Crazy Infection

#1 Michaela1

  Members
  • 8 posts
  Posted 12 March 2012 - 03:27 PM

Hello Boopme!

Thanks for jumping on board here with me. I appreciate your quick response. All logs went well. Today has been a quiet day on the unit compared to most. I have been taking it slow and sneaking programs in here and there...lol. It is almost like there are times "It" is awake and other times asleep. I had an error this morning that said it lost the "autochk.exe" and it would be skipped. Windows would just run circles at log on and did not succeed. I tried copying the file off of the XP CD and it didn't take. Ended up repairing.

This is the first time I have used Zone Alarm. The last firewall I had was Personal Firewall. It was shredded along with Malwarebytes and several anti-virus programs. When I do a fresh install of Windows and am at the install screen on the desktop with, ohhh, about 10 minutes left, two minimized black windows will flash down where the taskbar would be. This also happens with programs being installed, but with larger windows. They will flash real quick and maybe leave a black shadow that disappears as soon as it comes up. I have used Iolo and Drive Erase to scrub the drive. I just really felt like this thing was in the MBR. With Iolo the start-up screen would change as time went on. It talked about FreeDOS and Turbo Disk. Sometimes it would have 10 questions before running the scrub, asking about installing 20 files and 20 clones, asking about an echo, etc. It was odd that these things didn't show up all the time. I don't know if "It" was manipulating the programs on the disk or what. I find it hard to believe, but it sure seemed like it. Programs downloaded off the net, a CD or a SanDisk would go through the whole process and then just fall apart. I would find pieces of the programs in folders like "Recycler". The scan was running but, it wasn't really. I came back clean all the time. Malwarebytes was the first sign that we were infected. It threw a huge fit.

Not getting the MBR cleaned, I thought the infection had to go deeper, so I have flashed the BIOS on this computer and bought a new hard drive for one of the other computers, only to be left in disappointment. The way this thing has infected computers in the house, I wouldn't doubt it got my microwave also...just kidding.

I have run GMER in the past and didn't know what to do with it. This log looks a lot more active than what I have seen in the past. I have followed several threads on Bleeping trying to get rid of this. This attempt I started with a clean computer, installing Service Pack 3 only (for the reason that normally I get all updates and "It" crashes the system) and Autoruns. Autoruns seemed to run smoother than anything in the past, keeping it at bay, and then I ran the unhooker. So that's a summary of where it is at. Hope I didn't ramble too much. Thank you again for your help.

