
Still Infected? I don't know?!?



I was infected with something called Sysguard several weeks ago - it disabled McAfee and did popups for antivirus, redirected the browser, etc. I tried several antivirus products with no success before using Malwarebytes, which removed Vundo. I also uninstalled McAfee and installed Avira.

My problem is I have been reinfected with two other trojans since, and also have an annoying logoff every third or fourth reboot - I can log on after the first logoff. I think everything is gone, but I thought that before as well. Is it gone? Here are the Malwarebytes and HijackThis logs:

Malwarebytes' Anti-Malware 1.36

Database version: 1979

Windows 5.1.2600 Service Pack 2

4/13/2009 8:49:38 PM

mbam-log-2009-04-13 (20-49-38).txt

Scan type: Full Scan (C:\|F:\|)

Objects scanned: 169743

Time elapsed: 51 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:08:36 PM, on 4/13/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O15 - Trusted Zone: http://*.turbotax.com

O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://heva.solidworks.com/htdocs/pdownloa...elsStandard.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {29003a7a-8283-4553-9ae7-2fca2e1b95d2} - (no file)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5256 bytes


Hi and Welcome!

Yes, you are definitely still infected!

Clean the clutter:

ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Follow the instructions to install and scan with the Malicious Software Removal Tool (MSRT):

http://www.pchell.com/virus/malicioussoftw...movaltool.shtml

When the MSRT finishes - follow the instructions to open the MSRT log below and post in your next reply:

1) Click on Start, Run

2) Type the following and Press Enter

notepad c:\windows\debug\mrt.log

Uninstall your current copy of Malwarebytes' Anti-Malware (MBAM).

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from:

BestTechie.net

http://www.besttechie.net/tools/mbam-setup.exe

or

MajorGeeks.com:

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

Rename the installer as you download it from mbam-setup.exe to aurina-setup.exe.

Double-click aurina-setup.exe and follow the prompts to install the program. At the end of the install, UNCHECK the following two options:

  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • Close MBAM and rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\aurina.exe"
  • Now relaunch MBAM by double-clicking aurina.exe in the MBAM folder.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Download DDS and save it to your desktop from here or here


Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
  • Please copy and paste both logs into your next reply.

===============================================================

Please post the MBAM log, the MSRT log, the DDS scan reports attached, and a new HJT log.


Any way to tell what the virus is doing? Do I need to be worried re: id theft etc?

That program is just a rogue but there is no way of telling until I see what buddies it has on board. But your blocking is quite severe.

Since a new Malicious Software Removal Tool was released today, it would be better if you can download that new version to portable media (ie USB flash) from here:

http://www.microsoft.com/downloads/details...;displaylang=en

Then rename the extracted EXE from mrt.exe -> begone.exe

Transfer begone.exe to the infected PC and run a complete scan by double-clicking begone.exe.

Two antiviruses will cause a conflict - keep either McAfee or Avira, but not both!

OK, I am at work so will try this afternoon US EST. Any way to tell what the virus is doing? Do I need to be worried re: id theft etc?

OK, hope I did this right. I have MBAM, MSRT, DDS and Attach and finally HJT. I did have one issue - I forgot to rename mrt to begone. There is one file called MRT.EXE - 161A5291.pf in C:\WINDOWS\Prefetch dated 4/14/2009 and the actual app MRT in C:\WINDOWS\system32 dated 4/6/2009. Do I need to do over?

MBAM

Malwarebytes' Anti-Malware 1.36

Database version: 1945

Windows 5.1.2600 Service Pack 2

4/14/2009 8:37:37 PM

mbam-log-2009-04-14 (20-37-37).txt

Scan type: Quick Scan

Objects scanned: 71975

Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

MSRT

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.13, February 2006

Started On Sun Mar 19 15:34:45 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sun Mar 19 15:34:59 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.16, May 2006

Started On Tue May 09 21:56:56 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue May 09 21:57:10 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.17, June 2006

Started On Thu Jun 29 22:21:44 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Jun 29 22:22:09 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.18, July 2006

Started On Fri Jul 14 17:09:26 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Jul 14 17:09:51 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.18, July 2006

Started On Mon Jul 17 09:41:37 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Mon Jul 17 09:41:48 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.20, September 2006

Started On Thu Sep 14 05:37:38 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Sep 14 05:38:01 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.21, October 2006

Started On Sat Oct 14 09:54:41 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Oct 14 09:54:58 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.21, October 2006

Started On Thu Nov 02 11:06:18 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Nov 02 11:06:34 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.22, November 2006

Started On Sat Nov 18 05:32:05 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Nov 18 05:32:25 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.23, December 2006

Started On Mon Dec 18 06:42:06 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Mon Dec 18 06:42:27 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.24, January 2007

Started On Wed Jan 10 07:28:29 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 10 07:28:55 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.25, February 2007

Started On Sat Feb 17 08:12:18 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Feb 17 08:12:42 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.27, March 2007

Started On Mon Mar 19 10:44:44 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 19 10:45:00 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.28, April 2007

Started On Fri Apr 13 16:37:39 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Apr 13 16:37:55 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.29, May 2007

Started On Wed May 09 18:15:00 2007

->Scan ERROR: resource process://pid:3212 (code 0x0000054F (1359))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed May 09 18:15:52 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.30, June 2007

Started On Wed Jun 13 06:20:33 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 13 06:21:31 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.31, July 2007

Started On Wed Jul 11 08:23:54 2007

->Scan ERROR: resource process://pid:208 (code 0x0000054F (1359))

->Scan ERROR: resource process://pid:3956 (code 0x0000054F (1359))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jul 11 08:25:03 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.32, August 2007

Started On Tue Aug 14 19:24:05 2007

->Scan ERROR: resource process://pid:3624 (code 0x00000057 (87))

->Scan ERROR: resource process://pid:3624 (code 0x0000054F (1359))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Aug 14 19:25:06 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.33, September 2007

Started On Thu Sep 13 09:02:23 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Sep 13 09:03:16 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.34, October 2007

Started On Wed Oct 10 17:45:20 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 10 17:46:21 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.35, November 2007

Started On Tue Nov 13 23:25:51 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Nov 13 23:27:34 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.36, December 2007

Started On Wed Dec 12 06:39:01 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Dec 12 06:39:57 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.37, January 2008

Started On Wed Jan 09 08:06:18 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 09 08:07:14 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.38, February 2008

Started On Thu Feb 14 20:37:00 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Feb 14 20:38:13 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.38, February 2008

Started On Fri Feb 22 19:57:28 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Feb 22 19:58:28 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.39, March 2008

Started On Sat Mar 15 22:10:43 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Mar 15 22:11:51 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.40, April 2008

Started On Fri Apr 11 16:53:47 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Apr 11 16:54:58 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.40, April 2008

Started On Wed Apr 23 13:22:16 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 23 13:23:33 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.41, May 2008

Started On Tue May 20 18:37:05 2008

->Scan ERROR: resource process://pid:3560 (code 0x00000057 (87))

->Scan ERROR: resource process://pid:3560 (code 0x0000054F (1359))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue May 20 18:38:23 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.42, June 2008

Started On Wed Jun 18 18:37:47 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 18 18:39:07 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.0, July 2008

Started On Wed Jul 09 07:21:37 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jul 09 07:22:53 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.1, August 2008

Started On Wed Aug 13 07:38:29 2008

->Scan ERROR: resource process://pid:2880 (code 0x00000057 (87))

->Scan ERROR: resource process://pid:1144 (code 0x00000057 (87))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 13 07:40:22 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.2, September 2008

Started On Wed Sep 10 06:46:42 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 10 06:48:46 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.3, October 2008

Started On Thu Oct 16 21:37:07 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Oct 16 21:38:34 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.4, November 2008

Started On Wed Dec 03 19:40:29 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Dec 03 19:42:05 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.5, December 2008

Started On Fri Dec 12 17:01:42 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Dec 12 17:03:33 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.6, January 2009

Started On Wed Jan 14 07:22:27 2009

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 14 07:25:27 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.7, February 2009

Started On Thu Feb 19 17:26:20 2009

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Feb 19 17:28:06 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009

Started On Tue Mar 24 22:48:24 2009

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 24 22:50:11 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009

Started On Tue Mar 31 22:50:17 2009

->Scan ERROR: resource process://pid:1412 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:572 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:1412 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:1412 (code 0x00000005 (5))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 31 22:55:50 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.9, April 2009

Started On Tue Apr 14 18:22:53 2009

->Scan ERROR: resource process://pid:1432 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:416 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:1432 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:1432 (code 0x00000005 (5))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 14 18:25:33 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.9, April 2009

Started On Tue Apr 14 18:26:30 2009

->Scan ERROR: resource process://pid:1432 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:416 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:1432 (code 0x00000005 (5))

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 14 18:27:12 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.9, April 2009

Started On Tue Apr 14 18:27:19 2009

Extended Scan Results

----------------

->Scan ERROR: resource process://pid:1432 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:416 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:1432 (code 0x00000005 (5))

->Scan ERROR: resource process://pid:1432 (code 0x00000005 (5))

->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))

->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))

->Scan ERROR: resource file://C:\Program Files\Common Files\Microsoft Shared:TQojrxpyX0RwtMxvZMe3qYr8R (code 0x00000057 (87))

No infection found as part of the extended scan

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 14 20:30:42 2009

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:51:57 PM, on 4/14/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Malwarebytes' Anti-Malware\aurina.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O15 - Trusted Zone: http://*.turbotax.com

O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://heva.solidworks.com/htdocs/pdownloa...elsStandard.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {29003a7a-8283-4553-9ae7-2fca2e1b95d2} - (no file)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5440 bytes


You did fine. There is no need to rerun the MSRT (mrt.exe) or do anything over.

This looks peculiar for MSRT results:

Scan ERROR: resource file://C:\Program Files\Common Files\Microsoft Shared:TQojrxpyX0RwtMxvZMe3qYr8R

I cannot find the DDS logs - DDS.txt and attach.txt.

Can you please copy and paste them into your next reply. DDS.txt may shed some more light on that entry. Thank you.

Please open a command prompt (start -> run -> type cmd, and hit Enter)

Copy and paste the following in bolded text at the command prompt:

dir /a /o-d "C:\Program Files\Common Files\microsoft shared" > dirlist.txt && notepad dirlist.txt

Please post back the contents of the Notepad TXT file that opens and the DDS logs.

Thanx!

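The `path:name` form in that MSRT entry is NTFS alternate data stream notation (a named stream attached to the Microsoft Shared directory), which is why it stands out among the ordinary process and pagefile errors. As an added example, not code from the thread or from Microsoft, here is a small Python parser for the mrt.log layout posted above: it splits the log into runs, names the Win32 error codes on the Scan ERROR lines, and flags any file resource that refers to an alternate data stream. The sample log is constructed from lines of the same shape as the one in the thread.

```python
# Added example, not code from the thread: parse MSRT's mrt.log in the layout
# posted above, name the Win32 error codes on "->Scan ERROR" lines, and flag
# file resources written as path:stream (NTFS alternate data stream notation).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(
    r"^Microsoft Windows Malicious Software Removal Tool v([\d.]+), (\w+ \d{4})$")
STARTED_RE = re.compile(r"^Started On (.+)$")
ERROR_RE = re.compile(
    r"^->Scan ERROR: resource (\w+)://(.+?) \(code 0x([0-9A-Fa-f]+) \((\d+)\)\)$")
RETURN_RE = re.compile(r"^Return code: (\d+)$")
# Names of the Win32 error codes that occur in the thread's mrt.log.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 32: "ERROR_SHARING_VIOLATION",
                87: "ERROR_INVALID_PARAMETER", 1359: "ERROR_INTERNAL_ERROR"}

@dataclass
class ScanError:
    scheme: str     # "process" or "file"
    resource: str   # "pid:1432" or a Windows path
    code: int       # decimal Win32 error code

@dataclass
class ScanRun:
    version: str
    month: str
    started: str = ""
    errors: List[ScanError] = field(default_factory=list)
    return_code: Optional[int] = None

def parse_mrt_log(text: str) -> List[ScanRun]:
    """Split mrt.log into runs; each run starts at a tool-version header."""
    runs: List[ScanRun] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            runs.append(ScanRun(version=m.group(1), month=m.group(2)))
            continue
        if not line or not runs:
            continue  # blank line, or text before the first header
        run = runs[-1]
        if (m := STARTED_RE.match(line)):
            run.started = m.group(1)
        elif (m := ERROR_RE.match(line)):
            run.errors.append(ScanError(m.group(1), m.group(2), int(m.group(4))))
        elif (m := RETURN_RE.match(line)):
            run.return_code = int(m.group(1))
    return runs

def ads_stream(path: str) -> Optional[str]:
    """Stream name if the last path component has the form name:stream, else
    None. The drive-letter colon in "C:" is not a stream separator."""
    rest = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    last = rest.rsplit("\\", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None

def flag_ads_resources(runs: List[ScanRun]) -> List[Tuple[str, str, str]]:
    """(run month, resource, stream) for each file resource that names an
    alternate data stream. A scan error on a named stream attached to a
    Program Files directory deserves a manual look with a tool that can
    enumerate streams; a plain "dir" listing does not show them."""
    found = []
    for run in runs:
        for err in run.errors:
            stream = ads_stream(err.resource) if err.scheme == "file" else None
            if stream:
                found.append((run.month, err.resource, stream))
    return found

def error_summary(runs: List[ScanRun]) -> Dict[str, int]:
    """Count Scan ERROR lines by Win32 error name across all runs."""
    counts: Dict[str, int] = {}
    for run in runs:
        for err in run.errors:
            name = WIN32_ERRORS.get(err.code, "UNKNOWN(%d)" % err.code)
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample in the layout of the thread's mrt.log (not the real file).
SAMPLE_LOG = r"""
Microsoft Windows Malicious Software Removal Tool v2.9, April 2009
Started On Tue Apr 14 18:22:53 2009
->Scan ERROR: resource process://pid:1432 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:416 (code 0x00000005 (5))
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 14 18:25:33 2009
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v2.9, April 2009
Started On Tue Apr 14 18:27:19 2009
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\Program Files\Common Files\Microsoft Shared:TQojrxpyX0RwtMxvZMe3qYr8R (code 0x00000057 (87))
Return code: 0
"""
if __name__ == "__main__":
    RUNS = parse_mrt_log(SAMPLE_LOG)
    print(error_summary(RUNS), flag_ads_resources(RUNS))
```

Sharing violations on hiberfil.sys and pagefile.sys are expected, since those files are held open by the system; the stream entry is the one that the summary alone would not distinguish, which is why it gets its own check.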

Strange, I wonder what happened on the DDR files. Anyway, below are the directory listing, Attach and DDS.

A couple of other things - I did uninstall McAfee several weeks ago, but there does appear to be a lot of leftover stuff. Also I have old log files from MBAM and Avira if you need any info from them. Major cleanup in MBAM, then a couple of detections in Avira and MBAM afterwards. Finally, in the HJT logs the gakajuso.dll registry entry is related to the original Vundo infection - I can't find that dll anywhere on my machine now.

Volume in drive C has no label.

Volume Serial Number is 4C3D-67DB

Directory of C:\Program Files\Common Files\microsoft shared

03/24/2009 05:44 AM <DIR> VC

03/08/2009 10:49 PM <DIR> VSTO

03/08/2009 10:49 PM <DIR> VSTA

03/08/2009 10:35 PM <DIR> DevServer

03/08/2009 10:35 PM <DIR> ..

03/08/2009 10:35 PM <DIR> .

03/08/2009 10:29 PM <DIR> WMI

03/08/2009 10:28 PM <DIR> Visual Studio

03/08/2009 10:26 PM <DIR> MSEnv

03/08/2009 10:26 PM <DIR> SQL Debugging

03/08/2009 10:26 PM <DIR> TextTemplating

03/08/2009 10:24 PM <DIR> VsDeploy

03/08/2009 10:24 PM <DIR> VS7Debug

03/08/2009 10:21 PM <DIR> MSI Tools

03/08/2009 10:20 PM <DIR> CoreCon

03/08/2009 10:20 PM <DIR> VSA

03/08/2009 10:17 PM <DIR> OFFICE11

03/08/2009 10:17 PM <DIR> OFFICE12

03/08/2009 10:16 PM <DIR> Source Engine

03/08/2009 10:16 PM <DIR> web server extensions

03/08/2009 10:16 PM <DIR> Portal

03/08/2009 10:16 PM <DIR> TextConv

03/08/2009 10:16 PM <DIR> MSInfo

03/08/2009 10:16 PM <DIR> Smart Tag

03/08/2009 10:16 PM <DIR> EQUATION

03/08/2009 10:16 PM <DIR> Grphflt

03/08/2009 10:14 PM <DIR> Help 9

05/20/2008 06:38 PM <DIR> DAO

04/24/2008 06:28 PM <DIR> VGX

02/22/2008 11:04 PM <DIR> MSDN

02/22/2008 11:04 PM <DIR> Help

02/22/2008 11:04 PM <DIR> MSDesigners8

02/22/2008 11:03 PM <DIR> Visual Database Tools

02/22/2008 11:03 PM <DIR> CAPICOM

01/29/2008 08:12 PM <DIR> Database Replication

01/29/2008 07:56 PM <DIR> VS Help Data

01/29/2008 07:56 PM <DIR> Visual Basic Power Packs

01/29/2008 07:56 PM <DIR> DevHelp

11/01/2007 07:11 AM <DIR> Web Folders

11/01/2007 07:10 AM <DIR> Proof

10/31/2007 07:51 PM <DIR> DW

10/31/2007 06:03 PM <DIR> EURO

12/16/2006 07:58 PM <DIR> 7Bay4AWev7uvvZ

10/31/2006 06:51 AM <DIR> Ekz6pw7MW

10/31/2006 06:51 AM <DIR> Qb6Kj6r8voa6G

05/13/2006 07:33 PM <DIR> Help 8

03/06/2006 07:47 PM <DIR> Reference Titles

03/06/2006 07:47 PM <DIR> MSDesigners98

03/06/2006 07:47 PM <DIR> VBA

03/06/2006 07:47 PM <DIR> Artgalry

03/06/2006 07:47 PM <DIR> Clipart

03/06/2006 07:44 PM <DIR> Themes

01/26/2006 11:21 PM <DIR> Picture It!

01/26/2006 11:16 PM <DIR> Triedit

08/10/2004 03:02 PM <DIR> Stationery

08/10/2004 02:57 PM <DIR> Speech

0 File(s) 0 bytes

56 Dir(s) 120,982,433,792 bytes free

The Attach.txt file:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 1/30/2006 7:28:57 PM

System Uptime: 4/14/2009 5:22:28 AM (15 hours ago)

Motherboard: Dell Inc. | | 0YC523

Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 146 GiB total, 112.632 GiB free.

D: is CDROM (CDFS)

E: is CDROM ()

F: is FIXED (NTFS) - 298 GiB total, 288.222 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 3/5/2009 11:35:09 AM - System Checkpoint

RP2: 3/8/2009 9:16:31 PM - Installed Microsoft Visual Studio Web Authoring Component

RP3: 3/24/2009 5:16:33 AM - Restore Operation

RP4: 3/24/2009 5:45:02 AM - Avira AntiVir Personal - 3/24/2009 5:44

RP5: 3/24/2009 9:32:54 PM - Installed SUPERAntiSpyware Free Edition

RP6: 3/24/2009 10:47:38 PM - Software Distribution Service 3.0

RP7: 3/25/2009 8:43:30 PM - Move file to quarantine: {22BF413B-C6D2-4d91-82A9-A0F997BA588C}

RP8: 3/25/2009 8:45:49 PM - Move file to quarantine: {827D3881-317C-442A-B4ED-F576CBA700BB}

RP9: 3/25/2009 8:50:08 PM - Restore Operation

RP10: 3/25/2009 9:00:52 PM - Installed Windows XP KB958644.

RP11: 3/27/2009 6:54:33 AM - Avira AntiVir Personal - 3/27/2009 6:54

RP12: 3/27/2009 7:21:38 PM - Move file to quarantine: Drive Letter Access Component

RP13: 3/27/2009 7:22:14 PM - Move file to quarantine: {22BF413B-C6D2-4d91-82A9-A0F997BA588C}

RP14: 3/27/2009 7:22:43 PM - Move file to quarantine: {22BF413B-C6D2-4d91-82A9-A0F997BA588C}

RP15: 3/27/2009 7:23:31 PM - Move file to quarantine: jzwxtj.dll

RP16: 3/27/2009 7:25:39 PM - Move file to quarantine: mm_tray.exe

RP17: 3/27/2009 7:25:56 PM - Move file to quarantine: mimboot.exe

RP18: 3/27/2009 7:48:45 PM - Move file to quarantine: Java 2 Platform Standard Edition bi

RP19: 3/27/2009 7:49:24 PM - Move file to quarantine: {827D3881-317C-442A-B4ED-F576CBA700BB}

RP20: 3/28/2009 11:06:28 AM - Restore Operation

RP21: 3/28/2009 11:09:58 AM - Restore Operation

RP22: 3/30/2009 7:27:57 PM - System Checkpoint

RP23: 3/30/2009 10:23:17 PM - Virus Free?

RP24: 3/31/2009 10:28:34 PM - Software Distribution Service 3.0

RP25: 3/31/2009 10:30:22 PM - Software Distribution Service 3.0

RP26: 3/31/2009 11:43:39 PM - Removed SUPERAntiSpyware Free Edition

RP27: 4/2/2009 6:09:24 AM - April 2 - Clean Registry and WIndows Update Fixed

RP28: 4/3/2009 6:25:19 AM - System Checkpoint

RP29: 4/4/2009 7:11:50 AM - System Checkpoint

RP30: 4/5/2009 9:15:38 AM - System Checkpoint

RP31: 4/7/2009 6:43:56 PM - Installed TaxCut Premium + State + Efile 2008.

RP32: 4/8/2009 7:29:42 PM - System Checkpoint

RP33: 4/9/2009 9:15:53 PM - System Checkpoint

RP34: 4/10/2009 9:43:56 PM - System Checkpoint

RP35: 4/12/2009 9:39:18 PM - System Checkpoint

RP36: 4/14/2009 6:32:59 AM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Flash Player Plugin

Adobe Reader 7.0.5

Adobe Shockwave Player

AmpliTube2

Andrew Wommack Bible Commentary

AnswerWorks 4.0 Runtime - English

Apple Mobile Device Support

Apple Software Update

ATI Control Panel

ATI Display Driver

Avira AntiVir Personal - Free Antivirus

Bonjour

Business Plan Pro 2005

Business Plan Pro 2005 Sample Plans

Canon Camera Access Library

Canon Camera Support Core Library

Canon Camera Window DC_DV 5 for ZoomBrowser EX

Canon Camera Window DC_DV 6 for ZoomBrowser EX

Canon Camera Window MC 6 for ZoomBrowser EX

Canon G.726 WMP-Decoder

Canon MovieEdit Task for ZoomBrowser EX

Canon RAW Image Task for ZoomBrowser EX

Canon RemoteCapture Task for ZoomBrowser EX

Canon Utilities EOS Utility

Canon Utilities PhotoStitch

Canon Utilities ZoomBrowser EX

CCScore

Compact Wireless-G USB Adapter

Critical Update for Windows Media Player 11 (KB959772)

Crystal Reports Basic for Visual Studio 2008

Dell Driver Reset Tool

Dell Support 3.1

Dell System Restore

DGOControls

Digidesign D-Fi

Digidesign DINR

Digidesign Maxim

Digidesign Pro Tools

Link to post
Share on other sites

You can try running this McAfee Removal Tool:

http://majorgeeks.com/McAfee_Consumer_Prod...Tool_d5420.html

I spotted a malicious EXE in your DDS log which may be hidden.

c:\windows\system32\zowolage.exe <+ cloaked malware

Please rerun ATF cleaner.

Reboot.

Run this tool as directed-

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Important: Turn off your Antivir Antivirus Guard and any antimalware programs you have running which have active protection components to monitor your system.
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

___________________

Note: You may have to download Combofix on another clean PC and transfer it on portable media to the infected PC, if you have trouble downloading it.

Please download Combofix from one of these locations:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

I want you to rename Combofix.exe as you download it to a name of your choice, such as exodus.exe.

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

These directories look very suspect - do you know what they're for?

12/16/2006 07:58 PM <DIR> 7Bay4AWev7uvvZ

10/31/2006 06:51 AM <DIR> Ekz6pw7MW

10/31/2006 06:51 AM <DIR> Qb6Kj6r8voa6G

Please post back the RootRepeal log and C:\ComboFix.txt

Link to post
Share on other sites
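The three oddly named folders the helper calls out are a pattern worth automating: vendor folders under Common Files do not mix interior digits with letters and random case. As an added example that is not part of this thread, here is a small Python parser for the `dir /a /o-d` output format requested above, with a name heuristic that flags such entries. The sample listing is a subset of the one posted above; the scoring rule (interior digit runs plus camel-case flips) is my own heuristic, so expect some false positives on real systems.

```python
import re

# Constructed sample: a subset of the `dir /a /o-d` listing posted in the thread
# (legitimate Microsoft folders plus the three oddly named ones).
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 4C3D-67DB

 Directory of C:\\Program Files\\Common Files\\microsoft shared

03/24/2009  05:44 AM    <DIR>          VC
03/08/2009  10:35 PM    <DIR>          DevServer
03/08/2009  10:35 PM    <DIR>          ..
03/08/2009  10:35 PM    <DIR>          .
03/08/2009  10:26 PM    <DIR>          SQL Debugging
03/08/2009  10:24 PM    <DIR>          VS7Debug
03/08/2009  10:17 PM    <DIR>          OFFICE11
03/08/2009  10:14 PM    <DIR>          Help 9
12/16/2006  07:58 PM    <DIR>          7Bay4AWev7uvvZ
10/31/2006  06:51 AM    <DIR>          Ekz6pw7MW
10/31/2006  06:51 AM    <DIR>          Qb6Kj6r8voa6G
03/06/2006  07:47 PM    <DIR>          MSDesigners98
01/26/2006  11:21 PM    <DIR>          Picture It!
               0 File(s)              0 bytes
              56 Dir(s)  120,982,433,792 bytes free
"""

# One entry line of cmd.exe `dir` output: date, time, <DIR> or byte size, name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<kind><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)

# A run of digits with letters on BOTH sides ("Ekz6pw"), as opposed to a
# version suffix ("OFFICE11") or a numbered name ("Help 9").
INTERIOR_DIGITS = re.compile(r"(?<=[A-Za-z])\d+(?=[A-Za-z])")
# A lower-to-upper switch inside a word ("uvvZ"); CamelCase also triggers this,
# which is why it only counts together with interior digits.
CAMEL_FLIPS = re.compile(r"[a-z][A-Z]")


def parse_dir_listing(listing):
    """Return the entry lines of a `dir` listing as dicts; header, '.', '..'
    and the summary lines are skipped."""
    entries = []
    for line in listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m["name"] in (".", ".."):
            continue
        entries.append({
            "date": m["date"],
            "time": m["time"],
            "is_dir": m["kind"] == "<DIR>",
            "name": m["name"],
        })
    return entries


def randomness_score(name):
    """Heuristic (my own, not from the thread): interior digit runs plus
    camel-case flips. Higher means the name looks machine-generated."""
    return len(INTERIOR_DIGITS.findall(name)) + len(CAMEL_FLIPS.findall(name))


def looks_random(name):
    """Require at least one interior digit run so that ordinary CamelCase
    names ("DevServer", "TextTemplating") are not flagged on their own."""
    interior = len(INTERIOR_DIGITS.findall(name))
    return interior >= 1 and randomness_score(name) >= 2


def flag_suspicious_dirs(listing):
    """Names of directories in the listing whose names look random, in the
    order `dir /o-d` printed them (newest first)."""
    return [e["name"] for e in parse_dir_listing(listing)
            if e["is_dir"] and looks_random(e["name"])]


if __name__ == "__main__":
    for name in flag_suspicious_dirs(SAMPLE_LISTING):
        print(f"suspicious directory name: {name} (score {randomness_score(name)})")
```

The heuristic deliberately ignores the timestamps, for the reason the helper gives two posts later: file dates are easy to falsify. A hit is a prompt to inspect the folder's contents and signer, not a verdict on its own.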

Those dirs looked oddly named, and file dates can easily be falsified. It's a common MO for malware to throw you off track.

The MSRT (mrt.exe) seemed to be having trouble with a couple of processes but only listed them by PID. I would have liked to have known what those processes were by name.

Process Explorer can easily identify them by both name and PID:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

It's an excellent substitute for task manager.

I noticed those directories as well - 2006? Yikes! I have saved off the ComboFix (as exodus) and RootRepeal to a CD at work. Won't get home until 6:30 or 7 EST but will get right on this when I get home. Thanks for the help - this is definitely beyond my scope.

Link to post
Share on other sites

OK, did it. Looks like ComboFix found some stuff. I forgot to run Firefox with ATF-Cleaner until after ComboFix (did run Main). I will download the process manager now.

Rootrepeal

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/04/15 18:45

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\Internet Logs\fwpktlog.txt

Status: Size mismatch (API: 5774, Raw: 5414)

Path: C:\WINDOWS\Internet Logs\tvDebug.log

Status: Size mismatch (API: 3149172, Raw: 3148982)

Path: C:\WINDOWS\system32\config\system.LOG

Status: Size mismatch (API: 1024, Raw: 69632)

Path: C:\WINDOWS\system32\wbem\Logs\wbemess.log

Status: Size mismatch (API: 32409, Raw: 31839)

Path: C:\Documents and Settings\Steve\Local Settings\Apps\2.0\L3E38VO9.ETE\VR3WJZQE.7Q5\manifests\clickonce_bootstrap.exe.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Steve\Local Settings\Apps\2.0\L3E38VO9.ETE\VR3WJZQE.7Q5\manifests\clickonce_bootstrap.exe.manifest

Status: Locked to the Windows API!

ComboFix

ComboFix 09-04-15.08 - Steve 04/15/2009 19:20.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.736 [GMT -4:00]

Running from: c:\documents and settings\Steve\Desktop\exodus.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

FW: ZoneAlarm Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\bszip.dll

c:\windows\system32\msvcsv60.dll

.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))

.

2009-04-15 22:49 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll

2009-04-15 22:49 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-04-15 22:49 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll

2009-04-15 22:49 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll

2009-04-15 22:49 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll

2009-04-15 22:49 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe

2009-04-15 22:49 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-15 22:49 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll

2009-04-15 22:49 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll

2009-04-15 22:48 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe

2009-04-15 22:24 . 2009-04-15 22:24 0 ----a-w c:\documents and settings\Steve\settings.dat

2009-04-15 00:32 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-15 00:32 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-09 00:26 . 2009-04-09 00:26 -------- d-----w c:\documents and settings\Steve\Local Settings\Application Data\H&R Block

2009-04-07 22:44 . 2009-04-07 22:44 -------- d-----w c:\documents and settings\Steve\Application Data\TaxCut

2009-04-07 22:43 . 2009-04-07 22:43 -------- d-----w c:\documents and settings\All Users\Application Data\TaxCut

2009-03-27 11:17 . 2009-03-27 11:17 4212 ---ha-w c:\windows\system32\zllictbl.dat

2009-03-27 11:17 . 2009-02-16 04:10 1221512 ----a-w c:\windows\system32\zpeng25.dll

2009-03-27 11:17 . 2009-03-27 11:17 -------- d-----w c:\windows\system32\ZoneLabs

2009-03-27 11:17 . 2009-04-15 23:17 350192 ----a-w c:\windows\system32\vsconfig.xml

2009-03-27 11:16 . 2009-04-15 23:09 -------- d-----w c:\windows\Internet Logs

2009-03-26 00:36 . 2009-04-15 01:35 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan

2009-03-25 01:33 . 2009-03-25 01:33 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-25 01:32 . 2009-04-01 03:43 -------- d-----w c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com

2009-03-24 09:45 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-03-24 09:45 . 2009-03-24 09:45 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-15 22:27 . 2009-04-15 22:26 19123437 ----a-w c:\windows\Internet Logs\vsmon_on_demand_thread_2009_04_15_18_20_38_full.dmp.zip

2009-04-15 01:51 . 2009-04-05 12:40 2378262 ----a-w c:\windows\Internet Logs\tvDebug.Zip

2009-04-15 01:35 . 2009-03-26 00:34 -------- d-----w c:\program files\Security Task Manager

2009-04-15 00:33 . 2009-02-26 22:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-13 22:27 . 2009-04-13 22:27 -------- d-----w c:\program files\Trend Micro

2009-04-09 00:26 . 2009-04-09 00:26 -------- d-----w c:\program files\Common Files\TXText

2009-04-09 00:26 . 2009-04-09 00:26 -------- d-----w c:\program files\WILLPower v6

2009-04-07 22:53 . 2009-04-07 22:44 -------- d-----w c:\program files\TaxCut08

2009-04-07 22:44 . 2009-04-07 22:44 -------- d-----w c:\program files\PDF995

2009-04-02 00:04 . 2009-04-01 22:29 -------- d-----w c:\program files\RegCleaner

2009-04-01 03:43 . 2009-03-25 01:32 -------- d-----w c:\program files\SUPERAntiSpyware

2009-03-27 11:17 . 2009-03-27 11:17 -------- d-----w c:\program files\Zone Labs

2009-03-27 10:54 . 2006-02-12 23:07 -------- d-----w c:\documents and settings\Steve\Application Data\Lavasoft

2009-03-24 09:45 . 2009-03-24 09:45 -------- d-----w c:\program files\Avira

2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll

2009-03-13 16:30 . 2006-02-04 23:03 72904 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-03-09 02:54 . 2009-03-09 02:54 -------- d-----w c:\program files\Business Objects

2009-03-09 02:54 . 2008-01-29 23:56 -------- d-----w c:\program files\Microsoft Visual Studio 9.0

2009-03-09 02:53 . 2009-03-09 02:53 -------- d-----w c:\program files\Microsoft Device Emulator

2009-03-09 02:53 . 2009-03-09 02:51 -------- d-----w c:\program files\Windows Mobile 5.0 SDK R2

2009-03-09 02:48 . 2006-05-13 23:31 -------- d-----w c:\program files\Microsoft.NET

2009-03-09 02:41 . 2006-05-13 23:31 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-03-09 02:36 . 2009-03-09 02:20 -------- d-----w c:\program files\Common Files\Merge Modules

2009-03-09 02:35 . 2009-03-09 02:35 -------- d-----w c:\documents and settings\All Users\Application Data\PreEmptive Solutions

2009-03-09 02:29 . 2009-03-09 02:20 -------- d-----w c:\program files\HTML Help Workshop

2009-03-09 02:28 . 2008-01-29 23:43 -------- d-----w c:\program files\MSBuild

2009-03-09 02:20 . 2009-03-09 02:20 -------- d-----w c:\program files\CE Remote Tools

2009-03-09 02:17 . 2009-03-09 02:16 -------- d-----w c:\program files\Microsoft Web Designer Tools

2009-03-06 14:00 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2006-05-10 05:25 826368 ------w c:\windows\system32\dllcache\wininet.dll

2009-03-03 00:18 . 2004-08-10 18:51 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-28 04:54 . 2007-08-13 22:43 636072 ------w c:\windows\system32\dllcache\iexplore.exe

2009-02-26 22:56 . 2009-02-26 22:56 -------- d-----w c:\documents and settings\Steve\Application Data\Malwarebytes

2009-02-26 22:56 . 2009-02-26 22:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-26 16:03 . 2009-02-26 16:03 2713 --sh--w c:\windows\system32\zowolage.exe

2009-02-26 16:03 . 2009-02-26 16:03 2713 --sh--w c:\windows\system32\zowolage.exe

2009-02-25 03:51 . 2008-02-06 02:21 -------- d-----w c:\documents and settings\Steve\Application Data\Skype

2009-02-25 03:13 . 2008-02-06 02:41 -------- d-----w c:\documents and settings\Steve\Application Data\skypePM

2009-02-20 10:20 . 2007-08-13 22:39 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2009-02-20 10:20 . 2007-05-09 19:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe

2009-02-20 05:14 . 2007-08-13 21:56 161792 ------w c:\windows\system32\dllcache\ieakui.dll

2009-02-10 22:31 . 2009-02-10 22:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-09 10:19 . 2004-08-10 18:51 1846272 ----a-w c:\windows\system32\win32k.sys

2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll

2009-02-09 10:01 . 2004-08-10 18:51 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 10:01 . 2004-08-10 18:51 728576 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 10:01 . 2004-08-10 18:50 617984 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 10:01 . 2004-08-10 18:51 715264 ----a-w c:\windows\system32\ntdll.dll

2009-02-06 10:32 . 2006-12-19 16:51 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe

2009-02-06 10:29 . 2006-12-19 16:49 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe

2009-02-06 10:29 . 2004-08-10 18:51 2142720 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-06 10:22 . 2004-08-10 18:51 110592 ----a-w c:\windows\system32\services.exe

2009-02-06 09:54 . 2004-08-10 18:51 35328 ----a-w c:\windows\system32\sc.exe

2009-02-06 09:49 . 2006-12-19 16:12 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe

2009-02-06 09:49 . 2004-08-04 04:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-06 09:49 . 2006-12-19 16:12 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe

2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll

2009-02-03 20:08 . 2004-08-10 18:51 55808 ----a-w c:\windows\system32\secur32.dll

2008-02-06 02:41 . 2008-02-06 02:41 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-01-30 01:56 . 2008-01-29 23:43 162472 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2006-02-10 11:17 . 2006-02-10 11:17 128 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\fusioncache.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MIDI1"= diomidi.dll

"wave1"= Digi32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Palo Alto Software Update Manager 8.0.lnk

backup=c:\windows\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Steve\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2008-07-10 13:47 116040 ----a-w c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

2005-08-06 03:05 344064 ----a-w c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2004-12-06 07:05 127035 ----a-w c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-03-05 13:44 133104 ----atw c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2005-06-17 13:56 139264 ----a-w c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-06-10 16:44 249856 ----a-w c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-06-10 16:44 81920 ----a-w c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-07-10 14:51 289064 ----a-w c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 14:50 413696 ----a-w c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2005-11-10 17:03 36975 ----a-w c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2005-03-23 06:20 339968 ----a-w c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WmiApSrv"=3 (0x3)

"WmdmPmSN"=3 (0x3)

"VSS"=3 (0x3)

"UPS"=3 (0x3)

"TrkWks"=2 (0x2)

"Themes"=2 (0x2)

"TermService"=3 (0x3)

"TapiSrv"=3 (0x3)

"SysmonLog"=3 (0x3)

"SwPrv"=3 (0x3)

"stisvc"=2 (0x2)

"SSDPSRV"=3 (0x3)

"SQLWriter"=2 (0x2)

"SolidWorks Licensing Service"=3 (0x3)

"ShellHWDetection"=2 (0x2)

"SENS"=2 (0x2)

"SCardSvr"=3 (0x3)

"RSVP"=3 (0x3)

"RioMSC"=2 (0x2)

"PolicyAgent"=2 (0x2)

"NtLmSsp"=3 (0x3)

"MSSQL$SQLEXPRESS"=2 (0x2)

"MSDTC"=3 (0x3)

"iPod Service"=3 (0x3)

"IDriverT"=3 (0x3)

"IAANTMon"=2 (0x2)

"HTTPFilter"=3 (0x3)

"HidServ"=2 (0x2)

"helpsvc"=2 (0x2)

"FontCache3.0.0.0"=3 (0x3)

"FastUserSwitchingCompatibility"=3 (0x3)

"ERSvc"=2 (0x2)

"Dnscache"=2 (0x2)

"dmserver"=3 (0x3)

"dmadmin"=3 (0x3)

"CiSvc"=3 (0x3)

"CCALib8"=2 (0x2)

"Bonjour Service"=2 (0x2)

"ATI Smart"=2 (0x2)

"Ati HotKey Poller"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"WUSB54GCSVC"=2 (0x2)

"mnmsrvc"=3 (0x3)

"mcupdmgr.exe"=3 (0x3)

"McDetect.exe"=2 (0x2)

"Netlogon"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Schwab\\SSPro\\SSPro.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 MLPTDR_C;MLPTDR_C;c:\windows\system32\MLPTDR_C.SYS [2002-07-02 19296]

R3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2005-04-12 74752]

R3 L6PODLV;PODxt Live Service;c:\windows\system32\Drivers\L6PODLV.sys [2006-09-29 472832]

S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2005-04-12 15872]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]

.

Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2009-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-251440420-3783459419-2218919248-1006.job

- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-05 13:44]

2006-01-31 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 11:00]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-4c3d6774 - c:\windows\system32\vunefiho.dll

MSConfigStartUp-CPM4f0e54e8 - c:\windows\system32\wekusuje.dll

MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

MSConfigStartUp-Lvidu - c:\windows\Pjoroyemuyosamav.dll

MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

MSConfigStartUp-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

MSConfigStartUp-system tool - c:\windows\sysguard.exe

MSConfigStartUp-yoyudowuma - c:\windows\system32\gakajuso.dll

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: dailygraphs.com\www

Trusted Zone: internet

Trusted Zone: investors.com\www

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\35je6040.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npaxctrl.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.mcafee.com

O15 - Trusted Zone: http://*.turbotax.com

O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://heva.solidworks.com/htdocs/pdownloa...elsStandard.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 4633 bytes

Link to post
Share on other sites
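The "cloaked malware" the helper spotted earlier shows up in the ComboFix log above as a file in system32 carrying both the system and hidden attributes (`--sh--w`), which is how it stayed out of sight of a normal Explorer view. As an added example, not part of this thread and not ComboFix's own code, here is a small Python parser for lines in that report format that flags such files. The sample lines are taken from the log posted above; the attribute decoding (`d` = directory, `s` = system, `h` = hidden) is my reading of ComboFix's flag string, not documentation from the tool.

```python
import re

# Constructed sample: lines in the format of ComboFix's "Files Created" and
# "Find3M" sections, copied from the log in this thread (the zowolage.exe
# entry is listed twice there as well).
SAMPLE_COMBOFIX = """\
2009-04-15 22:49 . 2009-03-06 14:00 284160 ------w c:\\windows\\system32\\dllcache\\pdh.dll
2009-04-15 22:24 . 2009-04-15 22:24 0 ----a-w c:\\documents and settings\\Steve\\settings.dat
2009-04-15 00:32 . 2009-04-06 19:32 15504 ----a-w c:\\windows\\system32\\drivers\\mbam.sys
2009-04-09 00:26 . 2009-04-09 00:26 -------- d-----w c:\\documents and settings\\Steve\\Local Settings\\Application Data\\H&R Block
2009-03-27 11:17 . 2009-03-27 11:17 4212 ---ha-w c:\\windows\\system32\\zllictbl.dat
2009-03-27 11:17 . 2009-03-27 11:17 -------- d-----w c:\\windows\\system32\\ZoneLabs
2009-02-26 16:03 . 2009-02-26 16:03 2713 --sh--w c:\\windows\\system32\\zowolage.exe
2009-02-26 16:03 . 2009-02-26 16:03 2713 --sh--w c:\\windows\\system32\\zowolage.exe
2009-02-09 10:01 . 2004-08-10 18:51 715264 ----a-w c:\\windows\\system32\\ntdll.dll
"""

# created . modified size attrs path   (size is "--------" for directories)
CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-{8}|\d+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+?)\s*$"
)

# Paths under which a hidden+system file that is not a known OS component
# deserves a second look. Assumption for this example; extend as needed.
SYSTEM_DIRS = ("c:\\windows\\",)


def parse_combofix_lines(text):
    """Return the parsable report lines as dicts. The attribute field is
    decoded by letter membership rather than column position: 'd' directory,
    's' system, 'h' hidden (my reading of the ComboFix flag string)."""
    entries = []
    for line in text.splitlines():
        m = CF_LINE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]
        entries.append({
            "created": m["created"],
            "modified": m["modified"],
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": attrs[0] == "d",
            "system": "s" in attrs,
            "hidden": "h" in attrs,
            "path": m["path"],
        })
    return entries


def find_cloaked_files(text):
    """Files (not directories) under SYSTEM_DIRS that carry BOTH the system
    and hidden attributes. Returns (path, size) tuples, de-duplicated,
    in the order they appear in the report."""
    seen = set()
    hits = []
    for e in parse_combofix_lines(text):
        if e["is_dir"] or not (e["system"] and e["hidden"]):
            continue
        key = e["path"].lower()
        if not key.startswith(SYSTEM_DIRS) or key in seen:
            continue
        seen.add(key)
        hits.append((e["path"], e["size"]))
    return hits


if __name__ == "__main__":
    for path, size in find_cloaked_files(SAMPLE_COMBOFIX):
        print(f"system+hidden file in a system directory: {path} ({size} bytes)")
```

Note that `zllictbl.dat` is hidden but not system-flagged and is left alone; the combination of both flags on a tiny executable in system32 is the signal here, and the file's small size (2713 bytes) is the kind of detail worth reporting alongside the path when submitting a sample, as the helper asks for in the next post.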

Good job!

Make hidden files and folders visible:

Click Start > Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Can you please visit this submission webpage

In the "Link to topic where this file was requested: " box, copy/paste the url to this topic as follows:

http://www.malwarebytes.org/forums/index.p...amp;#entry73528

Browse to this file:

c:\windows\system32\zowolage.exe

Click 'Send File'

Delete the file afterward.

Let me know how that worked out.

---------------------

Run an online virus scan called Kaspersky from HERE using Internet Explorer.

Please disable Avira Antivir before scanning for the best results, and re-enable it afterward.

1. At the main page, press "Accept" after reading the contents.

2. At the next window Select Update. Allow the Database to update.

Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.

3. Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.

4. Select Scan Report.

5. If any threats were found, they will appear in the report.

6. Select "Save error report as"

Then in the file name just type in kaspersky

Under "save as type" select text .txt

Save it to your Desktop.

Please post the KAV log and tell me how your computer is behaving.


That didn't work too well - I ran the scan but no Scan Report. There was a message about popup blockers being turned on so I turned them off. No effect. No Report. I guess I will re-run tomorrow as I need to do some other things tonight. Frustrating .... any ideas what that zowolage.exe thing does?


Important: Please relaunch MBAM by double-clicking aurina.exe in the MBAM folder.

  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

______________________________________

Do you recall any threats were detected by Kaspersky (KAV)?

Here's another scanner you can try:

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it:
    • Close the ESET scan Window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box.
    • The Scan results will now display in Notepad.
  • Please copy and paste the ESET scan report that can be found in this location: C:\Program Files\EsetOnlineScanner\log.txt into your next reply.

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

I looked at zowolage.exe and it is a very small file that doesn't contain executable code.

Here's the virustotal scan results for you:

http://www.virustotal.com/analisis/0b71667...dff95d9821355fb


I wound up trying Eset, but didn't complete a scan - I forgot to shut down Avira the first run and the Guard detected something called TR/Crypt.XPACK.Gen. Same thing Avira removed back in March. I am thinking my actual initial infection was Feb 26.

I played with it a little more but I accidentally stopped the scan and was getting late so I decided to restart this am with Kaspersky. I will let it run today (no Avira/internet disconnected) and see what is there tonight.

Do you have any interest in seeing this XPACK thing? Or do you think it is a false positive?


Kaspersky "Save As" file and new HJT ...

KASPERSKY ONLINE SCANNER 7.0 REPORT

Friday, April 17, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Friday, April 17, 2009 10:10:12

Records in database: 2053377

Scan settings

Scan using the following database extended

Scan archives yes

Scan mail databases yes

Scan area My Computer

C:\

D:\

E:\

F:\

Scan statistics

Files scanned 99688

Threat name 0

Infected objects 0

Suspicious objects 0

Duration of the scan 02:01:30

No malware has been detected. The scan area is clean.

The selected area was scanned.

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:00:27 PM, on 4/17/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Documents and Settings\Steve\Local Settings\temp\jkos-Steve\binaries\ScanningProcess.exe

C:\Documents and Settings\Steve\Local Settings\temp\jkos-Steve\binaries\ScanningProcess.exe

c:\program files\avira\antivir desktop\avcenter.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O15 - Trusted Zone: http://*.turbotax.com

O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://heva.solidworks.com/htdocs/pdownloa...elsStandard.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u1...=javadl.sun.com

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5742 bytes


I'm glad you were finally able to complete a scan with KAV and with a very good result, no less.

I wound up trying Eset, but didn't complete a scan - I forgot to shut down Avira the first run and the Guard detected something called TR/Crypt.XPACK.Gen. Same thing Avira removed back in March. I am thinking my actual initial infection was Feb 26.

I think what may have happened is ESET scanned a threat in Avira's quarantine stores which then caused an alert to pop up. It would be helpful if you could go into Avira's quarantine and see what file name including the path is referenced for TR/Crypt.XPACK.Gen.

Do you have any interest in seeing this XPACK thing? Or do you think it is a false positive?

Assuming this is a true threat and not a false positive (FP) - without the companion registry startup to load the threat, it should not become active if it were dequarantined. It could very well be a false positive since components of Combofix are often flagged as threats by AVs.

If it is a true threat locked away in Avira's quarantine stores, you could restore the file from quarantine, and then locate the TR/Crypt.XPACK.Gen file in its restored location. When found, right-click it, and select "Scan with Malwarebytes' Antimalware". If it is not detected as a threat by MBAM, then you can upload it to my submission channel - the same way you did with zowolage.exe. Delete it afterward, and then empty your recycle bin. However, it's probably best to determine the exact name of the threat in quarantine before making a decision about what to do with it.

I am satisfied that you are clean now. So once you get back to me about the TR/Crypt.XPACK.Gen file, we'll do some final cleanup/prevention steps.

I almost forgot: is this a scanner that you renamed? I ask because ZA IS has an AV by that process name:

C:\Documents and Settings\Steve\Local Settings\temp\jkos-Steve\binaries\ScanningProcess.exe


So ScanningProcess.exe is something Zone Alarm put in that folder. I did not rename anything in that folder.

The names of the files that triggered Avira were C:\Documents and Settings\Steve\Local Settings\temp\NODE618.tmp and C:\Documents and Settings\Steve\Local Settings\temp\NODE568.tmp.

The only strange behavior at this point is being logged off on reboot. I know there are viruses that do that, but in my case it doesn't happen every time I reboot, and after it logs you off it is possible to successfully retry.


So ScanningProcess.exe is something Zone Alarm put in that folder. I did not rename anything in that folder.

Zone Alarm Security Suite has an antispyware/antivirus component, which is part of Zone Alarm, called ScanningProcess.exe. If you do not have the suite and only have the firewall, then that is a reason for concern. Please let me know.

Download FixPolicies, a self-extracting ZIP file, and save it to your desktop:

http://downloads.malwareremoval.com/BillCa...FixPolicies.exe

  • Double-click FixPolicies.exe

  • Click the "Install" button on the bottom toolbar of the box that opens.

  • The program will create a new Folder called FixPolicies.

  • Double-click to open the new Folder, and then double-click the file Fix_Policies.cmd located within this folder.

  • A black box (command Window) will briefly appear and then close.

Let's try the following program also:

1. Download Dial-a-fix:

http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip

2. Unzip it to a new folder in your root directory for example C:\Dialafix

3. Double click on Dial-a-fix.exe located within the C:\Dialafix\ folder to launch the program

4. Click the policies button and uncheck "Hide disabled Policies"

Then remove restrictive policies found by clicking the Remove button.

Please download RunScanner

  • Save it to your desktop and unzip it to a folder you create such as C:\Runscanner

  • Double click RunScanner.exe to launch it.

  • Choose Beginner mode and click "OK"

  • Place a checkmark next to "Save a binary .run file"

  • Click the "Scan Computer" button on the upper left side of the screen.

  • In the "file name," name it rssteveksfp.

  • Save the .run file to your desktop.

  • Please zip rssteveksfp.run and attach/upload it to your next reply.

  • Note: I do NOT want to see the log file - I want only the .run file (zipped) and uploaded.


You have quite a bag of tricks :D At one time I had the paid version of ZoneAlarm, but it has been some time. Maybe before I had this computer? Not sure how to figure that out. I ran Avira and MBAM quickscan today - no detections. I will do a few reboots to see if the problem is cleared up.
