Infected with Malware

Status
Not open for further replies.
R

rukia88

New member
Hi, I've recently noticed some pop up messages from ZoneAlarm indicating that certain files want to gain access to my system. In addition, Windows Security Alerts is always asking me to get new updates when I normally have automatic updates off. Not really sure what I am infected with.

Much thanks in advance for your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:50 PM, on 9/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SiSAudUt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\sys32_nov.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\L\sys32_nov.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\system32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\L\sys32_nov.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: ikowin32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.clubbox.co.kr
O15 - Trusted Zone: http://forums.spybot.info
O16 - DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} (NowStarter2 Control) - http://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252612289843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6816 bytes
 
Hello

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Two questions,
1. Why do you have SuperAntiSpyware installed and have not run it to remove some of this junk ?

2. Why do you not have any Antivirus program installed. With the latest threats going around , going online with out one is kind of suicidal .


Install just one of these free ones.






Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)

O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\L\sys32_nov.exe

O4 - Startup: ikowin32.exe

If you want this one in your trusted zone than leave it be
O15 - Trusted Zone: http://*.clubbox.co.kr


Open up SuperAntiSpyware, check for updates and run a scan, post the log and a new HJT log please
 
Hi there, thanks so much for your time and help.

To answer your questions first: I had used Malwarebytes Antimalware prior to do a scan and had removed some junk. I guess it wasn't good enough. I also thought that having ZoneAlarm was sufficient. I have now downloaded AVG and installed it into my computer.

I did 2 scans with SuperAntiSpyware. The first was after using HJT to fix the items you mentioned. The second scan was after doing a full scan using AVG.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/14/2009 at 01:50 PM

Application Version : 4.27.1002

Core Rules Database Version : 4098
Trace Rules Database Version: 2039

Scan type : Complete Scan
Total Scan Time : 00:56:30

Memory items scanned : 482
Memory threats detected : 0
Registry items scanned : 5276
Registry threats detected : 0
File items scanned : 13811
File threats detected : 5

Trojan.Agent/Gen-Sys32[Nov]
C:\DOCUMENTS AND SETTINGS\L\SYS32_NOV.EXE
C:\WINDOWS\SYSTEM32\SYS32_NOV.EXE
C:\WINDOWS\Prefetch\SYS32_NOV.EXE-22742382.pf
C:\WINDOWS\Prefetch\SYS32_NOV.EXE-2429F1E9.pf

Trojan.Agent/Gen-SOJ
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP512\A0060591.EXE


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/14/2009 at 07:21 PM

Application Version : 4.28.1010

Core Rules Database Version : 4100
Trace Rules Database Version: 2040

Scan type : Complete Scan
Total Scan Time : 00:42:11

Memory items scanned : 366
Memory threats detected : 0
Registry items scanned : 5285
Registry threats detected : 0
File items scanned : 13730
File threats detected : 1

Trojan.Agent/Gen-SOJ
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CEFD36F5-C9BA-45E7-8577-FA1F83BCEDE9}\RP512\A0060595.EXE


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:38 PM, on 9/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\SiSAudUt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\system32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.clubbox.co.kr
O15 - Trusted Zone: http://forums.spybot.info
O16 - DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} (NowStarter2 Control) - http://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252612289843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7432 bytes
 
Looking good. Lets make sure there is no more of this garbage hiding

Please download RootRepeal one of these locations and save it to your desktop
Here
Here
Here
  • Open
    rootRepealDesktopIcon.png
    on your desktop.
  • Click the
    reportTab.png
    tab.
  • Click the
    btnScan.png
    button.
  • Check just these boxes:
  • post-75503-1250480183.gif
  • Push Ok
  • Check the box for your main system drive (Usually C:, and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the
    saveReport.png
    button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.




Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/15 18:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB719A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE32000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB49AE000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xBA6D5000 Size: 81920 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e0040

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dc930

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e7a80

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e0510

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6870

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6aa0

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e9fd0

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e0600

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dcf20

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e86e0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e8440

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6580

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73da3f0

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e88b0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73ea270

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dcd70

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6350

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6150

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e9250

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e8cb0

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dfc00

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e9080

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e0220

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73dd120

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73da1c0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e8140

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73e6cd0

#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb73da5f0

==EOF==

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=f12551d91aaaa64b87aabcd245d3f1f1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-16 02:00:22
# local_time=2009-09-15 10:00:22 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1026 21 83 100 1210213563742
# scanned=56199
# found=6
# cleaned=6
# scan_time=10821
C:\qoobox\Quarantine\C\VundoFix Backups\rrqss.ini.bad.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\qoobox\Quarantine\C\VundoFix Backups\rrqss.ini2.bad.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\qoobox\Quarantine\C\WINDOWS\system32\gfhkj.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\qoobox\Quarantine\C\WINDOWS\system32\qvyyhgwq.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\qoobox\Quarantine\C\WINDOWS\system32\uuudolji.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\qoobox\Quarantine\C\WINDOWS\system32\xesrieab.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
 
Good Morning,

No Rootkit infection was found :bigthumb: All ESET found where backups of what Combofix removed, which I want to add should not be taken lightly, its a very powerful tool and what it fixes on one system it could damage another.

Do this, post the log from Combofix, you can find it here C:\ComboFix.txt
 
Hi there,
good to know that there are no more infections! :thanks:

For some reason I have 2 combofix logs. I will post them both.


ComboFix 07-12-15.5 - L 2007-12-15 12:26:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.819 [GMT -5:00]
Running from: C:\Documents and Settings\L\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\L\My Documents\ASKS~1
C:\Documents and Settings\L\My Documents\CROSOF~1.NET
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-15 00:49 . 2007-12-15 12:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\L\Application Data\SUPERAntiSpyware.com
2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 23:20 . 2007-12-13 23:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-13 20:34 . 2007-12-15 12:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-13 20:34 . 2007-12-13 20:34 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-13 19:48 . 2007-12-15 01:21 7,494 --ahs---- C:\WINDOWS\system32\gfhkj.ini2
