Virtumonde.sdn infection, hard to remove

H

hiatus138

New member
Yesterday, SBSD discovered virtumonde infection. I had it fix probs, but then when the computer was restarted, it reappeared. I updated SBSD, and Zonealarm, to current, installed and ran ad-aware, and installed and ran Malwarebytes anti-malware. Re-ran scans, virtumonde was back again.

Then I updated windows from winXP SP2 to SP3, but the install failed, so I rolled that back, and installed all the other windows updates. 9 total i think. I had not updated in a while, because each time in the past that I tried, the install failed, or it broke my computer.
I restarted after each of these changes.
after the last scan, Malwarebytes found 3 other infections, and I had it clean them.
Finally, after one last scan with SBSD, it found virtumonde again, I came here.
Turned off TeaTimer, restarted, ran ERUNT, and then HJT. Here is the report, and thanks

I've been at this for 14 hours now. Thanks for being out there to help us!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:17 AM, on 6/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NETGEAR\WN311T\WN311T.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WN311T.exe] C:\Program Files\NETGEAR\WN311T\WN311T.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustCheckerIE] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'Default user')
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236985826765
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file://E:\components\wmvhdrating.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SpongeBob Diner Dash 2\Images\armhelper.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 6936 bytes
 
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!
 
Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these vendors NOW:

1)Antivir PersonalEdition Classic
2)avast! 4 Home Edition

Download and install only one!


Step # 1: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.



Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include the Uninstall List,C:\ComboFix.txt and a fresh HiJackThis Log in your next reply.

Use multiple posts if you can't fit everything into one post.
 
Hello, and thanks for your help.


I am running ZoneAlarm Extreme Security Antivirus/antispyware/firewall. It is updated to current definitions, and it was installed and active at the time I ran the HJT report.
Is there a chance it has been disabled by virtumonde?

I am following the steps now. will reply soon.
 
hiatus138 said:
I am running ZoneAlarm Extreme Security Antivirus/antispyware/firewall. It is updated to current definitions, and it was installed and active at the time I ran the HJT report.
Is there a chance it has been disabled by virtumonde?
Click to expand...

It shouldn't have been. Since you have an Anti-Virus installed, then no need to install a new one. Just do Steps 1 and 2. :)
 
Here are the 3 reports: thanks.


Uninstall List:

7-Zip 4.65
Acrobat.com
Acrobat.com
ACS495
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Backup Dell-Installed Programs
Bonjour
Canon iP2600 series
Canon iP2600 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Casual Game MEGA Pack
Conexant HCF V90 56K RTAD Speakerphone PCI Modem (Uninstall)
Cosmic Ball version 2.1.0
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
DellTouch
Diner Dash
Diner Dash - Hometown Hero
DVD Decrypter (Remove Only)
EAGLE 5.4.0
ERUNT 1.1j
Google SketchUp 6
Google SketchUp 6
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hoyle Board Games 2005
iDump (Backing up your iPod)
iTunes
J2SE Runtime Environment 5.0 Update 2
Japanese Fonts Support For Adobe Reader 9
Jardinains 2!
Java(TM) 6 Update 13
Java(TM) 6 Update 7
LEGO Builder Bots
LEGO Racers
LEGO Racers 2
Macromedia Flash Player 8
Mad Tracks Demo
Mah Jong Solitaire 2 V1.11
Malwarebytes' Anti-Malware
MicroMachines V4
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft IntelliPoint
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Motocross Madness 2
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
MobileMe Control Panel
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero Suite
NETGEAR WN311T Wireless PCI Adapter
NetStorm
NVIDIA Drivers
OLYMPUS CAMEDIA Master 4.1
OpenAL
OpenExpert 1.40
OpenOffice.org 3.0
PC Inspector smart recovery
PIXMA Extended Survey Program
Registry Mechanic
Risk II
Rollcage
Rollcage Stage II Demo
ROM CHECK FAIL 1.0
Safari
Santa Cruz
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Spybot - Search & Destroy
SpywareBlaster 4.2
Swarm Racer 2.0
TAGAP
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC 9.0 Runtime
VC 9.0 Runtime
WallMaster
Wild Wheels
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Uninstall
WinLems 1.24
WinZip
xat.com JPEG Optimizer
ZoneAlarm Extreme Security



