Infected Windows XP laptop won't run HJT


I'm trying to clean a friend's laptop running Windows XP. Whenever I try to go to any antivirus or anti-malware sites the browser shuts down. I transferred MBAM, Avira Antivirus and HJT to the machine via a USB stick but when I tried to run them they immediately shut down. (from Windows Task Manager I could see the app come up for a second then go away)

I was able to get Combofix to run a couple of days ago and I attached the logfile, so hopefully that will help.

Any help is much appreciated.

Thanks!

ComboFix.txt


  • Staff

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


OK, I downloaded a fresh mbam-setup.exe from your link (it was the same version, 1.40.0.0, that I had tried running before), but, same as last time, the machine just doesn't run it or HJT. When I run mbam-setup I get the initial window to select the language (English), but after clicking OK the window goes away and nothing more happens.

So...no logs to post since I can't get mbam or hjt to run. :)

What next?


  • Staff

Hi,

First, please take a look and see if any of these posts help you get MBAM running.

Potential Malware infection issues to review to get MBAM running

If none of the above apply in your case, then check whether Malwarebytes works when you rename mbam.exe. This is the file located in the Program Files\Malwarebytes' Anti-Malware folder. So rename mbam.exe to blah.exe (or similar). It also happens in some cases that malware blocks EVERY process except what is in its own whitelist, and that whitelist includes important system processes. That is why it may be a good idea to rename mbam.exe to explorer.exe or similar.

Also try to run MBAM from Windows Safe Mode.


Hi,

Sorry to take so long. I tried the suggestions:

- I've never been able to get MBAM installed, so there is no MBAM folder in the Program Files directory.

- I renamed procexp.exe to winlogon.exe and ran it. I didn't find any of the files listed (SystemSecurity with the randomnumber.exe, av360.exe, tsc.exe).

I did a save from Process Explorer; this is the text file. One thing that looks suspicious is "KOfcpfwSvcs.exe" listed as "autorun Microsoft ???????".

Process Explorer listing:

Process PID CPU Description Company Name
System Idle Process 0 93.85
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
SMSS.EXE 596 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 676 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 700 4.62 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 744 1.54 Services and Controller app Microsoft Corporation
SVCHOST.EXE 896 Generic Host Process for Win32 Services Microsoft Corporation
UNSECAPP.EXE 1348 WMI Microsoft Corporation
WMIPRVSE.EXE 1516 WMI Microsoft Corporation
SVCHOST.EXE 956 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1012 Generic Host Process for Win32 Services Microsoft Corporation
WSCNTFY.EXE 856 Windows Security Center Notification App Microsoft Corporation
wuauclt.exe 2804 Windows Update Automatic Updates Microsoft Corporation
SVCHOST.EXE 1068 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1200 Generic Host Process for Win32 Services Microsoft Corporation
VSMON.EXE 1284 TrueVector Service Check Point Software Technologies LTD
AAWService.exe 1992 Ad-Aware Service Application Lavasoft
SPOOLSV.EXE 152 Spooler SubSystem App Microsoft Corporation
SVCHOST.EXE 260 Generic Host Process for Win32 Services Microsoft Corporation
AppleMobileDeviceService.exe 300 Apple Mobile Device Service Apple Inc.
AskService.exe 400
LSSrvc.exe 628 Hewlett-Packard Company
SVCHOST.EXE 860 Generic Host Process for Win32 Services Microsoft Corporation
ALG.EXE 680 Application Layer Gateway Service Microsoft Corporation
iPodService.exe 3852 iPodService Module Apple Inc.
LSASS.EXE 756 LSA Shell (Export Version) Microsoft Corporation
taskmgr.exe 1864 Windows TaskManager Microsoft Corporation
EXPLORER.EXE 1528 Windows Explorer Microsoft Corporation
SynTPLpr.exe 2076 TouchPad Driver Helper Application Synaptics, Inc.
SynTPEnh.exe 2084 Synaptics TouchPad Enhancements Synaptics, Inc.
SOUNDMAN.EXE 2092 Realtek Sound Manager Realtek Semiconductor Corp.
AGRSMMSG.exe 2100 SoftModem Messaging Applet Agere Systems
rundll32.exe 2112 Run a DLL as an App Microsoft Corporation
Keyhook.exe 2120 SiS Compatible Super VGA Keyboard Daemon Silicon Integrated Systems Corporation
QtZgAcer.EXE 2244 Launch Manager Dritek System Inc.
dlbtbmgr.exe 2268 Dell Dell 922 Button Manager
dlbtbmon.exe 2316 Dell Dell 922 Button Monitor
mafwTray.exe 2296 M-Audio FW Tray Application
daemon.exe 2312 Virtual DAEMON Manager DAEMON'S HOME
DVDTray.exe 2360 HP DVD Tray Hewlett-Packard Company
PDVDServ.exe 2376 PowerDVD RC Service Cyberlink Corp.
KOfcpfwSvcs.exe 2392 autorun Microsoft ???????
iTunesHelper.exe 2432 iTunesHelper Module Apple Inc.
AAWTray.exe 2440 Ad-Aware Tray Application Lavasoft
zlclient.exe 2468 ZoneAlarm Client Check Point Software Technologies LTD
msmsgs.exe 2488 Windows Messenger Microsoft Corporation
ctfmon.exe 2496 CTF Loader Microsoft Corporation
GoogleToolbarNotifier.exe 2556 GoogleToolbarNotifier Google Inc.
sistray.exe 2628 SiS Compatible Super VGA Tray Application Silicon Integrated Systems Corporation
winlogon.exe 3000 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
Monitor.exe 3432 Monitor acer Inc.

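The listing above can be triaged mechanically for the trick the staff reply describes: malware that only lets core system process names run, which is also why a renamed tool (procexp.exe running as winlogon.exe above) carries a system name but a non-Microsoft vendor string. The script below is an added example, not code from the thread or from Sysinternals; it assumes the Process Explorer save file is tab-separated (the forum flattened the tabs) and uses a constructed subset of the posted listing as sample input.

```python
"""Triage a saved Process Explorer listing for process-name masquerading.

Added example for this thread. The sample below is a constructed subset of
the listing posted above; columns are assumed tab-separated, which is how the
save file looked before the forum flattened it into spaces.
"""
import re
from collections import Counter

# Core Windows process names that should always carry Microsoft's vendor
# string. Malware that blocks everything except a whitelist typically keeps
# these names, which is why both malware and renamed cleanup tools borrow them.
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "spoolsv.exe", "iexplore.exe", "rundll32.exe",
}
# On a single-session XP box these run exactly once.
SINGLETONS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Constructed sample input (subset of the posted listing, tab-separated).
SAMPLE_LISTING = (
    "Process\tPID\tCPU\tDescription\tCompany Name\n"
    "System Idle Process\t0\t93.85\t\t\n"
    "SMSS.EXE\t596\t\tWindows NT Session Manager\tMicrosoft Corporation\n"
    "WINLOGON.EXE\t700\t4.62\tWindows NT Logon Application\tMicrosoft Corporation\n"
    "SVCHOST.EXE\t896\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation\n"
    "AskService.exe\t400\t\t\t\n"
    "KOfcpfwSvcs.exe\t2392\t\tautorun\tMicrosoft ???????\n"
    "EXPLORER.EXE\t1528\t\tWindows Explorer\tMicrosoft Corporation\n"
    "winlogon.exe\t3000\t\tSysinternals Process Explorer\tSysinternals - www.sysinternals.com\n"
)


def parse_listing(text):
    """Parse the tab-separated save file into row dicts; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) < 5:
            continue  # malformed line, not a process row
        name, pid, cpu, desc, company = fields[:5]
        rows.append({"name": name, "pid": pid, "cpu": cpu,
                     "desc": desc.strip(), "company": company.strip()})
    return rows


def find_findings(rows):
    """Return (name, pid, reason) triples for entries that deserve a closer look."""
    findings = []
    counts = Counter(r["name"].lower() for r in rows)
    for r in rows:
        lname = r["name"].lower()
        # 1. A system process name without Microsoft's vendor string: either
        #    something hiding behind a whitelisted name or a renamed tool.
        if lname in SYSTEM_NAMES and r["company"] != "Microsoft Corporation":
            findings.append((r["name"], r["pid"],
                             "system process name but company is %r" % r["company"]))
        # 2. More than one copy of a process XP runs exactly once.
        if lname in SINGLETONS and counts[lname] > 1:
            findings.append((r["name"], r["pid"],
                             "%d instances of a single-instance process" % counts[lname]))
        # 3. Version info that does not decode ("???????") next to a Microsoft
        #    claim, like the KOfcpfwSvcs.exe entry in the thread.
        if "Microsoft" in r["company"] and re.search(r"\?{3,}", r["company"] + r["desc"]):
            findings.append((r["name"], r["pid"], "unreadable version info claiming Microsoft"))
        # 4. A non-system process with no vendor at all.
        if lname not in SYSTEM_NAMES and lname != "system idle process" and not r["company"]:
            findings.append((r["name"], r["pid"], "no company name in version info"))
    return findings


if __name__ == "__main__":
    for name, pid, reason in find_findings(parse_listing(SAMPLE_LISTING)):
        print("%-20s PID %-5s %s" % (name, pid, reason))
```

On the sample this flags the renamed Process Explorer (winlogon.exe, PID 3000) twice, the duplicate winlogon.exe name, KOfcpfwSvcs.exe, and AskService.exe, while the genuine Microsoft entries pass; the renamed tool hit is expected and shows why the check needs a human behind it.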

  • Staff

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as shown in the screenshots CF_download_FF.gif and CF_download_rename.gif.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except what is in its own whitelist, and that whitelist includes important system processes such as iexplore.exe, explorer.exe and winlogon.exe.


Hi,

I ran ComboFix but couldn't get HJT to run (I tried renaming it iexplore but it would only pop up a window and immediately go away).

Thanks!

ComboFix 09-08-10.06 - Mike Peck 08/12/2009 22:22.2.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.59 [GMT -5:00]

Running from: c:\documents and settings\Mike Peck\Desktop\Combo-Fix.exe

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

.
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.
2009-08-08 07:48 . 2009-08-08 07:48 -------- d-sh--w- C:\FOUND.001
2009-08-07 04:03 . 2009-08-07 04:03 -------- d-----w- c:\program files\Trend Micro
2009-08-03 06:03 . 2009-08-03 06:03 -------- d-----w- c:\windows\system32\ZoneLabs
2009-08-03 06:03 . 2009-08-03 06:03 -------- d-----w- c:\program files\Zone Labs
2009-08-03 06:00 . 2009-08-03 06:00 -------- d-----w- c:\windows\Internet Logs
2009-08-02 21:46 . 2009-08-02 21:46 0 ----a-w- c:\windows\nsreg.dat
2009-08-02 21:45 . 2009-08-02 21:45 -------- d-----w- c:\documents and settings\Mike Peck\Local Settings\Application Data\Mozilla
2009-08-02 21:33 . 2009-08-02 21:33 -------- d-----w- c:\program files\CCleaner
2009-08-02 12:33 . 2009-08-02 12:33 -------- d-sh--w- C:\FOUND.000
2009-07-22 04:15 . 2009-07-22 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-07-22 04:14 . 2009-07-22 04:14 -------- d-----w- c:\program files\NCH Software
2009-07-22 04:14 . 2009-07-22 04:14 -------- d-----w- c:\program files\NCH Swift Sound
2009-07-22 04:14 . 2009-07-22 04:14 -------- d-----w- c:\documents and settings\Mike Peck\Application Data\NCH Swift Sound
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 07:45 . 2009-08-08 07:48 163840 ------w- c:\windows\Internet Logs\xDB1.tmp
2009-08-03 06:45 . 2009-08-03 06:04 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-03 06:06 . 2009-08-03 06:06 -------- d-----w- c:\program files\AskBarDis
2009-08-02 07:24 . 2004-07-06 00:15 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll
2009-07-25 16:55 . 2009-07-25 16:55 278031 ------w- c:\windows\system32\dffc97ff6abb0759fe995bb6219be1e9.TMP
2009-07-25 16:55 . 2009-07-25 16:55 278031 ------w- c:\windows\system32\422c28a011608771d793a8bb1dbda776.TMP
2009-07-07 02:50 . 2009-07-07 02:50 -------- d-----w- c:\documents and settings\Mike Peck\Application Data\Syntrillium
2009-07-07 02:48 . 2009-07-07 02:48 -------- d-----w- c:\program files\coolpro2
2009-06-29 16:12 . 1980-01-01 05:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 1980-01-01 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 1980-01-01 05:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 1980-01-01 05:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 1980-01-01 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:27 . 1980-01-01 05:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-30 08:14 . 2009-05-30 17:19 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-30 08:14 . 2009-05-30 08:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-30 08:14 . 2009-05-30 08:15 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-30 08:14 . 2009-05-30 08:13 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-15 17:37 . 2009-05-10 15:21 205842 ----a-w- c:\windows\system32\kusers.dll
2009-01-15 05:41 . 2009-01-15 05:41 766976 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\efvvhgzntr.dll
2007-01-05 16:33 . 2008-01-18 17:09 24576 --sha-w- c:\windows\system32\KOfcpfwSvcs.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-08-02_23.08.11 )))))))))))))))))))))))))))))))))))))))))


+ 2009-08-03 08:02 . 2008-12-20 22:15 233472 c:\windows\ie7updates\KB972260-IE7\webcheck.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 105984 c:\windows\ie7updates\KB972260-IE7\url.dll

+ 2009-08-03 08:02 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB972260-IE7\spuninst\updspapi.dll

+ 2009-08-03 08:02 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB972260-IE7\spuninst\spuninst.exe

+ 2009-08-03 08:02 . 2008-12-20 22:15 102912 c:\windows\ie7updates\KB972260-IE7\occache.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 671232 c:\windows\ie7updates\KB972260-IE7\mstime.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 193024 c:\windows\ie7updates\KB972260-IE7\msrating.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 477696 c:\windows\ie7updates\KB972260-IE7\mshtmled.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 459264 c:\windows\ie7updates\KB972260-IE7\msfeeds.dll

+ 2009-08-03 08:02 . 2008-12-19 04:25 634024 c:\windows\ie7updates\KB972260-IE7\iexplore.exe

+ 2009-08-03 08:02 . 2008-12-20 22:15 267776 c:\windows\ie7updates\KB972260-IE7\iertutil.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 384512 c:\windows\ie7updates\KB972260-IE7\iedkcs32.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 383488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dll

+ 2009-08-03 08:02 . 2008-12-19 04:23 161792 c:\windows\ie7updates\KB972260-IE7\ieakui.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 230400 c:\windows\ie7updates\KB972260-IE7\ieaksie.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 153088 c:\windows\ie7updates\KB972260-IE7\ieakeng.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 133120 c:\windows\ie7updates\KB972260-IE7\extmgr.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 214528 c:\windows\ie7updates\KB972260-IE7\dxtrans.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 347136 c:\windows\ie7updates\KB972260-IE7\dxtmsft.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 124928 c:\windows\ie7updates\KB972260-IE7\advpack.dll

+ 2009-08-03 06:44 . 2009-02-16 05:10 1221512 c:\windows\system32\zpeng25.dll

+ 2009-08-03 06:44 . 2009-02-16 05:10 1648520 c:\windows\system32\ZoneLabs\vsruledb.dll

+ 2009-08-03 06:44 . 2009-02-16 05:10 2402184 c:\windows\system32\ZoneLabs\vsmon.exe

+ 2009-08-03 06:45 . 2008-11-17 07:23 1512928 c:\windows\system32\ZoneLabs\srescan.dll

+ 2009-08-03 06:44 . 2009-02-16 05:10 1536392 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll

+ 1980-01-01 05:00 . 2009-04-17 09:58 1846656 c:\windows\system32\win32k.sys

+ 1980-01-01 05:00 . 2009-06-29 16:12 1159680 c:\windows\system32\urlmon.dll

+ 1980-01-01 05:00 . 2009-02-06 17:24 2180480 c:\windows\system32\ntoskrnl.exe

- 2004-08-04 03:59 . 2008-08-14 08:22 2057728 c:\windows\system32\ntkrnlpa.exe

+ 2004-08-04 03:59 . 2009-02-06 16:49 2057728 c:\windows\system32\ntkrnlpa.exe

+ 1980-01-01 05:00 . 2009-07-19 13:33 3597824 c:\windows\system32\mshtml.dll

+ 2007-08-13 23:54 . 2009-07-19 13:33 6067200 c:\windows\system32\ieframe.dll

+ 2007-02-12 21:10 . 2009-06-29 08:33 2452872 c:\windows\system32\ieapfltr.dat

+ 1980-01-01 05:00 . 2009-04-17 09:58 1846656 c:\windows\system32\dllcache\win32k.sys

+ 1980-01-01 05:00 . 2009-06-29 16:12 1159680 c:\windows\system32\dllcache\urlmon.dll

+ 1980-01-01 05:00 . 2009-06-03 19:27 1290752 c:\windows\system32\dllcache\quartz.dll

+ 2007-02-28 09:10 . 2009-02-06 17:24 2180480 c:\windows\system32\dllcache\ntoskrnl.exe

+ 2007-02-28 08:38 . 2009-02-06 16:49 2015744 c:\windows\system32\dllcache\ntkrpamp.exe

- 2007-02-28 08:38 . 2008-08-14 08:22 2015744 c:\windows\system32\dllcache\ntkrpamp.exe

+ 2007-02-28 08:38 . 2009-02-06 16:49 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe

- 2007-02-28 08:38 . 2008-08-14 08:22 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe

- 2007-02-28 09:08 . 2008-08-14 08:58 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe

+ 2007-02-28 09:08 . 2009-02-06 17:22 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe

+ 1980-01-01 05:00 . 2009-07-19 13:33 3597824 c:\windows\system32\dllcache\mshtml.dll

+ 2008-09-04 19:33 . 2009-07-19 13:33 6067200 c:\windows\system32\dllcache\ieframe.dll

+ 2008-09-04 19:33 . 2009-06-29 08:33 2452872 c:\windows\system32\dllcache\ieapfltr.dat

+ 2009-08-03 08:02 . 2008-12-20 22:15 1160192 c:\windows\ie7updates\KB972260-IE7\urlmon.dll

+ 2009-08-03 08:02 . 2009-01-17 02:35 3594752 c:\windows\ie7updates\KB972260-IE7\mshtml.dll

+ 2009-08-03 08:02 . 2008-12-20 22:15 6066688 c:\windows\ie7updates\KB972260-IE7\ieframe.dll

+ 2009-08-03 08:02 . 2007-04-17 09:32 2455488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dat

+ 2009-08-03 06:45 . 2008-12-15 06:11 10465257 c:\windows\system32\ZoneLabs\zlasdbup.dat

+ 2009-08-03 06:45 . 2008-12-15 06:11 10465257 c:\windows\system32\ZoneLabs\spyware.dat

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-10-16 23:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar1.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]

"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]

"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]

"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]

"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]

"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]

"MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2005-09-20 155648]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"KOfcpfwSvcs.exe"="c:\windows\system32\KOfcpfwSvcs.exe" [2007-01-05 24576]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-11 520024]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-23 77824]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-10-08 88363]

"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-02-26 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-7 331776]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ceabadcccbce]

2009-08-02 07:24 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/30/2009 3:15 AM 64160]

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/3/2009 1:06 AM 464264]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]

.

Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 08:16]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

FF - ProfilePath - c:\documents and settings\Mike Peck\Application Data\Mozilla\Firefox\Profiles\auqtwocn.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-12 22:31

Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)

c:\windows\system32\ceabadcccbce.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2540)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-08-13 22:34

ComboFix-quarantined-files.txt 2009-08-13 03:34

ComboFix2.txt 2009-08-02 23:16

Pre-Run: 7,278,919,680 bytes free

Post-Run: 7,278,280,704 bytes free

494 --- E O F --- 2009-08-08 09:12


  • Staff

Hi,

I see you have used Combofix more than once - this is confusing since I don't know what it deleted previously.

Anyway, I see you are dealing with a stubborn infection which may render your PC unbootable, so I suggest you back up any of your important data first before you proceed.

First of all, please uninstall the Ask Toolbar via Software > Add & Remove Programs, since this one is not recommended.

Also, I suggest you temporarily uninstall ZoneAlarm, because I know it causes a lot of problems when running ComboFix and other removal tools. Disabling is not enough; it should be uninstalled.

Then reboot after uninstall.

When we are done here and you reinstall Zonealarm again, please UNCHECK to install the Ask Toolbar during install.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\ceabadcccbce.dll

c:\windows\system32\KOfcpfwSvcs.exe

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\efvvhgzntr.dll

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ceabadcccbce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"KOfcpfwSvcs.exe"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

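The staff reply above picks three indicators out of the log: the winlogon notify DLL, the Run entry pointing at a hidden/system executable, and the disabled firewall. As an added example (not code from this thread or from ComboFix), here is a small Python triage script that parses those ComboFix log sections and raises the same flags; the KNOWN_NOTIFY baseline is an assumption for illustration, and the sample lines are copied from the logs posted above.

```python
"""Triage helper for ComboFix logs (added example; not ComboFix's own code).

It scans the file listings, the 'Reg Loading Points' Run/Notify keys and the
firewall-policy key of a ComboFix log and flags the indicators the helper
called out in this thread.
"""
from __future__ import annotations

import re

# Winlogon notify packages that normally ship with Windows XP.
# Assumption: an illustrative baseline for this example; extend it with the
# packages legitimately present on the machines you support.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon", "dimsntfy",
}

# "<created> . <modified> <size> <attrs> <path>"  (Find3M / Files Created)
# or "<date> <size> <attrs> <path>"                 (entry under a Notify key)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(\d+)\s+([-a-z]{8})\s+(\S.*)$"
)
NOTIFY_RE = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]", re.IGNORECASE
)
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def triage(log_text: str) -> list[str]:
    """Return human-readable findings for one ComboFix log."""
    attrs_by_path: dict[str, str] = {}   # lower-cased path -> attribute flags
    run_entries: list[tuple[str, str]] = []
    notify_keys: list[str] = []
    firewall_off = False
    section = ""                          # most recent "[...]" registry key

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            # attrs look like "--sha-w-": s = system, h = hidden, a = archive
            attrs_by_path[m.group(3).strip().lower()] = m.group(2)
            continue
        if line.startswith("["):
            section = line.lower()
            m = NOTIFY_RE.match(line)
            if m:
                notify_keys.append(m.group(1))
            continue
        m = RUN_RE.match(line)
        if m and section.endswith("\\currentversion\\run]"):
            run_entries.append((m.group(1), m.group(2)))
            continue
        if "firewallpolicy\\standardprofile]" in section and FIREWALL_OFF_RE.match(line):
            firewall_off = True

    findings: list[str] = []
    for key in notify_keys:
        # A notify package outside the baseline is loaded into winlogon.exe
        # at logon, which is why ordinary removal tools get killed on start.
        if key.lower() not in KNOWN_NOTIFY:
            findings.append(f"winlogon notify package not in baseline: {key}")
    for name, path in run_entries:
        attrs = attrs_by_path.get(path.lower(), "")
        if "s" in attrs and "h" in attrs:
            findings.append(f"Run entry {name!r} points at a hidden+system file: {path}")
    if firewall_off:
        findings.append("Windows Firewall disabled in standard profile (EnableFirewall=0)")
    return findings


# Sample input (constructed): lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
2007-01-05 16:33 . 2008-01-18 17:09 24576 --sha-w- c:\windows\system32\KOfcpfwSvcs.exe
2009-08-02 07:24 . 2004-07-06 00:15 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"KOfcpfwSvcs.exe"="c:\windows\system32\KOfcpfwSvcs.exe" [2007-01-05 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ceabadcccbce]
2009-08-02 07:24 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a full ComboFix.txt by reading the file into triage(); the three findings it prints for the sample are exactly the items the CFScript above removes or that need re-enabling afterwards.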

Ok, I will do these things and post the log.

You mentioned that I had run combofix before. I did run it earlier (on 8/2/2009) and here is the log from that first run. I will post the new combofix log after removing the Ask toolbar and uninstalling Zonealarm, etc.

***** THIS IS THE *OLD* LOG FROM THE 8/2/2009 COMBOFIX. I WILL POST THE NEW LOG AFTER ****

***** FYI - THIS IS THE OLD LOG *****

ComboFix 09-08-01.09 - Mike Peck 08/02/2009 17:55.1.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.69 [GMT -5:00]

Running from: d:\downloads\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll

c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe

c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys

c:\documents and settings\All Users\Application Data\winlogon.exe

c:\documents and settings\Mike Peck\Start Menu\Programs\Spyware Guard 2008

c:\windows\system32\autorun.ini

c:\windows\system32\winscenter.exe

.

((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))

.

2009-08-02 21:46 . 2009-08-02 21:46 0 ----a-w- c:\windows\nsreg.dat

2009-08-02 21:45 . 2009-08-02 21:45 -------- d-----w- c:\documents and settings\Mike Peck\Local Settings\Application Data\Mozilla

2009-08-02 21:33 . 2009-08-02 21:33 -------- d-----w- c:\program files\CCleaner

2009-08-02 12:33 . 2009-08-02 12:33 -------- d-sh--w- C:\FOUND.000

2009-07-22 04:15 . 2009-07-22 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound

2009-07-22 04:14 . 2009-07-22 04:14 -------- d-----w- c:\program files\NCH Software

2009-07-22 04:14 . 2009-07-22 04:14 -------- d-----w- c:\program files\NCH Swift Sound

2009-07-22 04:14 . 2009-07-22 04:14 -------- d-----w- c:\documents and settings\Mike Peck\Application Data\NCH Swift Sound

2009-07-07 02:50 . 2009-07-07 02:50 -------- d-----w- c:\documents and settings\Mike Peck\Application Data\Syntrillium

2009-07-07 02:50 . 2001-10-19 19:40 438608 ----a-w- c:\windows\system32\wmv8dmod.dll

2009-07-07 02:50 . 2001-10-19 19:40 665424 ----a-w- c:\windows\system32\wmv8dmoe.dll

2009-07-07 02:50 . 2001-10-19 19:40 1683792 ----a-w- c:\windows\system32\wmvcore2.dll

2009-07-07 02:50 . 2001-10-19 19:39 572752 ----a-w- c:\windows\system32\wmvdmoe.dll

2009-07-07 02:48 . 2009-07-07 02:48 -------- d-----w- c:\program files\coolpro2

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-02 07:24 . 2004-07-06 00:15 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll

2009-07-25 16:55 . 2009-07-25 16:55 278031 ------w- c:\windows\system32\dffc97ff6abb0759fe995bb6219be1e9.TMP

2009-07-25 16:55 . 2009-07-25 16:55 278031 ------w- c:\windows\system32\422c28a011608771d793a8bb1dbda776.TMP

2009-05-30 08:14 . 2009-05-30 17:19 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-05-30 08:14 . 2009-05-30 08:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-05-30 08:14 . 2009-05-30 08:15 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-05-30 08:14 . 2009-05-30 08:13 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

2009-05-15 17:37 . 2009-05-10 15:21 205842 ----a-w- c:\windows\system32\kusers.dll

2009-05-11 16:20 . 2009-05-11 16:20 278033 ------w- c:\windows\system32\c93d678954e246c460b582e25766806b.TMP

2009-05-08 18:13 . 2009-05-08 18:13 278033 ------w- c:\windows\system32\0ce7acd4d93c5310b3ded80d5b2f4049.TMP

2009-01-15 05:41 . 2009-01-15 05:41 766976 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\efvvhgzntr.dll

2009-07-15 20:30 . 2009-08-02 21:44 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2007-01-05 16:33 . 2008-01-18 17:09 24576 --sha-w- c:\windows\system32\KOfcpfwSvcs.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]

"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]

"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]

"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]

"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]

"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]

"MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2005-09-20 155648]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"KOfcpfwSvcs.exe"="c:\windows\system32\KOfcpfwSvcs.exe" [2007-01-05 24576]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-11 520024]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-23 77824]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-10-08 88363]

"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-02-26 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-7 331776]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ceabadcccbce]

2009-08-02 07:24 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/30/2009 3:15 AM 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]

.

Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 08:16]

.

- - - - ORPHANS REMOVED - - - -

Notify-feefecaadbc - c:\windows\system32\feefecaadbc.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

FF - ProfilePath - c:\documents and settings\Mike Peck\Application Data\Mozilla\Firefox\Profiles\auqtwocn.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-02 18:05

Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\ceabadcccbce.dll

c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3852)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE

c:\program files\BONJOUR\MDNSRESPONDER.EXE

c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE

c:\windows\SYSTEM32\RUNDLL32.EXE

c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\acer\eRecovery\Monitor.exe

.

**************************************************************************

.

Completion time: 2009-08-02 18:16 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-02 23:16

Pre-Run: 8,191,557,632 bytes free

Post-Run: 8,267,350,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

213 --- E O F --- 2009-04-08 07:35


Ok,

I looked for the Ask Toolbar in Add/Remove Programs but I didn't see it listed. I tried removing the Google toolbar instead, but each time I got a pop-up window that said there was a problem and the program needed to close, and asked if I wanted to send details about the problem to Microsoft (I clicked Don't Send).

I uninstalled ZoneAlarm and rebooted, then dragged the CFScript onto Combofix. Towards the end of the scan it connected to the internet to send details of the scan to the Combofix server (I think).

Here is the new log:

ComboFix 09-08-10.06 - Mike Peck 08/14/2009 0:36.3.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.80 [GMT -5:00]

Running from: c:\documents and settings\Mike Peck\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Mike Peck\Desktop\CFScript.txt

FILE ::

"c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\efvvhgzntr.dll"

"c:\windows\system32\ceabadcccbce.dll"

"c:\windows\system32\KOfcpfwSvcs.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\efvvhgzntr.dll

c:\windows\system32\ceabadcccbce.dll

c:\windows\system32\KOfcpfwSvcs.exe

c:\windows\system32\ceabadcccbce.dll . . . . failed to delete

.

((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))

.

2009-08-08 07:48 . 2009-08-08 07:48 -------- d-sh--w- C:\FOUND.001

2009-08-07 04:03 . 2009-08-07 04:03 -------- d-----w- c:\program files\Trend Micro

2009-08-03 06:06 . 2009-08-03 06:06 -------- d-----w- c:\program files\AskBarDis

2009-08-03 06:04 . 2009-08-03 06:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2009-08-03 06:03 . 2009-08-03 06:03 -------- d-----w- c:\program files\Zone Labs

2009-08-03 06:00 . 2009-08-03 06:00 -------- d-----w- c:\windows\Internet Logs

2009-08-02 21:46 . 2009-08-02 21:46 0 ----a-w- c:\windows\nsreg.dat

2009-08-02 21:45 . 2009-08-02 21:45 -------- d-----w- c:\documents and settings\Mike Peck\Local Settings\Application Data\Mozilla

2009-08-02 21:33 . 2009-08-02 21:33 -------- d-----w- c:\program files\CCleaner

2009-08-02 12:33 . 2009-08-02 12:33 -------- d-sh--w- C:\FOUND.000

2009-07-22 04:15 . 2009-07-22 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound

2009-07-22 04:14 . 2009-07-22 04:14 -------- d-----w- c:\program files\NCH Software

2009-07-22 04:14 . 2009-07-22 04:14 -------- d-----w- c:\program files\NCH Swift Sound

2009-07-22 04:14 . 2009-07-22 04:14 -------- d-----w- c:\documents and settings\Mike Peck\Application Data\NCH Swift Sound

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-14 05:50 . 2004-07-06 00:15 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll

2009-08-14 05:47 . 2004-07-06 00:15 278031 ------w- c:\windows\system32\8edabceecd927cb8d836e0468423b2f5.TMP

2009-07-25 16:55 . 2009-07-25 16:55 278031 ------w- c:\windows\system32\dffc97ff6abb0759fe995bb6219be1e9.TMP

2009-07-25 16:55 . 2009-07-25 16:55 278031 ------w- c:\windows\system32\422c28a011608771d793a8bb1dbda776.TMP

2009-07-07 02:50 . 2009-07-07 02:50 -------- d-----w- c:\documents and settings\Mike Peck\Application Data\Syntrillium

2009-07-07 02:48 . 2009-07-07 02:48 -------- d-----w- c:\program files\coolpro2

2009-06-29 16:12 . 1980-01-01 05:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 1980-01-01 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 1980-01-01 05:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-16 14:55 . 1980-01-01 05:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 1980-01-01 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:27 . 1980-01-01 05:00 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-05-30 08:14 . 2009-05-30 17:19 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-05-30 08:14 . 2009-05-30 08:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-05-30 08:14 . 2009-05-30 08:15 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-05-30 08:14 . 2009-05-30 08:13 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

.

((((((((((((((((((((((((((((( SnapShot_2009-08-13_03.31.34 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-10-16 23:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar1.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]

"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]

"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]

"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]

"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]

"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]

"MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2005-09-20 155648]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-11 520024]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-23 77824]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-10-08 88363]

"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-02-26 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-7 331776]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ceabadcccbce]

2009-08-14 05:50 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/30/2009 3:15 AM 64160]

.

Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 08:16]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

FF - ProfilePath - c:\documents and settings\Mike Peck\Application Data\Mozilla\Firefox\Profiles\auqtwocn.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-14 00:47

Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\windows\system32\ceabadcccbce.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3512)

c:\windows\system32\WININET.dll

c:\program files\CyberLink\Shared Files\CLRCEngine.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\AAWService.exe

c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE

c:\program files\ASKBARDIS\BAR\BIN\ASKSERVICE.EXE

c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE

c:\windows\system32\wbem\unsecapp.exe

c:\windows\SYSTEM32\WSCNTFY.EXE

c:\windows\system32\rundll32.exe

c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\acer\eRecovery\Monitor.exe

.

**************************************************************************

.

Completion time: 2009-08-14 0:59 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-14 05:59

ComboFix2.txt 2009-08-02 23:16

Pre-Run: 7,280,394,240 bytes free

Post-Run: 7,235,993,600 bytes free

216 --- E O F --- 2009-08-13 03:48


  • Staff

Hi,

In your case it may be called the Zonealarm Spyblocker toolbar, so please uninstall that one.

I see Combofix failed to delete a file here, so let's try again.

Please create this CFScript again:

File::

c:\windows\system32\ceabadcccbce.dll

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ceabadcccbce]

Use the same instructions as in my previous post. This will run Combofix again and create a log. Please look in your log; in case you still see c:\windows\system32\ceabadcccbce.dll . . . . failed to delete in the deletion part of the Combofix log, then we have to use the Recovery Console instead...

Please print this out, because you don't have access to this page while in the Recovery Console.

I also suggest you create a backup first of the files you don't want to lose. This is because deleting something via the Recovery Console is really powerful and you cannot afford to make mistakes.

Then,

1. Restart your computer

2. Before Windows loads, you will be prompted to choose which Operating System to start

3. Use the up and down arrow key to select Microsoft Windows Recovery Console

4. You must enter which Windows installation to log onto. Type 1 and press enter.

5. At the C:\Windows prompt, type the following commands, and press Enter after each command:

del c:\windows\system32\ceabadcccbce.dll

exit

Windows will now begin loading.

Don't worry if you get an error for some files that they don't exist.

After reboot, RESCAN with HijackThis and post a new HijackThis log in your next reply.
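A triage helper for the ComboFix output quoted in this thread, added here as an example (it is not ComboFix's, HijackThis's or the forum's own code): it parses the 'Other Deletions', 'Find3M Report' and 'Reg Loading Points' sections and reports whether a deletion failed, whether a winlogon\notify key still points at that DLL, and which other files in the report have exactly the same byte size. Same-size files with random-looking names (the 278031-byte .TMP files in the log above) are worth a second look as possible copies of the same payload before declaring the machine clean. The sample log is constructed from lines in the thread, and the function names are assumptions of this example.

```python
"""Triage helpers for ComboFix log text (added example, not ComboFix's own code)."""
import re
from collections import defaultdict

# Constructed sample: lines lifted from the second ComboFix log in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\efvvhgzntr.dll
c:\windows\system32\ceabadcccbce.dll
c:\windows\system32\KOfcpfwSvcs.exe
c:\windows\system32\ceabadcccbce.dll . . . . failed to delete
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 05:50 . 2004-07-06 00:15 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll
2009-08-14 05:47 . 2004-07-06 00:15 278031 ------w- c:\windows\system32\8edabceecd927cb8d836e0468423b2f5.TMP
2009-07-25 16:55 . 2009-07-25 16:55 278031 ------w- c:\windows\system32\dffc97ff6abb0759fe995bb6219be1e9.TMP
2009-06-29 16:12 . 1980-01-01 05:00 827392 ----a-w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ceabadcccbce]
2009-08-14 05:50 278031 ----a-w- c:\windows\system32\ceabadcccbce.dll
"""

# ComboFix marks a failed removal with '. . . . failed to delete' after the path.
FAILED_RE = re.compile(r"^(?P<path>.+?) \. \. \. \. failed to delete$")
# Find3M rows: mtime . ctime size attributes path (directory rows carry '--------' and are skipped).
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+) (?P<attr>\S+) (?P<path>.+)$")
# A winlogon\notify subkey header, followed on the next line by the DLL it loads.
NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(?P<name>[^\]]+)\]$", re.IGNORECASE)
NOTIFY_VALUE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>\d+) \S+ (?P<path>.+)$")


def _lines(log):
    """Non-empty log lines with the '.' spacer rows ComboFix emits removed."""
    stripped = [ln.strip() for ln in log.splitlines()]
    return [ln for ln in stripped if ln and ln != "."]


def failed_deletions(log):
    """Paths ComboFix reported as failed to delete (lower-cased, Windows paths are case-insensitive)."""
    out = []
    for ln in _lines(log):
        m = FAILED_RE.match(ln)
        if m:
            out.append(m.group("path").lower())
    return out


def find3m_files(log):
    """(path, size) pairs for every file row in the Find3M report."""
    out = []
    for ln in _lines(log):
        m = FIND3M_RE.match(ln)
        if m:
            out.append((m.group("path").lower(), int(m.group("size"))))
    return out


def winlogon_notify_entries(log):
    """(subkey name, dll path) for each winlogon\\notify key under Reg Loading Points."""
    out = []
    lines = _lines(log)
    for i, ln in enumerate(lines):
        key = NOTIFY_KEY_RE.match(ln)
        if key and i + 1 < len(lines):
            val = NOTIFY_VALUE_RE.match(lines[i + 1])
            if val:
                out.append((key.group("name"), val.group("path").lower()))
    return out


def same_size_siblings(log, path):
    """Other Find3M files whose byte size exactly equals that of `path` (sorted)."""
    path = path.lower()
    files = find3m_files(log)
    by_size = defaultdict(list)
    for p, s in files:
        by_size[s].append(p)
    sizes = {s for p, s in files if p == path}
    return sorted(p for s in sizes for p in by_size[s] if p != path)


def triage(log):
    """What to check before choosing the next step: did the deletion stick,
    is the load point still there, and are there same-size copies to quarantine too."""
    failed = failed_deletions(log)
    notify = winlogon_notify_entries(log)
    return {
        "failed_deletions": failed,
        "notify_still_loading": [(n, p) for n, p in notify if p in failed],
        "same_size_copies": {p: same_size_siblings(log, p) for p in failed},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`; if `notify_still_loading` is non-empty after a CFScript run, the Registry:: removal did not take either, which is the situation the Recovery Console step above is for.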


Hi!

After following your last instructions I was finally able to get HJT to run so that's a good thing. :rolleyes:

Here is the logfile:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:29:58 AM, on 8/15/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\keyhook.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

C:\WINDOWS\system32\MAFWTray.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\sistray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\acer\eRecovery\Monitor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"

O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE

O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe

O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: ceabadcccbce - C:\WINDOWS\system32\ceabadcccbce.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--

End of file - 6765 bytes


Hi,

Ok - I checked the box and fixed it. Things seem ok I think - I'm able to get to antivirus etc. websites without the browser shutting down.

Here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:42:51 AM, on 8/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\keyhook.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

C:\WINDOWS\system32\MAFWTray.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\sistray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\acer\eRecovery\Monitor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"

O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE

O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe

O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--

End of file - 6708 bytes


  • Staff

Hi

This looks OK again :rolleyes:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :D


THANKS SO MUCH for your help!! :rolleyes: I will definitely check out your links on prevention/performance etc.

I've installed Avira AntiVir Personal now and did a system scan. It found 60 infections (see the log below).

I have a question - I have two other computers that I've been turning off (hibernating) whenever the infected laptop was turned on to prevent contamination from being on the same (secured) wifi. I'm concerned that a couple of times I forgot to turn them off and they seem sluggish. Can I send a scan from one of them under this thread please?

Avira AntiVir Personal

Report file date: Sunday, August 16, 2009 11:14

Scanning for 1639416 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : LEVIATHON

Version information:

BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00

AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 15:14:48

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:26

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:50

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:54

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:38

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 16:09:00

ANTIVIR2.VDF : 7.1.5.88 2668032 Bytes 8/10/2009 16:09:38

ANTIVIR3.VDF : 7.1.5.117 290304 Bytes 8/14/2009 16:09:42

Engineversion : 8.2.1.1

AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 17:52:06

AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/16/2009 16:10:08

AESCN.DLL : 8.1.2.4 127348 Bytes 8/16/2009 16:10:04

AERDL.DLL : 8.1.2.4 430452 Bytes 8/16/2009 16:10:04

AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 22:07:22

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 8/16/2009 16:10:00

AEHEUR.DLL : 8.1.0.154 1917302 Bytes 8/16/2009 16:10:00

AEHELP.DLL : 8.1.5.3 233846 Bytes 8/16/2009 16:09:48

AEGEN.DLL : 8.1.1.56 356725 Bytes 8/16/2009 16:09:48

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40

AECORE.DLL : 8.1.7.6 184694 Bytes 8/16/2009 16:09:44

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:48:00

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:16

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:30

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:10

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:42

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:10

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:50

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:34

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:12

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:40:00

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:50

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Sunday, August 16, 2009 11:14

Starting search for hidden objects.

'37481' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'Rundll32.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'WUAUCLT.EXE' - '1' Module(s) have been scanned

Scan process 'Monitor.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'wscntfy.exe' - '1' Module(s) have been scanned

Scan process 'unsecapp.exe' - '1' Module(s) have been scanned

Scan process 'sistray.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'AAWTray.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned

Scan process 'dlbtbmon.exe' - '1' Module(s) have been scanned

Scan process 'DVDTray.exe' - '1' Module(s) have been scanned

Scan process 'daemon.exe' - '1' Module(s) have been scanned

Scan process 'mafwTray.exe' - '1' Module(s) have been scanned

Scan process 'dlbtbmgr.exe' - '1' Module(s) have been scanned

Scan process 'QtZgAcer.EXE' - '1' Module(s) have been scanned

Scan process 'Keyhook.exe' - '1' Module(s) have been scanned

Scan process 'Rundll32.exe' - '1' Module(s) have been scanned

Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned

Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned

Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned

Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned

Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned

Scan process 'AAWService.exe' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'LSASS.EXE' - '1' Module(s) have been scanned

Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned

Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned

Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned

Scan process 'SMSS.EXE' - '1' Module(s) have been scanned

49 processes with 49 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '68' files ).

Starting the file scan:

Begin scan in 'C:\' <ACER>

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\WINDOWS\system32\kusers.dll

[DETECTION] Is the TR/BHO.szc Trojan

C:\WINDOWS\system32\d3afd1c068006fcb963cddc34d2a4c78.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\faaf66efe9981eb14ae4ab26409d408b.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\dffc97ff6abb0759fe995bb6219be1e9.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

C:\WINDOWS\system32\5be7cc86718f1d8077e296cc27889cb6.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\129788b7036a5344b778af8a5707fe25.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\b19bed027a9589a331f79b09f60b5aed.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\feefecaadbc(2).dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\feefecaadbc(3).dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\feefecaadbc(4).dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\feefecaadbc(5).dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\d018ee258a80a9986b444da3f2f917a1.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\dc2aeb5518b0a0b1dfc6cfb2c90aa1de.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\29a47769c322c02c5a856b4b218357cf.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\0ce7acd4d93c5310b3ded80d5b2f4049.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\c93d678954e246c460b582e25766806b.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

C:\WINDOWS\system32\422c28a011608771d793a8bb1dbda776.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063643.dll

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063649.dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063653.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063657.dll

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063661.dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0064655.DLL

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0064663.dll

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064681.dll

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064682.dll

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064685.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.Gen back-door program

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064687.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066482.dll

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066483.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.WI.1 back-door program

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066484.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066494.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0066689.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0066699.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0066700.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067777.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067789.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067790.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\Qoobox\Quarantine\[4]-Submit_2009-08-14_00.35.51.zip

[0] Archive type: ZIP

--> Collect_efvvhgzntr.dll.vir

[DETECTION] Is the TR/Dropper.Gen Trojan

--> Collect_ceabadcccbce.dll.vir

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> Collect_KOfcpfwSvcs.exe.vir

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.WI.1 back-door program

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\winlogon.exe.vir

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.Gen back-door program

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll.vir

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll.vir

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\efvvhgzntr.dll.vir

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\winscenter.exe.vir

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\KOfcpfwSvcs.exe.vir

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.WI.1 back-door program

C:\Qoobox\Quarantine\C\WINDOWS\system32\ceabadcccbce.dll.vir

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\_ceabadcccbce_.dll.zip

[0] Archive type: ZIP

--> ceabadcccbce.dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.1

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.2

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.3

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

--> ceabadcccbce.dll.4

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.5

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.6

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.7

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.8

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.9

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.10

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

--> ceabadcccbce.dll.11

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

Begin scan in 'D:\' <ACERDATA>

D:\Downloads\zaSetup_80_065_000_en.exe

[0] Archive type: ZIP SFX (self extracting)

--> SWITCHUNINST_44ZONE LABS.EXE

[1] Archive type: RSRC

--> WINDOWS6.0-KB929547-V2-X64.MSU

[1] Archive type: CAB (Microsoft)

--> Windows6.0-KB929547-v2-x64.cab

[WARNING] No further files can be extracted from this archive. The archive will be closed

Beginning disinfection:

C:\WINDOWS\system32\kusers.dll

[DETECTION] Is the TR/BHO.szc Trojan

[NOTE] The file was moved to '4afb393d.qua'!

C:\WINDOWS\system32\d3afd1c068006fcb963cddc34d2a4c78.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4ae938fc.qua'!

C:\WINDOWS\system32\faaf66efe9981eb14ae4ab26409d408b.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4ae9392a.qua'!

C:\WINDOWS\system32\dffc97ff6abb0759fe995bb6219be1e9.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

[NOTE] The file was moved to '4aee392f.qua'!

C:\WINDOWS\system32\5be7cc86718f1d8077e296cc27889cb6.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4aed392b.qua'!

C:\WINDOWS\system32\129788b7036a5344b778af8a5707fe25.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4ac138fb.qua'!

C:\WINDOWS\system32\b19bed027a9589a331f79b09f60b5aed.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4ac138fa.qua'!

C:\WINDOWS\system32\feefecaadbc(2).dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4aed392e.qua'!

C:\WINDOWS\system32\feefecaadbc(3).dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '495609bf.qua'!

C:\WINDOWS\system32\feefecaadbc(4).dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4f922b7f.qua'!

C:\WINDOWS\system32\feefecaadbc(5).dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4f6d2337.qua'!

C:\WINDOWS\system32\d018ee258a80a9986b444da3f2f917a1.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4ab938f9.qua'!

C:\WINDOWS\system32\dc2aeb5518b0a0b1dfc6cfb2c90aa1de.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4aba392c.qua'!

C:\WINDOWS\system32\29a47769c322c02c5a856b4b218357cf.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4ae93902.qua'!

C:\WINDOWS\system32\0ce7acd4d93c5310b3ded80d5b2f4049.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4aed392c.qua'!

C:\WINDOWS\system32\c93d678954e246c460b582e25766806b.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wik worm

[NOTE] The file was moved to '4abb3902.qua'!

C:\WINDOWS\system32\422c28a011608771d793a8bb1dbda776.TMP

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

[NOTE] The file was moved to '4aba38fb.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063643.dll

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

[NOTE] The file was moved to '4ab838fa.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063649.dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

[NOTE] The file was moved to '4f3158db.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063653.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4f344f83.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063657.dll

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

[NOTE] The file was moved to '49117a9b.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063661.dll

[DETECTION] Contains recognition pattern of the WORM/Autorun.wpa worm

[NOTE] The file was moved to '4f325f13.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0064655.DLL

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

[NOTE] The file was moved to '4f36bff3.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0064663.dll

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

[NOTE] The file was moved to '4f33574b.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064681.dll

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4ab838fb.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064682.dll

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

[NOTE] The file was moved to '4ab838fc.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064685.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.Gen back-door program

[NOTE] The file was moved to '4cad5a35.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064687.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4cae526d.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066482.dll

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4caf4aa5.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066483.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.WI.1 back-door program

[NOTE] The file was moved to '4f3547bd.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066484.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4ca1b915.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066494.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4ca2b14d.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0066689.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4cab5a75.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0066699.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4f29a69d.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0066700.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4ab838fd.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067777.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4f2b950e.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067789.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4f2c8d46.qua'!

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067790.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4f2d857e.qua'!

C:\Qoobox\Quarantine\[4]-Submit_2009-08-14_00.35.51.zip

[NOTE] The file was moved to '4ae53901.qua'!

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\winlogon.exe.vir

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.Gen back-door program

[NOTE] The file was moved to '4af63936.qua'!

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll.vir

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4ad53932.qua'!

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll.vir

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

[NOTE] The file was moved to '4aec393c.qua'!

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\efvvhgzntr.dll.vir

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4afe3933.qua'!

C:\Qoobox\Quarantine\C\WINDOWS\system32\winscenter.exe.vir

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4f6fe597.qua'!

C:\Qoobox\Quarantine\C\WINDOWS\system32\KOfcpfwSvcs.exe.vir

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.WI.1 back-door program

[NOTE] The file was moved to '4aee391c.qua'!

C:\Qoobox\Quarantine\C\WINDOWS\system32\ceabadcccbce.dll.vir

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4ae93933.qua'!

C:\Qoobox\Quarantine\C\WINDOWS\system32\_ceabadcccbce_.dll.zip

[NOTE] The file was moved to '4aed3931.qua'!

End of the scan: Sunday, August 16, 2009 11:50

Used time: 34:21 Minute(s)

The scan has been done completely.

6987 Scanned directories

197673 Files were scanned

60 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

47 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

197612 Files not concerned

6692 Archives were scanned

2 Warnings

48 Notes

37481 Objects were scanned with rootkit scan

0 Hidden objects were found


  • Staff

Hi,

I forgot to have you uninstall Combofix before. That explains why Avira still finds a lot, since what it found was in Combofix's quarantine. Uninstalling Combofix also deletes the quarantine :rolleyes:

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

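The staff reply above makes the point that most of Avira's 60 hits sat in ComboFix's quarantine (C:\Qoobox) or in old System Restore points rather than on the live system. As an added example that is not part of this thread, the following Python script parses lines in the Avira log format quoted earlier and sorts each detection by where the flagged file lives, so the entries that still need attention stand out; the sample excerpt is constructed from entries in the posted log.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the Avira log quoted in this thread:
# a file path line, optional "--> member" lines for archive contents, then a
# [DETECTION] line. Paths and threat names are taken from the posted log.
SAMPLE_LOG = r"""
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\kusers.dll
[DETECTION] Is the TR/BHO.szc Trojan
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP77\A0063643.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\[4]-Submit_2009-08-14_00.35.51.zip
[0] Archive type: ZIP
--> Collect_efvvhgzntr.dll.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
--> Collect_KOfcpfwSvcs.exe.vir
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.WI.1 back-door program
C:\Qoobox\Quarantine\C\WINDOWS\system32\winscenter.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
"""

# Path prefixes that mean "already contained": ComboFix's quarantine folder
# and the System Restore snapshot store. Anything else counts as live.
LOCATIONS = (
    ("combofix_quarantine", r"C:\Qoobox\Quarantine"),
    ("system_restore", r"C:\System Volume Information\_restore"),
)

PATH_RE = re.compile(r"^[A-Za-z]:\\")


def classify_path(path):
    """Label a flagged path by where it lives (case-insensitive prefix match)."""
    lower = path.lower()
    for label, prefix in LOCATIONS:
        if lower.startswith(prefix.lower()):
            return label
    return "live"


def parse_detections(text):
    """Return (container_path, archive_member_or_None, detection_text) tuples."""
    hits = []
    current_path = None
    member = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            # A new scanned file; forget any archive member from the last one.
            current_path, member = line, None
        elif line.startswith("--> "):
            # Member inside the archive named by current_path.
            member = line[4:]
        elif line.startswith("[DETECTION]") and current_path:
            hits.append((current_path, member, line[len("[DETECTION]"):].strip()))
        # [WARNING], [NOTE] and "[0] Archive type" lines carry no detection.
    return hits


def triage(text):
    """Count detections per location so contained vs. live hits are visible."""
    return dict(Counter(classify_path(p) for p, _, _ in parse_detections(text)))


def live_detections(text):
    """Only the hits on the running system, the ones that still need action."""
    return [h for h in parse_detections(text) if classify_path(h[0]) == "live"]


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    for path, member, detection in live_detections(SAMPLE_LOG):
        print("LIVE:", path, member or "", "->", detection)
```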

Hi,

I'm trying to uninstall Combofix and I'm getting Windows pop-ups that say:

Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.

with the following filenames in the window headers:

32788R22FWJFW\lsm.exe

32788R22FWJFW\n.pif

32788R22FWJFW\hidec.exe

32788R22FWJFW\nircmd.cfexe

I had removed Avira and Online Armor and installed the Comodo anti-virus/firewall combo instead. I disabled Comodo while uninstalling Combofix. Also, the laptop runs extremely slow. :(

Any ideas?

Thanks!


I ran the Combofix uninstall several more times, each time getting those Windows pop-ups about the inaccessible files.

I ran a Comodo scan and here is the log file:

ApplicUnsaf.Win32.Hide.~AB@5325787 D:\Downloads\ComboFix.exe

UnclassifiedMalware@8417164 D:\Downloads\ComboFix.exe

Application.Win32.Nircmd.~@16774100 D:\Downloads\ComboFix.exe

Application.Win32.Nircmd.~@16774100 D:\Downloads\ComboFix.exe

Heur.Packed.Unknown C:\WINDOWS\Uninstall.exe

Application.Win32.Nircmd.~@16774100 C:\WINDOWS\NIRCMD.exe

ApplicUnsaf.Win32.Hide.~AB@5325787 C:\Documents and Settings\Mike Peck\Desktop\Combo-Fix.exe

Application.Win32.Nircmd.~@16774100 C:\Documents and Settings\Mike Peck\Desktop\Combo-Fix.exe

UnclassifiedMalware@8417164 C:\Documents and Settings\Mike Peck\Desktop\Combo-Fix.exe

Application.Win32.Nircmd.~@16774100 C:\Documents and Settings\Mike Peck\Desktop\Combo-Fix.exe

Application.Win32.Nircmd.~@16774100 C:\Documents and Settings\Mike Peck\Desktop\Combo-Fix.exe

Heur.Suspicious@22600404 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064751.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064744.pif

TrojWare.Win32.Rootkit.TDSS.oie@15058248 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064683.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP84\A0066293.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP85\A0066346.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP85\A0066354.pif

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP85\A0066361.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066469.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066578.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066588.pif

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP86\A0066595.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0066676.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067730.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067739.pif

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067746.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067764.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067874.exe

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067884.pif

Application.Win32.Nircmd.~@16774100 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP87\A0067891.exe

TrojWare.Win32.Rootkit.TDSS.oie@15058248 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe.vir

ApplicUnsaf.Win32.Hide.~AB@5325787 C:\32788R22FWJFW\hidec.exe

Application.Win32.Nircmd.~@16774100 C:\32788R22FWJFW\lsm.exe

UnclassifiedMalware@8417164 C:\32788R22FWJFW\ForceLibrary.dll

Application.Win32.Nircmd.~@16774100 C:\32788R22FWJFW\NirCmd.cfexe

Application.Win32.Nircmd.~@16774100 C:\32788R22FWJFW\n.pif

ApplicUnsaf.Win32.Hide.~AB@5325787 C:\32788R22FWJFW.0.tmp\hidec.exe

Application.Win32.Nircmd.~@16774100 C:\32788R22FWJFW.0.tmp\lsm.exe

UnclassifiedMalware@8417164 C:\32788R22FWJFW.0.tmp\ForceLibrary.dll

Application.Win32.Nircmd.~@16774100 C:\32788R22FWJFW.0.tmp\NirCmd.cfexe

Application.Win32.Nircmd.~@16774100 C:\32788R22FWJFW.0.tmp\n.pif

ApplicUnsaf.Win32.Hide.~AB@5325787 C:\32788R22FWJFW.1.tmp\hidec.exe

Application.Win32.Nircmd.~@16774100 C:\32788R22FWJFW.1.tmp\lsm.exe

UnclassifiedMalware@8417164 C:\32788R22FWJFW.1.tmp\ForceLibrary.dll

Application.Win32.Nircmd.~@16774100 C:\32788R22FWJFW.1.tmp\NirCmd.cfexe

Application.Win32.Nircmd.~@16774100 C:\32788R22FWJFW.1.tmp\n.pif

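A triage of the scan log above, written as an added example (it is not from the thread, Comodo or ComboFix): it parses each "detection name, path" line and sorts hits by where they live, so ComboFix's own bundled helpers (Nircmd, hidec, the C:\32788R22FWJFW work folder) and ComboFix's C:\Qoobox quarantine and System Restore copies are separated from live files that merit a second look. The sample lines are a subset of the log; the category names are assumptions of this example.

```python
"""Triage a Comodo-style scan log of the form "<DetectionName> <path>"."""
import re

# Constructed sample: a subset of the detections quoted in the log above.
SAMPLE_LOG = r"""
Application.Win32.Nircmd.~@16774100 C:\WINDOWS\NIRCMD.exe
Heur.Packed.Unknown C:\WINDOWS\Uninstall.exe
Heur.Suspicious@22600404 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
TrojWare.Win32.Rootkit.TDSS.oie@15058248 C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP78\A0064683.exe
TrojWare.Win32.Rootkit.TDSS.oie@15058248 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe.vir
ApplicUnsaf.Win32.Hide.~AB@5325787 C:\32788R22FWJFW\hidec.exe
UnclassifiedMalware@8417164 C:\32788R22FWJFW\ForceLibrary.dll
"""

# Detection name is the first token; the rest of the line is the path (may contain spaces).
LINE_RE = re.compile(r"^(\S+)\s+(.+)$")

# Substrings of detection names that identify ComboFix's bundled helpers.
COMBOFIX_TOOL_MARKERS = ("nircmd", "hide.")


def classify(name, path):
    """Return one of: quarantine, restore_point, combofix_tool, review."""
    low = path.lower()
    if low.startswith(r"c:\qoobox\quarantine"):
        return "quarantine"       # already quarantined by ComboFix (.vir)
    if r"\system volume information\_restore" in low:
        return "restore_point"    # dormant System Restore copy
    if low.startswith(r"c:\32788r22fwjfw") or any(
        marker in name.lower() for marker in COMBOFIX_TOOL_MARKERS
    ):
        return "combofix_tool"    # ComboFix work folder or bundled tool
    return "review"               # live file not explained by the cleanup tools


def triage(log_text):
    """Parse the log and return {category: [(detection_name, path), ...]}."""
    buckets = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines
        name, path = match.groups()
        buckets.setdefault(classify(name, path), []).append((name, path))
    return buckets


if __name__ == "__main__":
    for category, hits in sorted(triage(SAMPLE_LOG).items()):
        print(f"{category}: {len(hits)}")
        for name, path in hits:
            print(f"  {name}  {path}")
```

Only the "review" bucket (here the heuristic hits on Uninstall.exe and NBJ.exe) is left for a human to check; the rest is explained by the cleanup tooling or clears when System Restore is reset.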

  • Staff

Hi,

The Nircmd detection is nothing to worry about. That's one of the main reasons why we ask to disable AV, because it blocks this commandline tool.

Anyway, please delete Combofix manually. To do this, delete the Combofix.exe from the desktop and the C:\Qoobox, C:\Combofix and C:\32788R22FWJFW folders.

Also,

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


I have another piece of information - automatic updates had downloaded four updates and I tried to install two of them. It tried and failed to install them. They were:

KB954430 - Security update for Microsoft XML Core Services 4.0 Service Pack 2

KB890830 - Windows Malicious Software Removal Tool

Seems odd the security updates wouldn't install.....I'm hoping I'm not still infected. :(

I do have the Comodo Internet Security enabled and set as follows:

Antivirus security level: Stateful

Firewall security level: Safe mode

Defense+ security level: Clean PC mode


  • Staff

Hi,

I'm pretty sure it's actually your Comodo interfering with the updates :(

If you still were infected, you wouldn't even be able to access updates.

I used to have the same as well when I tried Comodo. Comodo can be really stubborn here, so the best way to test is to temporarily uninstall Comodo, then reboot and then install the updates again.


Hi,

OK - I tried uninstalling Comodo and rebooting - it appeared to be installing the security updates but it failed each time. I tried several times on each update but it would not install. I downloaded Comodo again and am about to reinstall. Do you have any ideas why Windows security updates won't install?