2007-12-13 01:14 . 2007-12-13 08:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-12 23:42 . 2007-12-12 23:42 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-12 22:33 . 2007-12-15 00:42 917,260 ---hs---- C:\WINDOWS\system32\xesrieab.ini
2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-11 19:44 . 2007-12-13 00:10 <DIR> d-------- C:\VundoFix Backups
2007-12-10 22:37 . 2007-12-10 22:37 <DIR> d-------- C:\Documents and Settings\L\Application Data\SuperAdBlocker.com
2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2007-12-10 17:20 . 2007-12-10 17:20 858,824 --ahs---- C:\WINDOWS\system32\qvyyhgwq.ini
2007-12-10 16:19 . 2007-12-10 16:19 294 --ahs---- C:\WINDOWS\system32\uuudolji.ini
2007-12-10 00:36 . 2007-12-13 19:52 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-09 22:51 . 2007-12-10 12:33 512 --a------ C:\ScanSectorLog.dat
2007-12-09 20:10 . 2007-12-15 11:12 2,070 --a------ C:\rollback.ini
2007-12-09 20:06 . 2007-12-15 12:31 2,822,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-09 20:06 . 2007-12-15 12:30 40,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-09 20:06 . 2007-12-15 12:30 31,776 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-09 20:06 . 2007-12-15 12:30 4,028 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-09 20:04 . 2007-12-09 20:04 <DIR> d-------- C:\Documents and Settings\L\Application Data\MailFrontier
2007-12-09 19:42 . 2007-12-15 00:32 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-09 19:40 . 2007-12-15 12:19 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-07 23:57 . 2007-12-09 19:50 16 --a------ C:\WINDOWS\system32\coh.cache
2007-12-07 22:21 . 2007-12-09 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-07 21:00 . 2007-12-07 21:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-07 20:50 . 2007-12-13 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-07 20:47 . 2007-12-07 20:47 <DIR> d-------- C:\WINDOWS\system32\tdm2
2007-12-07 20:47 . 2007-12-08 13:16 <DIR> d-------- C:\WINDOWS\system32\pi3
2007-12-07 20:47 . 2007-12-08 14:30 <DIR> d-------- C:\WINDOWS\system32\eu1
2007-12-07 20:46 . 2007-12-08 13:12 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-07 20:46 . 2007-12-15 12:28 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 05:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 02:51 1,203,447 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-11 12:37 96,571 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_11_00_37_27_small.dmp.zip
2007-12-10 00:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 22:15 --------- d-----w C:\Program Files\BitComet
2007-11-15 02:42 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2007-11-13 17:44 1,617,920 ----a-r C:\WINDOWS\system32\pdbox28.exe
2007-11-03 19:02 --------- d-----w C:\Program Files\SpookyManor_at
2007-11-01 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-19 20:41 1,536,000 ----a-r C:\WINDOWS\system32\clubbox.exe
2007-02-16 01:24 87,608 ----a-w C:\Documents and Settings\L\Application Data\ezpinst.exe
2007-02-16 01:24 47,360 ----a-w C:\Documents and Settings\L\Application Data\pcouffin.sys
2007-02-16 01:22 94,080 ----a-w C:\Documents and Settings\L\Application Data\ezplay.sys
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DF11C63-051F-4EEC-9BCE-8C5BA1EB71D1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6556CCAC-C1D5-4C24-A3DB-D54145F6225C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82E42D62-88C8-4ED4-91D5-0D50F577A337}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F38858FF-F237-437D-999C-068A62B52016}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 12:49]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS7012Utility"="C:\WINDOWS\system32\SiSAudUt.exe" [2001-11-21 06:39]
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [2001-12-13 11:27]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 18:56 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-05 20:30:47]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 TTDec;ATI WDM Teletext Decoder;C:\WINDOWS\system32\DRIVERS\ATINTTXX.sys
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 00:09:34 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 12:36:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-15 12:37:10 - machine was rebooted




