Jump to content

browser redirects after being infected by Total PC Defender 2010


Recommended Posts

Hello All,

First, thanks to all volunteers who support this forum selflessly and assist people like me.

On May 5, I was getting popups from Total PC Defender 2010. I updated Malwarebytes(http://www.malwarebytes.org/) on May 5, ran a full scan which caught and deleted lot of malware. It asked for reboot which I did. Ran a full scan after that which detected nothing else so i assumed my machine was clean.

But, my browser(Firefox 3.6.3) is getting redirected from a Google search. It is opening sites like surfing2cash and Stopzilla spyware remover. Opera was also getting redirected, but today it seems normal. Internet Explorer is not redirected.

Ran Spybot search and Destroy(http://www.safer-networking.org/en/) which detected Fraudreg and removed it.

As per the thread http://forums.techguy.org/virus-other-malw...elp-needed.html ran Dirquery(http://ad13.geekstogo.com/DirQuery.exe) typed the following bolded text into that window:

\Device\Ide\IdePort3

Then, hit Enter. The program generated a file on your desktop called DirQuery.txt. Its contents are

Running from: C:\Documents and Settings\Admin\Desktop\DirQuery.exe

Log file at : C:\Documents and Settings\Admin\Desktop\DirQuery.txt

The driver that owns the link:

\Device\Ide\IdePort3

is located at:

atapi.sys

and the device link is:

\Driver\atapi

The path to the driver from the registry is:

system32\drivers\tskA.tmp.

tried to use the Avenger(http://swandog46.geekstogo.com/avenger2/download.php) tool to restore the copy by moving the C:\WINDOWS\ServicePackFiles\i386\atapi.sys to C:\win\system32\drivers, and it said in log, that no rootkits were found and file was moved successfully. But, TDSkiller claims TDSS rootkit is there and hooked to atapi.sys

Looked at the thread http://forums.techguy.org/virus-other-malw...elp-needed.html as I suspect I am infected with a rootkit TDSS. Ran TDSkiller(http://support.kaspersky.com/downloa...tdsskiller.zip) which claims my atapi.sys is infected with TDSS. Says, it will be removed on reboot, but the redirects still persist after rebooting. Ran F-Secure's Blacklight rootkit eliminator(http://www.f-secure.com/en_EMEA/prod...es/blacklight/) which could not find anything. Ran the rkill(http://www.technibble.com/rkill-repa...l-of-the-week/) tool also, but that did not fix the issue.

Ran TrojanRemover(http://www.simplysup.com/tremover/download.html) which also said machine was clean. I ran Combofix in Windows safe mode which deleted some files noted below:

c:\windows\System32\BSTIeprintctl1.dll

c:\windows\system32\Cache

c:\windows\system32\SHELLLNK.TLB

C:\zip.exe

Updated and ran full Superantispyware scan which found a trojan DRV, cleaned it, rebooted it. i inspected the Windows hosts file earlier which has nothing except the standard one line referring 127.0.0.1 to localhost. Download CCleaner from download.com, ran it, rebooted, ran its registry fix. Tried Rootrepeal, rkill which also did not find anything.

Then, as per the instructions at http://forums.malwarebytes.org/index.php?showtopic=9573

I ran Malwarebytes full scan again, after updating it whose log is attached. I am attaching two logs of Malware. One which caught some infections on May 5(May5_malwarebyteslog), and one ran yesterday(May8_malwarebyteslog) which claims my machine is clean, though there are still browser redirects with Firefox. Had Mcafee as my antivirus, removed that, installed Avast, ran a full scan after updating it which did not catch anything.

Used DeFogger but it did not ask reboot my machine after the Finished message and i did not get any error message too. Log is posted as i was not allowed to attach it.

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 16:02 on 08/05/2010 (Admin)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Ran DDS and its log are attached(DDS.txt and DDSAttach.txt).

Tried to run GMER rootkit scanner which was freezing, next time i tried to run it, it rebooted my machine. Am attaching a log(ark.txt) which was produced from as far as it could run.

I had IIS running which i have disabled now. I have also installed Zonealarm's free firewall after i got infected. Initially, I had just the XP's firewall.

Any advice would be welcome.

P.S. When I tried to preview the post, I could not see the files I attached so am reattaching them. Don't know if they were removed when i did the preview thread.

May5_Malwarebyteslog.txt

May8_Malwarebyteslog.txt

ark.txt

May5_Malwarebyteslog.txt

May8_Malwarebyteslog.txt

DDS.txt

DDSAttach.txt

ark.txt

Link to post
Share on other sites

  • Staff

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • 1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.When the tool is finished, it will produce a report for you.