ComboFix 09-06-26.02 - windows 06/28/2009 11:19.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.242 [GMT -7:00]
Running from: c:\documents and settings\windows\Desktop\ComboFix.exe
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\windows\Application Data\inst.exe
c:\windows\start.exe
c:\windows\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-22 06:57 . 2009-06-22 06:57 -------- d-----w- c:\program files\Trend Micro
2009-06-22 06:53 . 2009-06-22 06:53 -------- d-----w- c:\program files\ERUNT
2009-06-22 04:45 . 2009-04-29 04:31 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-22 04:45 . 2009-04-29 04:31 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-22 02:39 . 2009-02-09 10:20 453120 ----a-w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-22 02:38 . 2008-12-11 11:57 333184 ----a-w- c:\windows\system32\drivers\srv.sys
2009-06-22 00:22 . 2009-06-22 00:22 -------- d-----w- c:\documents and settings\windows\Application Data\Malwarebytes
2009-06-22 00:22 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 00:22 . 2009-06-22 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-22 00:22 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 00:22 . 2009-06-22 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-21 23:39 . 2009-06-21 23:39 -------- d-----w- c:\documents and settings\windows\Downloads
2009-06-15 14:53 . 2009-06-15 14:54 -------- d-----w- c:\program files\iTunes
2009-06-15 07:57 . 2009-06-15 07:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-08 10:20 . 2009-06-08 10:20 -------- d-----w- C:\HOTEL_FOR_DOGS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 18:37 . 2009-04-25 18:11 144 ----a-w- c:\windows\system32\pdfl.dat
2009-06-28 18:37 . 2007-09-01 22:57 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-28 18:31 . 2007-09-01 22:57 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-28 18:31 . 2007-09-01 22:57 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-23 06:30 . 2009-06-23 14:10 1009664 ------w- c:\windows\Internet Logs\xDB1C.tmp
2009-06-20 00:16 . 2008-11-20 04:15 1 ----a-w- c:\documents and settings\windows\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-12 06:00 . 2009-06-12 21:15 243712 ------w- c:\windows\Internet Logs\xDB1B.tmp
2009-06-07 14:55 . 2009-06-07 14:55 87359 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_06_07_07_34_39_small.dmp.zip
2009-06-07 14:34 . 2009-06-07 14:49 3474432 ------w- c:\windows\Internet Logs\xDB1A.tmp
2009-06-07 14:34 . 2009-06-07 14:49 275456 ------w- c:\windows\Internet Logs\xDB19.tmp
2009-05-31 19:38 . 2009-05-31 19:37 170841 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_05_31_12_31_28_small.dmp.zip
2009-05-31 11:48 . 2009-05-31 13:54 1784832 ------w- c:\windows\Internet Logs\xDB18.tmp
2009-05-16 05:21 . 2009-05-16 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-16 05:18 . 2009-05-16 05:18 -------- d-----w- c:\program files\Bonjour
2009-05-14 07:27 . 2009-05-16 04:11 1693696 ------w- c:\windows\Internet Logs\xDB17.tmp
2009-05-07 15:44 . 2009-06-22 02:39 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 03:40 . 2009-05-05 03:40 152576 ----a-w- c:\documents and settings\windows\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-29 04:31 . 2005-10-15 03:28 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-25 18:11 . 2009-04-25 18:11 80 ----a-w- c:\windows\system32\ibfl.dat
2009-04-25 18:11 . 2009-04-25 18:11 144 ----a-w- c:\windows\system32\lkfl.dat
2009-04-17 09:58 . 2009-06-22 02:39 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-10-15 03:18 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-03 05:40 . 2009-04-03 05:39 13559612 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_19_full.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51298 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_16_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51234 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_13_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51165 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_10_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51243 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_05_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51210 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_02_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51207 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_07_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51127 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_32_59_small.dmp.zip
2009-04-03 05:34 . 2007-11-01 17:09 20742883 ------w- c:\windows\Internet Logs\tvDebug.zip
2009-04-03 05:22 . 2009-04-03 05:34 3357696 ------w- c:\windows\Internet Logs\xDB16.tmp
2009-04-03 05:22 . 2009-04-03 05:34 532992 ------w- c:\windows\Internet Logs\xDB15.tmp
2009-04-01 03:40 . 2008-12-03 03:35 47360 ----a-w- c:\documents and settings\windows\Application Data\pcouffin.sys
2009-04-01 03:40 . 2008-12-03 03:35 47360 ----a-w- c:\documents and settings\windows\Application Data\pcouffin.sys
2009-04-01 02:20 . 2007-09-01 22:57 72584 ----a-w- c:\windows\zllsputility.exe
2009-04-01 02:20 . 2008-12-20 07:52 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-04-01 02:20 . 2008-12-20 07:52 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-04-01 02:20 . 2008-12-20 07:52 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2008-04-12 17:22 . 2007-09-12 03:59 143 ----a-w- c:\program files\mw.cfg
2005-03-04 05:44 . 2005-03-04 05:44 11079 ---h--w- c:\program files\folder.htt
2003-10-31 19:34 . 2007-09-05 01:16 4287671 ----a-w- c:\program files\Mario Worlds.exe
2008-05-27 04:27 . 2008-05-27 04:27 0 --sha-w- c:\windows\All Users\DRM\Cache\Indiv01.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-07-03 13:16 8454656 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WN311T.exe"="c:\program files\NETGEAR\WN311T\WN311T.exe" [2006-09-29 659456]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-04-01 982408]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZAFFRegisterTrustChecker"="-s" [X]
"ZAFFRegisterTrustCheckerIE"="-s" [X]

