DDS logs needing review for unknown virus/malware/adware


  • This topic is locked
42 replies to this topic

#1 Prising

Prising

  • Members
  • 29 posts

Posted 16 April 2010 - 10:55 PM

Hello, I have a problem with my system but have no idea what type of problem. My initial post can be seen at http://www.bleepingcomputer.com/forums/t/308964/virusmalware-problems/ and I do want to thank Trollocks for all the assistance. During the exchange with Trollocks, I got a popup from my ISP stating unusual activity was noticed on my PC and I should consider that my PC might be infected. They suggested using Combofix and MBAM, which I did. But as my CPU usage still jumps to 100% and things are sluggish, I think something may still be hiding. Also, somewhere along the line, my PC decided it would no longer acknowledge the E: (CD/DVD) drive.

Here's the DDS.txt report:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 15:35:06.01 on Fri 04/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1573 [GMT -4:00]

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.k9cd.com/doberman.htm"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\webmail
Trusted Zone: aol.com\www
Trusted Zone: aquabid.com\www
Trusted Zone: bitdefender.com
Trusted Zone: ebay.com\www
Trusted Zone: f-secure.com
Trusted Zone: iwon.com\www
Trusted Zone: pandasecurity.com\www
Trusted Zone: pineconeresearch.com\media
Trusted Zone: trendmicro.com\housecall
Trusted Zone: yahoo.com\www
DPF: CabBuilder - hxxp://www.imgag.com/kiw/toolbar/download/InstallerControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-12 486280]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-2-11 266240]
S1 hcb66c4;hcb66c4;c:\windows\system32\drivers\hcb66c4.sys --> c:\windows\system32\drivers\hcb66c4.sys [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-3-8 44928]

=============== Created Last 30 ================

2010-04-16 19:30:59 0 ----a-w- c:\documents and settings\compaq_owner\defogger_reenable
2010-04-16 13:18:19 0 d-----w- c:\program files\ESET
2010-04-14 04:04:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 04:04:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 21:45:53 0 d-----w- C:\MCombo-Fix
2010-04-13 20:43:26 98816 ----a-w- c:\windows\sed.exe
2010-04-13 20:43:26 77312 ----a-w- c:\windows\MBR.exe
2010-04-13 20:43:26 261632 ----a-w- c:\windows\PEV.exe
2010-04-13 20:43:26 161792 ----a-w- c:\windows\SWREG.exe
2010-04-12 16:22:28 0 d-----w- c:\documents and settings\compaq_owner\DoctorWeb
2010-04-12 06:20:10 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-12 06:20:10 0 d-----w- c:\windows\system32\ZoneLabs
2010-04-12 06:20:08 422437 ----a-w- c:\windows\system32\vsconfig.xml
2010-04-12 06:20:08 0 d-----w- c:\program files\Zone Labs
2010-04-12 03:38:03 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-12 03:36:27 0 d-----w- c:\windows\Internet Logs
2010-04-12 01:28:52 0 d-sh--w- c:\documents and settings\compaq_owner\IECompatCache
2010-04-11 21:00:38 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-11 21:00:38 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-11 20:23:45 0 d-----w- c:\docume~1\compaq~1\applic~1\ElevatedDiagnostics
2010-04-11 19:25:09 0 d--h--w- c:\windows\PIF
2010-04-11 17:35:21 0 d-----w- c:\program files\Trend Micro
2010-04-11 02:33:44 4108080 ----a-w- c:\windows\pfirewall.log.old
2010-04-11 02:30:15 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-10 08:28:00 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2010-04-10 08:27:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-10 08:27:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-09 02:38:22 0 d-----w- C:\spoolerlogs

==================== Find3M ====================

2005-12-31 21:03:44 22 -csha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 15:35:35.73 ===============


I have attached the Attach file from DDS.



#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 21 April 2010 - 11:14 AM


Hello Prising, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I will need the log ComboFix generated. It can be found at C:\ComboFix.txt

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Prising

Prising
  • Topic Starter

  • Members
  • 29 posts

Posted 21 April 2010 - 02:07 PM

Hello thewall!

I see three Combo text logs... so will post all three.

ComboFix3:
ComboFix 10-04-13.02 - Compaq_Owner 04/13/2010 16:45:32.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1727 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\CMombo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\recycler\S-1-5-21-117609710-484061587-682003330-1003
c:\recycler\S-1-5-21-2672498493-3861160903-3380400916-1009
c:\windows\system32\ide.txt
c:\windows\system32\qks.txt
c:\windows\system32\Thumbs.db
c:\windows\system32\xef.txt
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-12 16:22 . 2010-04-12 16:22 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2010-04-12 06:20 . 2009-11-22 19:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-04-12 03:36 . 2010-04-13 20:54 -------- d-----w- c:\windows\Internet Logs
2010-04-12 01:28 . 2010-04-12 01:28 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
2010-04-11 21:00 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-11 21:00 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-11 20:23 . 2010-04-11 20:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\ElevatedDiagnostics
2010-04-11 19:25 . 2010-04-11 19:25 -------- d--h--w- c:\windows\PIF
2010-04-11 17:35 . 2010-04-11 17:35 -------- d-----w- c:\program files\Trend Micro
2010-04-11 02:30 . 2010-04-11 02:30 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-11 00:45 . 2010-04-11 02:09 -------- d-s---w- c:\documents and settings\Administrator.YOUR-27E1513D96
2010-04-10 08:28 . 2010-04-10 08:28 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2010-04-10 08:27 . 2010-04-10 08:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 08:27 . 2010-04-13 20:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-09 02:38 . 2010-04-09 02:38 -------- d-----w- C:\spoolerlogs
2010-04-09 02:04 . 2010-04-09 02:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 23:59 . 2010-04-08 23:59 49152 ----a-w- c:\windows\system32\hsrfyd46.dll
2010-04-08 23:59 . 2010-04-08 23:59 138272 ----a-w- c:\windows\system32\drivers\hcb66c4.sys
2010-04-08 23:59 . 2010-04-08 23:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 20:39 . 2010-04-13 20:54 3138560 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-04-13 20:33 . 2008-11-05 22:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-13 20:32 . 2008-11-09 22:06 -------- d-----w- c:\program files\Panda Security
2010-04-13 06:21 . 2010-04-12 15:41 8706940 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-12 06:20 . 2010-04-12 03:38 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-12 06:20 . 2010-04-12 06:20 -------- d-----w- c:\program files\Zone Labs
2010-03-23 05:38 . 2005-12-30 16:44 38200 -c--a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-12-31 21:03 . 2005-12-31 19:03 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gamerlog.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Gamerlog.lnk
backup=c:\windows\pss\Gamerlog.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PreCast Monitor.lnk]
path=
backup=c:\windows\pss\PreCast Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Demonstone Registration.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Demonstone Registration.lnk
backup=c:\windows\pss\Demonstone Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-03-14 17:45 2521464 -c--a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 -c--a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 -c--a-w- c:\documents and settings\Compaq_Owner\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 -c--a-w- c:\program files\Common Files\AOL\1175820672\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 19:54 241664 -c--a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 14:11 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2005-05-11 00:50 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-05-07 21:54 99480 -c--a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2005-01-24 02:56 544768 -c--a-w- c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 -c--a-w- c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SNMP"=2 (0x2)
"AOL ACS"=2 (0x2)
"Alerter"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"wuauserv"=2 (0x2)
"LmHosts"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\system32\\lsass.exe"=

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/11/2009 5:58 PM 266240]
S1 hcb66c4;hcb66c4;c:\windows\system32\drivers\hcb66c4.sys [4/8/2010 7:59 PM 138272]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [3/8/2008 6:17 PM 44928]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6ED4CB34-CBF5-435A-AE2F-38BF10EEF56D}]
2010-04-08 23:59 49152 ----a-w- c:\windows\system32\hsrfyd46.dll
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\webmail
Trusted Zone: aol.com\www
Trusted Zone: aquabid.com\www
Trusted Zone: bitdefender.com
Trusted Zone: ebay.com\www
Trusted Zone: f-secure.com
Trusted Zone: iwon.com\www
Trusted Zone: pandasecurity.com\www
Trusted Zone: pineconeresearch.com\media
Trusted Zone: trendmicro.com\housecall
Trusted Zone: yahoo.com\www
DPF: CabBuilder - hxxp://www.imgag.com/kiw/toolbar/download/InstallerControl.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
.
- - - - ORPHANS REMOVED - - - -

BHO-{0B55DB04-1ADB-40EB-ABA7-F3F59FFA7F55} - (no file)
Notify-Notify - (no file)
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-cleansweep - c:\cleansweep.exe\cleansweep.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-MsXSLT - c:\windows\system32\msxslt3.exe
MSConfigStartUp-NetMeter - c:\program files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-reader_s - c:\documents and settings\Compaq_Owner\reader_s.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-Regedit32 - c:\windows\system32\regedit.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-syncman - c:\documents and settings\compaq_owner\wuaucldt.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 16:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-569660269-4189796892-4034175367-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3244)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\locator.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-04-13 16:58:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-13 20:58

Pre-Run: 137,046,425,600 bytes free
Post-Run: 137,266,458,624 bytes free

- - End Of File - - 918582A3E55B176AF9552BE9E3A9E75E

=============

ComboFix 2:
ComboFix 10-04-13.02 - Compaq_Owner 04/13/2010 17:01:07.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1311 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\CMombo-Fix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hsrfyd46.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-12 16:22 . 2010-04-12 16:22 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2010-04-12 06:20 . 2009-11-22 19:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-04-12 03:36 . 2010-04-13 21:05 -------- d-----w- c:\windows\Internet Logs
2010-04-12 01:28 . 2010-04-12 01:28 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
2010-04-11 21:00 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-11 21:00 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-11 20:23 . 2010-04-11 20:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\ElevatedDiagnostics
2010-04-11 19:25 . 2010-04-11 19:25 -------- d--h--w- c:\windows\PIF
2010-04-11 17:35 . 2010-04-11 17:35 -------- d-----w- c:\program files\Trend Micro
2010-04-11 02:30 . 2010-04-11 02:30 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-11 00:45 . 2010-04-11 02:09 -------- d-s---w- c:\documents and settings\Administrator.YOUR-27E1513D96
2010-04-10 08:28 . 2010-04-10 08:28 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2010-04-10 08:27 . 2010-04-10 08:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 08:27 . 2010-04-13 20:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-09 02:38 . 2010-04-09 02:38 -------- d-----w- C:\spoolerlogs
2010-04-09 02:04 . 2010-04-09 02:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 23:59 . 2010-04-08 23:59 138272 ----a-w- c:\windows\system32\drivers\hcb66c4.sys
2010-04-08 23:59 . 2010-04-08 23:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 20:39 . 2010-04-13 20:54 3138560 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-04-13 20:33 . 2008-11-05 22:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-13 20:32 . 2008-11-09 22:06 -------- d-----w- c:\program files\Panda Security
2010-04-13 06:21 . 2010-04-12 15:41 8706940 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-12 06:20 . 2010-04-12 03:38 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-12 06:20 . 2010-04-12 06:20 -------- d-----w- c:\program files\Zone Labs
2010-03-23 05:38 . 2005-12-30 16:44 38200 -c--a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-12-31 21:03 . 2005-12-31 19:03 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gamerlog.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Gamerlog.lnk
backup=c:\windows\pss\Gamerlog.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PreCast Monitor.lnk]
path=
backup=c:\windows\pss\PreCast Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Demonstone Registration.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Demonstone Registration.lnk
backup=c:\windows\pss\Demonstone Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-03-14 17:45 2521464 -c--a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 -c--a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 -c--a-w- c:\documents and settings\Compaq_Owner\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 -c--a-w- c:\program files\Common Files\AOL\1175820672\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 19:54 241664 -c--a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 14:11 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2005-05-11 00:50 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-05-07 21:54 99480 -c--a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2005-01-24 02:56 544768 -c--a-w- c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 -c--a-w- c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SNMP"=2 (0x2)
"AOL ACS"=2 (0x2)
"Alerter"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"wuauserv"=2 (0x2)
"LmHosts"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\system32\\lsass.exe"=

S1 hcb66c4;hcb66c4;c:\windows\system32\drivers\hcb66c4.sys [4/8/2010 7:59 PM 138272]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/11/2009 5:58 PM 266240]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [3/8/2008 6:17 PM 44928]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\webmail
Trusted Zone: aol.com\www
Trusted Zone: aquabid.com\www
Trusted Zone: bitdefender.com
Trusted Zone: ebay.com\www
Trusted Zone: f-secure.com
Trusted Zone: iwon.com\www
Trusted Zone: pandasecurity.com\www
Trusted Zone: pineconeresearch.com\media
Trusted Zone: trendmicro.com\housecall
Trusted Zone: yahoo.com\www
DPF: CabBuilder - hxxp://www.imgag.com/kiw/toolbar/download/InstallerControl.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{6ED4CB34-CBF5-435A-AE2F-38BF10EEF56D} - hsrfyd46.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 17:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-569660269-4189796892-4034175367-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-04-13 17:06:46
ComboFix-quarantined-files.txt 2010-04-13 21:06
ComboFix2.txt 2010-04-13 20:58

Pre-Run: 137,264,345,088 bytes free
Post-Run: 137,241,223,168 bytes free

- - End Of File - - DFA239A8A059736943F422BFE5BFCF38

==========

ComboFix Quarantine Files:

2010-04-13 21:06:01 . 2010-04-13 21:06:01 264 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ActiveSetup-{6ED4CB34-CBF5-435A-AE2F-38BF10EEF56D}.reg.dat
2010-04-13 20:57:31 . 2010-04-13 20:57:31 712 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-updateMgr.reg.dat
2010-04-13 20:57:31 . 2010-04-13 20:57:31 608 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-syncman.reg.dat
2010-04-13 20:57:31 . 2010-04-13 20:57:31 592 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SVCHOST.reg.dat
2010-04-13 20:57:31 . 2010-04-13 20:57:31 648 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SUPERAntiSpyware.reg.dat
2010-04-13 20:57:30 . 2010-04-13 20:57:30 570 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Regedit32.reg.dat
2010-04-13 20:57:30 . 2010-04-13 20:57:30 642 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-RealTray.reg.dat
2010-04-13 20:57:30 . 2010-04-13 20:57:30 610 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-reader_s.reg.dat
2010-04-13 20:57:30 . 2010-04-13 20:57:30 622 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-QuickTime Task.reg.dat
2010-04-13 20:57:30 . 2010-04-13 20:57:30 644 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-NetMeter.reg.dat
2010-04-13 20:57:30 . 2010-04-13 20:57:30 564 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MsXSLT.reg.dat
2010-04-13 20:57:30 . 2010-04-13 20:57:30 620 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MsnMsgr.reg.dat
2010-04-13 20:57:29 . 2010-04-13 20:57:29 586 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-cleansweep.reg.dat
2010-04-13 20:57:29 . 2010-04-13 20:57:29 668 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AOL Spyware Protection.reg.dat
2010-04-13 20:57:26 . 2010-04-13 20:57:26 266 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-Notify.reg.dat
2010-04-13 20:57:14 . 2010-04-13 20:57:14 157 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{0B55DB04-1ADB-40EB-ABA7-F3F59FFA7F55}.reg.dat
2010-04-13 20:54:37 . 2004-05-01 03:01:14 53 ----a-w- C:\Qoobox\Quarantine\D\Autorun.inf.vir
2010-04-13 20:51:30 . 2010-04-13 21:03:54 9,511 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-04-13 20:43:18 . 2010-04-13 21:00:33 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-04-10 19:22:02 . 2010-04-10 19:22:02 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xef.txt.vir
2010-04-10 19:21:59 . 2010-04-10 19:21:59 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ide.txt.vir
2010-04-10 19:21:59 . 2010-04-10 19:21:59 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\qks.txt.vir
2010-04-08 23:59:19 . 2010-04-08 23:59:19 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\hsrfyd46.dll.vir
2009-08-22 13:29:17 . 2006-01-02 22:19:32 104 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Internet Explorer.lnk.vir
2007-04-04 14:16:50 . 2007-08-22 03:52:36 8,704 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Thumbs.db.vir
2004-08-04 12:00:00 . 2010-04-09 00:02:42 212,480 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir
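
The DDS sections above (the msconfig startupreg entries, the firewallpolicy standardprofile key and its AuthorizedApplications list) are what a helper reads by hand when triaging a log like this. Below, as an added example that is not part of the thread and not DDS's or ComboFix's own code, is a small Python script that parses those three sections from a constructed excerpt in the same format and reports the points a responder checks first: whether the Windows Firewall is enabled, startup entries for which DDS lists no file, and startup entries or firewall exceptions that point into a user profile directory. The profile-directory heuristic and the expansion of %windir% to c:\windows are assumptions of this example, not rules from DDS; a hit only means "look at this", as with the adware entries discussed later in the thread.

```python
import re

# Constructed excerpt in the shape of the DDS/ComboFix sections above (a subset
# of the lines from the log, not the complete log).
SAMPLE_DDS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 -c--a-w- c:\documents and settings\Compaq_Owner\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Application Data\\mjusbsp\\magicJack.exe"=
"%windir%\\system32\\lsass.exe"=
""".lstrip("\n")

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                      # [HKLM\...] section header
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+\S+\s+(?P<path>.+)$")  # date time size attrs path
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')  # "name"= value

# Heuristic prefix for "user-writable profile location" (assumption of this example, XP layout).
PROFILE_PREFIX = "c:\\documents and settings\\"
STARTUPREG_MARKER = "\\msconfig\\startupreg\\"
FIREWALL_PROFILE = "\\firewallpolicy\\standardprofile"
AUTHORIZED_LIST = "\\authorizedapplications\\list"


def _normalize(path):
    """DDS prints registry paths with doubled backslashes; collapse them and expand %windir%
    to c:\windows (assumed: the sample shows no other Windows root)."""
    return path.replace("\\\\", "\\").replace("%windir%", "c:\\windows")


def parse_dds(text):
    """Return {'startup': {name: path or None}, 'firewall_enabled': bool/None, 'authorized': [paths]}."""
    result = {"startup": {}, "firewall_enabled": None, "authorized": []}
    current = ""          # lowercased key of the section we are in
    current_name = None   # startupreg entry name while inside a startupreg section
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            current_name = None
            if STARTUPREG_MARKER in current:
                current_name = m.group("key").rsplit("\\", 1)[-1]
                result["startup"].setdefault(current_name, None)  # None until a file line follows
            continue
        if current_name is not None:
            fm = FILE_RE.match(line)
            if fm:
                result["startup"][current_name] = _normalize(fm.group("path"))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        if current.endswith(AUTHORIZED_LIST):
            result["authorized"].append(_normalize(vm.group("name")))
        elif current.endswith(FIREWALL_PROFILE) and vm.group("name") == "EnableFirewall":
            result["firewall_enabled"] = vm.group("value").split()[0] != "0"
    return result


def triage_dds(parsed):
    """Return (level, message) pairs for the items a helper would look at first."""
    findings = []
    if parsed["firewall_enabled"] is False:
        findings.append(("review", "Windows Firewall is disabled for the standard profile "
                                   "(EnableFirewall=0); confirm a third-party firewall is active."))
    for name, path in parsed["startup"].items():
        if path is None:
            findings.append(("review", f"startup entry '{name}' lists no file; verify its target exists"))
        elif path.lower().startswith(PROFILE_PREFIX):
            findings.append(("review", f"startup entry '{name}' runs from a user profile directory: {path}"))
    for path in parsed["authorized"]:
        if path.lower().startswith(PROFILE_PREFIX):
            findings.append(("review", f"firewall exception for a program in a user profile directory: {path}"))
    return findings


if __name__ == "__main__":
    for level, message in triage_dds(parse_dds(SAMPLE_DDS)):
        print(f"[{level}] {message}")
```

Run against the constructed excerpt it reports the disabled firewall, the Shockwave Updater entry with no file, and the two mjusbsp programs under the user's Application Data folder, and stays quiet about ctfmon.exe and the system32 exceptions.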


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:06 PM

Posted 21 April 2010 - 03:04 PM

Let's try GMER again. If it is still on your system you can skip the download part. Be sure to run it by the instructions I have below with respect to what needs to be unchecked:

Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running the following. Instructions can be found Here.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Prising

Prising
  • Topic Starter

  • Members
  • 29 posts
  • Local time:08:06 PM

Posted 21 April 2010 - 10:08 PM

First attempt to run GMER gave a "Page fault in non-paged area" error. Next two attempts resulted in the pc freezing. Below is the log of everything except IAT/EAT, Registry, and Files(ADS). I reran GMER only on files and it stated no modifications were found. I will next attempt to get a GMER log on the registry (but think this is where the page error may be).


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-21 20:04:49
Windows 5.1.2600 Service Pack 3
Running: Dogmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\kftyqfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB5269D80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB528E070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB526AC60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB528F780]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB528F160]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB5290080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB52902B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB526A750]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB5291430]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB5290A40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB52910D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB526B080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB52918E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB528E970]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes JMP 4144FD69

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

---- EOF - GMER 1.0.15 ----
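
GMER lists every SSDT hook on its own line, so the first triage step on a log like the one above is to group the hooks by the driver that owns them and set aside anything GMER cannot attribute to a module. The following Python script is an added example (not from the thread and not GMER's own code) that parses the SSDT, kernel code section and device lines from a constructed excerpt in the same format and produces that grouping. In the sample every SSDT hook belongs to vsdatant.sys, whose vendor string names Check Point's TrueVector driver (the ZoneAlarm firewall on this machine), while the inline JMP in ntkrnlpa.exe carries no owning module and is simply listed for review, in keeping with the earlier caution that rootkit scanner output needs a human judgement before anything is acted on.

```python
import re

# Constructed excerpt in the shape of a GMER 1.0.15 log (a subset of the lines
# from the post above, not the complete log).
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-21 20:04:49
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB5269D80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB528E070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB528E970]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes JMP 4144FD69

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----
""".lstrip("\n")

# SSDT <module path> (<vendor string>) <hooked function> [<handler address>]
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
# .text <image>!<symbol> + <offset> <address> <n> Bytes <patch description>
CODE_RE = re.compile(r"^\.text\s+(?P<image>[^!\s]+)!(?P<symbol>\w+)\s+\+\s+(?P<offset>[0-9A-Fa-f]+)\s+"
                     r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.+)$")
# Device|AttachedDevice <driver object> <device> <module> (<vendor string>)
DEVICE_RE = re.compile(r"^(?P<kind>Device|AttachedDevice)\s+(?P<obj>\S+)\s+(?P<target>\S+)\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)$")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Split a GMER log into SSDT hooks, inline kernel code patches and device entries."""
    parsed = {"ssdt": [], "code": [], "devices": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["module"] = _basename(entry["module"])
            parsed["ssdt"].append(entry)
            continue
        m = CODE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["nbytes"] = int(entry["nbytes"])
            parsed["code"].append(entry)
            continue
        m = DEVICE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["module"] = _basename(entry["module"])
            parsed["devices"].append(entry)
    return parsed


def summarize_ssdt(parsed):
    """Group SSDT hooks by owning module: {module: {'vendor': str, 'functions': [...]}}."""
    by_module = {}
    for hook in parsed["ssdt"]:
        slot = by_module.setdefault(hook["module"], {"vendor": hook["vendor"], "functions": []})
        slot["functions"].append(hook["func"])
    return by_module


def triage_gmer(parsed):
    """Return (level, message) pairs: 'info' for hooks attributed to a named vendor,
    'review' for anything GMER could not attribute to a module or vendor."""
    findings = []
    for module, info in summarize_ssdt(parsed).items():
        level = "info" if info["vendor"] else "review"
        findings.append((level, f"{len(info['functions'])} SSDT hook(s) owned by {module} "
                                f"({info['vendor'] or 'no vendor string'})"))
    for patch in parsed["code"]:
        findings.append(("review", f"inline patch at {patch['image']}!{patch['symbol']}+{patch['offset']}: "
                                   f"{patch['patch']} ({patch['nbytes']} bytes, no owning module named)"))
    for dev in parsed["devices"]:
        level = "info" if dev["vendor"] else "review"
        findings.append((level, f"{dev['kind']} {dev['target']} handled by {dev['module']} "
                                f"({dev['vendor'] or 'no vendor string'})"))
    return findings


if __name__ == "__main__":
    for level, message in triage_gmer(parse_gmer(SAMPLE_GMER_LOG)):
        print(f"[{level}] {message}")
```

The grouping is what makes a fourteen-line SSDT section readable at a glance: one driver with a vendor string explains all of it, and the only line without attribution is the inline patch, which is where a helper's attention goes next.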


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:06 PM

Posted 21 April 2010 - 10:44 PM

We need to check a file.
  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/index.php?showtopic=310393&view=findpost&p=1726518
  • Click Browse and select the c:\windows\system32\hsrfyd46.dll
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it.
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.

#7 Prising

Prising
  • Topic Starter

  • Members
  • 29 posts
  • Local time:08:06 PM

Posted 22 April 2010 - 12:00 AM

There is no hsrfyd46.dll file on this system.

I've been unable to save the registry portion of the GMER log...each time I try to save it gives the "page fault in non-paged area" error. Next time I will try to take a snapshot of the log and attach it.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:06 PM

Posted 22 April 2010 - 09:51 AM

If you can't get it right now don't worry about it. Let's run the following scan but for the time being uncheck where it says to remove found threats.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


#9 Prising

Prising
  • Topic Starter

  • Members
  • 29 posts
  • Local time:08:06 PM

Posted 22 April 2010 - 03:39 PM

Here's the result of the ESET scan:

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\ASP\setup.exe probably a variant of Win32/Agent trojan
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application

#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:06 PM

Posted 22 April 2010 - 03:55 PM

Those will be OK to take off. You can run it again now and have it remove what it finds.

#12 Prising

Prising
  • Topic Starter

  • Members
  • 29 posts
  • Local time:08:06 PM

Posted 22 April 2010 - 07:53 PM

I did as you suggested then decided to scan one additional time. Is there any reason why two new items would be found? I had the ESET delete these even though I know the first one was just a screenmate. The second, I have no idea what it was.


C:\Documents and Settings\All Users\Documents\AOL Downloads\America Online 9.0\felix.zip Win32/Joke.ScreenMate application deleted - quarantined
C:\RECYCLER\S-1-5-21-569660269-4189796892-4034175367-1009\Dc6.exe a variant of Win32/Adware.ADON application deleted - quarantined

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:06 PM

Posted 22 April 2010 - 09:49 PM

The second is Adware. It's a problem but not in the nature of Trojans and the like.

Tell you what. Why don't you open MalwareBytes do an update and a Quick Scan to see if it finds anything else.

#14 Prising

Prising
  • Topic Starter

  • Members
  • 29 posts
  • Local time:08:06 PM

Posted 23 April 2010 - 04:02 PM

It again seems clean (log is below) but I'm still getting spikes of 100%. Also I noticed the NT had been changed on the 10th and the Administrator folder was modified on the 13th. Is this something to be concerned with?

MBAM LOG:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4024

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/23/2010 4:46:00 PM
mbam-log-2010-04-23 (16-46-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 176112
Time elapsed: 35 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#15 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:06 PM

Posted 23 April 2010 - 05:10 PM

No, the changes by themselves don't really signify anything. Let's delete the version of ComboFix you had and download a new one and run it from the link below:

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.