Now that you have thrown every tool known to man at this thing

Malwarebytes

DirQuery

Avenger

TDSkiller

Combofix

Blacklight rootkit eliminator

rkill

TrojanRemover

Superantispyware

Spybot search and Destroy

Hitman Pro 3.5

please don't run any more scans unless I ask you to. it makes it very hard to follow what is going on if you do things on your own

extra combofix report

I need to see one of the extra reports combofix makes

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box

C:\ComboFix.txt

  • click ok
  • copy and paste the report into this topic for me to review

I would like to see a new GMER scan please use the settings below

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
    GMER_2.png
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

    [*]Then click the Scan button & wait for it to finish

    [*]Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file

    [*]Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

"information and logs"

  • In your next post I need the following
  1. old Log from Combofix
  2. new log from GMER
  3. let me know of any problems you may have had

  4. NO more running scans on your own!

Gringo

Link to post
Share on other sites

Hello Gringo,

Thanks for your welcome and your selfless contribution to this forum for folks like me.

I will remember all your points and follow them. Sorry, i ran many tools. I thought i had a infection which i could fix by using one of those tools myself which is why i used so many of them.

The combofix report is below and attached also as combofixmay8.txt.

ComboFix 10-05-05.0B - Admin 05/08/2010 18:47:05.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3163 [GMT -4:00]

Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected

Restored copy from - Kitty had a snack :blink:

.

((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))

.

2010-05-08 02:05 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-05-08 02:05 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-05-08 02:05 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-05-08 02:05 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-05-08 02:05 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-05-08 02:05 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-05-08 02:05 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-05-08 02:05 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-05-08 02:05 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-05-08 02:04 . 2010-05-08 02:04 -------- d-----w- c:\program files\Alwil Software

2010-05-08 02:04 . 2010-05-08 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-08 01:13 . 2010-05-08 01:13 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-05-08 01:13 . 2009-11-22 19:42 69000 ----a-w- c:\windows\system32\zlcomm.dll

2010-05-08 01:13 . 2009-11-22 19:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll

2010-05-08 01:13 . 2010-05-08 01:13 -------- d-----w- c:\windows\system32\ZoneLabs

2010-05-08 01:13 . 2009-11-22 19:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll

2010-05-08 01:13 . 2010-05-08 01:13 -------- d-----w- c:\program files\Zone Labs

2010-05-08 01:12 . 2010-05-08 22:46 -------- d-----w- c:\windows\Internet Logs

2010-05-08 00:46 . 2010-05-08 00:46 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Opera

2010-05-08 00:45 . 2010-05-08 00:46 -------- d-----w- c:\program files\Opera

2010-05-08 00:30 . 2010-05-08 19:49 -------- d-----w- C:\New Folder

2010-05-07 23:51 . 2010-05-07 23:51 127420 ----a-w- C:\ComboFix.zip

2010-05-07 23:09 . 2010-05-07 23:09 -------- d-----w- c:\program files\CCleaner

2010-05-07 22:15 . 2010-05-07 22:15 -------- d-sh--w- c:\documents and settings\Assessment\IETldCache

2010-05-07 22:06 . 2010-05-07 22:06 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-05-07 22:06 . 2010-05-07 22:06 -------- d-----w- c:\program files\HJT

2010-05-07 22:05 . 2010-02-28 00:46 3691384 ----a-w- c:\documents and settings\Admin\Application Data\Simply Super Software\Trojan Remover\dqbF3.exe

2010-05-07 22:01 . 2010-05-07 22:01 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-05-07 21:53 . 2010-05-08 00:12 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-05-07 21:53 . 2010-05-07 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-05-07 21:53 . 2010-05-07 21:53 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-07 00:49 . 2010-05-07 00:49 63488 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-05-07 00:29 . 2010-05-07 00:44 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-05-07 00:28 . 2010-05-07 00:49 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-07 00:28 . 2010-05-07 00:28 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com

2010-05-06 19:08 . 2010-05-06 19:08 -------- d-----w- C:\ERDNT

2010-05-06 19:08 . 2010-05-06 19:08 -------- d-----w- C:\regbackupmay62010

2010-05-06 18:14 . 2006-06-19 16:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-05-06 18:14 . 2006-05-25 18:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-05-06 18:14 . 2005-08-26 04:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-05-06 18:14 . 2002-03-06 04:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-05-06 18:14 . 2003-02-02 23:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-05-06 18:14 . 2010-05-06 18:14 -------- d-----w- c:\program files\Trojan Remover

2010-05-06 18:14 . 2010-05-06 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2010-05-06 18:14 . 2010-05-06 18:14 -------- d-----w- c:\documents and settings\Admin\Application Data\Simply Super Software

