [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2007-1-21 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2007-1-21 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2007-1-21 19904]

=============== Created Last 30 ================

2010-02-27 12:34:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-24 18:40:27 0 dc-h--w- c:\windows\ie8
2010-02-24 14:03:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky SDK
2010-02-24 12:40:21 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-02-24 12:40:21 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-02-22 20:54:54 0 d-----w- c:\windows\system32\CatRoot_bak
2010-02-22 20:52:47 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-02-22 20:52:47 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-02-22 20:50:56 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2010-02-21 12:49:17 98816 ----a-w- c:\windows\sed.exe
2010-02-21 12:49:17 77312 ----a-w- c:\windows\MBR.exe
2010-02-21 12:49:17 261632 ----a-w- c:\windows\PEV.exe
2010-02-21 12:49:17 161792 ----a-w- c:\windows\SWREG.exe
2010-02-20 11:10:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 11:10:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 11:10:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 14:24:10 3566 ----a-w- c:\windows\system32\iecavp
2010-02-17 12:45:28 0 d-----w- C:\Internet Files
2010-02-10 17:28:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-08 12:36:42 0 d-----w- c:\program files\Garmin GPS Plugin
2010-02-01 15:03:14 0 d-----w- c:\program files\jZip

==================== Find3M ====================

2010-02-27 12:34:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-27 12:12:31 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-24 12:41:59 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-20 19:35:15 952 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-01-03 16:35:01 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\dllcache\srv.sys
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:35:10 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:35:05 55808 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-12-22 05:35:05 1054208 ----a-w- c:\windows\system32\dllcache\danim.dll
2009-12-22 05:35:04 151040 ----a-w- c:\windows\system32\dllcache\cdfview.dll
2009-12-22 05:35:04 1024000 ----a-w- c:\windows\system32\dllcache\browseui.dll
2009-12-16 13:35:58 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 08:59:48 474112 ----a-w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:55 453760 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys
2002-07-26 22:02:06 153088 ----a-w- c:\program files\UNWISE.EXE
2009-10-28 15:30:57 952 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 7:45:37.45 ===============





#15 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:08:45 AM

Posted 28 February 2010 - 02:54 PM

Hello jbudowski,

Step 1.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\iecavp

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Step 2.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:
CODE
DDS::
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88}
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}

File::
c:\windows\system32\drivers\kl1.sys
c:\docume~1\alluse~1\applic~1\Kaspersky SDK

Driver::
kl1


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note:

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

In your next reply please include the following:

Jotti Scan report
ComboFix.txt


Thanks!!
PW
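An added example, not code from this thread or from the DDS/ComboFix tools, showing how the log lines posted above map onto the CFScript layout used in Step 2 (DDS::, File::, Driver::). The sample lines are copied from the DDS log in this thread; the orphaned toolbar GUIDs are picked up automatically, while which driver and folder count as suspect is passed in by the analyst rather than decided by the code, and the extensionless-file heuristic is this example's own.

```python
import re

# Constructed subset of the DDS log lines posted earlier in this thread.
DDS_SAMPLE = r"""
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-9 128016]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-15 486280]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
2010-02-24 14:03:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky SDK
2010-02-17 14:24:10 3566 ----a-w- c:\windows\system32\iecavp
"""

# Toolbar entries whose DLL is gone, service/driver lines, "Created Last 30" lines.
ORPHAN_TB = re.compile(r"^TB: (\{[0-9A-Fa-f-]{36}\}) - No File$")
DRIVER = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.*?)(?: --> .*)?(?: \[[^\]]*\])?$")
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) (?P<attr>[-a-z]{8}) (?P<path>.+)$")


def parse_dds(text):
    """Collect the DDS items a CFScript can refer to."""
    found = {"orphan_tb": [], "drivers": {}, "created": []}
    for line in text.splitlines():
        line = line.strip()
        if m := ORPHAN_TB.match(line):
            found["orphan_tb"].append(m.group(1))
        elif m := DRIVER.match(line):
            found["drivers"][m.group("name")] = m.group("path")   # path without the [date size] tail
        elif m := CREATED.match(line):
            found["created"].append((int(m.group("size")), m.group("attr"), m.group("path")))
    return found


def extensionless_files(found):
    """Example's own triage heuristic: recently created regular files with no extension (like iecavp)."""
    return [p for _, attr, p in found["created"]
            if attr.startswith("-") and "." not in p.rsplit("\\", 1)[-1]]


def build_cfscript(found, suspect_drivers=(), extra_files=()):
    """Emit a CFScript in the DDS::/File::/Driver:: layout; suspect drivers/paths are the analyst's call."""
    files = [found["drivers"][d] for d in suspect_drivers if d in found["drivers"]]
    files += list(extra_files)
    sections = [("DDS::", ["TB: " + g for g in found["orphan_tb"]]),
                ("File::", files),
                ("Driver::", list(suspect_drivers))]
    out = []
    for header, items in sections:
        if items:                     # skip empty sections entirely
            out += [header, *items, ""]
    return "\n".join(out)
```

Calling `build_cfscript(parse_dds(DDS_SAMPLE), suspect_drivers=("kl1",), extra_files=(r"c:\docume~1\alluse~1\applic~1\Kaspersky SDK",))` reproduces the script pasted in Step 2 above.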