ComboFix 09-01-13.04 - L 2009-01-14 17:47:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1248.936 [GMT -5:00]
Running from: c:\documents and settings\L\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf
F:\resycled
f:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-13 14:52 . 2009-01-13 14:52 <DIR> d-------- C:\rsit
2009-01-13 09:18 . 2009-01-13 09:18 <DIR> d-------- c:\documents and settings\L\Application Data\Malwarebytes
2009-01-13 09:18 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 09:17 . 2009-01-13 09:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 09:17 . 2009-01-13 09:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 09:17 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 19:26 . 2009-01-07 19:26 <DIR> d-------- c:\windows\Sun
2009-01-07 19:26 . 2009-01-07 19:25 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-07 19:26 . 2009-01-07 19:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-07 19:25 . 2009-01-07 19:25 <DIR> d-------- c:\program files\Java
2009-01-07 19:10 . 2009-01-07 19:10 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-07 19:10 . 2009-01-07 19:10 1,409 --a------ c:\windows\QTFont.for
2008-12-30 00:40 . 2008-12-30 00:40 1,626,112 -ra------ c:\windows\system32\clubbox.exe
2008-12-15 22:35 . 2009-01-03 15:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\NJStar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 22:49 33,741,600 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-14 22:49 1,768,480 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-01-14 22:19 455,144 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-14 22:19 169,520 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-01-14 16:31 55,849 ----a-w c:\windows\system32\fscflist.ini.tmp
2009-01-13 22:30 94,080 ----a-w c:\documents and settings\L\Application Data\ezplay.sys
2009-01-13 22:30 87,608 ----a-w c:\documents and settings\L\Application Data\ezpinst.exe
2009-01-13 22:30 47,360 ----a-w c:\documents and settings\L\Application Data\pcouffin.sys
2009-01-13 22:30 --------- d-----w c:\program files\BitComet
2009-01-13 22:30 --------- d-----w c:\documents and settings\L\Application Data\Vso
2009-01-13 22:22 --------- d-----w c:\program files\Slice N Hook
2009-01-12 20:53 24,419,387 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_12_15_51_31_full.dmp.zip
2009-01-11 15:55 44,484,230 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-01-06 02:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-06 02:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 02:11 --------- d-----w c:\program files\SpywareBlaster
2008-11-13 12:45 15,104 ----a-r c:\windows\system32\nowmemdf.sys
2008-11-13 12:36 155,648 ----a-r c:\windows\system32\downengine.dll
2008-08-14 00:14 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-08-14 00:14 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-14 00:14 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-08-14 00:14 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-08-14 00:14 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w c:\windows\system32\Smab0.dll
2008-02-04 19:26 151,040 --sh--w c:\windows\system32\VistaUltm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-15_12.32.49.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-17 06:00:00 2,504 ----a-w c:\windows\Downloaded Program Files\catalog.dat
+ 2007-01-17 06:00:00 1,957 ----a-w c:\windows\Downloaded Program Files\tinfl.dat
+ 2007-01-22 21:43:49 2,072 ----a-w c:\windows\Downloaded Program Files\vscanmsx.dat
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 13:00:00 89,504 ----a-w c:\windows\fdsv.exe
+ 2000-08-31 13:00:00 80,412 ----a-w c:\windows\grep.exe