2010-05-06 16:09 . 2010-05-06 16:09 0 ----a-w- C:\backup.reg

2010-05-06 15:46 . 2010-05-06 16:09 574 ----a-w- C:\cleanup.bat

2010-04-29 12:52 . 2010-04-29 12:52 755096 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe

2010-04-28 14:53 . 2010-04-28 14:53 -------- d-----w- c:\program files\Unstoppable Copier

2010-04-28 14:52 . 2010-05-07 22:07 -------- d-----w- c:\documents and settings\Admin\Application Data\TeraCopy

2010-04-28 14:52 . 2010-04-28 14:52 -------- d-----w- c:\program files\TeraCopy

2010-04-26 23:06 . 2010-04-26 23:06 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\hfemtwkxt

2010-04-22 13:26 . 2010-04-25 16:52 -------- d-----w- C:\offmcbkup

2010-04-20 19:30 . 2010-04-20 19:30 -------- d-----w- C:\Radia

2010-04-18 16:24 . 2010-04-18 16:24 -------- d-----w- c:\windows\system32\DRM

2010-04-15 12:52 . 2010-04-15 12:52 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll

2010-04-10 20:07 . 2010-04-10 20:07 -------- d-----w- c:\program files\PHP

2010-04-10 20:06 . 2010-04-10 20:06 -------- d-----w- c:\program files\Apache Software Foundation

2010-04-10 19:52 . 2010-04-10 19:52 -------- d-----w- c:\program files\ImageMagick-6.6.1-Q16

2010-04-08 23:07 . 2010-04-08 23:09 -------- d-----w- C:\xampplite

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-08 22:57 . 2009-12-14 20:09 -------- d-----w- c:\program files\Common Files\Akamai

2010-05-08 22:45 . 2010-05-08 02:15 2544703 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2010-05-08 21:54 . 2009-08-24 13:03 -------- d-----w- c:\documents and settings\Admin\Application Data\EditPlus 3

2010-05-08 19:34 . 2010-05-08 19:34 98045 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_05_08_15_28_23_small.dmp.zip

2010-05-08 19:28 . 2010-05-08 19:29 287744 ----a-w- c:\windows\Internet Logs\xDB1.tmp

2010-05-08 19:28 . 2010-05-08 19:29 1587712 ----a-w- c:\windows\Internet Logs\xDB2.tmp

2010-05-08 02:20 . 2009-06-15 21:29 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-05-08 02:03 . 2009-06-11 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-08 00:20 . 2009-11-11 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-07 22:16 . 2009-06-15 21:29 117760 ----a-w- c:\documents and settings\Assessment\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-07 22:05 . 2009-11-11 19:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-06 21:23 . 2009-09-17 20:26 -------- d-----w- c:\program files\Trend Micro

2010-05-06 19:10 . 2006-02-28 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-05-06 12:52 . 2010-02-18 13:52 443344 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-05-06 12:40 . 2010-03-15 18:53 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-05-05 22:11 . 2009-11-11 23:19 -------- d-----w- c:\program files\Malwarebytes Anti-Malware

2010-05-05 22:07 . 2010-02-06 02:34 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-05-05 21:08 . 2009-08-26 18:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF

2010-04-29 19:39 . 2009-11-11 23:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-11-11 23:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 19:24 . 2009-08-25 22:04 -------- d-----w- c:\documents and settings\Admin\Application Data\Nitro PDF

2010-04-27 00:04 . 2009-10-09 14:28 -------- d-----w- c:\documents and settings\Admin\Application Data\HPAppData

2010-04-26 19:47 . 2009-11-05 16:48 -------- d-----w- c:\documents and settings\Admin\Application Data\Download Manager

2010-04-24 19:43 . 2010-01-17 20:33 -------- d-----w- c:\program files\Files

2010-04-24 01:03 . 2009-12-08 23:53 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc

2010-04-20 14:31 . 2009-06-16 18:48 -------- d-----w- c:\program files\Hewlett-Packard

2010-04-20 00:45 . 2009-08-25 13:19 88744 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-19 20:10 . 2009-06-11 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-07 18:49 . 2009-12-01 15:54 -------- d-----w- c:\documents and settings\Admin\Application Data\XnView

2010-04-07 18:43 . 2010-04-07 18:43 -------- d-----w- c:\program files\XnView

2010-04-05 15:56 . 2010-04-05 15:55 -------- d-----w- c:\documents and settings\scan\Application Data\HPAppData

2010-04-02 15:45 . 2009-11-11 20:09 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-24 20:26 . 2010-03-24 20:26 -------- d-----w- c:\documents and settings\Admin\Application Data\dvdcss

