
Thread: Infected with Malware

  1. #1
    Member
    Join Date
    Dec 2007
    Posts
    30

    Infected with Malware

    Hi, I've recently noticed some pop up messages from ZoneAlarm indicating that certain files want to gain access to my system. In addition, Windows Security Alerts is always asking me to get new updates when I normally have automatic updates off. Not really sure what I am infected with.

    Much thanks in advance for your help.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:35:50 PM, on 9/10/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\SiSAudUt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\sys32_nov.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Documents and Settings\L\sys32_nov.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\system32\SiSAudUt.exe -wdm
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\L\sys32_nov.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: ikowin32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.clubbox.co.kr
    O15 - Trusted Zone: http://forums.spybot.info
    O16 - DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} (NowStarter2 Control) - http://sticube.clubbox.co.kr/sticube...owStarter2.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1252612289843
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=26688
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6816 bytes

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello

    Welcome to Safer Networking.

    Please read Before You Post
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

    Two questions:
    1. Why do you have SuperAntiSpyware installed and have not run it to remove some of this junk?

    2. Why do you not have any antivirus program installed? With the latest threats going around, going online without one is kind of suicidal.


    Install just one of these free ones.







    Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)

    O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\L\sys32_nov.exe

    O4 - Startup: ikowin32.exe


    If you want this one in your trusted zone then leave it be:
    O15 - Trusted Zone: http://*.clubbox.co.kr


    Open up SuperAntiSpyware, check for updates and run a scan, post the log and a new HJT log please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
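    The four O4 entries fixed in the post above share traits that a triage script can check for. The following Python is an added example, not part of this thread and not HijackThis's own code: it parses the O4 lines of the first HijackThis log posted here (embedded below as sample input) and flags entries using heuristics that are my own assumptions, not HijackThis rules: an executable launched from the root of a user profile, the same value name registered under both HKLM and HKCU, a Run value that launches an administrative tool (the ADMIN_TOOLS set is my choice), and a bare executable in the Startup folder with no shortcut target.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Sample input: the O4 lines from the first HijackThis log in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\system32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\L\sys32_nov.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: ikowin32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Registry autostart entry: O4 - <hive>\..\<Run key>: [<value name>] <command line>
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# Startup-folder entry: either "<name>.lnk = <target>" or a bare file name
STARTUP_RE = re.compile(r"^O4 - (?P<kind>Global Startup|Startup): (?P<item>.*)$")
# First executable on a command line, quoted or not
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?:\s|$)', re.I)
# Executable sitting directly in a user profile root (XP layout), e.g. C:\Documents and Settings\L\x.exe
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I)
# Heuristic (assumption): nothing legitimate registers an interactive registry editor as a Run value
ADMIN_TOOLS = {"regedit.exe", "regedt32.exe", "cmd.exe"}


@dataclass
class Finding:
    line: str
    reasons: List[str]


def exe_path(cmd: str):
    """Return the executable path at the start of a command line, or None."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else None


def triage_o4(log_text: str) -> List[Finding]:
    """Return the O4 entries that trip at least one heuristic, with the reasons."""
    reg_entries = []
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_RE.match(line)
        if m:
            reg_entries.append((line, m.group("hive"), m.group("key"), m.group("name"), m.group("cmd")))
            continue
        m = STARTUP_RE.match(line)
        if m and "=" not in m.group("item"):
            # Installers drop .lnk shortcuts; a bare executable in the Startup folder is unusual
            findings.append(Finding(line, ["bare executable in Startup folder (no shortcut target)"]))

    # Count value names registered under the Run key of both the machine and the user hive
    run_names = Counter(
        name.lower() for _, hive, key, name, _ in reg_entries
        if hive in ("HKLM", "HKCU") and key == "Run"
    )
    for line, hive, key, name, cmd in reg_entries:
        reasons = []
        path = exe_path(cmd)
        if path and PROFILE_ROOT_RE.match(path):
            reasons.append("executable launched from the root of a user profile")
        if hive in ("HKLM", "HKCU") and key == "Run" and run_names[name.lower()] > 1:
            reasons.append("same value name registered under both HKLM and HKCU")
        if path and path.rsplit("\\", 1)[-1].lower() in ADMIN_TOOLS:
            reasons.append("autostart of an administrative tool")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

    Run against the sample above, the script flags exactly the four O4 lines the helper listed for fixing and leaves the vendor entries, the per-user RunNarrator RunOnce values and the .lnk startup shortcuts alone. The heuristics are deliberately narrow; a (no file) BHO or an orphaned service, which HijackThis also reports, needs different checks.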

  3. #3
    Member
    Join Date
    Dec 2007
    Posts
    30


    Hi there, thanks so much for your time and help.

    To answer your questions first: I had previously used Malwarebytes Antimalware to do a scan and had removed some junk. I guess it wasn't good enough. I also thought that having ZoneAlarm was sufficient. I have now downloaded AVG and installed it on my computer.

    I did 2 scans with SuperAntiSpyware. The first was after using HJT to fix the items you mentioned. The second scan was after doing a full scan using AVG.


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/14/2009 at 01:50 PM

    Application Version : 4.27.1002

    Core Rules Database Version : 4098
    Trace Rules Database Version: 2039

    Scan type : Complete Scan
    Total Scan Time : 00:56:30

    Memory items scanned : 482
    Memory threats detected : 0
    Registry items scanned : 5276
    Registry threats detected : 0
    File items scanned : 13811
    File threats detected : 5

    Trojan.Agent/Gen-Sys32[Nov]
    C:\DOCUMENTS AND SETTINGS\L\SYS32_NOV.EXE
    C:\WINDOWS\SYSTEM32\SYS32_NOV.EXE
    C:\WINDOWS\Prefetch\SYS32_NOV.EXE-22742382.pf
    C:\WINDOWS\Prefetch\SYS32_NOV.EXE-2429F1E9.pf

    Trojan.Agent/Gen-SOJ
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP512\A0060591.EXE


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/14/2009 at 07:21 PM

    Application Version : 4.28.1010

    Core Rules Database Version : 4100
    Trace Rules Database Version: 2040

    Scan type : Complete Scan
    Total Scan Time : 00:42:11

    Memory items scanned : 366
    Memory threats detected : 0
    Registry items scanned : 5285
    Registry threats detected : 0
    File items scanned : 13730
    File threats detected : 1

    Trojan.Agent/Gen-SOJ
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP512\A0060595.EXE


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:30:38 PM, on 9/14/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\SiSAudUt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\system32\SiSAudUt.exe -wdm
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.clubbox.co.kr
    O15 - Trusted Zone: http://forums.spybot.info
    O16 - DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} (NowStarter2 Control) - http://sticube.clubbox.co.kr/sticube...owStarter2.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1252612289843
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=26688
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7432 bytes

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Looking good. Let's make sure there is no more of this garbage hiding.

    Please download RootRepeal from one of these locations and save it to your desktop:
    Here
    Here
    Here
    • Open on your desktop.
    • Click the tab.
    • Click the button.
    • Check just these boxes:
    • Push Ok
    • Check the box for your main system drive (usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.





    Please run this free online virus scanner from ESET
    • Note: You will need to use Internet explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic

  5. #5
    Member
    Join Date
    Dec 2007
    Posts
    30


    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/09/15 18:50
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP2
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB719A000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBAE32000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB49AE000 Size: 49152 File Visible: No Signed: -
    Status: -

    Name: srescan.sys
    Image Path: srescan.sys
    Address: 0xBA6D5000 Size: 81920 File Visible: No Signed: -
    Status: -

    SSDT
    -------------------
    #: 031 Function Name: NtConnectPort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e0040

    #: 037 Function Name: NtCreateFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dc930

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e7a80

    #: 046 Function Name: NtCreatePort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e0510

    #: 047 Function Name: NtCreateProcess
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6870

    #: 048 Function Name: NtCreateProcessEx
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6aa0

    #: 050 Function Name: NtCreateSection
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e9fd0

    #: 056 Function Name: NtCreateWaitablePort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e0600

    #: 062 Function Name: NtDeleteFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dcf20

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e86e0

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e8440

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6580

    #: 097 Function Name: NtLoadDriver
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73da3f0

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e88b0

    #: 108 Function Name: NtMapViewOfSection
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73ea270

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dcd70

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6350

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6150

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e9250

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e8cb0

    #: 200 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dfc00

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e9080

    #: 210 Function Name: NtSecureConnectPort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e0220

    #: 224 Function Name: NtSetInformationFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dd120

    #: 240 Function Name: NtSetSystemInformation
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73da1c0

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e8140

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6cd0

    #: 262 Function Name: NtUnloadDriver
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73da5f0

    ==EOF==

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=6
    # IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.6050
    # api_version=3.0.2
    # EOSSerial=f12551d91aaaa64b87aabcd245d3f1f1
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-09-16 02:00:22
    # local_time=2009-09-15 10:00:22 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=1026 21 83 100 1210213563742
    # scanned=56199
    # found=6
    # cleaned=6
    # scan_time=10821
    C:\qoobox\Quarantine\C\VundoFix Backups\rrqss.ini.bad.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\qoobox\Quarantine\C\VundoFix Backups\rrqss.ini2.bad.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\qoobox\Quarantine\C\WINDOWS\system32\gfhkj.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\qoobox\Quarantine\C\WINDOWS\system32\qvyyhgwq.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\qoobox\Quarantine\C\WINDOWS\system32\uuudolji.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\qoobox\Quarantine\C\WINDOWS\system32\xesrieab.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Good Morning,

    No rootkit infection was found. All ESET found were backups of what Combofix removed, which, I want to add, should not be taken lightly; it's a very powerful tool and what it fixes on one system could damage another.

    Do this: post the log from Combofix. You can find it here: C:\ComboFix.txt

  7. #7
    Member
    Join Date
    Dec 2007
    Posts
    30


    Hi there,
    good to know that there are no more infections!

    For some reason I have 2 combofix logs. I will post them both.


    ComboFix 07-12-15.5 - L 2007-12-15 12:26:22.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.819 [GMT -5:00]
    Running from: C:\Documents and Settings\L\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\L\My Documents\ASKS~1
    C:\Documents and Settings\L\My Documents\CROSOF~1.NET
    C:\Program Files\Temporary
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\bkR11
    C:\Temp\bkR11\ftCa.log
    C:\WINDOWS\system32\pac.txt

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
    .

    2007-12-15 00:49 . 2007-12-15 12:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\L\Application Data\SUPERAntiSpyware.com
    2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-12-13 23:20 . 2007-12-13 23:20 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-13 20:34 . 2007-12-15 12:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-13 20:34 . 2007-12-13 20:34 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-13 19:48 . 2007-12-15 01:21 7,494 --ahs---- C:\WINDOWS\system32\gfhkj.ini2
    2007-12-13 01:14 . 2007-12-13 08:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-12 23:42 . 2007-12-12 23:42 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2007-12-12 22:33 . 2007-12-15 00:42 917,260 ---hs---- C:\WINDOWS\system32\xesrieab.ini
    2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-11 19:44 . 2007-12-13 00:10 <DIR> d-------- C:\VundoFix Backups
    2007-12-10 22:37 . 2007-12-10 22:37 <DIR> d-------- C:\Documents and Settings\L\Application Data\SuperAdBlocker.com
    2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\WINDOWS\system32\URTTemp
    2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
    2007-12-10 17:20 . 2007-12-10 17:20 858,824 --ahs---- C:\WINDOWS\system32\qvyyhgwq.ini
    2007-12-10 16:19 . 2007-12-10 16:19 294 --ahs---- C:\WINDOWS\system32\uuudolji.ini
    2007-12-10 00:36 . 2007-12-13 19:52 143 --a------ C:\WINDOWS\system32\mcrh.tmp
    2007-12-09 22:51 . 2007-12-10 12:33 512 --a------ C:\ScanSectorLog.dat
    2007-12-09 20:10 . 2007-12-15 11:12 2,070 --a------ C:\rollback.ini
    2007-12-09 20:06 . 2007-12-15 12:31 2,822,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-12-09 20:06 . 2007-12-15 12:30 40,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-12-09 20:06 . 2007-12-15 12:30 31,776 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-12-09 20:06 . 2007-12-15 12:30 4,028 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-12-09 20:04 . 2007-12-09 20:04 <DIR> d-------- C:\Documents and Settings\L\Application Data\MailFrontier
    2007-12-09 19:42 . 2007-12-15 00:32 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-12-09 19:40 . 2007-12-15 12:19 <DIR> d-------- C:\WINDOWS\Internet Logs
    2007-12-07 23:57 . 2007-12-09 19:50 16 --a------ C:\WINDOWS\system32\coh.cache
    2007-12-07 22:21 . 2007-12-09 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-07 21:00 . 2007-12-07 21:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-12-07 20:50 . 2007-12-13 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
    2007-12-07 20:47 . 2007-12-07 20:47 <DIR> d-------- C:\WINDOWS\system32\tdm2
    2007-12-07 20:47 . 2007-12-08 13:16 <DIR> d-------- C:\WINDOWS\system32\pi3
    2007-12-07 20:47 . 2007-12-08 14:30 <DIR> d-------- C:\WINDOWS\system32\eu1
    2007-12-07 20:46 . 2007-12-08 13:12 <DIR> d-------- C:\WINDOWS\system32\daSgo01
    2007-12-07 20:46 . 2007-12-15 12:28 <DIR> d-------- C:\Temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-15 05:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-12 02:51 1,203,447 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
    2007-12-11 12:37 96,571 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_11_00_37_27_small.dmp.zip
    2007-12-10 00:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-02 22:15 --------- d-----w C:\Program Files\BitComet
    2007-11-15 02:42 --------- d-----w C:\Program Files\TuneUp Utilities 2006
    2007-11-13 17:44 1,617,920 ----a-r C:\WINDOWS\system32\pdbox28.exe
    2007-11-03 19:02 --------- d-----w C:\Program Files\SpookyManor_at
    2007-11-01 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-19 20:41 1,536,000 ----a-r C:\WINDOWS\system32\clubbox.exe
    2007-02-16 01:24 87,608 ----a-w C:\Documents and Settings\L\Application Data\ezpinst.exe
    2007-02-16 01:24 47,360 ----a-w C:\Documents and Settings\L\Application Data\pcouffin.sys
    2007-02-16 01:22 94,080 ----a-w C:\Documents and Settings\L\Application Data\ezplay.sys
    2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DF11C63-051F-4EEC-9BCE-8C5BA1EB71D1}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6556CCAC-C1D5-4C24-A3DB-D54145F6225C}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82E42D62-88C8-4ED4-91D5-0D50F577A337}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F38858FF-F237-437D-999C-068A62B52016}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 12:49]
    "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS7012Utility"="C:\WINDOWS\system32\SiSAudUt.exe" [2001-11-21 06:39]
    "SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [2001-12-13 11:27]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-03 18:56 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-05 20:30:47]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R2 TTDec;ATI WDM Teletext Decoder;C:\WINDOWS\system32\DRIVERS\ATINTTXX.sys
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys
    S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
    S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
    S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
    S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
    S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
    S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-08 00:09:34 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-15 12:36:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-12-15 12:37:10 - machine was rebooted




    ComboFix 09-01-13.04 - L 2009-01-14 17:47:01.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1248.936 [GMT -5:00]
    Running from: c:\documents and settings\L\Desktop\ComboFix.exe
    AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
    FW: ZoneAlarm Security Suite Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    F:\Autorun.inf
    F:\resycled
    f:\resycled\boot.com

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
    .

    2009-01-13 14:52 . 2009-01-13 14:52 <DIR> d-------- C:\rsit
    2009-01-13 09:18 . 2009-01-13 09:18 <DIR> d-------- c:\documents and settings\L\Application Data\Malwarebytes
    2009-01-13 09:18 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-13 09:17 . 2009-01-13 09:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-13 09:17 . 2009-01-13 09:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-13 09:17 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-07 19:26 . 2009-01-07 19:26 <DIR> d-------- c:\windows\Sun
    2009-01-07 19:26 . 2009-01-07 19:25 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-07 19:26 . 2009-01-07 19:25 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-01-07 19:25 . 2009-01-07 19:25 <DIR> d-------- c:\program files\Java
    2009-01-07 19:10 . 2009-01-07 19:10 54,156 --ah----- c:\windows\QTFont.qfn
    2009-01-07 19:10 . 2009-01-07 19:10 1,409 --a------ c:\windows\QTFont.for
    2008-12-30 00:40 . 2008-12-30 00:40 1,626,112 -ra------ c:\windows\system32\clubbox.exe
    2008-12-15 22:35 . 2009-01-03 15:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\NJStar

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-14 22:49 33,741,600 --sha-w c:\windows\system32\drivers\fidbox.dat
    2009-01-14 22:49 1,768,480 --sha-w c:\windows\system32\drivers\fidbox2.dat
    2009-01-14 22:19 455,144 --sha-w c:\windows\system32\drivers\fidbox.idx
    2009-01-14 22:19 169,520 --sha-w c:\windows\system32\drivers\fidbox2.idx
    2009-01-14 16:31 55,849 ----a-w c:\windows\system32\fscflist.ini.tmp
    2009-01-13 22:30 94,080 ----a-w c:\documents and settings\L\Application Data\ezplay.sys
    2009-01-13 22:30 87,608 ----a-w c:\documents and settings\L\Application Data\ezpinst.exe
    2009-01-13 22:30 47,360 ----a-w c:\documents and settings\L\Application Data\pcouffin.sys
    2009-01-13 22:30 --------- d-----w c:\program files\BitComet
    2009-01-13 22:30 --------- d-----w c:\documents and settings\L\Application Data\Vso
    2009-01-13 22:22 --------- d-----w c:\program files\Slice N Hook
    2009-01-12 20:53 24,419,387 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_12_15_51_31_full.dmp.zip
    2009-01-11 15:55 44,484,230 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2009-01-06 02:24 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-01-06 02:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-01-06 02:11 --------- d-----w c:\program files\SpywareBlaster
    2008-11-13 12:45 15,104 ----a-r c:\windows\system32\nowmemdf.sys
    2008-11-13 12:36 155,648 ----a-r c:\windows\system32\downengine.dll
    2008-08-14 00:14 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-08-14 00:14 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-08-14 00:14 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-08-14 00:14 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-08-14 00:14 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
    2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
    2007-12-17 13:43 27,648 --sh--w c:\windows\system32\Smab0.dll
    2008-02-04 19:26 151,040 --sh--w c:\windows\system32\VistaUltm.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-15_12.32.49.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-01-17 06:00:00 2,504 ----a-w c:\windows\Downloaded Program Files\catalog.dat
    + 2007-01-17 06:00:00 1,957 ----a-w c:\windows\Downloaded Program Files\tinfl.dat
    + 2007-01-22 21:43:49 2,072 ----a-w c:\windows\Downloaded Program Files\vscanmsx.dat
    + 2005-10-21 01:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
    + 2000-08-31 13:00:00 89,504 ----a-w c:\windows\fdsv.exe
    + 2000-08-31 13:00:00 80,412 ----a-w c:\windows\grep.exe
    + 2008-09-06 02:17:19 81,920 ----a-r c:\windows\Installer\{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}\ARPPRODUCTICON.exe
    - 2006-04-12 13:47:22 217,073 ----a-w c:\windows\meta4.exe
    + 2006-04-12 14:47:22 217,073 ----a-w c:\windows\meta4.exe
    + 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
    + 2006-09-18 02:22:05 2,722 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
    + 2000-08-31 13:00:00 98,816 ----a-w c:\windows\sed.exe
    + 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
    + 2000-08-31 13:00:00 136,704 ----a-w c:\windows\SWSC.exe
    + 2000-08-31 13:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe
    + 2001-08-23 12:00:00 2,000 ----a-w c:\windows\system\KEYBOARD.DRV
    + 2001-08-23 12:00:00 73,376 ----a-w c:\windows\system\MCIAVI.DRV
    + 2001-08-23 12:00:00 25,264 ----a-w c:\windows\system\MCISEQ.DRV
    + 2001-08-23 12:00:00 28,160 ----a-w c:\windows\system\MCIWAVE.DRV
    + 2001-08-23 12:00:00 2,032 ----a-w c:\windows\system\MOUSE.DRV
    + 2001-08-23 12:00:00 1,744 ----a-w c:\windows\system\SOUND.DRV
    + 2001-08-23 12:00:00 3,360 ----a-w c:\windows\system\SYSTEM.DRV
    + 2001-08-23 12:00:00 4,048 ----a-w c:\windows\system\TIMER.DRV
    + 2001-08-23 12:00:00 2,176 ----a-w c:\windows\system\VGA.DRV
    + 2001-08-23 12:00:00 13,600 ----a-w c:\windows\system\WFWNET.DRV
    + 2004-08-03 23:56:58 146,432 ----a-w c:\windows\system\WINSPOOL.DRV
    + 2008-08-06 20:22:02 114,688 ----a-w c:\windows\system32\Adobe\Director\np32dsw.dll
    + 2008-08-06 20:30:48 202,168 ----a-w c:\windows\system32\Adobe\Director\swdir.dll
    + 2008-08-06 20:31:08 67,000 ----a-w c:\windows\system32\Adobe\Director\SwDnld.exe
    + 2008-08-06 20:22:42 499,712 ----a-w c:\windows\system32\Adobe\Shockwave 11\Control.dll
    + 2008-08-06 19:45:40 1,798,144 ----a-w c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
    + 2008-08-06 20:22:44 9,216 ----a-w c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
    + 2008-08-06 19:35:52 706,048 ----a-w c:\windows\system32\Adobe\Shockwave 11\gi.dll
    + 2008-08-06 19:35:52 1,145,896 ----a-w c:\windows\system32\Adobe\Shockwave 11\gt.exe
    + 2008-08-06 19:35:52 52,288 ----a-w c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
    + 2008-08-06 19:42:04 892,928 ----a-w c:\windows\system32\Adobe\Shockwave 11\iml32.dll
    + 2008-08-06 19:35:52 54,656 ----a-w c:\windows\system32\Adobe\Shockwave 11\pccuapi.dll
    + 2008-08-06 20:21:14 266,240 ----a-w c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
    + 2008-08-06 20:24:14 446,464 ----a-w c:\windows\system32\Adobe\Shockwave 11\Proj.dll
    + 2008-08-06 20:30:30 447,928 ----a-w c:\windows\system32\Adobe\Shockwave 11\SwHelper_1100465.exe
    + 2008-08-06 20:24:56 114,688 ----a-w c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
    + 2008-08-06 20:21:04 94,208 ----a-w c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
    + 2008-08-06 19:35:52 50,808 ----a-w c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
    + 1999-06-25 14:55:30 149,504 ----a-w c:\windows\system32\Adobe\Shockwave 11\UNWISE.EXE
    + 2001-08-23 12:00:00 10,544 ----a-w c:\windows\system32\comm.drv
    + 2004-08-04 00:07:22 1,788 ----a-w c:\windows\system32\Dcache.bin
    + 2001-08-23 12:00:00 2,000 -c--a-w c:\windows\system32\dllcache\keyboard.drv
    + 2001-08-23 12:00:00 2,560 -c--a-w c:\windows\system32\dllcache\lz32.dll
    + 2001-08-23 12:00:00 73,376 -c--a-w c:\windows\system32\dllcache\mciavi.drv
    + 2001-08-23 12:00:00 25,264 -c--a-w c:\windows\system32\dllcache\mciseq.drv
    + 2001-08-23 12:00:00 28,160 -c--a-w c:\windows\system32\dllcache\mciwave.drv
    + 2001-08-23 12:00:00 2,032 -c--a-w c:\windows\system32\dllcache\mouse.drv
    + 2001-08-23 12:00:00 2,944 -c--a-w c:\windows\system32\dllcache\null.sys
    + 2001-08-23 12:00:00 1,744 -c--a-w c:\windows\system32\dllcache\sound.drv
    + 2001-08-23 12:00:00 3,360 -c--a-w c:\windows\system32\dllcache\system.drv
    + 2001-08-23 12:00:00 4,048 -c--a-w c:\windows\system32\dllcache\timer.drv
    + 2001-08-23 12:00:00 2,176 -c--a-w c:\windows\system32\dllcache\vga.drv
    + 2001-08-23 12:00:00 13,600 -c--a-w c:\windows\system32\dllcache\wfwnet.drv
    + 2001-08-23 12:00:00 2,864 -c--a-w c:\windows\system32\dllcache\winsock.dll
    + 2004-08-03 23:56:58 146,432 -c--a-w c:\windows\system32\dllcache\winspool.drv
    + 2001-08-23 12:00:00 2,112 -c--a-w c:\windows\system32\dllcache\winspool.exe
    + 2001-08-23 12:00:00 2,736 -c--a-w c:\windows\system32\dllcache\wowdeb.exe
    + 2006-05-19 21:16:24 2,432 ------w c:\windows\system32\drivers\cdr4_xp.sys
    + 2006-05-19 21:16:24 2,560 ------w c:\windows\system32\drivers\cdralw2k.sys
    + 2004-08-03 23:07:58 2,944 ----a-w c:\windows\system32\drivers\drmkaud.sys
    + 2001-08-17 14:00:04 2,944 ----a-w c:\windows\system32\drivers\msmpu401.sys
    + 2001-08-23 12:00:00 2,944 ----a-w c:\windows\system32\drivers\null.sys
    - 2007-04-13 10:06:40 159,744 ----a-r c:\windows\system32\fscagent.exe
    + 2008-02-25 16:24:40 159,744 ----a-r c:\windows\system32\fscagent.exe
    + 2009-01-08 00:25:51 144,792 ----a-w c:\windows\system32\java.exe
    + 2009-01-08 00:25:51 144,792 ----a-w c:\windows\system32\javaw.exe
    + 2009-01-08 00:25:51 148,888 ----a-w c:\windows\system32\javaws.exe
    + 2001-08-23 12:00:00 2,000 ----a-w c:\windows\system32\keyboard.drv
    + 2001-08-23 12:00:00 221,600 ----a-w c:\windows\system32\lanman.drv
    + 2001-08-23 12:00:00 2,560 ----a-w c:\windows\system32\lz32.dll
    + 2008-03-15 03:31:26 57,344 ----a-w c:\windows\system32\Macromed\Common\SwSupport.dll
    + 2008-03-24 23:32:46 218,496 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil9f.exe
    + 2008-03-25 03:21:18 2,889,088 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
    + 2008-03-25 03:21:20 218,496 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
    + 2008-09-03 01:53:26 70,264 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
    + 2008-03-15 03:29:22 581,632 ----a-w c:\windows\system32\Macromed\Shockwave 10\Control.dll
    + 2008-03-15 03:12:30 1,490,944 ----a-w c:\windows\system32\Macromed\Shockwave 10\dirapiX.dll
    + 2008-03-15 03:29:58 24,576 ----a-w c:\windows\system32\Macromed\Shockwave 10\DynaPlayer.dll
    + 2008-03-15 03:10:06 606,208 ----a-w c:\windows\system32\Macromed\Shockwave 10\iml32X.dll
    + 2008-03-15 03:28:48 339,968 ----a-w c:\windows\system32\Macromed\Shockwave 10\Plugin.dll
    + 2008-03-15 03:28:56 475,136 ----a-w c:\windows\system32\Macromed\Shockwave 10\PluginPing.dll
    + 2008-03-15 03:21:52 180,224 ----a-w c:\windows\system32\Macromed\Shockwave 10\Proj.dll
    + 2008-03-15 03:31:28 77,824 ----a-w c:\windows\system32\Macromed\Shockwave 10\SwInit.exe
    + 2008-03-15 15:38:08 86,016 ----a-w c:\windows\system32\Macromed\Shockwave 10\SwMenuX.dll
    + 2008-03-15 03:31:28 98,304 ----a-w c:\windows\system32\Macromed\Shockwave 10\SwOnce.dll
    + 2001-08-23 12:00:00 73,376 ----a-w c:\windows\system32\mciavi.drv
    + 2001-08-23 12:00:00 25,264 ----a-w c:\windows\system32\mciseq.drv
    + 2001-08-23 12:00:00 28,160 ----a-w c:\windows\system32\mciwave.drv
    + 2001-08-23 12:00:00 2,032 ----a-w c:\windows\system32\mouse.drv
    + 2001-08-23 12:00:00 20,480 ----a-w c:\windows\system32\msacm32.drv
    + 2004-08-03 23:56:58 188,416 ----a-w c:\windows\system32\msh261.drv
    + 2004-08-04 00:05:44 294,912 ----a-w c:\windows\system32\msh263.drv
    + 2001-08-23 12:00:00 2,656 ----a-w c:\windows\system32\netware.drv
    - 2007-11-13 17:44:42 1,617,920 ----a-r c:\windows\system32\pdbox28.exe
    + 2008-02-28 10:57:34 1,622,016 ----a-r c:\windows\system32\pdbox28.exe
    - 2007-10-28 20:09:56 40,196 ----a-w c:\windows\system32\perfc009.dat
    + 2008-10-26 21:06:51 40,196 ----a-w c:\windows\system32\perfc009.dat
    - 2007-10-28 20:09:56 311,934 ----a-w c:\windows\system32\perfh009.dat
    + 2008-10-26 21:06:51 311,934 ----a-w c:\windows\system32\perfh009.dat
    - 2007-05-14 19:24:30 394,240 ----a-w c:\windows\system32\Smab.dll
    + 2007-11-13 14:31:46 399,360 ----a-w c:\windows\system32\Smab.dll
    + 2001-08-23 12:00:00 1,744 ----a-w c:\windows\system32\sound.drv
    + 2001-08-23 12:00:00 3,360 ----a-w c:\windows\system32\system.drv
    + 2001-08-23 12:00:00 4,048 ----a-w c:\windows\system32\timer.drv
    + 2001-08-23 12:00:00 2,176 ----a-w c:\windows\system32\vga.drv
    + 2004-08-04 00:05:44 23,552 ----a-w c:\windows\system32\wdmaud.drv
    + 2001-08-23 12:00:00 13,600 ----a-w c:\windows\system32\wfwnet.drv
    + 2001-08-23 12:00:00 2,864 ----a-w c:\windows\system32\winsock.dll
    + 2004-08-03 23:56:58 146,432 ----a-w c:\windows\system32\winspool.drv
    + 2001-08-23 12:00:00 2,112 ----a-w c:\windows\system32\winspool.exe
    + 2001-08-23 12:00:00 2,736 ----a-w c:\windows\system32\wowdeb.exe
    - 2007-12-15 05:32:45 4,212 ---h--w c:\windows\system32\zllictbl.dat
    + 2009-01-10 17:12:53 4,212 ---h--w c:\windows\system32\zllictbl.dat
    - 2007-12-15 17:15:36 246,796 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
    + 2009-01-14 22:43:08 299,492 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
    - 2007-01-08 19:30:04 153,240 ----a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
    + 2008-05-12 23:26:34 152,976 ----a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
    - 2007-12-10 01:10:38 714,208 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
    + 2007-12-26 18:09:19 714,208 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
    - 2007-12-10 01:10:38 787,936 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
    + 2007-12-26 18:09:19 792,032 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
    - 2007-12-15 05:37:16 7,139,599 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
    + 2009-01-13 16:00:25 10,707,916 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
    - 2007-12-10 01:10:43 6,463,239 ----a-w c:\windows\system32\ZoneLabs\spyware0.dat
    + 2009-01-10 18:00:49 10,696,658 ----a-w c:\windows\system32\ZoneLabs\spyware0.dat
    - 2007-12-10 01:10:38 1,500,640 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
    + 2007-12-26 18:09:19 1,504,736 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
    - 2007-12-10 01:10:38 51,176 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
    + 2007-12-26 18:09:19 51,176 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
    - 2007-12-13 05:37:43 8,824,832 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
    + 2008-04-08 03:12:32 8,953,856 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
    + 2009-01-14 22:20:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a4.dat
    + 2008-05-01 21:02:56 2,546 ----a-w c:\windows\unins000.dat
    + 2008-05-01 20:55:18 691,545 ----a-w c:\windows\unins000.exe
    + 2000-08-31 13:00:00 49,152 ----a-w c:\windows\VFIND.exe
    + 2000-08-31 13:00:00 68,096 ----a-w c:\windows\zip.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-08 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS7012Utility"="c:\windows\system32\SiSAudUt.exe" [2001-11-21 294912]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 919280]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-03 c:\windows\system32\narrator.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-05 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.I420"= i420vfw.dll
    "vidc.uyvy"= c:\windows\system32\msyuv.DLL
    "vidc.yuy2"= ATIVYUY.DLL
    "vidc.3iv2"= 3ivxVfWCodec.dll
    "VIDC.HFYU"= huffyuv.dll
    "VIDC.VP31"= vp31vfw.dll
    "MSACM.MI-SC4"= MI-SC4.acm

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SiS KHooker"=c:\windows\system32\khooker.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 51440]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2006-09-17 165760]
    R4 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2006-09-17 13824]
    S1 DW;DW; [x]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
    S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2006-10-17 10368]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-09 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-22 00:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm

    c:\windows\DownUpdater.exe - c:\windows\Downloaded Program Files\NowStarter.ocx
    O16 -: {072039AB-2117-4ED5-A85F-9B9EB903E021}
    hxxp://www.clubbox.co.kr/neo.fld/NowStarter.cab
    c:\windows\Downloaded Program Files\NowStarter.inf
    FF - ProfilePath - c:\documents and settings\L\Application Data\Mozilla\Firefox\Profiles\cv2hil3o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-14 17:49:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1960408961-1417001333-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(556)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2009-01-14 17:52:03
    ComboFix-quarantined-files.txt 2009-01-14 22:52:00
    ComboFix2.txt 2007-12-16 04:08:14

    Pre-Run: 7,985,745,920 bytes free
    Post-Run: 8,192,135,168 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    It looks like you ran Combofix a long time ago. The log is a bit confusing; I am looking at a few bad files on the log, not sure if they have been removed.

    Run this tool; it won't fix anything but will give us a nice report.

    Download DDS by sUBs from one of the following links. Save it to your desktop.
    • DDS.com
    • DDS.scr
    • DDS.pif
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results, click no to the Optional_Scan
    • Follow the instructions that pop up for posting the results.
    • Close the program window, and delete the program from your desktop.

    Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

    Information on A/V control Here
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  9. #9
    Member
    Join Date
    Dec 2007
    Posts
    30

    Default

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by L at 20:49:11.85 on Thu 09/17/2009
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1248.857 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\SiSAudUt.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\L\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ca/
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - IeCatch5 Class
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: {f156768e-81ef-470c-9057-481ba8380dba} - gFlash Class
    TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [SiS7012Utility] c:\windows\system32\SiSAudUt.exe -wdm
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\l\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
    IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: clubbox.co.kr
    Trusted Zone: spybot.info\forums
    DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252612289843
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: avgrsstarter - avgrsstx.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\l\applic~1\mozilla\firefox\profiles\cv2hil3o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-14 108552]
    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-15 127768]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 74480]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-12-9 394952]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752]
    R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2006-9-17 13824]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2006-9-17 165760]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
    S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2006-10-18 10368]

    =============== Created Last 30 ================

    2009-09-15 18:53 <DIR> --d----- c:\program files\ESET
    2009-09-14 13:25 <DIR> --d-h--- C:\$AVG8.VAULT$
    2009-09-14 12:24 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-09-14 12:24 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-09-14 12:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-09-14 12:23 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-09-14 12:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
    2009-09-14 12:21 <DIR> --d----- c:\program files\AVG
    2009-09-14 12:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-09-14 11:47 <DIR> --d----- c:\docume~1\l\applic~1\AVG8
    2009-09-10 18:07 221,184 a------- c:\windows\system32\wmpns.dll
    2009-09-10 18:04 <DIR> --d----- c:\windows\ServicePackFiles
    2009-09-10 17:30 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-09-10 17:30 2,180,480 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
    2009-09-10 17:30 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
    2009-09-10 17:30 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-09-10 17:22 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
    2009-09-10 15:57 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
    2009-09-10 15:57 272,128 -------- c:\windows\system32\drivers\bthport.sys
    2009-09-10 15:56 <DIR> --d----- c:\windows\system32\PreInstall
    2009-09-10 15:56 26,488 a------- c:\windows\system32\spupdsvc.exe
    2009-09-10 15:52 23,576 a------- c:\windows\system32\wuapi.dll.mui

    ==================== Find3M ====================

    2009-09-17 20:49 20,516,640 a--sh--- c:\windows\system32\drivers\fidbox.dat
    2009-09-17 13:02 280,784 a--sh--- c:\windows\system32\drivers\fidbox.idx
    2009-09-12 12:49 4,212 ----h--- c:\windows\system32\zllictbl.dat
    2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
    2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
    2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll
    2009-07-26 12:21 34,300 a------- c:\windows\system32\fscflist.ini.tmp
    2009-07-19 21:33 167,936 a------- c:\windows\system32\fscagent.exe
    2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
    2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
    2009-07-03 15:28 640,240 a------- c:\windows\system32\NowUpdate.exe
    2009-07-03 02:34 46,866 a------- c:\windows\system32\clubboxuninstall.exe
    2009-07-01 22:53 1,626,112 a------- c:\windows\system32\clubbox.exe
    2009-06-26 12:18 659,456 a------- c:\windows\system32\wininet.dll
    2009-06-26 12:18 81,920 a------- c:\windows\system32\ieencode.dll
    2009-06-25 14:36 661,504 a------- c:\windows\system32\mqqm.dll
    2009-06-25 14:36 517,120 a------- c:\windows\system32\mqsnap.dll
    2009-06-25 14:36 471,552 a------- c:\windows\system32\mqutil.dll
    2009-06-25 14:36 225,280 a------- c:\windows\system32\mqoa.dll
    2009-06-25 14:36 186,880 a------- c:\windows\system32\mqtrig.dll
    2009-06-25 14:36 177,152 a------- c:\windows\system32\mqrt.dll
    2009-06-25 14:36 138,240 a------- c:\windows\system32\mqad.dll
    2009-06-25 14:36 123,392 a------- c:\windows\system32\mqrtdep.dll
    2009-06-25 14:36 95,744 a------- c:\windows\system32\mqsec.dll
    2009-06-25 14:36 48,640 a------- c:\windows\system32\mqupgrd.dll
    2009-06-25 14:36 47,104 a------- c:\windows\system32\mqdscli.dll
    2009-06-25 14:36 16,896 a------- c:\windows\system32\mqise.dll
    2009-06-22 07:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
    2009-06-22 07:49 19,968 a------- c:\windows\system32\mqbkup.exe
    2009-06-22 07:49 4,608 a------- c:\windows\system32\mqsvc.exe
    2009-01-13 18:30 87,608 a------- c:\docume~1\l\applic~1\ezpinst.exe
    2009-01-13 18:30 94,080 a------- c:\docume~1\l\applic~1\ezplay.sys
    2009-01-13 18:30 47,360 a------- c:\docume~1\l\applic~1\pcouffin.sys
    2006-05-03 06:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
    2007-02-21 07:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
    2007-12-17 09:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
    2008-02-04 15:26 151,040 ---sh--- c:\windows\system32\VistaUltm.dll

    ============= FINISH: 20:50:20.79 ===============

  10. #10
    Emeritus-Security Expert (Join Date: Nov 2005; Location: Florida's SpaceCoast; Posts: 15,208)

    Hi,

    Nothing is jumping out at me as bad. How are things running now?

    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