c:\documents and settings\windows\Start Menu\Programs\Startup\
WallMaster.lnk - c:\program files\WallMaster\wallmast.exe [2008-6-1 288256]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Mozilla Quick Launch"="c:\progra~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"VSOCheckTask"="c:\progra~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
"MCAgentExe"=c:\progra~1\MCAFEE.COM\AGENT\mcagent.exe
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"TIPS"=c:\progra~1\MICROS~1\tips\mouse\tips.exe
"MCUpdateExe"=c:\progra~1\MCAFEE.COM\AGENT\McUpdate.exe
"McRegWiz"=c:\progra~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2/12/2009 3:12 AM 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [2/12/2009 3:12 AM 394632]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2/12/2009 3:11 AM 54928]
R3 NETMW145;NETGEAR WN311T;c:\windows\SYSTEM32\DRIVERS\NETMW145.sys [3/16/2008 11:29 AM 435456]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [10/15/2005 5:00 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [10/15/2005 5:00 PM 545088]
S1 ANVIOCTL;ANVIOCTL;c:\windows\SYSTEM32\DRIVERS\anvioctl.sys [6/24/2008 12:28 AM 231480]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [10/15/2005 5:00 PM 19232]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SPCI\VEN_1013&DEV_6003&SUBSYS_33575053&REV_01\38F000

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SYSTEM\blank.htm
mWindow Title =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\windows\Application Data\Mozilla\Firefox\Profiles\os3tb7c7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\windows\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 11:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(424)
c:\windows\system32\iac25_32.ax
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(480)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'explorer.exe'(564)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\program files\Zone Labs\ZoneAlarm\MailFrontier\mlfhook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\CANON\IJPLM\IJPLMSVC.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
c:\program files\CheckPoint\ZAForceField\forcefield.exe
c:\windows\system32\wscntfy.exe
c:\program files\CheckPoint\ZAForceField\ISWMGR.exe
c:\program files\CheckPoint\ZAForceField\ISWMGR.exe
.
**************************************************************************
.
Completion time: 2009-06-28 11:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 18:42

Pre-Run: 236,648,169,472 bytes free
Post-Run: 238,908,375,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,4,5,6,7,8,9,10
222 --- E O F --- 2009-06-22 05:15


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:54 AM, on 6/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NETGEAR\WN311T\WN311T.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [WN311T.exe] C:\Program Files\NETGEAR\WN311T\WN311T.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustCheckerIE] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'Default user')
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236985826765
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file://E:\components\wmvhdrating.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SpongeBob Diner Dash 2\Images\armhelper.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 6953 bytes
 
Step # 1: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    KILLALL::

File::

c:\windows\Internet Logs\xDB1C.tmp
c:\windows\Internet Logs\xDB1B.tmp
c:\windows\Internet Logs\xDB1A.tmp
c:\windows\Internet Logs\xDB19.tmp
c:\windows\Internet Logs\xDB18.tmp
c:\windows\Internet Logs\xDB17.tmp
c:\windows\Internet Logs\xDB16.tmp
c:\windows\Internet Logs\xDB15.tmp

FixCSet::

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    CFScriptB-4.gif



    Note: This CFScript is for use on hiatus138's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh HiJackThis Log taken after Step 1 has been completed.
 