2010-03-24 19:33 . 2010-03-24 19:33 -------- d-----w- c:\documents and settings\Admin\Application Data\IndigoRose

2010-03-24 19:33 . 2010-03-24 19:33 -------- d-----w- c:\program files\AutoPlay Media Studio 7.0 Trial

2010-03-24 19:32 . 2009-08-25 21:29 -------- d-----w- c:\documents and settings\Admin\Application Data\Downloaded Installations

2010-03-19 18:25 . 2009-06-11 17:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-19 18:24 . 2010-03-19 18:24 -------- d-----w- c:\program files\R_MANUAL_AD

2010-03-19 15:10 . 2010-03-19 15:10 -------- d-----w- c:\program files\Common Files\RDPrint

2010-03-19 15:10 . 2010-03-19 15:10 2255 ----a-w- c:\windows\PmData.Dat

2010-03-19 15:10 . 2010-03-19 15:10 -------- d-----w- c:\program files\RDS

2010-03-15 18:53 . 2010-03-15 18:53 -------- d-----w- c:\documents and settings\Admin\Application Data\Thunderbird

2010-03-11 15:20 . 2010-03-11 15:19 -------- d-----w- c:\program files\Common Files\Gravic

2010-03-11 15:20 . 2010-03-04 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Gravic

2010-03-11 15:20 . 2010-03-11 15:20 -------- d-----w- c:\program files\Gravic

2010-03-11 15:19 . 2010-03-11 15:19 -------- d-----w- c:\program files\Principia Products

2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-18 13:52 . 2010-02-18 13:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-02-18 13:52 . 2010-02-18 13:52 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys

2010-02-18 13:52 . 2010-02-18 13:52 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll

2010-02-18 13:52 . 2010-02-18 19:36 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-02-18 13:52 . 2010-02-18 13:52 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll

2010-02-18 13:52 . 2010-02-18 13:52 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll

2010-02-17 19:30 . 2010-02-17 19:30 107913 ----a-w- c:\windows\News Rover Uninstaller.exe

2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((( SnapShot_2010-05-07_22.49.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-12 04:02 . 2009-07-12 04:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll

+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll

+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll

+ 2010-05-08 22:45 . 2010-05-08 22:45 16384 c:\windows\temp\Perflib_Perfdata_3b8.dat

+ 2010-05-08 01:13 . 2009-11-22 19:42 99208 c:\windows\system32\ZoneLabs\zlquarantine.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 65928 c:\windows\system32\ZoneLabs\zatray.exe

+ 2010-05-08 01:13 . 2009-11-22 19:43 20872 c:\windows\system32\ZoneLabs\lib\zsys.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 14216 c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 43912 c:\windows\system32\ZoneLabs\lib\zfde.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 85384 c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 37256 c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\oem_1488.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\oem_1487.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\oem_1486.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 18824 c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 10120 c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 11144 c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 14216 c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12168 c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 11144 c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 29064 c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 35720 c:\windows\system32\ZoneLabs\lib\Alert.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 38280 c:\windows\system32\ZoneLabs\featuremap.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 98184 c:\windows\system32\ZoneLabs\fbl.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 74632 c:\windows\system32\ZoneLabs\camupd.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 41864 c:\windows\system32\vswmi.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 58248 c:\windows\system32\vsregexp.dll

+ 2006-02-28 12:00 . 2010-05-08 22:49 83950 c:\windows\system32\perfc009.dat

+ 2009-07-12 04:02 . 2009-07-12 04:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 141192 c:\windows\system32\ZoneLabs\zlupdate.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 172936 c:\windows\system32\ZoneLabs\vsvault.dll

+ 2010-05-08 01:12 . 2009-11-22 19:42 210824 c:\windows\system32\ZoneLabs\vsdb.dll

+ 2010-05-08 01:13 . 2007-10-11 20:51 832984 c:\windows\system32\ZoneLabs\updating.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 434568 c:\windows\system32\ZoneLabs\ssleay32.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 135048 c:\windows\system32\ZoneLabs\scheduler.dll

+ 2010-05-08 01:13 . 2009-07-14 03:58 722392 c:\windows\system32\ZoneLabs\qrbase.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 119688 c:\windows\system32\ZoneLabs\lib\zui.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 267656 c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 175496 c:\windows\system32\ZoneLabs\lib\Overview.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 368008 c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 139144 c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 376712 c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll

+ 2010-05-08 01:12 . 2009-10-10 00:33 579048 c:\windows\system32\ZoneLabs\icslta.dll