+ 2008-09-06 02:17:19 81,920 ----a-r c:\windows\Installer\{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}\ARPPRODUCTICON.exe
- 2006-04-12 13:47:22 217,073 ----a-w c:\windows\meta4.exe
+ 2006-04-12 14:47:22 217,073 ----a-w c:\windows\meta4.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2006-09-18 02:22:05 2,722 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2000-08-31 13:00:00 98,816 ----a-w c:\windows\sed.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 136,704 ----a-w c:\windows\SWSC.exe
+ 2000-08-31 13:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe
+ 2001-08-23 12:00:00 2,000 ----a-w c:\windows\system\KEYBOARD.DRV
+ 2001-08-23 12:00:00 73,376 ----a-w c:\windows\system\MCIAVI.DRV
+ 2001-08-23 12:00:00 25,264 ----a-w c:\windows\system\MCISEQ.DRV
+ 2001-08-23 12:00:00 28,160 ----a-w c:\windows\system\MCIWAVE.DRV
+ 2001-08-23 12:00:00 2,032 ----a-w c:\windows\system\MOUSE.DRV
+ 2001-08-23 12:00:00 1,744 ----a-w c:\windows\system\SOUND.DRV
+ 2001-08-23 12:00:00 3,360 ----a-w c:\windows\system\SYSTEM.DRV
+ 2001-08-23 12:00:00 4,048 ----a-w c:\windows\system\TIMER.DRV
+ 2001-08-23 12:00:00 2,176 ----a-w c:\windows\system\VGA.DRV
+ 2001-08-23 12:00:00 13,600 ----a-w c:\windows\system\WFWNET.DRV
+ 2004-08-03 23:56:58 146,432 ----a-w c:\windows\system\WINSPOOL.DRV
+ 2008-08-06 20:22:02 114,688 ----a-w c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2008-08-06 20:30:48 202,168 ----a-w c:\windows\system32\Adobe\Director\swdir.dll
+ 2008-08-06 20:31:08 67,000 ----a-w c:\windows\system32\Adobe\Director\SwDnld.exe
+ 2008-08-06 20:22:42 499,712 ----a-w c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2008-08-06 19:45:40 1,798,144 ----a-w c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2008-08-06 20:22:44 9,216 ----a-w c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2008-08-06 19:35:52 706,048 ----a-w c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2008-08-06 19:35:52 1,145,896 ----a-w c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2008-08-06 19:35:52 52,288 ----a-w c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2008-08-06 19:42:04 892,928 ----a-w c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2008-08-06 19:35:52 54,656 ----a-w c:\windows\system32\Adobe\Shockwave 11\pccuapi.dll
+ 2008-08-06 20:21:14 266,240 ----a-w c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2008-08-06 20:24:14 446,464 ----a-w c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2008-08-06 20:30:30 447,928 ----a-w c:\windows\system32\Adobe\Shockwave 11\SwHelper_1100465.exe
+ 2008-08-06 20:24:56 114,688 ----a-w c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2008-08-06 20:21:04 94,208 ----a-w c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2008-08-06 19:35:52 50,808 ----a-w c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 1999-06-25 14:55:30 149,504 ----a-w c:\windows\system32\Adobe\Shockwave 11\UNWISE.EXE
+ 2001-08-23 12:00:00 10,544 ----a-w c:\windows\system32\comm.drv
+ 2004-08-04 00:07:22 1,788 ----a-w c:\windows\system32\Dcache.bin
+ 2001-08-23 12:00:00 2,000 -c--a-w c:\windows\system32\dllcache\keyboard.drv
+ 2001-08-23 12:00:00 2,560 -c--a-w c:\windows\system32\dllcache\lz32.dll
+ 2001-08-23 12:00:00 73,376 -c--a-w c:\windows\system32\dllcache\mciavi.drv
+ 2001-08-23 12:00:00 25,264 -c--a-w c:\windows\system32\dllcache\mciseq.drv
+ 2001-08-23 12:00:00 28,160 -c--a-w c:\windows\system32\dllcache\mciwave.drv
+ 2001-08-23 12:00:00 2,032 -c--a-w c:\windows\system32\dllcache\mouse.drv
+ 2001-08-23 12:00:00 2,944 -c--a-w c:\windows\system32\dllcache\null.sys
+ 2001-08-23 12:00:00 1,744 -c--a-w c:\windows\system32\dllcache\sound.drv
+ 2001-08-23 12:00:00 3,360 -c--a-w c:\windows\system32\dllcache\system.drv
