
My Modem Is Working Behind My Back


This topic is locked
18 replies to this topic

#1 novirusplease

Posted 26 April 2007 - 03:36 PM

I already had this problem a few weeks ago (and also last year).
My PC has probably been infected by spyware or a similar virus, as the modem (ZyXel - ADSL) is intermittently active (every 3-4 s it becomes active) even when the PC is switched off.
I use ZoneAlarm and Avira AntiVir. AVG (all of the software is the free version) is also sometimes used. I scanned my PC with GMER lately but nothing changed.

Rosty posted a procedure to solve the problem in the last topic I initiated.
I must deeply apologize for not replying to this new post. I actually downloaded and ran Dr.Web CureIt as indicated, but I could never get to the end of the scan (in spite of dozens of tries). My PC always froze before completing the scan. I first thought that my internet phone was involved in this problem, as it did not work well at that time. In the end the internet phone worked well, and the modem is still working when the PC is off and the phone disconnected. I also thought that I was lacking some RAM (total 642 MB), but the CPU usage in the task manager seemed to infirm it.

This problem is really a pain. I really wish to get rid of it once and for all.

Any guidance is warmly welcome.

Here is the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 22:20:38, on 26.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\MSTMON_P.EXE
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor2300WStatusDisplay] C:\WINDOWS\system32\MSTMON_P.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Gestionnaire Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162634574265
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 Rosty (Malware Response Team)

Posted 30 April 2007 - 11:40 AM

Hi Novirusplease,

no need to apologize. I've helped you before, let's see if I can do it again.

Please run a GMER Rootkit scan:

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply together with a new HijackThis log.

If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode. Most other rootkit revealers don't.

Regards,

Rosty.

Edited by Rosty, 30 April 2007 - 11:42 AM.

Proud member of ASAP since 2007

#3 novirusplease (Topic Starter)

Posted 30 April 2007 - 02:57 PM

Rootkit:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-04-30 21:51:57
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F733E230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F733E230] vsdatant.sys

---- Processes - GMER 1.0.12 ----

Process hidden process (*** hidden *** ) 21880
Process hidden process (*** hidden *** ) 23600

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Dr. Yoshinori SENUMA\Favoris\search engines\Google Recherche avancée.url:favicon
ADS E:\Documents and Settings\Dr. Yoshinori SENUMA\Mes documents\BUSINESS\ALYS\administration\accounting\accounting 2005\1170 TVA: achats de matières et prestations de services
ADS E:\Documents and Settings\Dr. Yoshinori SENUMA\Mes documents\BUSINESS\ALYS\administration\accounting\accounting 2005\1171 TVA: investissements et autres charges d'exploitation

---- EOF - GMER 1.0.12 ----



HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 21:53:36, on 30.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\MSTMON_P.EXE
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor2300WStatusDisplay] C:\WINDOWS\system32\MSTMON_P.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Gestionnaire Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162634574265
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
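
A small summariser for GMER output in the shape posted above, added here as an example (not GMER's own code and not anything from this thread). It counts SSDT and IRP hooks per driver, marks drivers of a known security product as expected (the vsdatant.sys to Zone Labs mapping is an assumption made for the demo), and flags hidden processes, which are the finding that warrants the safe-mode re-scan the helper asks for; the sample log is constructed from the line shapes above.

```python
"""Summarise pasted GMER rootkit-scan output (added example; not GMER's own code
nor anything posted in this thread)."""
import re
from collections import defaultdict

# Line shapes as GMER 1.0.12 prints them in the System / Devices / Processes / Files sections.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s*$")
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)\s*$"
)
HIDDEN_PROC_RE = re.compile(r"^Process\s+(?P<name>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(?P<pid>\d+)\s*$")
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+?)\s*$")

# Assumption made for this demonstration: kernel drivers belonging to the security
# products visible in the poster's HijackThis log. vsdatant.sys is the Zone Labs
# TrueVector driver behind the vsmon.exe service (O23 line), so its hooks are expected.
KNOWN_SECURITY_DRIVERS = {"vsdatant.sys": "Zone Labs TrueVector (ZoneAlarm)"}


def parse_gmer(text):
    """Split a pasted GMER log into hooks, hidden processes and alternate data streams."""
    out = {"ssdt": [], "device": [], "hidden_procs": [], "ads": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):  # blank lines and section banners
            continue
        if (m := SSDT_RE.match(line)):
            out["ssdt"].append({"module": m["module"], "func": m["func"]})
        elif (m := DEVICE_RE.match(line)):
            out["device"].append({"device": m["device"], "irp": m["irp"], "module": m["module"]})
        elif (m := HIDDEN_PROC_RE.match(line)):
            out["hidden_procs"].append({"name": m["name"], "pid": int(m["pid"])})
        elif (m := ADS_RE.match(line)):
            out["ads"].append(m["path"])
        # header lines (version, scan time, OS) carry no findings and are skipped
    return out


def _basename(module_path):
    return module_path.rsplit("\\", 1)[-1].lower()


def assess(parsed):
    """Count hooks per driver, mark drivers of known security products as expected,
    and flag hidden processes, which always need follow-up (for instance the
    second scan from safe mode that the helper in this thread asks for)."""
    counts = defaultdict(lambda: {"ssdt": 0, "irp": 0})
    for h in parsed["ssdt"]:
        counts[_basename(h["module"])]["ssdt"] += 1
    for h in parsed["device"]:
        counts[_basename(h["module"])]["irp"] += 1
    modules = []
    for mod in sorted(counts):
        owner = KNOWN_SECURITY_DRIVERS.get(mod)
        modules.append({"module": mod, "ssdt": counts[mod]["ssdt"], "irp": counts[mod]["irp"],
                        "owner": owner, "expected": owner is not None})
    hidden_pids = [p["pid"] for p in parsed["hidden_procs"]]
    return {
        "modules": modules,
        "hidden_pids": hidden_pids,
        "ads_count": len(parsed["ads"]),
        "needs_followup": bool(hidden_pids) or any(not m["expected"] for m in modules),
    }


# Constructed sample modelled on the GMER log posted in this thread (user name shortened).
SAMPLE = r"""
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-04-30 21:51:57
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F733E230] vsdatant.sys

---- Processes - GMER 1.0.12 ----

Process hidden process (*** hidden *** ) 21880

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\user\Favoris\search engines\Google Recherche avancée.url:favicon

---- EOF - GMER 1.0.12 ----
"""

if __name__ == "__main__":
    result = assess(parse_gmer(SAMPLE))
    for m in result["modules"]:
        print(f"{m['module']}: {m['ssdt']} SSDT hooks, {m['irp']} IRP hooks, "
              f"{'expected (' + m['owner'] + ')' if m['expected'] else 'UNKNOWN driver'}")
    print("hidden PIDs:", result["hidden_pids"], "| ADS entries:", result["ads_count"])
    print("needs follow-up:", result["needs_followup"])
```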

#4 Rosty (Malware Response Team)

Posted 01 May 2007 - 10:54 AM

Hi Novirusplease,

can you run GMER in safe mode please? Post the result here in your next reply.

Regards,

Rosty.
Proud member of ASAP since 2007

#5 novirusplease (Topic Starter)

Posted 01 May 2007 - 02:26 PM

This is silly...

When I boot in safe mode, the screen resolution is so low that the Scan button is hidden below the bottom bar of the Gmer window. I found no way to make this button appear. The screen resolution cannot be changed and the window (Gmer) cannot be scrolled.

What to do?

#6 Rosty (Malware Response Team)

Posted 03 May 2007 - 03:04 AM

Hi Novirusplease,
sorry for the delay.

Let's try the next:

Please download and unzip Rootkit Revealer to your desktop.
Please leave the defaults set as they are to:
Hide NTFS Metadata Files: this option is on by default
Scan Registry: this option is on by default.

Note: Before performing a scan it is recommended to do the following to ensure the best results for a simpler and clearer log file to analyze:
1) Disconnect from or physically unplug the cable from the PC to the Internet connection.
2) Close down All Scheduling/Updating + Running Background tasks, etc.
3) Disable/turn off any program that might activate during the scan such as screensaver, anti-virus, anti-spyware. Programs that activate during the scan may cause RKR to display inaccurate/misleading log results.
4) Then after starting the scan, DO NOT use the computer until the scan has completed.
5) When the scan has finished, save the log file and re-enable those programs you closed down, or reboot and then you can reconnect to the Internet.

Now launch rootkit revealer on the system and press the Scan button.
Please post the log here in this thread using Add Reply
(please double check that it has all been posted as it may be too long for one post)
Proud member of ASAP since 2007

#7 novirusplease (Topic Starter)

Posted 04 May 2007 - 12:36 AM

SCAN with PC disconnected:

HKU\.DEFAULT\Control Panel\International 31.01.2007 14:02 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-21-606747145-1060284298-839522115-1003\Control Panel\International 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-21-606747145-1060284298-839522115-1003\Control Panel\International\Geo 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Command Processor 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 31.01.2007 14:02 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 28.10.2006 17:53 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 28.10.2006 17:53 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 31.01.2007 14:02 0 bytes Security mismatch.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Aide CSA .lnk 29.10.2006 19:49 425 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Ajouter icône plateau CSA .lnk 29.10.2006 19:49 473 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Lisez-moi.lnk 29.10.2006 19:49 429 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Supprimez l'icône Plateau CSA .lnk 29.10.2006 19:49 455 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Supprimez le driver modem ADSL .lnk 29.10.2006 19:49 469 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Aide CSA .lnk 29.10.2006 20:49 425 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Ajouter icône plateau CSA .lnk 29.10.2006 20:49 473 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Lisez-moi.lnk 29.10.2006 20:49 429 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Supprimez l'icône Plateau CSA .lnk 29.10.2006 20:49 455 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Supprimez le driver modem ADSL .lnk 29.10.2006 20:49 469 bytes Visible in Windows API, but not in MFT or directory index.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Aide CSA .lnk 30.06.2005 13:08 425 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Ajouter icône plateau CSA .lnk 30.06.2005 13:08 473 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Lisez-moi.lnk 30.06.2005 13:08 429 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Supprimez l'icône Plateau CSA .lnk 30.06.2005 13:08 455 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Supprimez le driver modem ADSL .lnk 30.06.2005 13:08 469 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Aide CSA .lnk 30.06.2005 13:08 425 bytes Visible in Windows API, but not in MFT or directory index.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Ajouter icône plateau CSA .lnk 30.06.2005 13:08 473 bytes Visible in Windows API, but not in MFT or directory index.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Lisez-moi.lnk 30.06.2005 13:08 429 bytes Visible in Windows API, but not in MFT or directory index.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Supprimez l'icône Plateau CSA .lnk 30.06.2005 13:08 455 bytes Visible in Windows API, but not in MFT or directory index.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Supprimez le driver modem ADSL .lnk 30.06.2005 13:08 469 bytes Visible in Windows API, but not in MFT or directory index.


-----
SCAN in normal state:

HKU\.DEFAULT\Control Panel\International 31.01.2007 14:02 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-21-606747145-1060284298-839522115-1003\Control Panel\International 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-21-606747145-1060284298-839522115-1003\Control Panel\International\Geo 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Command Processor 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 31.01.2007 14:02 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 31.01.2007 14:02 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 28.10.2006 17:53 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 28.10.2006 17:53 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 31.01.2007 14:02 0 bytes Security mismatch.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Aide CSA .lnk 29.10.2006 19:49 425 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Ajouter icône plateau CSA .lnk 29.10.2006 19:49 473 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Lisez-moi.lnk 29.10.2006 19:49 429 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Supprimez l'icône Plateau CSA .lnk 29.10.2006 19:49 455 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Supprimez le driver modem ADSL .lnk 29.10.2006 19:49 469 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Aide CSA .lnk 29.10.2006 20:49 425 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Ajouter icône plateau CSA .lnk 29.10.2006 20:49 473 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Lisez-moi.lnk 29.10.2006 20:49 429 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Supprimez l'icône Plateau CSA .lnk 29.10.2006 20:49 455 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Supprimez le driver modem ADSL .lnk 29.10.2006 20:49 469 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Dr. Yoshinori SENUMA\Application Data\Mozilla\Firefox\Profiles\gggf2rlf.default\parent.lock 03.05.2007 22:09 0 bytes Hidden from Windows API.
C:\Documents and Settings\Dr. Yoshinori SENUMA\Application Data\Mozilla\Firefox\Profiles\gggf2rlf.default\sessionstore.js 03.05.2007 22:10 470 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Aide CSA .lnk 30.06.2005 13:08 425 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Ajouter icône plateau CSA .lnk 30.06.2005 13:08 473 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Lisez-moi.lnk 30.06.2005 13:08 429 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Supprimez l'icône Plateau CSA .lnk 30.06.2005 13:08 455 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL \Supprimez le driver modem ADSL .lnk 30.06.2005 13:08 469 bytes Hidden from Windows API.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Aide CSA .lnk 30.06.2005 13:08 425 bytes Visible in Windows API, but not in MFT or directory index.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Ajouter icône plateau CSA .lnk 30.06.2005 13:08 473 bytes Visible in Windows API, but not in MFT or directory index.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Lisez-moi.lnk 30.06.2005 13:08 429 bytes Visible in Windows API, but not in MFT or directory index.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Supprimez l'icône Plateau CSA .lnk 30.06.2005 13:08 455 bytes Visible in Windows API, but not in MFT or directory index.
E:\Documents and Settings\All Users\Menu Démarrer\Programmes\Driver modem ADSL\Supprimez le driver modem ADSL .lnk 30.06.2005 13:08 469 bytes Visible in Windows API, but not in MFT or directory index.

#8 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 04 May 2007 - 05:20 AM

Hi Novirusplease,

My PC has probably been infected by a spyware or a similar virus as the modem (ZyXel - adsl) is intermittently active (every 3-4s it becomes active) even when the PC is switched off.

and

In the end the internet phone worked well and the modem is still working when the PC is off and the phone disconnected.

Can you explain this please?

If I interpret this correctly, then the router/modem is still active when the computer is turned off. This is normal, but if you are afraid it is hijacked, reset the hardware.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Regards,

Rosty.
Proud member of ASAP since 2007

#9 novirusplease

novirusplease
  • Topic Starter

  • Members
  • 142 posts

Posted 12 May 2007 - 01:31 AM

Indeed, the modem is still active when the computer is turned off. In my view, there is no reason for it to be active if I am not using the Internet access.

I have tried to download the software but it seems that the link is not correct: "The requested URL '/sUBs/combofix.exe' was not found on this server."



Note: sorry for the delay in replying, I was expecting an e-mail notification as for the first post.

#10 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 12 May 2007 - 03:38 AM

Hi Novirusplease,

Indeed, the modem is still active when the computer is turned off. To my view, there is no reason that it is active if I am not using the Internet access.

You can try to reset the hardware, if you don't trust it.

Note: sorry for the delay in replying, I was expecting an e-mail notification as for the first post.

Don't worry about the delay. Do you see this under your post: "You are currently receiving email notification of replies "?

As for the download link, please try this one: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

#11 novirusplease

novirusplease
  • Topic Starter

  • Members
  • 142 posts

Posted 12 May 2007 - 12:00 PM

I can see this under my post: "You are currently receiving email notification of replies"


Here is the ComboFix log file:



((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-04-19 11:36 43,584 --a------ C:\WINDOWS\system32\drivers\avipbb.sys
2007-04-19 11:36 28,352 --a------ C:\WINDOWS\system32\drivers\ssmdrv.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-12 16:41:38 -------- d-----w C:\Program Files\PeerGuardian2
2007-05-10 12:34:11 -------- d-----w C:\Program Files\WinPhone
2007-05-04 04:57:41 -------- d-----w C:\DOCUME~1\DR4708~1.YOS\APPLIC~1\Canon
2007-03-25 16:50:30 445,016 ----a-w C:\WINDOWS\system32\perfh00C.dat
2007-03-25 16:50:29 63,614 ----a-w C:\WINDOWS\system32\perfc00C.dat
2007-03-21 15:56:33 -------- d-----w C:\Program Files\VaudTax2006
2007-03-19 17:20:10 1,289 ----a-w C:\WINDOWS\mozver.dat
2007-03-17 13:44:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 18:15:42 -------- d-----w C:\DOCUME~1\DR4708~1.YOS\APPLIC~1\FileZilla
2007-03-15 18:13:27 -------- d-----w C:\Program Files\FileZilla Client
2007-03-14 17:47:26 -------- d--h--w C:\Program Files\Zero G Registry
2007-03-14 17:40:29 -------- d-----w C:\DOCUME~1\DR4708~1.YOS\APPLIC~1\AdobeUM
2007-03-08 15:37:50 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:37:50 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:37:50 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:33:58 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-06 06:29:01 0 ----a-w C:\WINDOWS\nsreg.dat
2007-02-05 20:19:06 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"AME_CSA"="rundll32 amecsa.cpl,RUN_DLL"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"Logitech Utility"="Logi_MwX.Exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"KONICA MINOLTA magicolor2300WStatusDisplay"="C:\\WINDOWS\\system32\\MSTMON_P.EXE"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Edition Découverte\\3.0\\Apps\\apdproxy.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_PGFILTER

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 18:41:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-12 18:41:58
C:\ComboFix-quarantined-files.txt ... 2007-05-12 18:41
C:\ComboFix2.txt ... 2007-01-31 14:02
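The "Reg Loading Points" section of the ComboFix log above is the part worth reading by hand: every value under the `Run` keys is launched at logon, and two shapes of entry deserve a second look regardless of whether the program is known. A value that is only a bare file name (`"Logitech Utility"="Logi_MwX.Exe"`) or that hands `rundll32` a module by bare name (`"AME_CSA"="rundll32 amecsa.cpl,RUN_DLL"`) is resolved through the search order rather than from a fixed location, and an unquoted path containing spaces (`C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe`) leaves the program/argument boundary ambiguous. The script below is an added example, not ComboFix code and not part of the original post: it parses the reg-export style ComboFix uses (doubled backslashes, `\"` for embedded quotes) and reports entries matching those two patterns. The sample is a subset of the log above; the classification rules are the editor's heuristics, so a flagged entry is a candidate to verify on disk, not a detection.

```python
"""Flag autorun entries in a ComboFix 'Reg Loading Points' section whose
program is located by search order or whose path is unquoted with spaces.
Added triage example, not ComboFix code."""
import re

# Constructed sample: a subset of the Run keys from the log above,
# in ComboFix's reg-export style (backslashes doubled, inner quotes escaped).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"AME_CSA"="rundll32 amecsa.cpl,RUN_DLL"
"Logitech Utility"="Logi_MwX.Exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>.*)"$')
ABS_RE = re.compile(r'^[A-Za-z]:\\')
# For an unquoted command: the shortest leading run that ends in an
# executable-looking extension followed by whitespace or end of string.
UNQUOTED_PROG_RE = re.compile(
    r'^([A-Za-z]:\\.*?\.(?:exe|cpl|dll|scr|com))(?=\s|$)', re.IGNORECASE)


def unescape(value):
    r"""Undo reg-export escaping: \\ becomes \ and \" becomes a quote."""
    return re.sub(r'\\(.)', r'\1', value)


def split_command(cmd):
    """Return (program, arguments, quoted) for an autorun command line."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unterminated quote: whole rest is the program
            return cmd[1:], '', True
        return cmd[1:end], cmd[end + 1:].strip(), True
    m = UNQUOTED_PROG_RE.match(cmd)
    if m:                                  # absolute but unquoted: take up to the extension
        return m.group(1), cmd[m.end():].strip(), False
    prog, _, rest = cmd.partition(' ')     # bare name: first token is the program
    return prog, rest.strip(), False


def triage_entry(name, cmd):
    """Classify one Run value; 'issues' is empty when nothing stands out."""
    prog, args, quoted = split_command(cmd)
    issues = []
    if not ABS_RE.match(prog):
        issues.append('bare program name: resolved through the search path, '
                      'not from a fixed location')
    elif not quoted and ' ' in prog:
        issues.append('unquoted path with spaces: ambiguous program/argument boundary')
    low = prog.lower()
    if low in ('rundll32', 'rundll32.exe') or low.endswith('\\rundll32.exe'):
        module = args.split(',')[0].strip().strip('"')
        if module and not ABS_RE.match(module):
            issues.append('rundll32 loads module %r by bare name' % module)
    return {'name': name, 'program': prog, 'args': args, 'issues': issues}


def triage_log(text):
    """Walk the [key] / "name"="value" lines and return the flagged entries."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        entry = triage_entry(vm.group('name'), unescape(vm.group('value')))
        if entry['issues']:
            entry['key'] = key
            findings.append(entry)
    return findings


if __name__ == '__main__':
    for f in triage_log(SAMPLE):
        print('%s\\%s -> %s' % (f['key'], f['name'], f['program']))
        for issue in f['issues']:
            print('    -', issue)
```

On the sample this flags four of the six entries and leaves `QuickTime Task` (quoted) and `CTFMON.EXE` (absolute, no spaces) alone. The next step for a flagged entry is to locate the file the system actually resolves (for a bare name, by walking the `PATH` and `App Paths` lookup order on the machine) and confirm it is the vendor's binary, which this script deliberately does not do because it runs against a log, not the host.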

#12 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 14 May 2007 - 04:20 AM

Can you disable your protection software for the moment and rescan with DrWebCureIt, please?
Post the log from Drweb. After scanning with DrWebCureIt please re-enable your protection software.

#13 novirusplease

novirusplease
  • Topic Starter

  • Members
  • 142 posts

Posted 17 May 2007 - 10:46 AM

Here you are:

aasetup.exe\data002;E:\Documents and Settings\Dr. Yoshinori SENUMA\Mes documents\downloaded programs\aasetup.exe;Adware.TimeSink;;
aasetup.exe;E:\Documents and Settings\Dr. Yoshinori SENUMA\Mes documents\downloaded programs;Archive contains infected objects;Moved.;
RheoExplorer.exe;E:\Program Files\Reologica\Rheoexplorer;Win32.KME.based;Incurable.Moved.;
A0041393.exe\data002;E:\System Volume Information\_restore{2946EBDE-CFE0-4183-8920-237ECECA6B24}\RP212\A0041393.exe;Adware.TimeSink;;
A0041393.exe;E:\System Volume Information\_restore{2946EBDE-CFE0-4183-8920-237ECECA6B24}\RP212;Archive contains infected objects;Moved.;
A0041394.exe;E:\System Volume Information\_restore{2946EBDE-CFE0-4183-8920-237ECECA6B24}\RP212;Win32.KME.based;Incurable.Moved.;

#14 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 18 May 2007 - 02:56 AM

Hi Novirusplease,

How are things running now?

#15 novirusplease

novirusplease
  • Topic Starter

  • Members
  • 142 posts

Posted 25 May 2007 - 03:18 AM

The modem is still active when the PC is off (as before).

I am somewhat worried about this. It does not make me feel good to know that my private data (including bank accounts and passwords) might be seen by unknown people.

Sincerely yours,


---
Note: I do not receive e-mail notifications of replies (not every time at least) although it is stated in the post options "You are currently receiving email notification of replies".