+ 2010-05-08 01:13 . 2008-03-17 20:52 813568 c:\windows\system32\ZoneLabs\dbghelp.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 109960 c:\windows\system32\vsxml.dll

+ 2010-05-08 01:12 . 2009-11-22 19:42 621960 c:\windows\system32\vsutil.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 299912 c:\windows\system32\vspubapi.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 107912 c:\windows\system32\vsmonapi.dll

+ 2010-05-08 01:12 . 2009-11-22 19:42 227720 c:\windows\system32\vsinit.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 486280 c:\windows\system32\vsdatant.sys

+ 2010-05-08 01:12 . 2009-11-22 19:42 112008 c:\windows\system32\vsdata.dll

+ 2006-02-28 12:00 . 2010-05-08 22:49 483164 c:\windows\system32\perfh009.dat

+ 2010-01-22 19:43 . 2010-05-07 23:05 219024 c:\windows\system32\inetsrv\MetaBase.bin

+ 2010-05-08 02:05 . 2010-05-08 02:05 219648 c:\windows\Installer\298f7a.msi

+ 2009-07-12 04:02 . 2009-07-12 04:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 1789320 c:\windows\system32\ZoneLabs\vsruledb.dll

+ 2010-05-08 01:13 . 2009-11-22 19:44 2384240 c:\windows\system32\ZoneLabs\vsmon.exe

+ 2010-05-08 01:13 . 2009-11-22 19:43 1536392 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll

+ 2010-05-08 00:46 . 2010-05-08 00:46 2631680 c:\windows\Installer\367d6.msi

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

c:\documents and settings\Assessment\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-05-07 00:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Admin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2009-10-03 04:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2009-10-03 09:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2005-01-07 22:07 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]

2007-08-30 19:08 229481 ----a-w- c:\program files\RDS\RMClient\JobHisInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

2009-08-20 18:25 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]

2007-08-30 19:30 49254 ----a-w- c:\program files\RDS\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-10-30 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2008-06-13 19:50 16871936 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-08-11 14:47 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

2010-02-28 00:17 1165192 ----a-w- c:\program files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NitroDriverReadSpool"=2 (0x2)

"LightScribeService"=3 (0x3)

"JavaQuickStarterService"=3 (0x3)

"IviRegMgr"=2 (0x2)

"Microsoft Office Groove Audit Service"=3 (0x3)

"stllssvr"=3 (0x3)

"sofatnet"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"JRun Default"=2 (0x2)

"JRun Admin"=2 (0x2)

"ColdFusion 8 Search Server"=3 (0x3)

"ColdFusion 8 ODBC Server"=3 (0x3)

"ColdFusion 8 ODBC Agent"=3 (0x3)

"ColdFusion 8 Application Server"=2 (0x2)

"ColdFusion 8 .NET Service"=3 (0x3)

"MySQL"=3 (0x3)

"WinDefend"=2 (0x2)

"Nero BackItUp Scheduler 4.0"=3 (0x3)

"Remark FTP Utility"=3 (0x3)

"Radstgms"=2 (0x2)

"radsched"=2 (0x2)

"radexecd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Files\\nbpro.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3306:TCP"= 3306:TCP:MySQL

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"1054:TCP"= 1054:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/18/2010 9:53 AM 64288]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/7/2010 10:05 PM 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/26/2009 10:05 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 68168]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 8:00 AM 14336]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/7/2010 10:05 PM 19024]

R3 ATNICm5;Allied Telesyn PCI Ethernet Adapter NDIS 5.1 Driver;c:\windows\system32\drivers\atnicm51.sys [9/27/2004 8:28 AM 38144]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [5/7/2010 5:53 PM 15944]

S3 Macromedia JRun Admin Server;Macromedia JRun Admin Server;c:\jrun4\bin\jrunsvc.exe [1/22/2010 5:08 PM 65536]

S3 Macromedia JRun CFusion Server;Macromedia JRun CFusion Server;c:\jrun4\bin\jrunsvc.exe [1/22/2010 5:08 PM 65536]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 12872]

S4 ColdFusion 8 .NET Service;ColdFusion 8 .NET Service;c:\coldfusion8dotnetservice\CF8DotNetsvc.exe [1/22/2010 5:10 PM 77824]

S4 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent;c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent" --> c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swagent.exe ColdFusion 8 ODBC Agent [?]

S4 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server;c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server" --> c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swstrtr.exe ColdFusion 8 ODBC Server [?]

