
Redirect virus and windows web security 2010 virus


This topic is locked
35 replies to this topic

#1 Heavenlyp (Members, 36 posts)

Posted 19 March 2010 - 11:48 AM

Hi,
I cannot go to my Yahoo mail account or I will be redirected to an Internet Explorer 8 pop-up. In general, when I click on a link I am redirected to all sorts of random sites.
I have tried Hitman 3.5 freeware, Panda Cloud Antivirus, Spybot S&D, IObit Security 360, Malwarebytes free edition and McAfee removal software; a few worms and low-level threats were quarantined, but they did not stop the redirecting and freezing of the system.
I installed Firefox because I thought it was only an IE problem, but my system infected Firefox also.
I am only able to download and run DDS and GMER in Safe Mode with Networking because normal mode freezes and reloads all the time.
Pop-up stating Internet Explorer .... "0x00000000" memory cannot be read
Pop-up stating Firefox ....... "0x00000000" memory cannot be written.


Here is DDS in Safe Mode with networking.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Owner at 13:47:15.51 on Thu 03/18/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.103 [GMT -7:00]

AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 3.00\cactusspamfilter.exe" -minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} - hxxp://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\album_a\view\plugin\HPODPCFC.CAB
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\p4l7tjec.default\
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-16 486280]
S1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2009-10-13 114312]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-3-16 311568]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
S2 NanoServiceMain;NanoServiceMain;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2009-10-30 136448]
S2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2009-10-30 146952]
S2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2009-10-13 95880]
S2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2009-10-13 101512]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2010-03-18 20:35:03 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-03-17 18:41:18 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-17 18:40:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-03-17 18:40:11 0 d-----w- c:\program files\Hitman Pro 3.5
2010-03-17 09:07:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 06:18:00 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-03-17 06:17:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 06:17:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-17 06:17:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 06:17:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 06:15:31 0 d-----w- c:\program files\Free Security Manager
2010-03-17 05:16:18 0 d-----w- c:\docume~1\owner\applic~1\CheckPoint
2010-03-17 05:15:51 0 d-----w- c:\program files\CheckPoint
2010-03-17 05:15:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-17 05:15:24 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-03-17 05:15:24 0 d-----w- c:\windows\system32\ZoneLabs
2010-03-17 05:15:21 422437 ----a-w- c:\windows\system32\vsconfig.xml
2010-03-17 05:15:20 0 d-----w- c:\program files\Zone Labs
2010-03-17 05:12:33 0 d-----w- c:\windows\Internet Logs
2010-03-17 04:11:41 0 d-----w- c:\docume~1\owner\applic~1\Panda Security
2010-03-17 04:05:23 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-03-17 04:04:39 0 d-----w- c:\program files\Panda Security
2010-03-17 04:04:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2010-03-17 03:40:37 0 d-----w- c:\docume~1\owner\applic~1\Grisoft
2010-03-17 01:32:13 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-03-17 01:32:01 0 d-----w- c:\program files\IObit
2010-03-17 01:30:55 186368 ----a-w- C:\LSPFix.exe
2010-03-16 02:55:02 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-16 02:02:56 882 ----a-w- c:\windows\RegSDImport.xml
2010-03-16 02:02:56 880 ----a-w- c:\windows\RegISSImport.xml
2010-03-16 02:02:55 131 ----a-w- c:\windows\IDB.zip
2010-03-16 02:02:54 1152444 ----a-w- c:\windows\UDB.zip
2010-03-16 01:48:31 0 d-----w- c:\program files\common files\PC Tools
2010-03-16 01:48:24 0 d-----w- c:\program files\Spyware Doctor
2010-03-16 01:46:40 0 ----a-w- c:\documents and settings\owner\;;
2010-03-16 00:12:29 0 d-----w- c:\windows\system32\NtmsData
2010-03-10 04:27:38 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 06:08:45 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cabe85cf2ca8be.mof

==================== Find3M ====================

2010-03-16 06:01:58 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-20 21:16:59 176572 -c--a-w- c:\windows\hpwins19.dat

============= FINISH: 13:48:42.14 ===============

Edited by Heavenlyp, 19 March 2010 - 11:51 AM.
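A DDS report like the one above is normally read by eye. The script below is an added example, not part of the original post and not code from the DDS tool: it splits a DDS-style report into its "=== Section ===" blocks and applies two of the checks a helper makes on such a log. First, it lists files from the Find3M section (modified within three months) that changed within a short window before the scan but do not appear in "Created Last 30", meaning an existing file was rewritten in place rather than a new tool being installed, and pulls out the kernel drivers under system32\drivers from that list. Second, it lists running processes that DDS printed without an absolute path. The sample lines are copied from the report above (constructed excerpt); the 14-day window, the function names and the use of the section titles as dictionary keys are this example's own. A hit is a prompt to verify the file against a known-good copy (signature, hash), not a verdict about infection.

```python
"""Triage helper for DDS-style reports (added example, not from this thread
or from the DDS tool).

Checks applied:
  * Find3M entries changed within `days` of the scan that are absent from
    'Created Last 30': an existing file rewritten in place; kernel drivers
    under system32\\drivers are pulled out of that list separately.
  * 'Running Processes' entries listed without a drive-letter path.
A hit means "verify this file by hand", not "this file is malicious".
The 14-day window is this example's own assumption.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the DDS report posted above.
SAMPLE_DDS = """\
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Owner at 13:47:15.51 on Thu 03/18/2010

============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
svchost.exe
C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
C:\\WINDOWS\\explorer.exe

=============== Created Last 30 ================

2010-03-17 18:41:18 15944 ----a-w- c:\\windows\\system32\\drivers\\hitmanpro35.sys
2010-03-17 06:17:35 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys

==================== Find3M ====================

2010-03-16 06:01:58 96512 ----a-w- c:\\windows\\system32\\drivers\\atapi.sys
2010-01-05 10:00:29 832512 ----a-w- c:\\windows\\system32\\wininet.dll

============= FINISH: 13:48:42.14 ===============
"""

SECTION = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
RUN_LINE = re.compile(
    r"^Run by .* at (?P<t>\d{2}:\d{2}:\d{2})\S* on \w{3} (?P<d>\d{2}/\d{2}/\d{4})$")
FILE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attr>[-a-zA-Z]+)\s+(?P<path>.+)$")


def scan_time(text):
    """Scan timestamp from the 'Run by <user> at HH:MM:SS.ff on Ddd MM/DD/YYYY' header."""
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            return datetime.strptime(f"{m['d']} {m['t']}", "%m/%d/%Y %H:%M:%S")
    raise ValueError("no 'Run by ... on ...' header found")


def parse_dds(text):
    """Return {section name: [non-empty lines]} for each '=== name ===' block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m["name"]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def file_entries(lines):
    """Parse 'YYYY-MM-DD HH:MM:SS size attrs path' lines; paths are lower-cased."""
    entries = []
    for line in lines:
        m = FILE_LINE.match(line)
        if m:
            entries.append({
                "mtime": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "size": int(m["size"]),
                "attr": m["attr"],
                "path": m["path"].lower(),
            })
    return entries


def modified_in_place(sections, scan, days=14):
    """Find3M paths changed within `days` of the scan that are not newly created files."""
    created = {e["path"] for e in file_entries(sections.get("Created Last 30", []))}
    cutoff = scan - timedelta(days=days)
    return [e["path"] for e in file_entries(sections.get("Find3M", []))
            if e["mtime"] >= cutoff and e["path"] not in created]


def recently_modified_drivers(sections, scan, days=14):
    """Subset of modified_in_place() that are kernel drivers (*.sys under \\drivers\\)."""
    return [p for p in modified_in_place(sections, scan, days)
            if "\\drivers\\" in p and p.endswith(".sys")]


def pathless_processes(sections):
    """Running-process entries with no drive-letter path; resolve these by hand."""
    return [p for p in sections.get("Running Processes", [])
            if not re.match(r"^[a-zA-Z]:\\", p)]


def triage(text, days=14):
    """Run every check over one report and return the findings as a dict."""
    sections = parse_dds(text)
    scan = scan_time(text)
    return {
        "scan_time": scan,
        "rewritten_files": modified_in_place(sections, scan, days),
        "rewritten_drivers": recently_modified_drivers(sections, scan, days),
        "pathless_processes": pathless_processes(sections),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Against the sample, `rewritten_drivers` contains only atapi.sys: hitmanpro35.sys and mbam.sys are excluded because they also appear in Created Last 30 (new installs), and wininet.dll falls outside the 14-day window. `pathless_processes` returns the bare `svchost.exe` entry. Both lists are starting points for verification, not conclusions.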



#2 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 20 March 2010 - 08:59 AM

Hi Heavenlyp,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved yet, please update me about the current condition of your computer. Also provide new logs if anything has changed or you have run new tools. Otherwise the logs are sufficient and we can start cleaning.

#3 Heavenlyp (Topic Starter, Members, 36 posts)

Posted 20 March 2010 - 04:47 PM

Farbar,
I am able to go to my email now in Safe Mode, but the redirect is still occurring and normal mode is still freezing. I agree not to download, update, scan or install anything unless you tell me to do so.
Thank you

#4 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 20 March 2010 - 05:45 PM

We are going to run ComboFix. We prefer to run it in normal mode, but if the system freezes in normal mode you may run it in Safe Mode with Networking; when it reboots the computer, let it reboot to normal mode and wait until it opens the log. Don't forget to disable your antivirus and ZoneAlarm before running ComboFix. You may enable them after ComboFix has produced its log. Run ComboFix just once.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#5 Heavenlyp (Topic Starter, Members, 36 posts)

Posted 20 March 2010 - 09:26 PM

I ran ComboFix in Safe Mode with Networking. It has been an hour since ComboFix rebooted into normal mode and the log report has not been prepared yet. What should I do?

#6 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 20 March 2010 - 09:27 PM

Is the ComboFix window open?

#7 Heavenlyp (Topic Starter, Members, 36 posts)

Posted 20 March 2010 - 09:40 PM

Yes it is.

#8 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 20 March 2010 - 09:41 PM

In case the system has stopped responding, I suggest you uninstall ZoneAlarm and enable Windows Firewall in the Control Panel. Download a fresh copy of ComboFix and run it. It should work this time.

When we are done I'll recommend you a better firewall that consumes very few system resources. If you like ZoneAlarm you can install it again when we are done.

#9 Heavenlyp (Topic Starter, Members, 36 posts)

Posted 20 March 2010 - 10:53 PM

I appreciate any suggestions. No sentimental ties to ZoneAlarm :)
It worked; here is the ComboFix log from normal mode.

ComboFix 10-03-20.01 - Owner 03/20/2010 20:18:31.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.174 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\K416Ws.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Mq46I.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\P1067M4.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\S7dY03XMd.jpg
c:\windows\system32\dumphive.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-21 02:49 . 2010-03-21 02:49 -------- d-----w- c:\windows\Internet Logs
2010-03-17 18:41 . 2010-03-20 18:31 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-17 18:40 . 2010-03-17 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-17 18:40 . 2010-03-17 18:40 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-03-17 18:00 . 2010-03-17 18:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-03-17 09:38 . 2010-03-17 09:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-03-17 09:07 . 2010-03-17 09:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 06:18 . 2010-03-17 06:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-17 06:17 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 06:17 . 2010-03-17 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-17 06:17 . 2010-03-17 06:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 06:17 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 06:15 . 2010-03-17 06:15 -------- d-----w- c:\program files\Free Security Manager
2010-03-17 05:16 . 2010-03-17 05:16 -------- d-----w- c:\documents and settings\Owner\Application Data\CheckPoint
2010-03-17 05:15 . 2010-03-21 02:48 -------- d-----w- c:\program files\CheckPoint
2010-03-17 05:15 . 2010-03-17 05:15 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-17 04:11 . 2010-03-21 00:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2010-03-17 04:04 . 2010-03-21 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-03-17 03:40 . 2010-03-17 03:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Grisoft
2010-03-17 01:32 . 2010-03-17 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-03-17 01:32 . 2010-03-17 01:32 -------- d-----w- c:\program files\IObit
2010-03-17 01:30 . 2002-08-14 03:42 186368 ----a-w- C:\LSPFix.exe
2010-03-16 09:26 . 2010-03-16 09:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2010-03-16 05:04 . 2010-03-16 05:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-16 02:55 . 2010-03-16 02:55 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-16 02:02 . 2008-11-26 19:08 131 ----a-w- c:\windows\IDB.zip
2010-03-16 02:02 . 2009-10-28 08:36 1152444 ----a-w- c:\windows\UDB.zip
2010-03-16 01:48 . 2010-03-16 02:54 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-16 01:48 . 2010-03-16 02:56 -------- d-----w- c:\program files\Spyware Doctor
2010-03-16 00:12 . 2010-03-16 00:16 -------- d-----w- c:\windows\system32\NtmsData
2010-03-10 04:27 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 20:06 . 2010-02-14 07:29 -------- d-----w- c:\program files\Diablo II
2010-03-16 06:01 . 2006-08-07 05:33 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-15 23:02 . 2006-08-08 22:57 63384 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 04:43 . 2010-01-16 20:04 -------- d-----w- c:\program files\Linksys
2010-03-05 23:34 . 2006-08-07 06:14 -------- d-----w- c:\program files\Pure Networks
2010-03-05 23:33 . 2010-01-16 19:53 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2010-02-15 07:37 . 2009-12-31 03:10 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-01-22 04:41 . 2009-01-12 22:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-12 16:17 . 2004-08-26 18:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-05 10:00 . 2006-08-07 05:36 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-08-07 05:33 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-08-07 05:33 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2006-08-07 05:35 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-08-18 18:49 . 2005-08-18 18:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2004-11-03 21:03 . 2004-11-03 21:03 125528 c:\program files\Common Files\AOL\1154931251\EE\bak\AOLHostManager.exe

2006-08-07 06:04 . 2005-01-12 10:01 32768 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

2005-08-27 12:09 . 2005-08-27 12:09 139264 c:\program files\Digital Media Reader\bak\readericon45G.exe

2004-02-12 20:38 . 2004-02-12 20:38 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2007-10-15 04:17 . 2007-10-15 04:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-08-07 06:15 . 2006-08-07 06:15 98304 c:\program files\QuickTime\bak\qttask.exe
2009-05-27 00:18 . 2009-05-27 00:18 413696 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]
"com.codeode.cactusspamfilter"="c:\program files\Cactus Spam Filter 3.00\cactusspamfilter.exe" [2009-11-08 1053184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-04-08 467240]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCure]
2009-08-07 19:36 3993368 -c--a-w- c:\program files\ParetoLogic\DriverCure\DriverCure.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service

S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [3/16/2010 6:32 PM 311568]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [3/17/2010 11:41 AM 15944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4l7tjec.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6} - c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
ShellIconOverlayIdentifiers-{0847B599-9191-4A27-BD61-DE11598D3B1B} - c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
ShellIconOverlayIdentifiers-{9AE343CB-BA45-4618-AF6A-0230EE6FC793} - c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 20:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2024)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-20 20:35:20
ComboFix-quarantined-files.txt 2010-03-21 03:35

Pre-Run: 97,126,371,328 bytes free
Post-Run: 97,093,132,288 bytes free

- - End Of File - - 914A8E8F92362857C4F427E9C6BFC456


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 March 2010 - 06:01 AM

Well done.

Initially you had an antivirus (Panda cloud) and now you have a rogue software (IObit Security 360).
  1. Please go to Add/Remove programs and uninstall: IObit Security 360

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  3. You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

    Avira
    • Download the installer from the softpedia.com link, as it has a secure download mirror. Install and update it.
    • In the left pane click Status. In the right pane click Scan system now.
    • After the scan finished let it remove what it finds and then Click Report.
    • You can get the last report also by clicking on Reports on the left pane.
    • In the right window under Action double-click on the last Scan listed (you also see the corresponding Date/Time).
    • A window opens, click on Report file.
    • Copy and paste the content of the report to your reply.


#11 Heavenlyp

Heavenlyp
  • Topic Starter

  • Members
  • 36 posts

Posted 21 March 2010 - 01:05 PM

Thank you, Farbar.
The redirecting has stopped.
Don't forget about the firewall recommendation.



Malwarebytes' Anti-Malware 1.44
Database version: 3891
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/21/2010 9:02:00 AM
mbam-log-2010-03-21 (09-02-00).txt

Scan type: Quick Scan
Objects scanned: 130537
Time elapsed: 7 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Avira AntiVir Personal
Report file date: Sunday, March 21, 2010 09:30

Scanning for 1879445 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ELECTRICHAYWARD

Version information:
BUILD.DAT : 9.0.0.419 21701 Bytes 1/22/2010 18:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 18:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 16:17:25
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 16:17:51
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 16:18:02
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:18:19
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 16:18:19
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 16:18:19
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 16:18:19
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 16:18:20
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 16:18:20
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 16:18:20
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 16:18:20
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 16:18:20
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 16:18:22
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 16:18:24
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 16:18:26
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 16:18:28
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 16:18:30
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 16:18:32
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 16:18:34
VBASE020.VDF : 7.10.5.139 2048 Bytes 3/18/2010 16:18:35
VBASE021.VDF : 7.10.5.140 2048 Bytes 3/18/2010 16:18:35
VBASE022.VDF : 7.10.5.141 2048 Bytes 3/18/2010 16:18:35
VBASE023.VDF : 7.10.5.142 2048 Bytes 3/18/2010 16:18:35
VBASE024.VDF : 7.10.5.143 2048 Bytes 3/18/2010 16:18:36
VBASE025.VDF : 7.10.5.144 2048 Bytes 3/18/2010 16:18:36
VBASE026.VDF : 7.10.5.145 2048 Bytes 3/18/2010 16:18:36
VBASE027.VDF : 7.10.5.146 2048 Bytes 3/18/2010 16:18:36
VBASE028.VDF : 7.10.5.147 2048 Bytes 3/18/2010 16:18:37
VBASE029.VDF : 7.10.5.148 2048 Bytes 3/18/2010 16:18:37
VBASE030.VDF : 7.10.5.149 2048 Bytes 3/18/2010 16:18:37
VBASE031.VDF : 7.10.5.155 59392 Bytes 3/19/2010 16:18:38
Engineversion : 8.2.1.196
AEVDF.DLL : 8.1.1.3 106868 Bytes 3/21/2010 16:19:14
AESCRIPT.DLL : 8.1.3.18 1024378 Bytes 3/21/2010 16:19:13
AESCN.DLL : 8.1.5.0 127347 Bytes 3/21/2010 16:19:08
AESBX.DLL : 8.1.2.1 254323 Bytes 3/21/2010 16:19:16
AERDL.DLL : 8.1.4.3 541043 Bytes 3/21/2010 16:19:07
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/21/2010 16:19:03
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/21/2010 16:19:00
AEHEUR.DLL : 8.1.1.13 2470262 Bytes 3/21/2010 16:18:57
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/21/2010 16:18:46
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/21/2010 16:18:43
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 14:38:26
AECORE.DLL : 8.1.12.3 188789 Bytes 3/21/2010 16:18:40
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 14:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 22:14:02
AVREP.DLL : 8.0.0.7 159784 Bytes 3/21/2010 16:19:18
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 22:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 22:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 19:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, March 21, 2010 09:30

Starting search for hidden objects.
An ARK library instance is already running.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'hpqgpc01.exe' - '1' Module(s) have been scanned
Scan process 'hpqbam08.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'nmsrvc.exe' - '1' Module(s) have been scanned
Scan process 'ULCDRSvr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'cactusspamfilter.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'nmapp.exe' - '1' Module(s) have been scanned
Scan process 'nmctxth.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Owner\Desktop\zaSetup_91_007_002_en.exe
[0] Archive type: ZIP SFX (self extracting)
--> SWITCHUNINST_44ZONE LABS.EXE
[1] Archive type: RSRC
--> WINDOWS6.0-KB929547-V2-X64.MSU
[1] Archive type: CAB (Microsoft)
--> Windows6.0-KB929547-v2-x64.cab
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\Corrine Bailey Rae - Put Your Records On.wma
[DETECTION] Is the TR/Dldr.WMA.Wima.24 Trojan
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\linksys srx200.zip
[0] Archive type: ZIP
--> Setup.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Documents and Settings\Owner\Shared\Ice Cube - Steady Mobbin.wma
[DETECTION] Is the TR/Dldr.Age.1171323 Trojan
C:\Documents and Settings\Owner\Shared\LeRoy Hutson - Never know what you can do (Give a try).wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
C:\Documents and Settings\Owner\Shared\The Boys\im not addicted to sex neyo sugarbabes.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.BF Trojan
C:\Documents and Settings\Owner\Shared\The Boys\TOTALLY HIP TRACK.wma
[DETECTION] Is the TR/Dldr.Age.3566386 Trojan
C:\Documents and Settings\Owner\Start Menu\03 Track 3.wma
[DETECTION] Is the TR/Dldr.Age.3566386 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir
[DETECTION] Is the TR/Patched.Gen Trojan
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP942\A0128429.exe
[DETECTION] Is the TR/FakeRean.A.277 Trojan
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP942\A0128430.exe
[DETECTION] Is the TR/FakeRean.A.284 Trojan
Begin scan in 'D:\' <RECOVERY>

Beginning disinfection:
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\Corrine Bailey Rae - Put Your Records On.wma
[DETECTION] Is the TR/Dldr.WMA.Wima.24 Trojan
[NOTE] The file was moved to '4c185d13.qua'!
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\linksys srx200.zip
[NOTE] The file was moved to '4c145d0e.qua'!
C:\Documents and Settings\Owner\Shared\Ice Cube - Steady Mobbin.wma
[DETECTION] Is the TR/Dldr.Age.1171323 Trojan
[NOTE] The file was moved to '4c0b5d08.qua'!
C:\Documents and Settings\Owner\Shared\LeRoy Hutson - Never know what you can do (Give a try).wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
[NOTE] The file was moved to '4bf85d0a.qua'!
C:\Documents and Settings\Owner\Shared\The Boys\im not addicted to sex neyo sugarbabes.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.BF Trojan
[NOTE] The file was moved to '4bc65d12.qua'!
C:\Documents and Settings\Owner\Shared\The Boys\TOTALLY HIP TRACK.wma
[DETECTION] Is the TR/Dldr.Age.3566386 Trojan
[NOTE] The file was moved to '4bfa5cf4.qua'!
C:\Documents and Settings\Owner\Start Menu\03 Track 3.wma
[DETECTION] Is the TR/Dldr.Age.3566386 Trojan
[NOTE] The file was moved to '4bc65cd9.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4c075d1c.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP942\A0128429.exe
[DETECTION] Is the TR/FakeRean.A.277 Trojan
[NOTE] The file was moved to '4bd75cd8.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP942\A0128430.exe
[DETECTION] Is the TR/FakeRean.A.284 Trojan
[NOTE] The file was moved to '4bd75cd9.qua'!


End of the scan: Sunday, March 21, 2010 10:51
Used time: 1:20:11 Hour(s)

The scan has been done completely.

10061 Scanned directories
544278 Files were scanned
10 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
544266 Files not concerned
15485 Archives were scanned
3 Warnings
12 Notes



#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 March 2010 - 01:22 PM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has grown to an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. Empty all p2p download folders. They might contain infected files. Avira found and removed some of them.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  3. I recommend using the following firewall; it is lightweight and has a user manual too:
    Sunbelt-Kerio

    You may install it.

  4. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt. Also tell me how your computer is running.

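The Avira report posted above lists every detection as a path line followed by bracketed `[DETECTION]`/`[NOTE]` lines, and lists each file twice (once when found, once when moved to quarantine). As an added example, not part of this thread and not Avira's or Farbar's code, here is a small Python parser that merges the two passes and groups the hits by where they sat (LimeWire download folder, shared folder, ComboFix's Qoobox quarantine, System Restore points), which makes the point in step 1 above visible at a glance; the folder rules are assumptions based on the paths in this thread, and the report text, file names and restore-point GUID are constructed sample data.

```python
"""Triage helper for Avira AntiVir reports (added example, not Avira's code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes taken from the Avira AntiVir Personal report format:
# a path line starts a record; the bracketed lines below it describe it.
_PATH_RE = re.compile(r"^[A-Za-z]:\\")
_MEMBER_RE = re.compile(r"^-->\s*(?P<member>.+)$")          # file inside an archive
_DETECT_RE = re.compile(r"^\[DETECTION\] Is the (?P<name>\S+)")
_QUAR_RE = re.compile(r"^\[NOTE\] The file was moved to '(?P<qua>[^']+)'!")
_WARN_RE = re.compile(r"^\[WARNING\]\s*(?P<msg>.+)$")

# Where a detection sat. The folder needles are assumptions based on the
# paths in this thread (LimeWire saved/shared folders, ComboFix's Qoobox
# quarantine, System Restore points); extend them for other machines.
_CATEGORY_RULES = [
    ("combofix-quarantine", ("\\qoobox\\quarantine\\",)),
    ("system-restore", ("\\system volume information\\_restore",)),
    ("p2p-download", ("\\limewire\\", "\\utorrent\\")),
    ("shared-folder", ("\\shared\\",)),
]


@dataclass
class Finding:
    path: str
    member: Optional[str] = None       # archive member that triggered the hit
    detection: Optional[str] = None    # e.g. TR/Dldr.WMA.Wimad.X
    quarantine: Optional[str] = None   # .qua file the sample was moved to
    warnings: List[str] = field(default_factory=list)

    @property
    def category(self) -> str:
        return classify(self.path)


def classify(path: str) -> str:
    """Map a Windows path to one of the categories above, or 'other'."""
    lowered = path.lower()
    for label, needles in _CATEGORY_RULES:
        if any(needle in lowered for needle in needles):
            return label
    return "other"


def parse_report(text: str) -> List[Finding]:
    """Parse the scan and disinfection sections into one record per path.

    Avira lists a file once when it is found and again when it is
    disinfected, so records with the same path are merged: the scan pass
    supplies the detection name, the disinfection pass the quarantine file.
    """
    findings: Dict[str, Finding] = {}
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if _PATH_RE.match(line):
            current = findings.setdefault(line, Finding(path=line))
            continue
        if current is None:
            continue
        if m := _MEMBER_RE.match(line):
            current.member = m.group("member")
        elif m := _DETECT_RE.match(line):
            current.detection = m.group("name")
        elif m := _QUAR_RE.match(line):
            current.quarantine = m.group("qua")
        elif m := _WARN_RE.match(line):
            current.warnings.append(m.group("msg"))
    return list(findings.values())


def summarize(findings: List[Finding]) -> dict:
    """Counts by location plus the items a helper would follow up on."""
    detected = [f for f in findings if f.detection]
    return {
        "detected": len(detected),
        "quarantined": sum(1 for f in detected if f.quarantine),
        "by_category": dict(Counter(f.category for f in detected)),
        # Detected but never moved to quarantine: still on disk.
        "not_quarantined": [f.path for f in detected if not f.quarantine],
        # Files the scanner could not open (page/hibernation files are normal).
        "unscannable": [f.path for f in findings if f.warnings and not f.detection],
    }


# Constructed sample in the Avira report format; file names and the
# restore-point GUID are placeholders, not values from any real machine.
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\song.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\router-fw.zip
[0] Archive type: ZIP
--> Setup.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Documents and Settings\Owner\Shared\track.wma
[DETECTION] Is the TR/Dldr.Age.1171323 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir
[DETECTION] Is the TR/Patched.Gen Trojan
C:\System Volume Information\_restore{RESTORE-GUID-PLACEHOLDER}\RP942\A0128429.exe
[DETECTION] Is the TR/FakeRean.A.277 Trojan
Begin scan in 'D:\' <RECOVERY>

Beginning disinfection:
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\song.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
[NOTE] The file was moved to '4c185d13.qua'!
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\router-fw.zip
[NOTE] The file was moved to '4c145d0e.qua'!
C:\Documents and Settings\Owner\Shared\track.wma
[DETECTION] Is the TR/Dldr.Age.1171323 Trojan
[NOTE] The file was moved to '4c0b5d08.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4c075d1c.qua'!
"""

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it against a saved Avira report file instead of the sample to get the same grouping for a real log; a non-empty `not_quarantined` list is the thing to act on.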



#13 Heavenlyp

Heavenlyp
  • Topic Starter

  • Members
  • 36 posts

Posted 21 March 2010 - 07:10 PM

I tried to install the Sunbelt firewall but kept getting an error message during install.

Error 1720.There is a problem with this window installer package.
A script required for this install to complete could not be run. contact
your support personnel or package vendor, custom action Driver
install script error 2147024770 line 8 colmn 2
When I click OK, the install rolls back and terminates.

What can I do, Farbar?

Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 16:41:05.57 on Sun 03/21/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.122 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 3.00\cactusspamfilter.exe" -minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} - hxxp://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\album_a\view\plugin\HPODPCFC.CAB
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\p4l7tjec.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-21 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-21 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-21 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-21 56816]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-3-17 15944]

=============== Created Last 30 ================

2010-03-21 23:21:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-21 16:14:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-21 16:14:27 0 d-----w- c:\program files\Avira
2010-03-21 16:14:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-03-21 02:49:36 0 d-----w- c:\windows\Internet Logs
2010-03-21 00:47:31 0 d-sha-r- C:\cmdcons
2010-03-21 00:45:15 98816 ----a-w- c:\windows\sed.exe
2010-03-21 00:45:15 77312 ----a-w- c:\windows\MBR.exe
2010-03-21 00:45:15 261632 ----a-w- c:\windows\PEV.exe
2010-03-21 00:45:15 161792 ----a-w- c:\windows\SWREG.exe
2010-03-18 20:35:03 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-03-17 18:41:18 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-17 18:40:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-03-17 18:40:11 0 d-----w- c:\program files\Hitman Pro 3.5
2010-03-17 09:07:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 06:18:00 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-03-17 06:17:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 06:17:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-17 06:17:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 06:17:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 06:15:31 0 d-----w- c:\program files\Free Security Manager
2010-03-17 05:16:18 0 d-----w- c:\docume~1\owner\applic~1\CheckPoint
2010-03-17 05:15:51 0 d-----w- c:\program files\CheckPoint
2010-03-17 05:15:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-17 04:11:41 0 d-----w- c:\docume~1\owner\applic~1\Panda Security
2010-03-17 04:04:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2010-03-17 03:40:37 0 d-----w- c:\docume~1\owner\applic~1\Grisoft
2010-03-17 01:32:13 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-03-17 01:32:01 0 d-----w- c:\program files\IObit
2010-03-17 01:30:55 186368 ----a-w- C:\LSPFix.exe
2010-03-16 02:55:02 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-16 02:02:56 882 ----a-w- c:\windows\RegSDImport.xml
2010-03-16 02:02:56 880 ----a-w- c:\windows\RegISSImport.xml
2010-03-16 02:02:55 131 ----a-w- c:\windows\IDB.zip
2010-03-16 02:02:54 1152444 ----a-w- c:\windows\UDB.zip
2010-03-16 01:48:31 0 d-----w- c:\program files\common files\PC Tools
2010-03-16 01:48:24 0 d-----w- c:\program files\Spyware Doctor
2010-03-16 01:46:40 0 ----a-w- c:\documents and settings\owner\;;
2010-03-16 00:12:29 0 d-----w- c:\windows\system32\NtmsData
2010-03-10 04:27:38 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 06:08:45 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cabe85cf2ca8be.mof

==================== Find3M ====================

2010-03-21 23:21:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 06:01:58 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 16:41:47.20 ===============


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:20 PM

Posted 22 March 2010 - 03:09 AM

Remove your downloaded install package and download it again.
Then uninstall Hitman Pro 3.5, and disable Avira.
Install it again.

#15 Heavenlyp

Heavenlyp
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 22 March 2010 - 12:59 PM

Sunbelt is up and running.
System is back to normal. All viral /malware activity has ceased.
Thank you for all your help, Farbar.