Here are the reports:

ComboFix 09-06-26.02 - windows 06/30/2009 7:58.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.207 [GMT -7:00]
Running from: c:\documents and settings\windows\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\windows\Desktop\cfscript.txt
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point

FILE ::
"c:\windows\Internet Logs\xDB15.tmp"
"c:\windows\Internet Logs\xDB16.tmp"
"c:\windows\Internet Logs\xDB17.tmp"
"c:\windows\Internet Logs\xDB18.tmp"
"c:\windows\Internet Logs\xDB19.tmp"
"c:\windows\Internet Logs\xDB1A.tmp"
"c:\windows\Internet Logs\xDB1B.tmp"
"c:\windows\Internet Logs\xDB1C.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Internet Logs\xDB15.tmp
c:\windows\Internet Logs\xDB16.tmp
c:\windows\Internet Logs\xDB17.tmp
c:\windows\Internet Logs\xDB18.tmp
c:\windows\Internet Logs\xDB19.tmp
c:\windows\Internet Logs\xDB1A.tmp
c:\windows\Internet Logs\xDB1B.tmp
c:\windows\Internet Logs\xDB1C.tmp

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-28 18:38 . 2009-06-28 18:38 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-22 06:57 . 2009-06-22 06:57 -------- d-----w- c:\program files\Trend Micro
2009-06-22 06:53 . 2009-06-22 06:53 -------- d-----w- c:\program files\ERUNT
2009-06-22 04:45 . 2009-04-29 04:31 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-22 04:45 . 2009-04-29 04:31 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-22 02:39 . 2009-02-09 10:20 453120 ----a-w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-22 02:38 . 2008-12-11 11:57 333184 ----a-w- c:\windows\system32\drivers\srv.sys
2009-06-22 00:22 . 2009-06-22 00:22 -------- d-----w- c:\documents and settings\windows\Application Data\Malwarebytes
2009-06-22 00:22 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 00:22 . 2009-06-22 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-22 00:22 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 00:22 . 2009-06-22 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-21 23:39 . 2009-06-21 23:39 -------- d-----w- c:\documents and settings\windows\Downloads
2009-06-15 14:53 . 2009-06-15 14:54 -------- d-----w- c:\program files\iTunes
2009-06-15 07:57 . 2009-06-15 07:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-08 10:20 . 2009-06-08 10:20 -------- d-----w- C:\HOTEL_FOR_DOGS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 15:11 . 2009-04-25 18:11 144 ----a-w- c:\windows\system32\pdfl.dat
2009-06-30 15:05 . 2007-09-01 22:57 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-30 15:05 . 2007-09-01 22:57 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-29 23:30 . 2009-06-30 14:29 56832 ------w- c:\windows\Internet Logs\xDB1E.tmp
2009-06-28 21:55 . 2007-09-01 22:57 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-28 21:49 . 2009-06-28 21:50 165376 ------w- c:\windows\Internet Logs\xDB1D.tmp
2009-06-20 00:16 . 2008-11-20 04:15 1 ----a-w- c:\documents and settings\windows\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-07 14:55 . 2009-06-07 14:55 87359 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_06_07_07_34_39_small.dmp.zip
2009-05-31 19:38 . 2009-05-31 19:37 170841 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_05_31_12_31_28_small.dmp.zip
2009-05-16 05:21 . 2009-05-16 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-16 05:18 . 2009-05-16 05:18 -------- d-----w- c:\program files\Bonjour
2009-05-07 15:44 . 2009-06-22 02:39 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 03:40 . 2009-05-05 03:40 152576 ----a-w- c:\documents and settings\windows\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-29 04:31 . 2005-10-15 03:28 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-25 18:11 . 2009-04-25 18:11 80 ----a-w- c:\windows\system32\ibfl.dat
2009-04-25 18:11 . 2009-04-25 18:11 144 ----a-w- c:\windows\system32\lkfl.dat
2009-04-17 09:58 . 2009-06-22 02:39 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-10-15 03:18 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-03 05:40 . 2009-04-03 05:39 13559612 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_19_full.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51298 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_16_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51234 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_13_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51165 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_10_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51243 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_05_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51210 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_02_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51207 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_33_07_small.dmp.zip