S4 ColdFusion 8 Search Server;ColdFusion 8 Search Server;c:\jrun4\verity\k2\_nti40\bin\k2admin.exe [1/22/2010 5:06 PM 2743056]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1285864]

S4 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [6/15/2009 12:56 PM 188736]

S4 radexecd;HP OVCM Notify Daemon;c:\program files\Hewlett-Packard\CM\Agent\radexecd.exe [8/15/2007 4:02 PM 258222]

S4 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\CM\Agent\radsched.exe [7/20/2007 3:54 PM 172208]

S4 Radstgms;HP OVCM MSI Redirector;c:\program files\Hewlett-Packard\CM\Agent\Radstgms.exe [7/20/2007 3:54 PM 315568]

S4 Remark FTP Utility;Remark FTP Utility;c:\program files\Common Files\Gravic\RemarkFTPUtility12.exe [9/25/2009 12:37 PM 65024]

S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 12:52]

2009-11-28 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-05-07 c:\windows\Tasks\Norton Security Scan for Assessment.job

- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-05 22:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.famu.edu/

TCP: {073811F5-8595-4AEE-9BAF-861FA628DBD2} = 168.223.2.3,168.223.3.20

FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\pgg04e11.default\

FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll

FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-08 18:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

@=""

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2010-05-08 19:02:22

ComboFix-quarantined-files.txt 2010-05-08 23:02

ComboFix2.txt 2010-05-07 23:06

ComboFix3.txt 2009-09-17 01:54

Pre-Run: 126,028,136,448 bytes free

Post-Run: 126,064,828,416 bytes free

- - End Of File - - A02B00CB2C7CC670AE0FB69764BB0EEE

Regarding Gmer, i tried running it after disabling Avast(my anti-virus), but it froze so i don't have its log. I tried running Gmer

in normal mode of windows and no other programs were running. I allowed it 11 hours to finish, but still it did not complete so at the

end I had to manually power off my computer and restart it as Windows also was not responding.

Should I try running Gmer in Safe mode of windows which would allow it to complete?

Please let me know if you need more information.

Thanks for your help.

ComboFixmay8.txt

Link to post
Share on other sites

  • Staff

Greetings

extra combofix report

I need to see one of the extra reports combofix makes

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box

C:\qoobox\ComboFix2.txt

  • click ok
  • and also do the following
    C:\qoobox\ComboFix3.txt


  • copy and paste these reports into this topic for me to review

I still would like to see the report from Gmer

"information and logs"

  • In your next post I need the following
  1. the two combofix reports
  2. the report from GMER
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo

Link to post
Share on other sites

Hi Gringo,

The combofix2.txt and combofix3.txt are attached. When I tried to post the text of ComboFix2.txt and reply I got the message "Request Entity Too Large

The requested resource

/index.php

does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit. "

Apparently, the message length was more than that what is allowed in this text box.

I could not run Gmer as it runs OK for a while, then freezes. I will try again to run it. This is the way I am running it, disable my Avast antivirus until I restart my machine(as i don't know how long GMER may run), I start GMER by double clicking the exe, uncheck the three options you mentioned, click start which seems OK for a while then freezes making me manually reset the machine by resetting power. Am I doing anything wrong while running GMER?

Also, I am attaching the log file of my firewall Zonealarm(Zalog.txt) as i see some strange things like

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (65.197.244.165:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (96.6.40.13:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.140:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.135:Port 3478).,N/A,N/A

and PE,2010/05/09,13:23:22 -4:00 GMT,Java Quick Starter binary,C:\Program Files\Java\jre6\bin\jqsnotify.exe,127.0.0.1:5152,N/A

Quick Starter binary should not be starting up or running as it is not shown in my start up list of programs

Computer seems OK for now, Firefox did not have redirects, but the logs from Zonealarm confuse me.

Thanks for your help and time

ComboFix2.txt

ComboFix3.txt

ZALog.txt

Link to post
Share on other sites

  • Staff

hello

thanks for the logs I will go thru them now.

Are you still getting redirects?

if you keep having problems with gmer then try it this way.

I would like you to delete the Gmer you have now and download this version from here.

GMER:

I would like you to download this "special version of gmer." and save it to your desktop.

  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan..

GMER_2.png

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • devices(don't miss this one) <--this one is different than the picture
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

    [*]Then click the Scan button & wait for it to finish.

    [*]Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If Gmer runs then please give me the log and pass on the next step.

If Gmer still does not run and Only if it does not run please do the following.

I would like you to try and run Gmer in Safe mode to enter safe mode do the following.

Boot into Safe Mode

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

If Gmer does run to the end please send me the log in your next reply and If it still does not run please let me know and we will try something else

"information and logs"

  • In your next post I need the following
  1. log from Gmer
  2. let me know of any problems you may have had
  3. How is the computer doing now?

