suspected infection



key
2010-04-16, 17:04
Hi, yesterday morning I had a major problem with my PC.
It was impossible to connect to several sites, especially yours and others that offer spyware/malware removal.
I could install SD by copying it into a folder inside C:\Program Files and launching it with the SD main executable.
It was impossible to connect to your site, so I did a scan without updating and found several problems, which were removed.
Later I downloaded the installers of Malwarebytes and ComboFix on another computer and "introduced" them into the PC by email; I could install them and scan the PC.
During the Malwarebytes scan several problems were detected by this program and, simultaneously, by ZoneAlarm Security, and removed.
Things didn't get better; the PC still could not connect to all the software sites, but it was doing fewer weird things. I scanned it with ComboFix, without too much change either.
Then I went and deleted all the cookies and the Temporary folder and emptied the Recycle Bin, and then a lot of things changed.
At the end of the night I could connect to your site and download the latest version of SD with updates, and a scan revealed no problems.
I re-scanned with ZoneAlarm, after updating, and only one trojan was found.
Here I attach the logs I got during this ordeal. It would be great if you could check them and, if possible, tell me whether the problem is solved or I still have to do something more.
Thanks a lot for your assistance.


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

15/04/2010 23:13:30
mbam-log-2010-04-15 (23-13-30).txt

Scan type: Quick scan
Objects scanned: 96853
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





ComboFix 10-04-15.02 - dues 15/04/2010 23:25:15.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1919.1470 [GMT -6:00]
Running from: c:\documents and settings\dues\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-16 00:04 . 2010-04-16 00:04 -------- d-----w- c:\documents and settings\dues\Application Data\Malwarebytes
2010-04-16 00:04 . 2010-03-30 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-16 00:04 . 2010-04-16 00:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-16 00:04 . 2010-04-16 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-16 00:04 . 2010-03-30 06:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-15 18:13 . 2010-04-15 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-15 18:09 . 2010-04-15 18:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-15 04:58 . 2010-04-15 04:58 -------- d-----w- c:\windows\ServicePackFiles
2010-04-15 04:57 . 2004-08-03 22:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-04-14 20:39 . 2010-04-15 15:37 -------- d--h--w- c:\windows\$hf_mig$
2010-04-13 21:58 . 2010-04-13 21:58 -------- d-----w- c:\windows\Sun
2010-04-12 20:32 . 2004-08-04 05:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-04-12 20:32 . 2004-08-04 05:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-04-12 18:57 . 2010-04-12 18:57 503808 ----a-w- c:\documents and settings\dues\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56c5b8e9-n\msvcp71.dll
2010-04-12 18:57 . 2010-04-12 18:57 499712 ----a-w- c:\documents and settings\dues\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56c5b8e9-n\jmc.dll
2010-04-12 18:57 . 2010-04-12 18:57 348160 ----a-w- c:\documents and settings\dues\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56c5b8e9-n\msvcr71.dll
2010-04-12 18:56 . 2010-04-12 18:56 61440 ----a-w- c:\documents and settings\dues\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6264a5a3-n\decora-sse.dll
2010-04-12 18:56 . 2010-04-12 18:56 12800 ----a-w- c:\documents and settings\dues\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6264a5a3-n\decora-d3d.dll
2010-04-12 17:46 . 2010-04-12 17:46 -------- d-----w- c:\documents and settings\dues\Application Data\MSNInstaller
2010-04-12 07:13 . 2010-04-12 07:13 -------- d-----w- c:\program files\MSN Toolbar
2010-04-12 07:13 . 2010-03-16 17:43 52224 ----a-w- c:\documents and settings\dues\Application Data\Mozilla\Firefox\Profiles\vbixfl4y.default\extensions\{0974848a-b5bc-49f2-9778-307742b4a55d}\components\FFExternalAlert.dll
2010-04-12 07:13 . 2010-03-16 17:43 101376 ----a-w- c:\documents and settings\dues\Application Data\Mozilla\Firefox\Profiles\vbixfl4y.default\extensions\{0974848a-b5bc-49f2-9778-307742b4a55d}\components\RadioWMPCore.dll
2010-04-12 06:00 . 2010-04-12 06:00 -------- d-----w- c:\program files\Conduit
2010-04-12 06:00 . 2010-04-12 06:00 -------- d-----w- c:\documents and settings\dues\Local Settings\Application Data\Conduit
2010-04-12 06:00 . 2010-03-16 18:31 52224 ----a-w- c:\documents and settings\dues\Application Data\Mozilla\Firefox\Profiles\vbixfl4y.default\extensions\{770720c8-c640-43ec-b9f6-6de6d151428b}\components\FFExternalAlert.dll
2010-04-12 06:00 . 2010-03-16 18:31 101376 ----a-w- c:\documents and settings\dues\Application Data\Mozilla\Firefox\Profiles\vbixfl4y.default\extensions\{770720c8-c640-43ec-b9f6-6de6d151428b}\components\RadioWMPCore.dll
2010-04-12 05:53 . 2010-04-12 08:03 -------- d-----w- c:\program files\Ask.com
2010-04-12 05:48 . 2010-04-12 05:48 -------- d-----w- c:\program files\Common Files\Java
2010-04-12 05:48 . 2010-04-12 05:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-12 05:47 . 2010-04-12 05:47 -------- d-----w- c:\program files\Java
2010-04-12 05:13 . 2010-04-12 05:13 -------- d-----w- c:\documents and settings\dues\Downloads
2010-04-11 22:39 . 2010-04-11 22:39 -------- d-----w- c:\program files\SonicWallES
2010-04-09 00:50 . 2010-04-09 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2010-04-09 00:44 . 2010-04-11 22:39 -------- d-----w- c:\documents and settings\dues\Application Data\MailFrontier
2010-04-09 00:44 . 2010-04-09 00:44 -------- d-----w- c:\documents and settings\dues\Application Data\CheckPoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 05:43 . 2010-04-09 00:34 144 ----a-w- c:\windows\system32\pdfl.dat
2010-04-16 05:43 . 2008-04-17 00:08 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-16 05:36 . 2010-04-16 05:36 570909 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-15 20:41 . 2010-04-15 20:42 1856000 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-15 04:59 . 2010-04-15 14:37 1865728 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-04-15 04:59 . 2010-04-15 14:37 344064 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-04-13 05:09 . 2010-04-13 20:43 1773568 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-04-09 00:34 . 2010-04-09 00:34 80 ----a-w- c:\windows\system32\ibfl.dat
2010-04-09 00:34 . 2010-04-09 00:34 144 ----a-w- c:\windows\system32\lkfl.dat
2010-04-09 00:34 . 2010-04-09 00:34 -------- d-----w- c:\program files\CheckPoint
2010-04-09 00:34 . 2010-04-09 00:34 -------- d-----w- c:\program files\Zone Labs
2010-03-10 08:02 . 2004-08-03 22:56 417792 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-15_23.58.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-16 05:41 . 2010-04-16 05:41 16384 c:\windows\Temp\Perflib_Perfdata_35c.dat
+ 2010-04-16 05:41 . 2010-04-16 05:43 2535 c:\windows\Temp\sdk8\Report\g_objid.dat
- 2010-04-15 23:57 . 2010-04-15 23:58 2535 c:\windows\Temp\sdk8\Report\g_objid.dat
+ 2010-04-16 05:41 . 2010-04-16 05:43 3448 c:\windows\Temp\sdk8\Report\g_objdt.dat
+ 2010-04-16 05:41 . 2010-04-16 05:42 1792 c:\windows\Temp\sdk8\Report\g_objbt.dat
+ 2010-04-16 05:16 . 2010-04-16 05:16 1956 c:\windows\system32\Restore\rstrlog.dat
+ 2010-04-15 23:57 . 2010-04-16 05:02 393216 c:\windows\Temp\sfdb.dat
+ 2010-04-09 00:54 . 2010-04-16 05:25 748032 c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-11 7286784]
"nwiz"="nwiz.exe" [2005-10-11 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-11 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"conime.exe"="conime.exe" [2004-08-03 27648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.15.lnk - c:\program files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe [2006-11-19 634880]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [14/10/2009 07:30 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [14/10/2009 07:30 476528]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [14/10/2009 07:29 35448]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [02/10/2002 09:57 13532]
.
Contents of the 'Scheduled Tasks' folder

2010-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2431232
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\dues\Application Data\Mozilla\Firefox\Profiles\vbixfl4y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431232&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - softonic.com4 Customized Web Search
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431232&q=
FF - component: c:\documents and settings\dues\Application Data\Mozilla\Firefox\Profiles\vbixfl4y.default\extensions\{0974848a-b5bc-49f2-9778-307742b4a55d}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\dues\Application Data\Mozilla\Firefox\Profiles\vbixfl4y.default\extensions\{0974848a-b5bc-49f2-9778-307742b4a55d}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\dues\Application Data\Mozilla\Firefox\Profiles\vbixfl4y.default\extensions\{770720c8-c640-43ec-b9f6-6de6d151428b}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\dues\Application Data\Mozilla\Firefox\Profiles\vbixfl4y.default\extensions\{770720c8-c640-43ec-b9f6-6de6d151428b}\components\RadioWMPCore.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaDownload.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 23:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(896)
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(3112)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll

- - - - - - - > 'csrss.exe'(816)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-15 23:45:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-16 05:45
ComboFix2.txt 2010-04-16 00:01

Pre-Run: 4,886,671,360 bytes free
Post-Run: 4,882,837,504 bytes free

- - End Of File - - 1D26561CD55F9DA82C740D2EECE6457D





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:44:58, on 16/04/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\dues\Desktop\Virtumond\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2431232
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.es.es-la\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [conime.exe] conime.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5725 bytes



Bests
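The HijackThis log in the post above is what a helper actually reads line by line, so here is an added example (not code from the forum, from Spybot or from Trend Micro) of a small triage script that parses HJT's `Rn`/`On` entry lines and flags three patterns visible in this very log: an IE start or search page whose host is not one of the Microsoft defaults (the search.conduit.com line), an O4 Run entry that names a bare executable instead of a full path (the `conime.exe` line), and any entry whose target is reported as "(file missing)". The sample input is a subset of lines copied from the posted log; the entry regex, the default-host list and the three heuristics are this example's own assumptions, not HijackThis's logic, and a flag means "look at this", not "this is malicious".

```python
"""Triage helper for a HijackThis v2 log (added example, not HJT's own code).

It parses the 'Rn - ...' / 'On - ...' entry lines and flags three patterns
that deserve a human look. The heuristics below are assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2431232
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [conime.exe] conime.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
"""

# HJT prefixes each finding with a section code (R0, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Hosts IE points at out of the box; an assumption made for this example.
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com"}


def parse_entries(log_text):
    """Yield (section, body) for each entry line; headers and process lists are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def check_start_page(section, body):
    """R0/R1: flag a start or search page whose host is not a Microsoft default."""
    if section not in ("R0", "R1"):
        return None
    _, _, url = body.partition(" = ")
    host = urlsplit(url.strip()).hostname
    if host and host not in DEFAULT_HOSTS:
        return f"start/search page points at {host}"
    return None


def check_run_entry(section, body):
    """O4: flag a Run value that names a bare executable instead of a full path.

    A bare name is resolved by search order at logon rather than from a fixed
    location, so the helper should confirm which file actually gets loaded.
    """
    if section != "O4":
        return None
    _, _, command = body.partition("] ")
    if command and "\\" not in command:
        return f"Run entry uses a bare file name: {command}"
    return None


def check_missing_file(section, body):
    """Any section: flag an entry whose target HJT reports as missing on disk."""
    if body.endswith("(file missing)"):
        return "entry references a file that is missing (orphaned registration)"
    return None


CHECKS = (check_start_page, check_run_entry, check_missing_file)


def triage(log_text):
    """Return [(section, reason, body), ...] for every entry that trips a check."""
    findings = []
    for section, body in parse_entries(log_text):
        for check in CHECKS:
            reason = check(section, body)
            if reason:
                findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Run it as `python hjt_triage.py` to print the three findings for the sample; on the full log above it would additionally flag the `nwiz.exe` and `HDAShCut.exe` Run entries, which are bare names too. Extending `DEFAULT_HOSTS`, or adding a vendor allowlist for the O23 service lines, is where a helper would tune it for their own checklist.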

tashi
2010-04-16, 18:44
Hello key,

Please do read the forum FAQ which I have provided a link to several times now.

Open topic: http://forums.spybot.info/showthread.php?t=56874


Please do not start more than one topic for the same computer, during the same period. It will either be removed, closed or merged with your original thread.
Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count. For that reason we may merge such posts but please do not count on it.
Please wait to be advised and Do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806) (Pinned Sticky topic) If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans. :) "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Your username has been edited. FAQ (http://forums.spybot.info/faq.php?faq=vb3_board_faq#faq_software) ;)

Best regards.