2009-04-03 05:39 . 2009-04-03 05:39 51127 ------w- c:\windows\Internet Logs\vsmon_2nd_2009_04_02_22_32_59_small.dmp.zip
2009-04-03 05:34 . 2007-11-01 17:09 20742883 ------w- c:\windows\Internet Logs\tvDebug.zip
2008-04-12 17:22 . 2007-09-12 03:59 143 ----a-w- c:\program files\mw.cfg
2005-03-04 05:44 . 2005-03-04 05:44 11079 ---h--w- c:\program files\folder.htt
2003-10-31 19:34 . 2007-09-05 01:16 4287671 ----a-w- c:\program files\Mario Worlds.exe
2008-05-27 04:27 . 2008-05-27 04:27 0 --sha-w- c:\windows\All Users\DRM\Cache\Indiv01.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-06-28_18.35.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 15:06 . 2009-06-30 15:06 16384 c:\windows\TEMP\Perflib_Perfdata_708.dat
+ 2009-04-25 18:17 . 2009-06-30 15:07 72672 c:\windows\SYSTEM32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-06-28 18:38 . 2008-10-16 21:09 51224 c:\windows\SYSTEM32\dllcache\cache\wuauclt.exe
+ 2009-06-28 18:38 . 2004-08-04 19:00 82944 c:\windows\SYSTEM32\dllcache\cache\ws2_32.dll
+ 2009-06-28 18:38 . 2004-08-04 19:00 24576 c:\windows\SYSTEM32\dllcache\cache\userinit.exe
+ 2009-06-28 18:38 . 2004-08-04 19:00 14336 c:\windows\SYSTEM32\dllcache\cache\svchost.exe
+ 2009-06-28 18:38 . 2005-06-10 23:53 57856 c:\windows\SYSTEM32\dllcache\cache\spoolsv.exe
+ 2009-06-28 18:38 . 2004-08-04 19:00 17408 c:\windows\SYSTEM32\dllcache\cache\powrprof.dll
+ 2009-06-28 18:38 . 2004-08-04 19:00 13312 c:\windows\SYSTEM32\dllcache\cache\lsass.exe
+ 2009-06-28 18:38 . 2004-08-04 19:00 24576 c:\windows\SYSTEM32\dllcache\cache\kbdclass.sys
+ 2009-06-28 18:38 . 2004-08-04 19:00 29056 c:\windows\SYSTEM32\dllcache\cache\ip6fw.sys
+ 2009-06-28 18:38 . 2004-08-04 19:00 15360 c:\windows\SYSTEM32\dllcache\cache\ctfmon.exe
+ 2009-06-28 18:38 . 2004-08-04 19:00 502272 c:\windows\SYSTEM32\dllcache\cache\winlogon.exe
+ 2009-06-28 18:38 . 2009-04-29 04:31 668160 c:\windows\SYSTEM32\dllcache\cache\wininet.dll
+ 2009-06-28 18:38 . 2007-03-08 14:36 577536 c:\windows\SYSTEM32\dllcache\cache\user32.dll
+ 2009-06-28 18:38 . 2004-08-04 19:00 295424 c:\windows\SYSTEM32\dllcache\cache\termsrv.dll
+ 2009-06-28 18:38 . 2008-06-20 10:45 360320 c:\windows\SYSTEM32\dllcache\cache\tcpip.sys
+ 2009-06-28 18:38 . 2009-02-06 17:14 110592 c:\windows\SYSTEM32\dllcache\cache\services.exe
+ 2009-06-28 18:38 . 2004-08-04 19:00 182912 c:\windows\SYSTEM32\dllcache\cache\ndis.sys
+ 2009-06-28 18:38 . 2009-03-21 14:18 986112 c:\windows\SYSTEM32\dllcache\cache\kernel32.dll
+ 2009-06-28 18:38 . 2004-08-04 19:00 110080 c:\windows\SYSTEM32\dllcache\cache\imm32.dll
+ 2009-06-30 14:30 . 2009-06-30 14:30 188416 c:\windows\ERDNT\AutoBackup\6-30-2009\Users\00000002\UsrClass.dat
+ 2009-06-30 14:30 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\6-30-2009\ERDNT.EXE
+ 2009-06-29 23:19 . 2009-06-29 23:19 188416 c:\windows\ERDNT\AutoBackup\6-29-2009\Users\00000002\UsrClass.dat
+ 2009-06-29 23:19 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\6-29-2009\ERDNT.EXE
+ 2009-06-28 18:38 . 2004-08-04 19:00 1580544 c:\windows\SYSTEM32\dllcache\cache\sfcfiles.dll
+ 2009-06-28 18:38 . 2009-02-06 17:24 2180480 c:\windows\SYSTEM32\dllcache\cache\ntoskrnl.exe
+ 2009-06-28 18:38 . 2009-02-06 16:49 2057728 c:\windows\SYSTEM32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-28 18:38 . 2007-06-13 09:23 1033216 c:\windows\SYSTEM32\dllcache\cache\explorer.exe
+ 2009-06-30 14:29 . 2009-06-30 14:30 10682368 c:\windows\ERDNT\AutoBackup\6-30-2009\Users\00000001\ntuser.dat
+ 2009-06-29 23:19 . 2009-06-29 23:19 10682368 c:\windows\ERDNT\AutoBackup\6-29-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-07-03 13:16 8454656 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WN311T.exe"="c:\program files\NETGEAR\WN311T\WN311T.exe" [2006-09-29 659456]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-04-01 982408]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZAFFRegisterTrustChecker"="-s" [X]
"ZAFFRegisterTrustCheckerIE"="-s" [X]