Very grateful,

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Owner at 13:34:02 on 2012-03-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1461 [GMT -8:00]
FW: ZoneAlarm Free Firewall *Enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Mozilla Firefox\firefox.exe
============== Pseudo HJT Report ===============
uStart Page = about:blank
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
TCP: DhcpNameServer =
TCP: Interfaces\{F9BC2852-EB60-4FB7-A552-83C7A9B54B3F} : DhcpNameServer =
Notify: igfxcui - igfxsrvc.dll
LSA: Notification Packages = scecli
Hosts: www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\7e8sss5c.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=380920&p=
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
============= SERVICES / DRIVERS ===============
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-12-18 525840]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-12 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-12 74640]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2012-3-12 821592]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2012-3-12 246816]
R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2012-3-12 30368]
R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2012-3-12 16208]
S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-12 36000]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-12 86224]
S2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2012-3-12 463824]
=============== Created Last 30 ================
2012-03-12 20:54:23 -------- d-----w- c:\documents and settings\owner\application data\Avira
2012-03-12 20:52:08 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-03-12 20:52:07 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-12 20:52:05 -------- d-----w- c:\program files\Avira
2012-03-12 20:35:49 -------- d-----w- c:\documents and settings\owner\application data\CheckPoint
2012-03-12 20:35:13 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2012-03-12 18:20:44 159744 ----a-w- c:\windows\system32\igfxres.dll
2012-03-12 18:16:57 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2012-03-12 18:15:59 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2012-03-12 18:15:59 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2012-03-12 18:15:59 15872 -c--a-w- c:\windows\system32\dllcache\chgport.exe
2012-03-12 18:15:59 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2012-03-12 18:15:59 13312 -c--a-w- c:\windows\system32\dllcache\chglogon.exe
2012-03-12 18:15:58 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2012-03-12 18:15:57 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2012-03-12 18:15:57 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2012-03-12 18:15:47 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2012-03-12 18:15:47 312832 -c--a-w- c:\windows\system32\dllcache\EXCH_aqueue.dll
2012-03-12 18:15:46 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2012-03-12 18:15:41 2134528 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2012-03-12 18:15:41 175104 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpadm.dll
2012-03-12 18:12:19 67072 ----a-w- c:\windows\system32\rdshost.exe
2012-03-12 18:11:59 58880 ----a-w- c:\windows\system32\licwmi.dll
2012-03-12 17:49:49 741376 ----a-w- c:\program files\common files\microsoft shared\speech\sapi.dll
2012-03-12 17:49:43 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-03-12 17:49:43 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-03-12 17:49:43 146432 ----a-w- c:\windows\system\winspool.drv
2012-03-12 17:49:43 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-03-12 17:49:43 13312 ----a-w- c:\windows\system32\irclass.dll
2012-03-12 17:49:42 74752 ----a-w- c:\windows\system32\storprop.dll
2012-03-12 17:49:23 7046 ----a-r- c:\windows\SET56.tmp
2012-03-12 17:49:21 13608 ----a-r- c:\windows\SET38.tmp
2012-03-12 17:49:18 1086182 ----a-r- c:\windows\SET23.tmp
2012-03-12 17:31:59 -------- d-----w- c:\program files\CheckPoint
2012-03-12 17:23:46 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-03-12 17:14:44 -------- d-----w- c:\program files\msn gaming zone
2012-03-12 16:22:56 -------- d-----w- c:\windows\ServicePackFiles
2012-03-12 16:19:33 19569 ----a-w- c:\windows\003214_.tmp
2012-03-12 16:12:47 19569 ----a-w- c:\windows\003213_.tmp
2012-03-12 15:52:45 6656 ----a-w- c:\windows\system32\SET102D.tmp
2012-03-12 15:52:45 187392 ----a-w- c:\windows\system32\SET102C.tmp
2012-03-12 15:52:45 1135616 ----a-w- c:\windows\system32\SET102E.tmp
2012-03-12 15:49:59 45568 ----a-w- c:\windows\system32\SET387.tmp
2012-03-12 15:48:59 713216 ----a-w- c:\windows\system32\SET16F.tmp
2012-03-12 15:47:01 19569 ----a-w- c:\windows\003207_.tmp
2012-03-12 15:44:59 57344 ----a-w- c:\program files\common files\system\ado\msadrh15.dll
2012-03-12 15:43:59 79872 ----a-w- c:\windows\system32\raschap.dll
2012-03-12 11:45:00 -------- d-----w- c:\documents and settings\owner\application data\IObit
2012-03-12 10:21:00 939368 ----a-w- c:\windows\system32\flash.ocx
2012-03-12 10:20:54 -------- d-----w- c:\documents and settings\owner\local settings\application data\PackageAware
2012-03-12 10:16:04 -------- d-----w- c:\program files\IObit
2012-03-12 09:32:26 -------- d-----w- c:\windows\pss
2012-03-12 09:24:04 -------- d-----w- c:\documents and settings\owner\application data\f-secure
2012-03-12 09:23:38 -------- d-----w- c:\documents and settings\all users\application data\F-Secure
2012-03-12 09:15:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-12 03:34:37 -------- d-----w- c:\windows\system32\NtmsData
2012-03-12 03:25:25 -------- d-----w- c:\documents and settings\owner\local settings\application data\AskToolbar
2012-03-12 03:20:00 -------- d-----w- c:\program files\PC Tools
2012-03-12 03:15:06 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-03-12 03:15:06 -------- d-----w- c:\program files\common files\PC Tools
2012-03-12 03:14:47 -------- d-----w- c:\documents and settings\owner\application data\TestApp
2012-03-12 03:14:47 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-03-12 02:24:32 -------- d-s---w- c:\documents and settings\owner\UserData
2012-03-12 01:12:14 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2012-03-12 01:11:05 -------- d-s---w- c:\windows\system32\Microsoft
2012-03-12 01:05:12 63663 ------w- c:\windows\system32\drivers\ati1rvxx.sys
2012-03-12 01:03:47 19569 ----a-w- c:\windows\002377_.tmp
2012-03-12 01:03:32 -------- d-----w- c:\windows\system32\ReinstallBackups
2012-03-12 01:03:22 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2012-03-12 01:01:35 -------- d-----w- c:\windows\EHome
==================== Find3M ====================
============= FINISH: 13:36:20.60 ===============

#2 Michaela1

  Topic Starter

  Members
  • 8 posts
  Posted 13 March 2012 - 04:17 PM

Edit: This reply was originally a separate standalone topic in this forum titled "what is this and why is it on my comp?". It has been merged into this malware log topic to keep all information in one thread, to avoid confusion and possibly conflicting help. ~ Animal

This .ini file was on my desktop along with another. I did not create these nor did I put them there. The attachment is a piece of equipment I found.

WildTangent Games App - acer.lnk=@C:\PROGRA~2\WILDTA~1\TOUCHP~1\acer\MUILink.exe,-105
Acer Registration.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Enregistrement Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Registrazione Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Registro de Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Registratie.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Registrierung.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Registo Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Registrering af Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Rekisteröinti.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer-registrering.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Registrace Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Εγγραφή.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Regisztráció.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Rejestracja — Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Kayıt.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Înregistrare Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Регистрация Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer ユーザー登録.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer 注册.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer 註冊.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Registreerimine.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Registracija.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Reģistrācija.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer Регистрация.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
การลงทะเบียน Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer تسجيل.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer - Registrácia.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Registracija Acer.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101
Acer 등록.lnk=@C:\Program Files (x86)\Acer\Registration\GlobalRegistrationMUI.dll,-101

#3 eddie5659

  Malware Response Team
  • 127 posts
  • Gender:Male
  Posted 15 March 2012 - 01:00 PM

Thank you for posting the above logs :)

Can you firstly uninstall these:

Ask Toolbar
IObit Malware Fighter

Then, can you run the following tools:

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Download and scan with SUPERAntiSpyware Free Edition for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Home" button to leave the control center screen.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click Scan your computer.
  • On the left, select all fixed drives.
  • Click "Start Complete Scan" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "Continue".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "Remove Threats" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click View Scan Logs.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Please include the MBAM log, the SUPERAntiSpyware Scan Log and a fresh HijackThis log in your next reply.

#4 eddie5659

  Malware Response Team
  • 127 posts
  • Gender:Male
  Posted 25 March 2012 - 12:20 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
