
rsa98

Everything posted by rsa98

  1. OK, so I added the PC Tune Up folder to the exclusions and they no longer show up, but I still get the 4 registry keys. I have my detection & protection settings set for PUPs to be treated as malware, but the scan log report does not give me the box to check/uncheck to give me the option to add them to the exclusion list, and in the scan log report it shows PUPs as warn, NOT enabled. ScanLog121616.txt
  2. After updating ZoneAlarm Extreme Security a month ago, Malwarebytes now (since Nov 17, 2016) tags all the files and registry entries for ZoneAlarm's PC-Tune-up program as PUPs. There are 242 files/keys that are being tagged as PUPs. I've waited this long because I figured that it would be cleared up in the Malwarebytes updates but it still shows up. I've attached the exported scan log from 12/08/2016 Thank you ScanLog120816.txt
  3. I do a full scan every night and a flash scan after every update, and all of a sudden this shows up in files that have been on my hard drive for a long time.

     C:\Program Files (x86)\Dolby Home Theater v4\pt-br\pcee4c.resources.dll (Trojan.MSIL) -> Quarantined and deleted successfully.
     C:\Program Files (x86)\Realtek\Audio\PCEE4\DolbyHomeTheater.msi (Trojan.MSIL) -> Quarantined and deleted successfully.
     C:\Windows\Installer\fb22c7.msi (Trojan.MSIL) -> Quarantined and deleted successfully.
     D:\ComputerSetup\Hardware\Gigabyte_UD3R\Drivers\HD_Audio\PCEE4\DolbyAdvancedAudio.msi (Trojan.MSIL) -> Quarantined and deleted successfully.
     D:\ComputerSetup\Hardware\Gigabyte_UD3R\Drivers\HD_Audio\PCEE4\DolbyHomeTheater.msi (Trojan.MSIL) -> Quarantined and deleted successfully.

     It seems Malwarebytes quarantined them successfully and subsequent scans have been clean. Any ideas? Thank you. R
  4. Another fine job. Quick scan detected no malicious items. PC seems to be running fine. Thank you for your help and quick response. mbam-log-2012-06-14 (16-53-41).txt
  5. Malwarebytes Flash scan, run every hour, found Trojan.Agent in the registry area at 10pm last night. I do the removal and reboot; the log says quarantined and deleted successfully, yet it reappears on reboot.

     Registry Keys Detected: 1
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Trojan.Agent) -> Quarantined and deleted successfully.

     Zone Alarm does not detect it. The only thing done yesterday was an update to Mailwasher Pro. Attached are the Malwarebytes log and the DDS log with the Attach.txt log. Thank you. Attach.txt DDS.txt mbam-log-2012-06-13 (22-23-29).txt
  6. Thanks for the quick response. I will tell ZA to ignore this detection and also notify ZA Technical support of the false positive reading.
  7. I am running Zone Alarm Extreme Security and run a nightly virus scan. Last night (05/16/12) the scan tagged 10 files in the Chameleon folder as being infected with "heur trojan downloader win32 generic". No other infections found, PC is running fine, and my nightly Malwarebytes scan is clean. Anybody know what is going on? Thanks for any help.
  8. Computer seems to be running fine. All scans yielding no threats. I never had any real symptoms to start only a hit after a scan with MalwareBytes and it found the Trojan.tdss. I'm going to take some files off the computer and put them on an external hard drive and then format the computer hard drives.
  9. ESET found no threats DDS (Ver_09-07-30.01) - NTFSx86 Run by rsa at 23:34:28.72 on Thu 09/03/2009 Internet Explorer: 6.0.2900.5512 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1329 [GMT -4:00] AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF} FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} ============== Running Processes =============== C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\RunDLL32.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\rsa\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = https://unipay.unibank.com/onlinepaymentcen...i=1077&ttid BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File mRun: [RTHDCPL] RTHDCPL.EXE mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" IE: E&xport 
to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241814190093 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\rsa\applic~1\mozilla\firefox\profiles\owhohht4.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=01020 FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - 
pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); 
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys 
[2008-8-11 365448] R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032] R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] S?1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-9-2 150544] =============== Created Last 30 ================ 2009-09-03 01:17 <DIR> --d----- c:\docume~1\rsa\applic~1\Malwarebytes 2009-09-02 16:56 <DIR> a-dshr-- C:\cmdcons 2009-09-02 16:35 <DIR> -cd----- c:\windows\system32\dllcache\cache 2009-09-02 16:07 229,888 a------- c:\windows\PEV.exe 2009-09-02 16:07 98,816 a------- c:\windows\sed.exe 2009-09-01 21:17 299,008 a------- c:\windows\system32\regxplor.dll 2009-09-01 17:00 <DIR> --d----- c:\program files\Spybot - Search & Destroy 2009-09-01 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2009-08-30 17:53 <DIR> --d----- c:\program files\Trend Micro 2009-08-30 09:51 1,221,512 a------- c:\windows\system32\zpeng25.dll 2009-08-30 04:53 <DIR> --d----- c:\program files\ESET 2009-08-30 04:42 <DIR> --d----- c:\program files\SpywareBlaster 2009-08-23 14:12 1,312 a------- c:\windows\ST6UNST.000 2009-08-23 13:58 249,856 -------- c:\windows\Setup1.exe 2009-08-23 13:58 73,216 a------- c:\windows\ST6UNST.EXE 2009-08-17 19:43 <DIR> --d----- c:\docume~1\rsa\applic~1\Hoyle FaceCreator 2009-08-17 19:43 <DIR> --d----- c:\docume~1\rsa\applic~1\Hoyle Puzzle and Board Games 2009-08-17 19:36 <DIR> --d----- c:\program files\common files\Datalode 2009-08-10 08:14 <DIR> --d----- c:\program files\ReflexiveArcade 2009-08-10 08:10 <DIR> --d----- c:\program files\THQ 2009-08-10 07:56 <DIR> --d----- c:\program files\Rockstar Games ==================== Find3M ==================== 2009-09-03 23:34 399,116,064 a--sh--- c:\windows\system32\drivers\fidbox.dat 2009-09-03 23:32 4,212 a---h--- c:\windows\system32\zllictbl.dat 2009-09-03 06:26 298,064 a--sh--- c:\windows\system32\drivers\fidbox.idx 2009-08-29 18:41 156,672 a------- 
c:\windows\system32\rmc_fixasf.exe 2009-08-29 18:41 237,568 a------- c:\windows\system32\rmc_rtspdl.dll 2009-08-29 18:41 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL 2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys 2009-06-27 23:32 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat 2009-06-26 17:45 0 a------- c:\docume~1\rsa\applic~1\CopyToGo.dat 2009-06-21 08:46 485,920 a------- c:\windows\system32\NVUNINST.EXE 2009-06-10 16:21 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys 2009-06-10 08:28 3,510,272 a------- c:\windows\system32\nvgames.dll 2009-06-10 08:28 4,022,272 a------- c:\windows\system32\nvdisps.dll 2009-06-10 08:28 13,758,464 a------- c:\windows\system32\nvcpl.dll 2009-06-10 08:28 168,004 a------- c:\windows\system32\nvsvc32.exe 2009-06-10 08:28 143,360 a------- c:\windows\system32\nvcolor.exe 2009-06-10 08:28 86,016 a------- c:\windows\system32\nvmctray.dll 2009-06-10 08:28 229,376 a------- c:\windows\system32\nvmccs.dll 2009-06-10 06:03 9,998,336 a------- c:\windows\system32\nvoglnt.dll 2009-06-10 06:03 5,908,608 a------- c:\windows\system32\nv4_disp.dll 2009-06-10 06:03 1,720,320 a------- c:\windows\system32\nvcuda.dll 2009-06-10 06:03 1,580,550 a------- c:\windows\system32\nvdata.bin 2009-06-10 06:03 1,310,720 a------- c:\windows\system32\nvcuvenc.dll 2009-06-10 06:03 815,104 a------- c:\windows\system32\nvapi.dll 2009-06-10 06:03 671,744 a------- c:\windows\system32\nvcuvid.dll 2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe 2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcodins.dll 2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll 2009-05-11 09:08 8 ---shr-- c:\docume~1\alluse~1\applic~1\121009EB70.sys 2008-08-12 17:33 47,360 a------- c:\docume~1\rsa\applic~1\pcouffin.sys ============= FINISH: 23:35:28.87 =============== Attach.zip
  10. Looking in regedit, I found

      HKEY_LOCAL_MACHINE\System\ControlSet002\Services\skynetpwixtbdw
      HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kungsfbekxvrbn

      which were found by ComboFix:

      ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      -------\Legacy_kungsfbekxvrbn
      -------\Legacy_SKYNETpwixtbdw
      -------\Service_kungsfbekxvrbn
      -------\Service_SKYNETpwixtbdw

      and RootRepeal:

      Hidden Services
      -------------------
      Service Name: kungsfbekxvrbn
      Image Path: C:\WINDOWS\system32\drivers\kungsfmtbyoewq.sys
      Service Name: SKYNETpwixtbdw
      Image Path: C:\WINDOWS\system32\drivers\SKYNEToeeftoij.sys

      Do I still have a problem?
  11. First may I say a big thank you to you extremeboy for all your help (and apologies for the posting goofs). I wasn't experiencing any problems with my system, at least nothing that was noticeable or suspicious. That's what was so confusing about it. I was doing a scan with MalwareBytes when the Trojan.TDSS showed up and wouldn't go away. Still can't figure out how it happened with Zone Alarm running all the time. Here are the GMER and DDS logs along with the attach.zip. Malwarebytes scan didn't find anything. Thanks again.

      GMER 1.0.15.15077 [652o3op8.exe] - http://www.gmer.net Rootkit scan 2009-09-02 19:21:09 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB4CE8C30] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB4CE54F0] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB4D00090] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB4CE9320] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB4CFD760] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB4CFD970] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB4D02310] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB4CE9410] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB4CE5D20] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey 
[0xB4D00E90] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB4D00AB0] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB4CFD0E0] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xB4CE1130] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB4D01560] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB4D015E0] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xB4D02590] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB4CE5A80] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB4CFF070] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB4CFEE30] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB4D01DD0] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB4D017A0] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB4CE8840] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB4D01C20] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB4CE8E80] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB4CE5F90] 
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xB4CE0BB0] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB4D005C0] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB4CFE0F0] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB4CFDF70] SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xB4CE13E0] INT 0x20 srescan.sys B87F3CB0 Code \??\C:\DOCUME~1\rsa\LOCALS~1\Temp\catchme.sys pIofCallDriver ---- Devices - GMER 1.0.15 ---- Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ---- EOF - GMER 1.0.15 ---- DDS (Ver_09-07-30.01) - NTFSx86 Run by rsa at 19:26:33.60 on Wed 09/02/2009 Internet Explorer: 6.0.2900.5512 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1553 [GMT -4:00] AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF} FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} ============== Running Processes =============== C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe 
C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\RunDLL32.exe C:\WINDOWS\explorer.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Documents and Settings\rsa\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = https://unipay.unibank.com/onlinepaymentcen...i=1077&ttid BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File mRun: [RTHDCPL] RTHDCPL.EXE mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241814190093 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - 
hxxp://download.eset.com/special/eos/OnlineScanner.cab SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\rsa\applic~1\mozilla\firefox\profiles\owhohht4.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=01020 FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla 
firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - 
pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-8-30 150544] R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-11 365448] R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032] R3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] 
=============== Created Last 30 ================ 2009-09-02 16:56 <DIR> a-dshr-- C:\cmdcons 2009-09-02 16:35 <DIR> -cd----- c:\windows\system32\dllcache\cache 2009-09-02 16:07 229,888 a------- c:\windows\PEV.exe 2009-09-02 16:07 161,792 a------- c:\windows\SWREG.exe 2009-09-02 16:07 98,816 a------- c:\windows\sed.exe 2009-09-01 21:17 299,008 a------- c:\windows\system32\regxplor.dll 2009-09-01 17:00 <DIR> --d----- c:\program files\Spybot - Search & Destroy 2009-09-01 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2009-08-30 17:53 <DIR> --d----- c:\program files\Trend Micro 2009-08-30 09:51 1,221,512 a------- c:\windows\system32\zpeng25.dll 2009-08-30 04:53 <DIR> --d----- c:\program files\ESET 2009-08-30 04:42 <DIR> --d----- c:\program files\SpywareBlaster 2009-08-23 14:12 1,312 a------- c:\windows\ST6UNST.000 2009-08-23 13:58 249,856 -------- c:\windows\Setup1.exe 2009-08-23 13:58 73,216 a------- c:\windows\ST6UNST.EXE 2009-08-17 19:43 <DIR> --d----- c:\docume~1\rsa\applic~1\Hoyle FaceCreator 2009-08-17 19:43 <DIR> --d----- c:\docume~1\rsa\applic~1\Hoyle Puzzle and Board Games 2009-08-17 19:36 <DIR> --d----- c:\program files\common files\Datalode 2009-08-10 08:14 <DIR> --d----- c:\program files\ReflexiveArcade 2009-08-10 08:10 <DIR> --d----- c:\program files\THQ 2009-08-10 07:56 <DIR> --d----- c:\program files\Rockstar Games ==================== Find3M ==================== 2009-09-02 19:25 14,819,872 a--sh--- c:\windows\system32\drivers\fidbox.dat 2009-09-02 19:21 4,212 a---h--- c:\windows\system32\zllictbl.dat 2009-09-02 16:48 183,320 a--sh--- c:\windows\system32\drivers\fidbox.idx 2009-08-29 18:41 156,672 a------- c:\windows\system32\rmc_fixasf.exe 2009-08-29 18:41 237,568 a------- c:\windows\system32\rmc_rtspdl.dll 2009-08-29 18:41 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL 2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys 
2009-06-27 23:32 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat 2009-06-26 17:45 0 a------- c:\docume~1\rsa\applic~1\CopyToGo.dat 2009-06-21 08:46 485,920 a------- c:\windows\system32\NVUNINST.EXE 2009-06-10 16:21 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys 2009-06-10 08:28 3,510,272 a------- c:\windows\system32\nvgames.dll 2009-06-10 08:28 4,022,272 a------- c:\windows\system32\nvdisps.dll 2009-06-10 08:28 13,758,464 a------- c:\windows\system32\nvcpl.dll 2009-06-10 08:28 168,004 a------- c:\windows\system32\nvsvc32.exe 2009-06-10 08:28 143,360 a------- c:\windows\system32\nvcolor.exe 2009-06-10 08:28 86,016 a------- c:\windows\system32\nvmctray.dll 2009-06-10 08:28 229,376 a------- c:\windows\system32\nvmccs.dll 2009-06-10 06:03 9,998,336 a------- c:\windows\system32\nvoglnt.dll 2009-06-10 06:03 5,908,608 a------- c:\windows\system32\nv4_disp.dll 2009-06-10 06:03 1,720,320 a------- c:\windows\system32\nvcuda.dll 2009-06-10 06:03 1,580,550 a------- c:\windows\system32\nvdata.bin 2009-06-10 06:03 1,310,720 a------- c:\windows\system32\nvcuvenc.dll 2009-06-10 06:03 815,104 a------- c:\windows\system32\nvapi.dll 2009-06-10 06:03 671,744 a------- c:\windows\system32\nvcuvid.dll 2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe 2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcodins.dll 2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll 2009-06-05 06:35 410,984 a------- c:\windows\system32\deploytk.dll 2009-05-11 09:08 8 ---shr-- c:\docume~1\alluse~1\applic~1\121009EB70.sys 2008-08-12 17:33 47,360 a------- c:\docume~1\rsa\applic~1\pcouffin.sys ============= FINISH: 19:27:12.39 =============== Attach.zip
  12. ComboFix 09-09-01.04 - rsa 09/02/2009 16:24.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1687 [GMT -4:00]
Running from: c:\documents and settings\rsa\Desktop\Combo-Fix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\rsa\Application Data\inst.exe
c:\documents and settings\rsa\rsa
c:\windows\Installer\WMEncoder.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kungsfbekxvrbn
-------\Legacy_SKYNETpwixtbdw
-------\Service_kungsfbekxvrbn
-------\Service_SKYNETpwixtbdw


((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 01:17 . 2002-07-02 13:15 299008 ----a-w- c:\windows\system32\regxplor.dll
2009-09-01 21:00 . 2009-09-01 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-01 21:00 . 2009-09-01 21:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-30 21:53 . 2009-08-30 21:53 -------- d-----w- c:\program files\Trend Micro
2009-08-30 13:52 . 2009-05-29 00:25 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-30 13:52 . 2009-05-29 00:25 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-30 13:51 . 2009-05-29 00:25 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-30 08:53 . 2009-08-30 08:53 -------- d-----w- c:\program files\ESET
2009-08-30 08:42 . 2009-08-30 08:44 -------- d-----w- c:\program files\SpywareBlaster
2009-08-30 07:45 . 2009-08-30 07:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-23 17:58 . 2009-08-23 18:17 249856 ------w- c:\windows\Setup1.exe
2009-08-23 17:58 . 2009-08-23 18:16 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-08-17 23:43 . 2009-08-17 23:44 -------- d-----w- c:\documents and settings\rsa\Application Data\Hoyle FaceCreator
2009-08-17 23:43 . 2009-08-31 02:06 -------- d-----w- c:\documents and settings\rsa\Application Data\Hoyle Puzzle and Board Games
2009-08-17 23:36 . 2009-08-17 23:36 -------- d-----w- c:\program files\Common Files\Datalode
2009-08-10 12:14 . 2009-08-10 12:14 -------- d-----w- c:\program files\ReflexiveArcade
2009-08-10 12:10 . 2009-08-10 12:10 -------- d-----w- c:\program files\THQ
2009-08-10 11:56 . 2009-08-10 11:56 -------- d-----w- c:\program files\Rockstar Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 20:34 . 2009-06-28 22:04 13160480 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-02 20:32 . 2008-08-11 04:19 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-02 20:28 . 2009-06-28 22:04 177272 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-02 09:51 . 2008-08-11 05:02 -------- d-----w- c:\documents and settings\rsa\Application Data\MailWasherPro
2009-09-01 20:50 . 2009-01-28 05:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-31 17:23 . 2008-08-12 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy Pro
2009-08-31 17:20 . 2008-08-12 21:33 -------- d-----w- c:\documents and settings\rsa\Application Data\Vso
2009-08-29 23:06 . 2009-06-25 23:37 -------- d-----w- c:\program files\Replay Media Catcher
2009-08-29 22:41 . 2009-06-25 23:40 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-08-29 22:41 . 2009-06-25 23:40 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-08-29 22:41 . 2009-06-25 23:39 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-08-26 23:20 . 2009-03-25 19:18 54 ---h--w- c:\windows\popcreg.dat
2009-08-26 23:20 . 2009-03-25 19:18 16 ----a-w- c:\windows\popcinfot.dat
2009-08-25 05:29 . 2009-05-07 09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 23:34 . 2008-08-15 00:18 -------- d-----w- c:\program files\Encore
2009-08-17 20:59 . 2008-08-12 01:00 16 ----a-w- c:\windows\popcinfo.dat
2009-08-12 20:18 . 2008-09-21 21:12 16071835 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-08-10 12:11 . 2008-08-11 03:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-07 03:29 . 2009-06-19 01:20 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-03 17:36 . 2009-05-07 09:55 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-05-07 09:55 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 19:59 . 2009-08-02 19:58 -------- d-----w- c:\program files\Secret Of Monkey Island SE
2009-07-25 10:27 . 2009-07-25 10:26 -------- d-----w- c:\program files\Revistronic
2009-07-20 14:18 . 2009-07-20 14:19 25088 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-07-20 14:14 . 2009-07-20 14:15 2624512 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-07-20 14:14 . 2009-07-20 14:15 3842560 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-07-19 19:34 . 2008-08-16 01:43 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-07-19 15:59 . 2009-07-19 15:59 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-15 23:26 . 2009-07-15 23:26 -------- d-----w- c:\documents and settings\rsa\Application Data\LucasArts
2009-07-08 23:56 . 2008-10-27 15:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-08 23:55 . 2008-10-27 15:35 -------- d-----w- c:\program files\AGEIA Technologies
2009-07-08 22:19 . 2009-07-08 22:19 -------- d-----w- c:\program files\Telltale Games
2009-07-08 20:35 . 2009-07-08 20:35 -------- d-----w- c:\program files\Samsung
2009-07-04 02:35 . 2009-07-04 02:36 3159552 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-07-04 02:35 . 2009-07-04 02:36 3567104 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-06-29 06:56 . 2008-08-11 04:17 45632 ----a-w- c:\documents and settings\rsa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 03:32 . 2008-08-11 03:51 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-26 21:45 . 2009-06-26 21:45 0 ----a-w- c:\documents and settings\rsa\Application Data\CopyToGo.dat
2009-06-21 12:46 . 2008-08-11 04:12 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-10 20:21 . 2009-05-11 13:08 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-06-10 20:21 . 2009-05-11 13:08 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2009-03-27 14:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2008-08-11 04:14 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-10 10:03 . 2007-12-05 05:41 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2007-06-28 16:43 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2007-06-28 16:43 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2007-06-28 16:43 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2007-06-28 16:43 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-10 10:03 . 2007-06-28 16:43 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2007-06-28 16:43 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-05 10:35 . 2009-04-26 02:29 410984 ----a-w- c:\windows\system32\deploytk.dll
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-11-22 16858112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2009-06-10 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
"c:\\Program Files\\Sierra Entertainment\\FEAR Perseus Mandate\\FEARXP2.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
.
Contents of the 'Scheduled Tasks' folder

2009-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 17:42]
.
.
------- Supplementary Scan -------
.
uStart Page = https://unipay.unibank.com/onlinepaymentcen...i=1077&ttid
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\rsa\Application Data\Mozilla\Firefox\Profiles\owhohht4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=01020
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 16:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1532298954-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:19,41,de,94,4c,5f,c8,2a,9b,ce,da,20,e4,2e,32,35,5b,fe,c8,b3,97,bb,1a,
9c,8d,1e,b9,13,47,bd,60,78,c4,bf,da,82,93,1f,29,4f,cc,96,22,6d,0e,66,4b,e5,\
"??"=hex:cf,66,88,dc,66,2a,e5,0c,43,8d,13,c1,a6,1c,78,9b

[HKEY_USERS\S-1-5-21-527237240-1532298954-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:9d,3d,59,c4,96,34,3b,cf,19,f2,49,98,4c,f4,f3,fa,7f,ce,44,84,48,
44,75,06,9c,a1,80,1e,32,db,bd,97,1d,c1,f6,78,e1,9e,a9,85,fa,fb,b2,f2,a6,c4,\
"rkeysecu"=hex:c5,f7,8e,72,38,44,f9,80,66,f4,7a,88,ed,bd,42,07
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-02 16:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 20:36

Pre-Run: 42,599,469,056 bytes free
Post-Run: 42,395,619,328 bytes free

206
  13. ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/01 19:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4BB2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1916000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xB87EC000 Size: 81920 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd2c30

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ccf4f0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cea090

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd3320

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce7760

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce7970

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cec310

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd3410

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ccfd20

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceae90

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceaab0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce70e0

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceb560

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceb5e0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cec590

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ccfa80

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce9070

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce8e30

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cebdd0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceb7a0

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd2840

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cebc20

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd2e80

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ccff90

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cea5c0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce80f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce7f70

Hidden Services
-------------------
Service Name: kungsfbekxvrbn
Image Path: C:\WINDOWS\system32\drivers\kungsfmtbyoewq.sys

Service Name: SKYNETpwixtbdw
Image Path: C:\WINDOWS\system32\drivers\SKYNEToeeftoij.sys

==EOF==

DDS (Ver_09-07-30.01) - NTFSx86
Run by rsa at 19:59:24.10 on Tue 09/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1570 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\rsa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://unipay.unibank.com/onlinepaymentcen...i=1077&ttid
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241814190093
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rsa\applic~1\mozilla\firefox\profiles\owhohht4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=01020
FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-8-30 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-11 365448]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S?2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-09-01 17:00 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-01 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-30 17:53 <DIR> --d----- c:\program files\Trend Micro
2009-08-30 09:51 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-08-30 04:53 <DIR> --d----- c:\program files\ESET
2009-08-30 04:42 <DIR> --d----- c:\program files\SpywareBlaster
2009-08-23 14:12 1,312 a------- c:\windows\ST6UNST.000
2009-08-23 13:58 249,856 -------- c:\windows\Setup1.exe
2009-08-23 13:58 73,216 a------- c:\windows\ST6UNST.EXE
2009-08-17 19:43 <DIR> --d----- c:\docume~1\rsa\applic~1\Hoyle FaceCreator
2009-08-17 19:43 <DIR> --d----- c:\docume~1\rsa\applic~1\Hoyle Puzzle and Board Games
2009-08-17 19:36 <DIR> --d----- c:\program files\common files\Datalode
2009-08-10 08:14 <DIR> --d----- c:\program files\ReflexiveArcade
2009-08-10 08:10 <DIR> --d----- c:\program files\THQ
2009-08-10 07:56 <DIR> --d----- c:\program files\Rockstar Games

==================== Find3M ====================

2009-09-01 19:59 9,977,888 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-09-01 19:55 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-01 18:33 131,672 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-08-29 18:41 156,672 a------- c:\windows\system32\rmc_fixasf.exe
2009-08-29 18:41 237,568 a------- c:\windows\system32\rmc_rtspdl.dll
2009-08-29 18:41 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 23:32 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-26 17:45 0 a------- c:\docume~1\rsa\applic~1\CopyToGo.dat
2009-06-21 08:46 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-06-10 16:21 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-06-10 08:28 3,510,272 a------- c:\windows\system32\nvgames.dll
2009-06-10 08:28 4,022,272 a------- c:\windows\system32\nvdisps.dll
2009-06-10 08:28 13,758,464 a------- c:\windows\system32\nvcpl.dll
2009-06-10 08:28 168,004 a------- c:\windows\system32\nvsvc32.exe
2009-06-10 08:28 143,360 a------- c:\windows\system32\nvcolor.exe
2009-06-10 08:28 86,016 a------- c:\windows\system32\nvmctray.dll
2009-06-10 08:28 229,376 a------- c:\windows\system32\nvmccs.dll
2009-06-10 06:03 9,998,336 a------- c:\windows\system32\nvoglnt.dll
2009-06-10 06:03 5,908,608 a------- c:\windows\system32\nv4_disp.dll
2009-06-10 06:03 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,580,550 a------- c:\windows\system32\nvdata.bin
2009-06-10 06:03 1,310,720 a------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 815,104 a------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 671,744 a------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcodins.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll
2009-06-05 06:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-11 09:08 8 ---shr-- c:\docume~1\alluse~1\applic~1\121009EB70.sys
2008-08-12 17:33 87,608 a------- c:\docume~1\rsa\applic~1\inst.exe
2008-08-12 17:33 47,360 a------- c:\docume~1\rsa\applic~1\pcouffin.sys

============= FINISH: 19:59:32.50 ===============

Attach.zip
  14. Malwarebytes finds Trojan.TDSS in my computer. Here is from the log:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetpwixtbdw (Trojan.TDSS) -> Quarantined and deleted successfully.

It says the PC must reboot to complete the cleaning, so I click yes. The computer reboots, I rescan, and it's back. Same exact error.

Using Regedit I found the key SKYNETpwixtbdw in 4 registry entries:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetpwixtbdw
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\skynetpwixtbdw
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\skynetpwixtbdw
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\skynetpwixtbdw

The CurrentControlSet is the only key showing the Trojan.TDSS infection.

Also, I cannot delete (or rename) any of these keys manually. RegEdit says: error in deleting key

In researching at Symantec, I also don't seem to have any of the files associated with the Trojan.TDSS or the SKYNET registry entries on my hard drives (search from Windows including hidden and system files).

Here are the full MalwareBytes and HijackThis logs:

Malwarebytes' Anti-Malware 1.40
Database version: 2719
Windows 5.1.2600 Service Pack 3

8/30/2009 6:09:17 PM
mbam-log-2009-08-30 (18-09-17).txt

Scan type: Quick Scan
Objects scanned: 134251
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetpwixtbdw (Trojan.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

________________________________________________________________________________
________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:41 PM, on 8/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://unipay.unibank.com/onlinepaymentcen...i=1077&ttid
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1241814190093
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4438 bytes

Thanks for any help.
  15. Malwarebytes finds Trojan.TDSS in my computer. Here is from the log:

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetpwixtbdw (Trojan.TDSS) -> Quarantined and deleted successfully.

      It says the PC must reboot to complete the cleaning, so I click yes. Computer reboots, I rescan and it's back. Same exact error.

      Using Regedit I found the key SKYNETpwixtbdw in 4 registry entries:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetpwixtbdw
      HKEY_LOCAL_MACHINE\System\ControlSet001\Services\skynetpwixtbdw
      HKEY_LOCAL_MACHINE\System\ControlSet002\Services\skynetpwixtbdw
      HKEY_LOCAL_MACHINE\System\ControlSet003\Services\skynetpwixtbdw

      The CurrentControlSet is the only key showing the Trojan.TDSS infection.
      Also, I cannot delete (or rename) any of these keys manually. RegEdit says: error in deleting key.
      In researching at Symantec, I also don't seem to have any of the files associated with the Trojan.TDSS or the SKYNET registry entries on my hard drives (search from Windows including hidden and system files).

      Help, please.
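The symptom in the two posts above (one service key showing up under CurrentControlSet and every ControlSetNNN, re-detected after each reboot, and not deletable in Regedit) is easier to triage when every copy of the key is inspected at once. The following PowerShell script is an added example, not code from the thread or from Malwarebytes: it lists the named service key in each control set, marks which one CurrentControlSet actually points to, shows ImagePath and whether that file is on disk, and reports keys that exist but cannot be read. Only the service name comes from the posts; the helper, its path handling and the output format are assumptions.

```powershell
# Added triage example (not from the forum thread or from Malwarebytes).
# Lists a named service key in every ControlSetNNN, flags the one that
# CurrentControlSet points to, and reports keys that exist but cannot be read.
param([string]$ServiceName = "skynetpwixtbdw")   # name quoted in the posts

# Driver ImagePath values are often relative or use \SystemRoot\ or \??\ prefixes;
# normalise them so the on-disk check is meaningful (hypothetical helper).
function Resolve-ImagePath([string]$Image) {
    if (-not $Image) { return $null }
    $p = $Image.Trim('"')
    if ($p -match '^\\\?\?\\') { $p = $p -replace '^\\\?\?\\', '' }
    if ($p -match '^\\SystemRoot\\') { $p = $p -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

# HKLM\SYSTEM\Select\Current says which ControlSetNNN CurrentControlSet maps to.
$current = "ControlSet{0:D3}" -f (Get-ItemProperty -Path "HKLM:\SYSTEM\Select").Current

$sets = Get-ChildItem -Path "HKLM:\SYSTEM" |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

foreach ($set in $sets) {
    $name    = $set.PSChildName
    $label   = if ($name -eq $current) { "$name (CurrentControlSet)" } else { $name }
    $keyPath = "HKLM:\SYSTEM\$name\Services\$ServiceName"

    if (-not (Test-Path -LiteralPath $keyPath)) {
        Write-Output "$label : not present"
        continue
    }
    try {
        $props    = Get-ItemProperty -LiteralPath $keyPath -ErrorAction Stop
        $resolved = Resolve-ImagePath $props.ImagePath
        $onDisk   = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }
        # ImagePath may carry arguments after the binary, so FileOnDisk is best-effort.
        Write-Output ("{0} : present  Start={1} Type={2} ImagePath='{3}' FileOnDisk={4}" -f
            $label, $props.Start, $props.Type, $props.ImagePath, $onDisk)
    } catch {
        # Present but unreadable: the key's ACL has been changed or access is being
        # blocked, which matches the "error in deleting key" symptom in the posts.
        Write-Output "$label : present but unreadable ($($_.Exception.Message))"
    }
}
```

Run it from an elevated PowerShell session; a key that is present in a control set but has no file on disk, or that cannot be read at all, is the one to hand to the support staff along with the scan logs.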