c:\documents and settings\windows\Start Menu\Programs\Startup\
WallMaster.lnk - c:\program files\WallMaster\wallmast.exe [2008-6-1 288256]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Mozilla Quick Launch"="c:\progra~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"VSOCheckTask"="c:\progra~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
"MCAgentExe"=c:\progra~1\MCAFEE.COM\AGENT\mcagent.exe
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"TIPS"=c:\progra~1\MICROS~1\tips\mouse\tips.exe
"MCUpdateExe"=c:\progra~1\MCAFEE.COM\AGENT\McUpdate.exe
"McRegWiz"=c:\progra~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2/12/2009 3:12 AM 21136]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2/12/2009 3:11 AM 54928]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [10/15/2005 5:00 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [10/15/2005 5:00 PM 545088]
S1 ANVIOCTL;ANVIOCTL;c:\windows\SYSTEM32\DRIVERS\anvioctl.sys [6/24/2008 12:28 AM 231480]
S3 NETMW145;NETGEAR WN311T;c:\windows\SYSTEM32\DRIVERS\NETMW145.sys [3/16/2008 11:29 AM 435456]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [10/15/2005 5:00 PM 19232]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SPCI\VEN_1013&DEV_6003&SUBSYS_33575053&REV_01\38F000

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SYSTEM\blank.htm
mWindow Title =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\windows\Application Data\Mozilla\Firefox\Profiles\os3tb7c7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\windows\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 08:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(372)
c:\windows\system32\iac25_32.ax
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(428)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'explorer.exe'(3296)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\program files\Zone Labs\ZoneAlarm\MailFrontier\mlfhook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ZONELABS\VSMON.EXE
c:\windows\SYSTEM32\ZONELABS\AVSYS\SCANNINGPROCESS.EXE
c:\program files\CHECKPOINT\ZAFORCEFIELD\ISWSVC.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\CANON\IJPLM\IJPLMSVC.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\IPOD\BIN\IPODSERVICE.EXE
c:\program files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
.
**************************************************************************
.
Completion time: 2009-06-30 8:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 15:28
ComboFix2.txt 2009-06-28 18:43

Pre-Run: 238,716,878,848 bytes free
Post-Run: 238,675,951,616 bytes free

252 --- E O F --- 2009-06-22 05:15






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:23 PM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NETGEAR\WN311T\WN311T.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [WN311T.exe] C:\Program Files\NETGEAR\WN311T\WN311T.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustCheckerIE] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'Default user')
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236985826765
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file://E:\components\wmvhdrating.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SpongeBob Diner Dash 2\Images\armhelper.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 6970 bytes
 
Registry Cleaners

Re. Registry Mechanic

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners:

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.
Click to expand...

http://forums.whatthetech.com/Regcleaner_t42862.html

I recommend that you uninstall Registry Mechanic
 from your computer.


Step # 1 Remove old versions of Java

Older Java versions have vulnerabilities and need to be removed.

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

J2SE Runtime Environment 5.0 Update 2

Java(TM) 6 Update 7

Reboot your Computer.


Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3: Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Step # 4 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log
 
Ta-Da!


Malwarebytes' Anti-Malware 1.38
Database version: 2360
Windows 5.1.2600 Service Pack 2

7/1/2009 7:22:45 PM
mbam-log-2009-07-01 (19-22-45).txt

Scan type: Quick Scan
Objects scanned: 83667
Time elapsed: 14 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:18 PM, on 7/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NETGEAR\WN311T\WN311T.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [WN311T.exe] C:\Program Files\NETGEAR\WN311T\WN311T.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustCheckerIE] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'Default user')
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236985826765
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file://E:\components\wmvhdrating.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SpongeBob Diner Dash 2\Images\armhelper.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 6969 bytes
 
Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

  • First, go to Add/Remove Programs and uninstall all previous versions.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.1.2 is a large program and if you prefer a smaller program you can get Foxit 3.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.0 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?
 