+ 2001-08-23 12:00:00 4,048 -c--a-w c:\windows\system32\dllcache\timer.drv
+ 2001-08-23 12:00:00 2,176 -c--a-w c:\windows\system32\dllcache\vga.drv
+ 2001-08-23 12:00:00 13,600 -c--a-w c:\windows\system32\dllcache\wfwnet.drv
+ 2001-08-23 12:00:00 2,864 -c--a-w c:\windows\system32\dllcache\winsock.dll
+ 2004-08-03 23:56:58 146,432 -c--a-w c:\windows\system32\dllcache\winspool.drv
+ 2001-08-23 12:00:00 2,112 -c--a-w c:\windows\system32\dllcache\winspool.exe
+ 2001-08-23 12:00:00 2,736 -c--a-w c:\windows\system32\dllcache\wowdeb.exe
+ 2006-05-19 21:16:24 2,432 ------w c:\windows\system32\drivers\cdr4_xp.sys
+ 2006-05-19 21:16:24 2,560 ------w c:\windows\system32\drivers\cdralw2k.sys
+ 2004-08-03 23:07:58 2,944 ----a-w c:\windows\system32\drivers\drmkaud.sys
+ 2001-08-17 14:00:04 2,944 ----a-w c:\windows\system32\drivers\msmpu401.sys
+ 2001-08-23 12:00:00 2,944 ----a-w c:\windows\system32\drivers\null.sys
- 2007-04-13 10:06:40 159,744 ----a-r c:\windows\system32\fscagent.exe
+ 2008-02-25 16:24:40 159,744 ----a-r c:\windows\system32\fscagent.exe
+ 2009-01-08 00:25:51 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-01-08 00:25:51 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-08 00:25:51 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2001-08-23 12:00:00 2,000 ----a-w c:\windows\system32\keyboard.drv
+ 2001-08-23 12:00:00 221,600 ----a-w c:\windows\system32\lanman.drv
+ 2001-08-23 12:00:00 2,560 ----a-w c:\windows\system32\lz32.dll
+ 2008-03-15 03:31:26 57,344 ----a-w c:\windows\system32\Macromed\Common\SwSupport.dll
+ 2008-03-24 23:32:46 218,496 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-03-25 03:21:18 2,889,088 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:20 218,496 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-09-03 01:53:26 70,264 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-03-15 03:29:22 581,632 ----a-w c:\windows\system32\Macromed\Shockwave 10\Control.dll
+ 2008-03-15 03:12:30 1,490,944 ----a-w c:\windows\system32\Macromed\Shockwave 10\dirapiX.dll
+ 2008-03-15 03:29:58 24,576 ----a-w c:\windows\system32\Macromed\Shockwave 10\DynaPlayer.dll
+ 2008-03-15 03:10:06 606,208 ----a-w c:\windows\system32\Macromed\Shockwave 10\iml32X.dll
+ 2008-03-15 03:28:48 339,968 ----a-w c:\windows\system32\Macromed\Shockwave 10\Plugin.dll
+ 2008-03-15 03:28:56 475,136 ----a-w c:\windows\system32\Macromed\Shockwave 10\PluginPing.dll
+ 2008-03-15 03:21:52 180,224 ----a-w c:\windows\system32\Macromed\Shockwave 10\Proj.dll
+ 2008-03-15 03:31:28 77,824 ----a-w c:\windows\system32\Macromed\Shockwave 10\SwInit.exe
+ 2008-03-15 15:38:08 86,016 ----a-w c:\windows\system32\Macromed\Shockwave 10\SwMenuX.dll
+ 2008-03-15 03:31:28 98,304 ----a-w c:\windows\system32\Macromed\Shockwave 10\SwOnce.dll
+ 2001-08-23 12:00:00 73,376 ----a-w c:\windows\system32\mciavi.drv
+ 2001-08-23 12:00:00 25,264 ----a-w c:\windows\system32\mciseq.drv
+ 2001-08-23 12:00:00 28,160 ----a-w c:\windows\system32\mciwave.drv
+ 2001-08-23 12:00:00 2,032 ----a-w c:\windows\system32\mouse.drv
+ 2001-08-23 12:00:00 20,480 ----a-w c:\windows\system32\msacm32.drv
+ 2004-08-03 23:56:58 188,416 ----a-w c:\windows\system32\msh261.drv
+ 2004-08-04 00:05:44 294,912 ----a-w c:\windows\system32\msh263.drv
+ 2001-08-23 12:00:00 2,656 ----a-w c:\windows\system32\netware.drv
- 2007-11-13 17:44:42 1,617,920 ----a-r c:\windows\system32\pdbox28.exe
+ 2008-02-28 10:57:34 1,622,016 ----a-r c:\windows\system32\pdbox28.exe
- 2007-10-28 20:09:56 40,196 ----a-w c:\windows\system32\perfc009.dat
+ 2008-10-26 21:06:51 40,196 ----a-w c:\windows\system32\perfc009.dat
- 2007-10-28 20:09:56 311,934 ----a-w c:\windows\system32\perfh009.dat
+ 2008-10-26 21:06:51 311,934 ----a-w c:\windows\system32\perfh009.dat