Gringo

Link to post
Share on other sites

Hi,

Thanks for the prompt reply.

Gmer did not run in normal mode of windows. While it was running, suddenly Windows rebooted. I tried to go into safe mode and run it, but i could not go into safe mode as after the below drivers were loaded no further movement was there so i had to reset the machine manually.

C:\Windows\system32\drivers\Lbd.sys

C:\Windows\system32\drivers\DRVMCDB.sys

C:\Windows\system32\drivers\PxHelp20.sys

C:\Windows\system32\drivers\KseCDD.sys

C:\Windows\system32\drivers\Ntfs.sys

C:\Windows\system32\drivers\MDIS.sys

C:\Windows\system32\drivers\mup.sys

Apparently, i can't go into safe mode now.

When I was restarting Windows, I got a message that Windows needs to do a disk consistency test for my hard disks. I canceled the disk consistency checking.

When I finished booting into Windows, I got a message that Windows has recovered from a serious error and wants to send the information

to Microsoft. I wanted to see the error report and found that below files will be sent.

C:\DOCUME~1\Admin\LOCALS~1\Temp\WER73b9.dir00\Mini050910-01.dmp

C:\DOCUME~1\Admin\LOCALS~1\Temp\WER73b9.dir00\sysdata.xml

But, when I wanted to find the location of the files I could not find them.

Since the GMER run terminated prematurely, there are two dump files in location

C:\DOCUME~1\Admin\LOCALS~1\Temp\WER86e2.dir00

called gl5x32s1.exe.hdmp and gl5x32s1.exe.mdmp

I have attached them as called gl5x32s1.exe.hdmp.zip(compressed as the original size was 16MB as this one is some 6MB) and gl5x32s1.exe.mdmp.txt(as gl5x32s1.exe.mdmp may not be allowed to upload so i added a extension .txt to it).

You can view them to determine the cause of error of Gmer terminating prematurely. They appear to be in hex and

I don't have a Hex editor and they make more sense to you than me.

Computer seems to be running OK for now.

If there is any other way, I can run GMER or any other rootkit scanning program, please advise.

Thanks for your help and time.

gl5x32s1.exe.hdmp.zip

gl5x32s1.exe.mdmp.txt

Link to post
Share on other sites

  • Staff

Hello

Ok lets try this one

RootRepeal Beta

  • Please download RootRepeal Beta and save it to your Desktop.
  • close all other programs then run it by double-clicking on the file named RootRepeal.exe
  • Once the main window shows up, please click on the Report button on the bottom of the window.
  • Next, please click the Scan button.
  • Another window will pop up asking you to select what to include in the scan. Please uncheck everything except for the Stealth Code checkbox, and then click OK.
  • Once the program has finished scanning, the results will appear. Click on the Save Report button, and save the report to your Desktop.
  • Please post the log in you're next reply.

gringo

Link to post
Share on other sites

Hi,

Thanks for your reply. I ran rootrepeal as per your instructions(unchecking everything except Stealth Code). It ran hardly for 2 seconds and it was done. Does it run that quickly? The report is below and also attached.

ROOTREPEAL © AD, 2007-2010

==================================================

Report Save Time: 2010/05/10 09:21

Program Version: Version 2.0.0.0

Windows Version: Windows XP SP3

==================================================

STEALTH CODE

-------------------

Thanks

Rootrepeal_report.txt

Link to post
Share on other sites

Hi Gringo,

So far, no redirects while I was using Firefox. I guess I should be OK.

Should I be worried about the strange things I saw in the Zonealarm firewall log which are listed below?

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (65.197.244.165:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (96.6.40.13:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.140:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.135:Port 3478).,N/A,N/A

Also, how about that, I can't get into safe mode now?

Thanks for your help.

Link to post
Share on other sites

  • Staff

Hello

please run this tool tp fix booting into safe mode and let me know if it worked

SafeBoot Key Repair

Please download SafeBootKeyRepair ... by sUBs. Save to your desktop.

  1. Double click on SafeBootKeyRepair.exe to run it.
    A window will open showing only "Please wait... The process may take a few minutes, so let it run.
  2. When finished, Notepad will open with a report, saved at C:\SafeBoot_Repair.txt
  3. Please copy and paste the contents of the SafeBoot_Repair.txt file in your next reply.

Please try to boot to Safe Mode now... let me know if you still have problems.

All the addresses you have listed are from one company - Akamai Technologies it is a ligit company I would not worry about that to much, it has to do with a program you have installed on your computer

Your Java is out of date.

It can be updated by the Java control panel

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts
  • After the update is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

:Kaspersky scan:

  • Please go to
Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

    [*]Click on My Computer under Scan.