So here are the reports, also last night I updated and ran spybot, and it found nothing.

Icwtech was my old dial up provider. Hasn't been used in like 5 years. Are these items that kaspersky found old, or just where this stuff is hiding?

Boy this stuff is tough. I thought I was well protected, what with zonealarm, Spybot, and using firefox, with Noscript plugin. What would we do without folks like you! I can't thank you enough.

I did uninstall registry mechanic, which i never had used anyhow, and uninstalled old Java, and Acrobat, and updated them.

the computer seems to be ok. it doesn't do anything unexpected.

How concerned do I need to be about my personal information having been stolen? I don't save passwords on the comp, and keep browsing history cleaned up, but some of these infections are keyloggers, yes? I havent done any banking or billpaying since the infection, just email and browsing.

Should I change all my passwords, or wait until this is all done?

Also, when I have zonealarm turned off, for scans, I've been disabling my wireless adapter, my only web connection. can spies / virus still use it while it's disabled in device manager?

million questions.... thanks again.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 03, 2009 08:04:10
Records in database: 2417671
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 94057
Threat name: 6
Infected objects: 23
Suspicious objects: 1
Duration of the scan: 02:53:23


File name / Threat name / Threats count
C:\Documents and Settings\windows\Application Data\Mozilla\Profiles\default\nrx2lg2v.slt\Mail\pop3.icwtech-2.com\Inbox Infected: Trojan-Spy.HTML.Paylap.bj 7
C:\Documents and Settings\windows\Application Data\Mozilla\Profiles\default\nrx2lg2v.slt\Mail\pop3.icwtech-2.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.ds 1
C:\Documents and Settings\windows\Application Data\Mozilla\Profiles\default\nrx2lg2v.slt\Mail\pop3.icwtech-2.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ci 1
C:\Documents and Settings\windows\Application Data\Mozilla\Profiles\default\nrx2lg2v.slt\Mail\pop3.icwtech-2.com\Inbox Infected: Trojan-Spy.HTML.Paylap.dl 1
C:\Documents and Settings\windows\Application Data\Mozilla\Profiles\default\nrx2lg2v.slt\Mail\pop3.icwtech-2.com\Junk Infected: Trojan-Spy.HTML.Paylap.dl 1
C:\Documents and Settings\windows\Application Data\Thunderbird\Profiles\6itf5vz9.default\Mail\pop3.icwtech.com\Inbox Infected: Trojan-Spy.HTML.Paylap.bj 7
C:\Documents and Settings\windows\Application Data\Thunderbird\Profiles\6itf5vz9.default\Mail\pop3.icwtech.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.ds 1
C:\Documents and Settings\windows\Application Data\Thunderbird\Profiles\6itf5vz9.default\Mail\pop3.icwtech.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ci 1
C:\Documents and Settings\windows\Application Data\Thunderbird\Profiles\6itf5vz9.default\Mail\pop3.icwtech.com\Inbox Infected: Trojan-Spy.HTML.Paylap.dl 1
C:\Documents and Settings\windows\Application Data\Thunderbird\Profiles\6itf5vz9.default\Mail\pop3.icwtech.com\Junk Infected: Trojan-Spy.HTML.Paylap.dl 1
C:\Documents and Settings\windows\Application Data\Thunderbird\Profiles\6itf5vz9.default\Mail\pop3.icwtech-2.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\windows\Application Data\Thunderbird\Profiles\6itf5vz9.default\Mail\pop3.icwtech-2.com\Inbox Infected: Trojan-Spy.HTML.Paylap.bw 1

The selected area was scanned.







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:24 AM, on 7/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NETGEAR\WN311T\WN311T.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [WN311T.exe] C:\Program Files\NETGEAR\WN311T\WN311T.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustCheckerIE] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'Default user')
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236985826765
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file://E:\components\wmvhdrating.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SpongeBob Diner Dash 2\Images\armhelper.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 7372 bytes
 
In addition to the steps above, overnight I allowed zonealarm to do a deep scan for virus/spyware. It found 4 spies:

Power spy was found in
File: C:\Documents and Settings\All Users\Start Menu\Programs\Games\Cosmic Ball\Uninstall Cosmic Ball.lnk
File: C:\Program Files\Cosmic Ball\unins000.exe
which is a game we have had installed for years.

win32.hllw.spreader.17 was found in
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP310\A0126766.exe
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP310\A0126854.EXE
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP311\A0127010.EXE
Directory: C:\Documents and Settings\windows\Application Data\Malwarebytes

win32.trojan.generic.1265979 was found in
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP304\A0119249.sys

and win32.trojan.killav.ko was found in
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP309\A0126716.exe
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP309\A0126717.exe
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP309\A0126718.exe
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP310\A0126726.exe
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP310\A0126727.exe
File: C:\System Volume Information\_restore{7483A73D-2B48-4C3A-8E72-2DEFA16B4FB3}\RP310\A0126937.exe




I had zonealarm quarantine them, but are they just records of what we've been doing? the system restores points?