- 2007-05-14 19:24:30 394,240 ----a-w c:\windows\system32\Smab.dll
+ 2007-11-13 14:31:46 399,360 ----a-w c:\windows\system32\Smab.dll
+ 2001-08-23 12:00:00 1,744 ----a-w c:\windows\system32\sound.drv
+ 2001-08-23 12:00:00 3,360 ----a-w c:\windows\system32\system.drv
+ 2001-08-23 12:00:00 4,048 ----a-w c:\windows\system32\timer.drv
+ 2001-08-23 12:00:00 2,176 ----a-w c:\windows\system32\vga.drv
+ 2004-08-04 00:05:44 23,552 ----a-w c:\windows\system32\wdmaud.drv
+ 2001-08-23 12:00:00 13,600 ----a-w c:\windows\system32\wfwnet.drv
+ 2001-08-23 12:00:00 2,864 ----a-w c:\windows\system32\winsock.dll
+ 2004-08-03 23:56:58 146,432 ----a-w c:\windows\system32\winspool.drv
+ 2001-08-23 12:00:00 2,112 ----a-w c:\windows\system32\winspool.exe
+ 2001-08-23 12:00:00 2,736 ----a-w c:\windows\system32\wowdeb.exe
- 2007-12-15 05:32:45 4,212 ---h--w c:\windows\system32\zllictbl.dat
+ 2009-01-10 17:12:53 4,212 ---h--w c:\windows\system32\zllictbl.dat
- 2007-12-15 17:15:36 246,796 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-01-14 22:43:08 299,492 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2007-01-08 19:30:04 153,240 ----a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-05-12 23:26:34 152,976 ----a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
- 2007-12-10 01:10:38 714,208 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
+ 2007-12-26 18:09:19 714,208 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
- 2007-12-10 01:10:38 787,936 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
+ 2007-12-26 18:09:19 792,032 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
- 2007-12-15 05:37:16 7,139,599 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2009-01-13 16:00:25 10,707,916 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
- 2007-12-10 01:10:43 6,463,239 ----a-w c:\windows\system32\ZoneLabs\spyware0.dat
+ 2009-01-10 18:00:49 10,696,658 ----a-w c:\windows\system32\ZoneLabs\spyware0.dat
- 2007-12-10 01:10:38 1,500,640 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
+ 2007-12-26 18:09:19 1,504,736 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
- 2007-12-10 01:10:38 51,176 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
+ 2007-12-26 18:09:19 51,176 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
- 2007-12-13 05:37:43 8,824,832 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-04-08 03:12:32 8,953,856 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2009-01-14 22:20:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a4.dat
+ 2008-05-01 21:02:56 2,546 ----a-w c:\windows\unins000.dat
+ 2008-05-01 20:55:18 691,545 ----a-w c:\windows\unins000.exe
+ 2000-08-31 13:00:00 49,152 ----a-w c:\windows\VFIND.exe
+ 2000-08-31 13:00:00 68,096 ----a-w c:\windows\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-08 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS7012Utility"="c:\windows\system32\SiSAudUt.exe" [2001-11-21 294912]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 919280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-05 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.uyvy"= c:\windows\system32\msyuv.DLL
"vidc.yuy2"= ATIVYUY.DLL
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"MSACM.MI-SC4"= MI-SC4.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SiS KHooker"=c:\windows\system32\khooker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 51440]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2006-09-17 165760]
R4 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2006-09-17 13824]
S1 DW;DW; [x]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2006-10-17 10368]
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-22 00:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm

c:\windows\DownUpdater.exe - c:\windows\Downloaded Program Files\NowStarter.ocx
O16 -: {072039AB-2117-4ED5-A85F-9B9EB903E021}
hxxp://www.clubbox.co.kr/neo.fld/NowStarter.cab
c:\windows\Downloaded Program Files\NowStarter.inf
FF - ProfilePath - c:\documents and settings\L\Application Data\Mozilla\Firefox\Profiles\cv2hil3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 17:49:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-1417001333-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-14 17:52:03
ComboFix-quarantined-files.txt 2009-01-14 22:52:00
ComboFix2.txt 2007-12-16 04:08:14

Pre-Run: 7,985,745,920 bytes free
Post-Run: 8,192,135,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

316
 
It looks like you ran Combofix a long time ago. The log is a bit confusing, I am looking at a few bad files on the log , not sure if they have been removed

Run this tool ,it won't fix anything but will give us a nice report.

Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here
 
DDS (Ver_09-07-30.01) - NTFSx86
Run by L at 20:49:11.85 on Thu 09/17/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1248.857 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\SiSAudUt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\L\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - IeCatch5 Class
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f156768e-81ef-470c-9057-481ba8380dba} - gFlash Class
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SiS7012Utility] c:\windows\system32\SiSAudUt.exe -wdm
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\l\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: clubbox.co.kr
Trusted Zone: spybot.info\forums
DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252612289843
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\l\applic~1\mozilla\firefox\profiles\cv2hil3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-14 108552]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-15 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-12-9 394952]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2006-9-17 13824]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2006-9-17 165760]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2006-10-18 10368]

=============== Created Last 30 ================

2009-09-15 18:53 <DIR> --d----- c:\program files\ESET
2009-09-14 13:25 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-14 12:24 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-14 12:24 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-14 12:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-14 12:23 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-14 12:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-09-14 12:21 <DIR> --d----- c:\program files\AVG
2009-09-14 12:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-14 11:47 <DIR> --d----- c:\docume~1\l\applic~1\AVG8
2009-09-10 18:07 221,184 a------- c:\windows\system32\wmpns.dll
2009-09-10 18:04 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-10 17:30 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-10 17:30 2,180,480 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-10 17:30 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-10 17:30 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-09-10 17:22 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-09-10 15:57 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-09-10 15:57 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-09-10 15:56 <DIR> --d----- c:\windows\system32\PreInstall
2009-09-10 15:56 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-09-10 15:52 23,576 a------- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2009-09-17 20:49 20,516,640 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-09-17 13:02 280,784 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-09-12 12:49 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-26 12:21 34,300 a------- c:\windows\system32\fscflist.ini.tmp
2009-07-19 21:33 167,936 a------- c:\windows\system32\fscagent.exe
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 15:28 640,240 a------- c:\windows\system32\NowUpdate.exe
2009-07-03 02:34 46,866 a------- c:\windows\system32\clubboxuninstall.exe
2009-07-01 22:53 1,626,112 a------- c:\windows\system32\clubbox.exe
2009-06-26 12:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 12:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 14:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 14:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 14:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 14:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 14:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 14:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 14:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 14:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 14:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 14:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 14:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 14:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-22 07:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 07:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 07:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-01-13 18:30 87,608 a------- c:\docume~1\l\applic~1\ezpinst.exe
2009-01-13 18:30 94,080 a------- c:\docume~1\l\applic~1\ezplay.sys
2009-01-13 18:30 47,360 a------- c:\docume~1\l\applic~1\pcouffin.sys
2006-05-03 06:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 07:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 09:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
2008-02-04 15:26 151,040 ---sh--- c:\windows\system32\VistaUltm.dll

============= FINISH: 20:50:20.79 ===============
 
Hi,

it seems that my computer is running fine now. no more alerts from ZoneAlarm or from Windows security. i guess the only thing is that it just seems that things are running a bit slow but maybe that's just something else i.e my system is slow or i have too many processes running. I haven't done a defragmentation for a LONG time now.

Once my computer is deemed as clear by you, I will be going back to backing up my stuff to my external hard drive and eventually do a big clean up of my computer.

just as an aside, currently i have ZoneAlarm, AVG, SuperAntiSpyware, and Spyblaster running on my computer. Should i also have spybot running too? (i do have it installed) and do you have another suggestion for an Internet Security program other than ZoneAlarm? i use to have Norton Internet security but that eventually caused a lot of problems for my computer hence changing to ZoneAlarm.
 
Hi,

Clean out all your temp files and all other not needed garbage.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean



Do that Defrag you mentioned. As far as trying to sort out what starting, I am linking you to a windows support site, those guys work with those issues as we just do malware removal on this one.
http://forums.whatthetech.com/Microsoft_Windows_f119.html


You can install Spybot search and Destroy but leave the TeaTimer disabled as the TeaTimer will conflict with SpywareBlaster.





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Click to expand...


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.6
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.


Safe Surfn
Ken
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 
Status
Not open for further replies.
Back
Top