    [*]Once the scan is complete, it will display the results. Click on View Scan Report.

    [*]You will see a list of infected items there. Click on Save Report As....

    [*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

    [*]Please post this log in your next reply.

"information and logs"

  • In your next post I need the following
  1. Log From MBAM
  2. Log From Kaspersky
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo

Link to post
Share on other sites

Hi Gringo,

I am able to get into SafeBoot now.

I updated Java, ran TFC and the quick MBAM scan(after updating its database).

But, Kapersky, I could not as the database update of its engine definitions seems to take forever. I am still trying. Could it be because my Avast antivirus is active which might be blocking something? I am on a fiber optic network connection where a 1MB file can be downloaded in a second, but downloading some 95MB of the definitions seems to indefinite time. I realize distance from server matters, but still the amount to get 95MB is excessive.

Log of MBAM is attached.

Computer seems to be fine now.

My system restore of Windows was always off all the time(before I got the malware till now).

Thanks a lot for your help and time.

MBAMlogMay10.txt

Link to post
Share on other sites

Hi Gringo,

After a few minutes, the Kapersky scan database update gives a message Update Timeout and stops the process.

The whole message is below:

The program is starting. Please wait...

Updates source is selected: http://www.kaspersky.com

File download: packages/kos-extras.jar

null

null

Updates source is selected: http://downloads2.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/kavset.xml.klz

File download: bases/five/avc/kavset.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: ftp://downloads3.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

Updates source is selected: http://downloads3.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: http://downloads1.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: http://downloads5.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: ftp://downloads5.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

Updates source is selected: ftp://downloads2.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

Updates source is selected: http://downloads4.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: ftp://downloads4.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

Updates source is selected: ftp://downloads1.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

0 [ERROR: Update timeout]

If you want me to disable Avast, restart the machine or have any other suggestion, please let me know.

Thanks

Link to post
Share on other sites

  • Staff

greetings

go ahead and shut off avast

and try use eset if you still have problems with kaspersky

Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

gringo

Link to post
Share on other sites

Hi Gringo,

Below is the log from ESET online scanner

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=eab63a93b8f3b748826fd0489039f939

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-05-11 11:53:40

# local_time=2010-05-11 07:53:40 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 321653 321653 0 0

# compatibility_mode=768 16777191 100 0 0 0 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 75 70 0 13753233 0 0

# scanned=212991

# found=0

# cleaned=0

# scan_time=32942

It did not find anything else. But, a program called Browser Plus has got installed on my system. Could it be related to the ESET online scanner(when I ran its Active X control) or something else?

Thank you for your help.

Link to post
Share on other sites

  • Staff

Hello

BrowserPlus - http://browserplus.yahoo.com/

You can uninstall it from add/remove programs - Yahoo! BrowserPlus

Very well done!! This is my general post for when your logs show no more signs of malware :)- Please let me know if you still are having problems with your computer and what these problems are.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point.

:Uninstall ComboFix:

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • CF-Uninstall.png

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:

  • please visit this page that gives instructions to do this
http://surfthenetsafely.com/ieseczone8.htm

:Turn On Automatic Updates:

  • Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them
    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.
    or visit
http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

  • you have a couple of good antispyware programs on this computer but you still can try some of these others to see if you like them also
    I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
      totally free but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.

please read this great article by miekiemoes How to prevent Malware:

and

this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints

If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:btn_donate_SM.gif

Gringo

Link to post
Share on other sites

Hi Gringo,

Avast did a boot scan and found the below:

A tightvnc-1.3.10-setup.exe\{app3}\Vncnooks.dll was infected by Win 32:PUP.gen. Since it was a boot scan(which Avast claims is done before Windows file/drivers are loaded, would it be serious?

It reported that another file(a CHM file) was corrupted .

I did not allow the boot scan to complete as I needed the machine and Avast, stops when it finds a infected file(and asks what to do for the infected file). I told to repair the Vncnooks.dll file which it could not so i told it to delete it. There might be more infected files, but how can i configure Avast to scan everything, then list what it found which McAfee does after end of scan.

What would you advise?

Thanks for your help.

Link to post
Share on other sites

Hi Gringo,

Avast bootscan found another infection Win 32: Alureon: FZ. I asked it to delete it, but don't know how many such infected files exist which Avast detects only during boot scan.

I know about the program TightVNC, haven't used it, but it was present on my machine in case i needed to remotely connect to another machine.

What do you think i should do about the infections Avast finds during bootscan?

Link to post
Share on other sites

  • Staff

Hello

Can you give me the file path? Where does it say this infection is?

try this scan please

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.

gringo

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.