Should I restore them? delete them?
 
Icwtech was my old dial up provider. Hasn't been used in like 5 years. Are these items that kaspersky found old, or just where this stuff is hiding?
Click to expand...

Kaspersky found old e-mails in your Thunderbird/Mozilla mail folders that most likely have attachments that Kaspersky picked up as infected. Go ahead and open up Thunderbird/Mozilla Mail and delete all the e-mails that are in your Junk/Bulk/Spam folder. Then open up your Inbox and delete e-mails that you no longer need.


How concerned do I need to be about my personal information having been stolen? I don't save passwords on the comp, and keep browsing history cleaned up, but some of these infections are keyloggers, yes? I havent done any banking or billpaying since the infection, just email and browsing.

Should I change all my passwords, or wait until this is all done?
Click to expand...

Your passwords and/or personal information should be ok as none of the infections you had were keyloggers. For peace of mind, you can change your passwords if you wish. If you decide to do that, I would change them from another computer that is clean, just to be on the safe side. But you should be ok changing them from the computer we've been working on.

Also, when I have zonealarm turned off, for scans, I've been disabling my wireless adapter, my only web connection. can spies / virus still use it while it's disabled in device manager?
Click to expand...

Since you disabled your internet connection, any malware/spyware you had would be dead, since they need an active internet connection in order to download/bring more baddies to your computer. You did the right thing disabling your connection. :bigthumb:


I had zonealarm quarantine them, but are they just records of what we've been doing? the system restores points?

Should I restore them? delete them?
Click to expand...

It sounds like the Power Spy findings may be a false positive, since you say you've had the game installed for years and no other scan has brought it up till now.

The infected System Restore points that ZoneAlarm are harmless where they were and are. Since ZA quarantined them you can go ahead and delete them from ZA's quarantine.

In an upcoming post, I'll show you how to remove any other infected System Restore points and set up a new, clean one.
 
km2357 said:
Kaspersky found old e-mails in your Thunderbird/Mozilla mail folders that most likely have attachments that Kaspersky picked up as infected. Go ahead and open up Thunderbird/Mozilla Mail and delete all the e-mails that are in your Junk/Bulk/Spam folder. Then open up your Inbox and delete e-mails that you no longer need.
Click to expand...

As I have neither mozilla or thunderbird installed anymore, I went in and deleted the entire pop3 icwtech folders. I didn't remove yhe mozilla or thunderbird folders, since it looked like firefox was using the mozilla folder also. simply deleting the folders will take care of it?

Have a good 4th? (are you in the USA?)
 
You can go ahead and delete what is in ZoneAlarm's quarantine.

As I have neither mozilla or thunderbird installed anymore, I went in and deleted the entire pop3 icwtech folders. I didn't remove yhe mozilla or thunderbird folders, since it looked like firefox was using the mozilla folder also. simply deleting the folders will take care of it?
Click to expand...

Yes, deleting those pop3 icwtech folders took care of the problem. :)

Have a good 4th? (are you in the USA?)
Click to expand...

Yes, I live in the USA and I had a good time on the 4th. Thanks for asking. :bigthumb:
 
Success?!

I have run "deep scan" with spybot s&d, zonealarm (virus+spyware), and malwarebytes. all clean! Anything else I should look for? I assume it's ok to turn teatimer back on? are we all done?

Thank you so much for your help!

-Gene
 
If there are no more problems, then you are good to go. :)

You can go ahead and turn on Tea Timer again.

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK

Empty your Recycle Bin.


Since your computer looks to be clean, now would be a good time to upgrade to Windows XP SP3. To do to that, go to Windows Update and download and install SP3. Once that is done, reboot your computer and go back to Windows Update and download all the critical updates listed. Reboot once they are installed and repeat until they are no more critical updates left to download.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.
.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it asks you if you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please checkHide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button on the task bar at the bottom of your screen
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then doubleclick it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok..
  • Use an alternative instant messenger program.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
    Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
 
You must log in or register to reply here.
Back
Top