TechSpot

Attn: Bobbye Persistent Infection

By Conners
Mar 6, 2011
  1. Hi. Thank you for your continued help. Ref thread: http://www.techspot.com/vb/topic161743.html

    Here are the logs requested:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5977

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    07/03/2011 00:06:22
    mbam-log-2011-03-07 (00-06-22).txt

    Scan type: Full scan (C:\|J:\|)
    Objects scanned: 154998
    Time elapsed: 24 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-07 00:14:38
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-1d ST3400833AS rev.3.AAE
    Running: 84gi61dn.exe; Driver: C:\DOCUME~1\Srennoc\LOCALS~1\Temp\uxpdafow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    ---- EOF - GMER 1.0.15 ----


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 02/03/2011 23:15:49
    System Uptime: 07/03/2011 00:11:59 (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5N-D
    Processor: Intel(R) Pentium(R) D CPU 3.20GHz | Socket 775 | 3200/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 373 GiB total, 354.802 GiB free.
    D: is Removable
    E: is Removable
    F: is Removable
    G: is Removable
    H: is CDROM (CDFS)
    I: is CDROM ()
    J: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_81BC1043&REV_A3\3&2411E6FE&0&51
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_81BC1043&REV_A3\3&2411E6FE&0&51
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&DC268A3&0&3880
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&DC268A3&0&3880
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Other PCI Bridge Device
    Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_82211043&REV_A3\3&2411E6FE&0&A0
    Manufacturer:
    Name: Other PCI Bridge Device
    PNP Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_82211043&REV_A3\3&2411E6FE&0&A0
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\ATK0110\1010110
    Manufacturer:
    Name:
    PNP Device ID: ACPI\ATK0110\1010110
    Service:
    .
    ==== System Restore Points ===================
    .
    RP1: 05/03/2011 05:39:43 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Avira AntiVir Personal - Free Antivirus
    Call of Duty(R) 4 - Modern Warfare(TM)
    Entropia Universe
    Google Chrome
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB981793)
    Java Auto Updater
    Java(TM) 6 Update 24
    Malwarebytes' Anti-Malware
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    NVIDIA Control Panel 266.58
    NVIDIA Graphics Driver 266.58
    NVIDIA Install Application
    NVIDIA nView 135.50
    NVIDIA nView Desktop Manager
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2482017)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Spybot - Search & Destroy
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 8.0 CRT (x86) WinSXS MSM
    Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
    web'n'walk USB manager
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows XP Service Pack 3
    ZoneAlarm
    ZoneAlarm Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    05/03/2011 11:52:31, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    05/03/2011 11:52:26, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
    05/03/2011 11:52:03, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
    05/03/2011 11:51:55, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
    05/03/2011 11:51:52, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
    04/03/2011 11:18:30, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 7 for Windows XP.
    04/03/2011 00:08:45, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    04/03/2011 00:08:45, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    03/03/2011 19:55:04, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
    03/03/2011 19:55:04, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Srennoc\LOCALS~1\Temp\schk.tmp. Reference error message: The operation completed successfully. .
    03/03/2011 19:55:04, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    03/03/2011 18:49:11, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
    03/03/2011 10:09:38, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
    03/03/2011 09:52:20, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    03/03/2011 09:52:20, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Srennoc\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    03/03/2011 09:52:20, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    .
    ==== End Of File ===========================


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Srennoc at 0:15:44.25 on 07/03/2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1678 [GMT -8:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\internet stuff\Avira\AntiVir Desktop\avguard.exe
    C:\internet stuff\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\internet stuff\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program anti\avajff\bin\jqs.exe
    C:\internet stuff\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Documents and Settings\Srennoc\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\prograzs\earcestroy\SDHelper.dll
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
    TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SpybotSD TeaTimer] c:\prograzs\earcestroy\TeaTimer.exe
    mRun: [avgnt] "c:\internet stuff\avira\antivir desktop\avgnt.exe" /min
    mRun: [ZoneAlarm Client] "c:\program anti\abs\zonealarm\zlclient.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\progra\tes' anti-malware\mbamgui.exe /install /silent
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\prograzs\earcestroy\SDHelper.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1299198266453
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\internet stuff\avira\antivir desktop\avgio.sys [2011-3-3 11608]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-3-3 532224]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\internet stuff\avira\antivir desktop\sched.exe [2011-3-3 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\internet stuff\avira\antivir desktop\avguard.exe [2011-3-3 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-3 61960]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-2-15 26872]
    S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\b.tmp --> c:\windows\system32\B.tmp [?]
    S4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-2-15 488952]
    .
    =============== Created Last 30 ================
    .
    2011-03-07 07:24:03 -------- d-----w- c:\docume~1\srennoc\applic~1\Malwarebytes
    2011-03-07 07:23:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-07 07:23:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-07 07:23:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-07 07:23:24 -------- d-----w- C:\Progra
    2011-03-05 15:52:17 -------- d-----w- C:\Progrtn
    2011-03-05 13:47:33 -------- d-sha-r- C:\cmdcons
    2011-03-05 13:39:41 98816 ----a-w- c:\windows\sed.exe
    2011-03-05 13:39:41 89088 ----a-w- c:\windows\MBR.exe
    2011-03-05 13:39:41 256512 ----a-w- c:\windows\PEV.exe
    2011-03-05 13:39:41 161792 ----a-w- c:\windows\SWREG.exe
    2011-03-04 20:25:44 -------- d-----w- c:\windows\Entropia Universe
    2011-03-04 20:25:44 -------- d-----w- c:\program files\Entropia Universe
    2011-03-04 20:19:56 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2011-03-04 19:32:18 -------- d-----w- c:\program files\Activision
    2011-03-04 19:09:42 -------- d-sh--w- c:\windows\ftpcache
    2011-03-04 07:53:41 221184 ----a-w- c:\windows\system32\wmpns.dll
    2011-03-04 07:49:21 -------- d-----w- C:\Prograzs
    2011-03-04 07:39:31 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2011-03-04 07:39:28 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2011-03-04 07:39:28 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2011-03-04 07:39:05 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2011-03-04 07:37:45 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2011-03-04 06:49:26 -------- d-----w- c:\windows\pss
    2011-03-04 06:20:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
    2011-03-04 06:17:55 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-03-04 06:16:43 -------- d-----w- C:\videenis
    2011-03-04 05:53:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-04 05:53:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-04 04:29:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-03-04 04:12:03 -------- d-----w- c:\docume~1\srennoc\locals~1\applic~1\Temp
    2011-03-04 04:11:14 -------- d-----w- c:\docume~1\srennoc\locals~1\applic~1\Google
    2011-03-04 04:10:39 -------- d-----w- C:\Stuff
    2011-03-04 03:57:04 -------- d-----w- c:\docume~1\srennoc\applic~1\CheckPoint
    2011-03-04 03:56:29 -------- d-----w- c:\docume~1\srennoc\locals~1\applic~1\Conduit
    2011-03-04 03:56:28 -------- d-----w- c:\program files\ZoneAlarm_Security
    2011-03-04 03:56:28 -------- d-----w- c:\program files\Conduit
    2011-03-04 03:56:28 -------- d-----w- c:\docume~1\srennoc\locals~1\applic~1\ZoneAlarm_Security
    2011-03-04 03:55:11 -------- d-----w- c:\program files\CheckPoint
    2011-03-04 03:54:47 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2011-03-04 03:54:46 -------- d-----w- c:\windows\system32\ZoneLabs
    2011-03-04 03:54:12 -------- d-----w- C:\Program anti
    2011-03-04 03:25:04 -------- d-----w- c:\windows\system32\scripting
    2011-03-04 03:25:03 -------- d-----w- c:\windows\l2schemas
    2011-03-04 03:25:02 -------- d-----w- c:\windows\system32\en
    2011-03-04 03:21:05 -------- d-----w- c:\windows\network diagnostic
    2011-03-04 02:19:11 -------- d-----w- c:\program files\Zone Labs
    2011-03-04 02:18:37 -------- d-----w- c:\windows\Internet Logs
    2011-03-04 00:35:54 26488 ----a-w- c:\windows\system32\spupdsvc.exe
    2011-03-04 00:35:54 -------- d-----w- c:\windows\system32\PreInstall
    2011-03-04 00:35:53 -------- d--h--w- c:\windows\$hf_mig$
    2011-03-04 00:35:24 -------- d-----w- c:\windows\system32\bits
    2011-03-04 00:34:07 8192 ------w- c:\windows\system32\bitsprx2.dll
    2011-03-04 00:34:07 7168 ------w- c:\windows\system32\bitsprx3.dll
    2011-03-04 00:34:07 438784 ------w- c:\windows\system32\xpob2res.dll
    2011-03-04 00:34:07 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-03-04 00:34:07 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
    2011-03-04 00:25:31 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
    2011-03-04 00:25:31 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
    2011-03-04 00:25:31 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2011-03-04 00:25:31 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2011-03-04 00:25:31 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2011-03-04 00:03:11 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-03-03 23:56:49 88960 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
    2011-03-03 23:56:49 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
    2011-03-03 23:56:33 -------- d-----w- C:\internet stuff
    2011-03-03 18:21:59 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
    2011-03-03 18:08:42 -------- d-----w- c:\windows\system32\NtmsData
    2011-03-03 18:00:55 -------- d-----w- c:\docume~1\srennoc\applic~1\Avira
    2011-03-03 17:54:28 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-03 17:54:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2011-03-03 17:53:18 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-03-03 17:52:57 357248 -c----w- c:\windows\system32\dllcache\srv.sys
    2011-03-03 17:52:03 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-03-03 17:51:57 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2011-03-03 17:51:57 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2011-03-03 17:51:53 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2011-03-03 17:51:47 293376 ------w- c:\windows\system32\browserchoice.exe
    2011-03-03 17:51:41 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2011-03-03 17:51:28 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
    2011-03-03 17:51:26 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2011-03-03 17:51:21 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2011-03-03 17:51:07 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2011-03-03 17:49:53 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
    2011-03-03 17:49:52 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
    2011-03-03 17:49:52 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2011-03-03 17:49:52 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2011-03-03 17:49:52 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2011-03-03 17:49:52 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2011-03-03 17:49:52 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2011-03-03 17:49:51 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2011-03-03 17:49:51 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2011-03-03 17:49:50 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2011-03-03 17:49:50 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2011-03-03 17:49:49 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2011-03-03 17:37:34 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
    2011-03-03 17:37:09 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2011-03-03 17:37:05 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
    2011-03-03 17:36:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-03-03 17:36:31 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2011-03-03 17:28:32 -------- d-----w- c:\windows\system32\wbem\AutoRecover
    2011-03-03 17:23:36 -------- d-----w- c:\windows\peernet
    2011-03-03 17:23:35 -------- d-----w- c:\windows\provisioning
    2011-03-03 17:22:44 -------- d-----w- c:\windows\ServicePackFiles
    2011-03-03 17:21:26 -------- d-----w- c:\windows\system32\ReinstallBackups
    2011-03-03 17:19:27 -------- d-----w- c:\windows\EHome
    2011-03-03 17:14:13 11264 ------w- c:\windows\system32\spnpinst.exe
    .
    ==================== Find3M ====================
    .
    2011-03-04 06:18:53 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-03-04 06:18:53 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-03-04 06:18:49 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-08 03:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
    2011-01-08 03:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
    2011-01-08 03:27:00 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
    2011-01-08 03:27:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2011-01-08 03:27:00 4980736 ----a-w- c:\windows\system32\nvcuda.dll
    2011-01-08 03:27:00 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-01-08 03:27:00 2292678 ----a-w- c:\windows\system32\nvdata.bin
    2011-01-08 03:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-01-08 03:27:00 1958400 ----a-w- c:\windows\system32\nvapi.dll
    2011-01-08 03:27:00 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
    2011-01-08 03:27:00 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 22:15:52 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 22:15:52 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-12-20 22:15:51 81920 ------w- c:\windows\system32\ieencode.dll
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 15:30:29 369664 ------w- c:\windows\system32\html.iec
    2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    ============= FINISH: 0:17:14.60 ===============
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay then, let's go on. In the previous thread, you mentioned a concern about a possibly infected flash drive. Let's be sure to handle that: Don't use the flash drive on the system until it's been disinfected.
    These worms can travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    1. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    2. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    3. Wait until it has finished scanning and then exit the program.
    4. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    ==========================================
    I'd like to ask you about some directories. It's my job to know what's in them and that they are safe, or find malware and remove it. I see these in the log and ask if you know what you put in them:
    C:\Progra
    C:\Progrtn
    C:\cmdcons
    C:\Prograzs
    C:\videenis
    C:\Program anti

    There are also 2 others and I don't want to open them with script and have a gazillion files showing!
    C:\Stuff
    C:\internet stuff

    If you set these up and know the contents, no problem, although I would have suggested sub-folders rather than entire Directories.
    =============================================
    Go ahead with this now: Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    You probably already got the Recovery Console so Combofix will skip that and go right on to the scan.
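    The Flash_Disinfector note above relies on one detail of how autorun worms spread: Windows reads a file named autorun.inf from the root of a removable drive, and a folder occupying that name stops a worm from dropping its own. The script below is an added example written for this thread, not part of the original post and not Flash_Disinfector's own code. It classifies the autorun.inf entry at a drive root as absent, protected (a folder) or a real file, and for a real file parses the [autorun] section to report which keys would launch something, so a helper can see what an infected stick was trying to run. The sample drive roots it builds in a temporary directory are constructed for the demonstration; the protect_drive helper is a simplification that only creates a plain folder (Flash_Disinfector also hides it and makes it hard to delete).

```python
"""Triage the autorun.inf entry at the root of a drive (added example for this thread)."""
import configparser
import tempfile
from pathlib import Path

# [autorun] keys that cause AutoPlay/AutoRun to execute something.
LAUNCH_KEYS = ("open", "shellexecute")


def classify_autorun(drive_root):
    """Describe the autorun.inf entry at drive_root.

    state is 'absent' (nothing there), 'protected' (a folder occupies the name,
    as the Flash_Disinfector note describes) or 'file' (a real autorun.inf).
    For a real file, launches lists the (key, value) pairs that would run a program,
    and parse_error is True when the file is not a parseable INI (worms sometimes
    pad autorun.inf with junk to defeat simple parsers; treat that as suspicious too).
    """
    entry = Path(drive_root) / "autorun.inf"
    if not entry.exists():
        return {"state": "absent", "launches": [], "parse_error": False}
    if entry.is_dir():
        return {"state": "protected", "launches": [], "parse_error": False}
    result = {"state": "file", "launches": [], "parse_error": False}
    # interpolation=None keeps '%' literal; strict=False tolerates duplicate keys.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(entry.read_text(errors="replace"))
    except configparser.Error:
        result["parse_error"] = True
        return result
    for section in parser.sections():
        if section.lower() != "autorun":  # section names are case-sensitive in configparser
            continue
        for key, value in parser.items(section):  # keys are already lower-cased
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                result["launches"].append((key, value.strip()))
    return result


def protect_drive(drive_root):
    """Create a placeholder autorun.inf folder if the name is free (simplified version
    of what the thread's Flash_Disinfector note describes). Returns True if created."""
    entry = Path(drive_root) / "autorun.inf"
    if entry.exists():
        return False
    entry.mkdir()
    return True


def demo():
    """Build constructed drive roots in a temp dir and classify each one."""
    samples = {
        "clean": None,                       # no autorun.inf at all
        "protected": "dir",                  # placeholder folder already present
        "worm_style": (                      # constructed file in the style of an autorun worm
            "[autorun]\n"
            "open=setup.exe\n"
            "shellexecute=setup.exe\n"
            "shell\\open\\command=setup.exe\n"
        ),
        "malformed": "open=x.exe\n",         # no section header: not valid INI
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            root = Path(tmp) / name
            root.mkdir()
            if content == "dir":
                (root / "autorun.inf").mkdir()
            elif content is not None:
                (root / "autorun.inf").write_text(content)
            results[name] = classify_autorun(root)
        # Protect the clean root, then confirm it now classifies as protected.
        clean = Path(tmp) / "clean"
        results["clean_after_protect"] = {"created": protect_drive(clean), **classify_autorun(clean)}
        # Protecting an already-protected root is a no-op.
        results["protected_again"] = {"created": protect_drive(Path(tmp) / "protected")}
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name:20s} {info}")
```

    On a real machine you would call classify_autorun("E:\\") for each removable drive letter listed in the DDS "Disk Partitions" section. Note that the KB971029 update shown in this thread's Installed Programs list already restricts AutoRun for non-optical media on XP, so the folder is a second layer, not the only one.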
     
  3. Conners

    Conners TS Rookie Topic Starter Posts: 29

    ComboFix

    Hi, I installed those things in those places on the drive to see if it made any difference to my issues.
    c:\Progra = Malwarebytes
    c:\progrtn = empty directory (did have a malware scanner in there)
    c:\cmdcons = don't know what this is :S It has a system32 folder and an ntdetect application.
    c:\prograzs = Spybot Search and Destroy
    c:\videenis = display driver software
    c:\Program anti = Java and ZoneAlarm
    c:\internet stuff = T-Mobile web'n'walk software (not sure if that software has been hijacked in some way)
    c:\stuff = that only has Google Chrome setup files in it, I think

    thanks again

    ComboFix 11-03-06.06 - Srennoc 07/03/2011 16:06:16.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1746 [GMT -8:00]
    Running from: c:\documents and settings\Srennoc\Desktop\ComboFix.exe
    FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-07 07:23 . 2011-03-07 07:23 -------- d-----w- C:\Progra
    2011-03-05 15:52 . 2011-03-05 15:52 -------- d-----w- C:\Progrtn
    2011-03-04 06:16 . 2011-03-04 06:16 -------- d-----w- C:\videenis
    2011-03-04 04:10 . 2011-03-04 04:11 -------- d-----w- C:\Stuff
    2011-03-03 23:56 . 2011-03-03 17:54 -------- d-----w- C:\internet stuff
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsel.dll
    2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsesm.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsth.dll
    2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrseng.dll
    2011-01-08 03:58 . 2011-01-08 03:58 126976 ----a-w- c:\windows\system32\nvrszht.dll
    2011-01-08 03:58 . 2011-01-08 03:58 331776 ----a-w- c:\windows\system32\nvrshe.dll
    2011-01-08 03:58 . 2011-01-08 03:58 286720 ----a-w- c:\windows\system32\nvrsfr.dll
    2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsnl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsru.dll
    2011-01-08 03:58 . 2011-01-08 03:58 262144 ----a-w- c:\windows\system32\nvrshu.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsda.dll
    2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrsfi.dll
    2011-01-08 03:58 . 2011-01-08 03:58 229376 ----a-w- c:\windows\system32\nvrszhc.dll
    2011-01-08 03:58 . 2011-01-08 03:58 335872 ----a-w- c:\windows\system32\nvrsar.dll
    2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrses.dll
    2011-01-08 03:58 . 2011-01-08 03:58 278528 ----a-w- c:\windows\system32\nvrsde.dll
    2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsptb.dll
    2011-01-08 03:58 . 2011-01-08 03:58 266240 ----a-w- c:\windows\system32\nvrsko.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrstr.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssk.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrssv.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsno.dll
    2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrscs.dll
    2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsit.dll
    2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrspt.dll
    2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsja.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrspl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2011-01-08 03:58 . 2011-01-08 03:58 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
    2011-01-08 03:58 . 2011-01-08 03:58 277608 ----a-w- c:\windows\system32\nvmccs.dll
    2011-01-08 03:58 . 2011-01-08 03:58 156776 ----a-w- c:\windows\system32\nvsvc32.exe
    2011-01-08 03:58 . 2011-01-08 03:58 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2011-01-08 03:58 . 2011-01-08 03:58 13880424 ----a-w- c:\windows\system32\nvcpl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 111208 ----a-w- c:\windows\system32\nvmctray.dll
    2011-01-08 03:27 . 2004-08-04 07:56 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
    2011-01-08 03:27 . 2004-08-04 05:29 9888672 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2011-01-07 14:09 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2003-03-31 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 22:15 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 22:15 . 2003-03-31 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-12-20 22:15 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
    2010-12-20 17:26 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 15:30 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2003-03-31 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2003-03-31 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2002-08-29 01:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    2010-12-01 19:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\prograzs\earcestroy\TeaTimer.exe" [2009-03-06 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client"="c:\program anti\abs\ZoneAlarm\zlclient.exe" [2011-02-19 1043968]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "IswSvc"=2 (0x2)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    "nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    "ZoneAlarm Client"="c:\program anti\abs\ZoneAlarm\zlclient.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [15/02/2011 07:25 26872]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
    S4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [15/02/2011 07:25 488952]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004Core.job
    - c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
    .
    2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004UA.job
    - c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-07 16:13
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\B.tmp"
    .
    Completion time: 2011-03-07 16:16:58
    ComboFix-quarantined-files.txt 2011-03-08 00:16
    .
    Pre-Run: 381,458,681,856 bytes free
    Post-Run: 381,450,944,512 bytes free
    .
    - - End Of File - - B61DFCEDD93C2C43D98DC0B1B639F682
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please check the Combofix log- I think there are some additional entry sections at the bottom.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\B.tmp
    Registry::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    Driver::
    MEMSWEEP2
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I strongly advise you not to create new directories as you did. This is more of a file/folder setup. For instance, in My Docs & Settings:
    Create a folder: name it something like testings. Then create sub-folders as needed for names like> Security test, etc. You have the desktop for the cleaning scans and/or directories when indicated. Anyone who helps you with a problem in the system is going to have to ask the same thing.
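    The entries Bobbye picks out of the ComboFix log above (a service whose image is a .tmp file under system32, autostarts living in relocated directories) can be pulled out mechanically. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses a constructed excerpt modelled on the posted log and builds the same File::/Registry::/Driver:: sections as the CFScript in this reply. The excerpt, the heuristics and the function names are the example's own.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above in this thread.
# It is sample input for this example only, not a complete log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program anti\abs\ZoneAlarm\zlclient.exe" [2011-02-19 1043968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
.
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [15/02/2011 07:25 26872]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
S4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [15/02/2011 07:25 488952]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B.tmp"
"""

# Roots a stock XP install keeps its programs under; anything else deserves a question
# (this is the point Bobbye makes about the user's home-made directories).
STANDARD_ROOTS = (r"c:\windows", r"c:\program files", r"c:\documents and settings")

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")   # "R2 name;display;image [date size]"
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                     # "name"=value [date size]
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")                  # the trailing [...] annotation


def normalise_path(path):
    """Strip the NT '\\??\\' prefix ComboFix shows on raw ImagePath values."""
    path = path.strip()
    return path[4:] if path.startswith("\\??\\") else path


def executable_from_value(value):
    """Pull the program path out of a Run/ImagePath value as ComboFix prints it."""
    value = TRAILER_RE.sub("", value.strip())
    if value.lower().startswith("rundll32.exe "):       # the DLL is what matters
        value = value[len("rundll32.exe "):]
    if value.startswith('"'):
        return normalise_path(value[1:value.index('"', 1)])
    return normalise_path(re.split(r" /|,", value)[0])  # cut at first switch/argument


def parse_services(log):
    """Return (start_type, name, image_path, file_found) for each R*/S* line."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group(4)
        found = not rest.rstrip().endswith("[?]")       # "[?]": ComboFix could not stat the file
        image = TRAILER_RE.sub("", rest)
        if " --> " in image:                             # "<raw ImagePath> --> <resolved path>"
            image = image.split(" --> ")[-1]
        services.append((m.group(1), m.group(2), normalise_path(image), found))
    return services


def parse_registry_values(log):
    """Return (key, value_name, raw_value) for each "name"=value line under a [key] header."""
    key, entries = None, []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(2)))
    return entries


def review(log):
    """Flag what a helper queries first: autostarts living outside the standard
    roots, and services whose image is a .tmp file or could not be found."""
    findings = []
    for key, name, raw in parse_registry_values(log):
        if "currentversion\\run" not in key.lower():
            continue
        exe = executable_from_value(raw)
        if not exe.lower().startswith(STANDARD_ROOTS):
            findings.append(("nonstandard-path", name, exe))
    for _, name, image, found in parse_services(log):
        if image.lower().endswith(".tmp") or not found:
            findings.append(("tmp-or-missing-image", name, image))
    return findings


def cfscript_for_service(log, name):
    """Build the File::/Registry::/Driver:: sections of a CFScript that removes one
    service, in the format used in this thread."""
    images = [img for _, n, img, _ in parse_services(log) if n.lower() == name.lower()]
    keys = [k for k, v, _ in parse_registry_values(log)
            if v == "ImagePath" and k.lower().endswith("\\services\\" + name.lower())]
    lines = ["File::", *images, "Registry::", *("[%s]" % k for k in keys), "Driver::", name]
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, name, path in review(SAMPLE_LOG):
        print("%-22s %-16s %s" % (kind, name, path))
    print(cfscript_for_service(SAMPLE_LOG, "MEMSWEEP2"))
```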
     
  5. Conners

    Conners TS Rookie Topic Starter Posts: 29

    Hi Bobbye, thanks again lol ;) I have run that script through ComboFix; the log is below. And I have checked the other log and I missed nothing off the end; that is all that is saved.
    And about making those directories, I don't usually do that, but I read somewhere that some virus/spyware/trojan/dialer/worm, whatever it is that I have lol, searches for specific directories that they know are used for antivirus applications, so I thought I'd put them somewhere else.
    I could always reformat again if it would be better; I've lost my data now lol.
    Thanks again and let me know what is needed next. Take care.


    ComboFix 11-03-06.06 - Srennoc 08/03/2011 20:07:03.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1765 [GMT -8:00]
    Running from: c:\documents and settings\Srennoc\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Srennoc\Desktop\CFScript.txt
    FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    FILE ::
    "c:\windows\system32\B.tmp"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    -------\Legacy_MEMSWEEP2
    -------\Service_MEMSWEEP2
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-07 07:23 . 2011-03-07 07:23 -------- d-----w- C:\Progra
    2011-03-05 15:52 . 2011-03-05 15:52 -------- d-----w- C:\Progrtn
    2011-03-04 06:16 . 2011-03-04 06:16 -------- d-----w- C:\videenis
    2011-03-04 04:10 . 2011-03-04 04:11 -------- d-----w- C:\Stuff
    2011-03-03 23:56 . 2011-03-03 17:54 -------- d-----w- C:\internet stuff
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsel.dll
    2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsesm.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsth.dll
    2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrseng.dll
    2011-01-08 03:58 . 2011-01-08 03:58 126976 ----a-w- c:\windows\system32\nvrszht.dll
    2011-01-08 03:58 . 2011-01-08 03:58 331776 ----a-w- c:\windows\system32\nvrshe.dll
    2011-01-08 03:58 . 2011-01-08 03:58 286720 ----a-w- c:\windows\system32\nvrsfr.dll
    2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsnl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsru.dll
    2011-01-08 03:58 . 2011-01-08 03:58 262144 ----a-w- c:\windows\system32\nvrshu.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsda.dll
    2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrsfi.dll
    2011-01-08 03:58 . 2011-01-08 03:58 229376 ----a-w- c:\windows\system32\nvrszhc.dll
    2011-01-08 03:58 . 2011-01-08 03:58 335872 ----a-w- c:\windows\system32\nvrsar.dll
    2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrses.dll
    2011-01-08 03:58 . 2011-01-08 03:58 278528 ----a-w- c:\windows\system32\nvrsde.dll
    2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsptb.dll
    2011-01-08 03:58 . 2011-01-08 03:58 266240 ----a-w- c:\windows\system32\nvrsko.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrstr.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssk.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrssv.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsno.dll
    2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrscs.dll
    2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsit.dll
    2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrspt.dll
    2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsja.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrspl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2011-01-08 03:58 . 2011-01-08 03:58 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
    2011-01-08 03:58 . 2011-01-08 03:58 277608 ----a-w- c:\windows\system32\nvmccs.dll
    2011-01-08 03:58 . 2011-01-08 03:58 156776 ----a-w- c:\windows\system32\nvsvc32.exe
    2011-01-08 03:58 . 2011-01-08 03:58 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2011-01-08 03:58 . 2011-01-08 03:58 13880424 ----a-w- c:\windows\system32\nvcpl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 111208 ----a-w- c:\windows\system32\nvmctray.dll
    2011-01-08 03:27 . 2004-08-04 07:56 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
    2011-01-08 03:27 . 2004-08-04 05:29 9888672 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2011-01-07 14:09 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2003-03-31 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 22:15 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 22:15 . 2003-03-31 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-12-20 22:15 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
    2010-12-20 17:26 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 15:30 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2003-03-31 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2003-03-31 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2002-08-29 01:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-08_00.13.52 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-09 04:15 . 2011-03-09 04:15 16384 c:\windows\Temp\Perflib_Perfdata_4a0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    2010-12-01 19:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\prograzs\earcestroy\TeaTimer.exe" [2009-03-06 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "IswSvc"=2 (0x2)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    "nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    "ZoneAlarm Client"="c:\program anti\abs\ZoneAlarm\zlclient.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [15/02/2011 07:25 26872]
    S4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [15/02/2011 07:25 488952]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004Core.job
    - c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
    .
    2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004UA.job
    - c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-08 20:15
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program anti\avajff\bin\jqs.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-08 20:20:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-09 04:19
    ComboFix2.txt 2011-03-08 00:17
    .
    Pre-Run: 381,133,410,304 bytes free
    Post-Run: 381,092,958,208 bytes free
    .
    - - End Of File - - F24E51BC10BA9C0D0F349A0147696F6E
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'd like to get Zone Alarm out of the picture> there are way too many entries for a firewall, including one Beta program in testing:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\CheckPoint\ZAForceField\ISWKL.sys
    c:\program files\CheckPoint\ZAForceField\ISWSVC.exe
    
    DDS::
    uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
    TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [ZoneAlarm Client] "c:\program anti\abs\zonealarm\zlclient.exe"
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"=- 
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"=-
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"=- 
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ZoneAlarm Client"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    Driver::
    ISWKL
    IswSvc
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into your next reply.
    ====================
    This is essentially shutting Zone Alarm down and removing all its toolbars. It may protest since it's a security program. If it does, run the script in Safe Mode.
    ====================
    With ZA down, run a new Eset scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
     
  7. Conners

    Conners TS Rookie Topic Starter Posts: 29

    Hi mate. Here is the ComboFix log; I will scan now with the other and post as soon as it's done.


    ComboFix 11-03-06.06 - Srennoc 10/03/2011 21:19:10.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1765 [GMT -8:00]
    Running from: c:\documents and settings\Srennoc\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Srennoc\Desktop\CFScript.txt
    FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    * Created a new restore point
    .
    FILE ::
    "c:\program files\CheckPoint\ZAForceField\ISWKL.sys"
    "c:\program files\CheckPoint\ZAForceField\ISWSVC.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program anti\abs\zonealarm\zlclient.exe
    c:\program files\CheckPoint\ZAForceField\ISWKL.sys
    c:\program files\CheckPoint\ZAForceField\ISWSVC.exe
    c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    c:\program files\zonealarm_security\tbZone.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    -------\Legacy_ISWKL
    -------\Legacy_ISWSVC
    -------\Service_ISWKL
    -------\Service_IswSvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-11 to 2011-03-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-07 07:23 . 2011-03-07 07:23 -------- d-----w- C:\Progra
    2011-03-05 15:52 . 2011-03-05 15:52 -------- d-----w- C:\Progrtn
    2011-03-04 06:16 . 2011-03-04 06:16 -------- d-----w- C:\videenis
    2011-03-04 04:10 . 2011-03-04 04:11 -------- d-----w- C:\Stuff
    2011-03-03 23:56 . 2011-03-03 17:54 -------- d-----w- C:\internet stuff
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsel.dll
    2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsesm.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsth.dll
    2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrseng.dll
    2011-01-08 03:58 . 2011-01-08 03:58 126976 ----a-w- c:\windows\system32\nvrszht.dll
    2011-01-08 03:58 . 2011-01-08 03:58 331776 ----a-w- c:\windows\system32\nvrshe.dll
    2011-01-08 03:58 . 2011-01-08 03:58 286720 ----a-w- c:\windows\system32\nvrsfr.dll
    2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrsnl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsru.dll
    2011-01-08 03:58 . 2011-01-08 03:58 262144 ----a-w- c:\windows\system32\nvrshu.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsda.dll
    2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrsfi.dll
    2011-01-08 03:58 . 2011-01-08 03:58 229376 ----a-w- c:\windows\system32\nvrszhc.dll
    2011-01-08 03:58 . 2011-01-08 03:58 335872 ----a-w- c:\windows\system32\nvrsar.dll
    2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrses.dll
    2011-01-08 03:58 . 2011-01-08 03:58 278528 ----a-w- c:\windows\system32\nvrsde.dll
    2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsptb.dll
    2011-01-08 03:58 . 2011-01-08 03:58 266240 ----a-w- c:\windows\system32\nvrsko.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrstr.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrssk.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrssv.dll
    2011-01-08 03:58 . 2011-01-08 03:58 253952 ----a-w- c:\windows\system32\nvrsno.dll
    2011-01-08 03:58 . 2011-01-08 03:58 249856 ----a-w- c:\windows\system32\nvrscs.dll
    2011-01-08 03:58 . 2011-01-08 03:58 282624 ----a-w- c:\windows\system32\nvrsit.dll
    2011-01-08 03:58 . 2011-01-08 03:58 274432 ----a-w- c:\windows\system32\nvrspt.dll
    2011-01-08 03:58 . 2011-01-08 03:58 270336 ----a-w- c:\windows\system32\nvrsja.dll
    2011-01-08 03:58 . 2011-01-08 03:58 258048 ----a-w- c:\windows\system32\nvrspl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2011-01-08 03:58 . 2011-01-08 03:58 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
    2011-01-08 03:58 . 2011-01-08 03:58 277608 ----a-w- c:\windows\system32\nvmccs.dll
    2011-01-08 03:58 . 2011-01-08 03:58 156776 ----a-w- c:\windows\system32\nvsvc32.exe
    2011-01-08 03:58 . 2011-01-08 03:58 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2011-01-08 03:58 . 2011-01-08 03:58 13880424 ----a-w- c:\windows\system32\nvcpl.dll
    2011-01-08 03:58 . 2011-01-08 03:58 111208 ----a-w- c:\windows\system32\nvmctray.dll
    2011-01-08 03:27 . 2004-08-04 07:56 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
    2011-01-08 03:27 . 2004-08-04 05:29 9888672 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2011-01-07 14:09 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2003-03-31 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 22:15 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 22:15 . 2003-03-31 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-12-20 22:15 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
    2010-12-20 17:26 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 15:30 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-08_00.13.52 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-11 05:27 . 2011-03-11 05:27 16384 c:\windows\Temp\Perflib_Perfdata_4a4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\prograzs\earcestroy\TeaTimer.exe" [2009-03-06 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "IswSvc"=2 (0x2)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    "nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004Core.job
    - c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
    .
    2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004UA.job
    - c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-10 21:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program anti\avajff\bin\jqs.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-10 21:32:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-11 05:32
    ComboFix2.txt 2011-03-09 04:20
    ComboFix3.txt 2011-03-08 00:17
    .
    Pre-Run: 380,916,813,824 bytes free
    Post-Run: 380,907,499,520 bytes free
    .
    - - End Of File - - C1778F2A8858A7222B6530B596D6296C
     
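The "Reg Loading Points" and "Scheduled Tasks" sections of the ComboFix log above are the launch points a responder checks by hand before trusting a "clean" verdict. The script below is an added example, not code from this thread, from ComboFix or from TechSpot: it parses those two sections and flags entries that start from a user-writable or Temp path. The sample log is constructed from entries shown above; the "Updater" value is a hypothetical added to show what a Temp-folder autostart looks like and is not in the posted log. The regexes and path heuristics are this example's own assumptions about the log layout, not a ComboFix specification. One detail worth knowing when reading the log: the keys ending in `run-` are where MSConfig moves startup items it has disabled, so those entries are not active.

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the thread, ComboFix or TechSpot.  It pulls the
# launch points out of the "Reg Loading Points" and "Scheduled Tasks" sections
# of a ComboFix log and flags the ones a responder would inspect first.  The
# regexes and path heuristics are this example's own assumptions about the
# log layout, not a ComboFix specification.

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
JOB_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\.job)$')
TASK_RE = re.compile(r'^-\s+(?P<value>.*)$')
# First Windows path in a value that ends in an executable-type extension.
PATH_RE = re.compile(r'(?i)[a-z]:\\.*?\.(?:exe|dll|ocx|scr|bat|cmd|vbs|js)\b')


@dataclass
class Entry:
    source: str                     # registry key, or the .job file path
    name: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def disabled(self):
        # MSConfig moves startup items it has disabled to a key with a
        # trailing "-" (Run-); ComboFix lists those keys verbatim.
        return self.source.lower().endswith('run-')


def parse_combofix(text):
    """Return an Entry for every launch point ComboFix listed, in log order."""
    entries, section, key, job = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if 'Reg Loading Points' in line:
            section = 'reg'
        elif line.startswith("Contents of the 'Scheduled Tasks' folder"):
            section = 'tasks'
        elif line.startswith('------- Supplementary Scan'):
            section = None
        elif section == 'reg':
            m = KEY_RE.match(line)
            if m:
                key = m.group('key')
                continue
            m = VALUE_RE.match(line)
            if m and key:
                p = PATH_RE.search(m.group('value'))
                if p:
                    entries.append(Entry(key, m.group('name'), p.group(0)))
        elif section == 'tasks':
            m = JOB_RE.match(line)
            if m:
                job = m.group('job')
                continue
            m = TASK_RE.match(line)
            if m and job:
                p = PATH_RE.search(m.group('value'))
                if p:
                    entries.append(Entry(job, job.rsplit('\\', 1)[-1], p.group(0)))
    return entries


def triage(entries):
    """Attach review reasons to every entry (idempotent) and return the same list."""
    for e in entries:
        e.reasons = []
        low = e.path.lower()
        if e.disabled:
            e.reasons.append('disabled by MSConfig (Run- key): not an active autostart')
        if '\\documents and settings\\' in low or '\\users\\' in low:
            e.reasons.append('launches from a user profile (user-writable location)')
        if '\\temp\\' in low:
            e.reasons.append('launches from a Temp folder')
        if not e.reasons:
            e.reasons.append('no heuristic hit')
    return entries


def suspicious(entries):
    """Active entries launching from user-writable or Temp paths: a review list, not a verdict."""
    return [e for e in triage(entries)
            if not e.disabled and any(r.startswith('launches') for r in e.reasons)]


# Constructed sample modelled on the log in the thread.  The "Updater" value is
# a hypothetical added to show a Temp-folder autostart; it is not in the posted log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"Updater"="c:\documents and settings\Srennoc\Local Settings\Temp\~nsu.tmp\Au_.exe"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1275210071-1801674531-1004Core.job
- c:\documents and settings\Srennoc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-04 04:11]
.
------- Supplementary Scan -------
"""

if __name__ == '__main__':
    for e in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{e.name:<14} {e.path}\n    {'; '.join(e.reasons)}")
```

The output is a review list, not a verdict: per-user installers such as Google Update legitimately run from `Local Settings\Application Data`, so a user-profile hit means "look at the file", while a Temp-folder hit on an active key is the one to treat as a real finding.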
  8. Conners

    Conners TS Rookie Topic Starter Posts: 29

OK, here are the new scan results. Also, when ComboFix ran it said it detected rootkit activity and had to restart. Hope I did this right and these tell you something. Thanks.


    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=432c7d36b2d13f458332a37577405307
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-11 06:35:12
    # local_time=2011-03-10 10:35:12 (-0800, Pacific Standard Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=29848
    # found=0
    # cleaned=0
    # scan_time=1800
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, the logs are clean. You can go ahead and reinstall Zone Alarm. What, if any, signs of persistent infection are you still having?
     
  10. Conners

    Conners TS Rookie Topic Starter Posts: 29

Redirecting in browsers and failure to connect most of the time.
Usage of my 2 GB download limit pretty much within minutes of buying new credit, even when I downloaded nothing.
My T-Mobile software shows I'm getting ten times the speed that it is actually letting me use to download.
Hidden folders that I can't see or access at all.
And when I connect to any games I could play before this started, it disconnects me instantly every time.

    :( :(
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There is no sign of malware. Please describe the 'redirect' precisely.

    The following problems should be addressed with T-Mobile and any ISP you have.
    As for this:
    If you can't see them or you can't access them, how do you know they are there?

    I'm not sure you're getting 'redirected'. You will need to further explain what is happening. I don't think you have a persistent infection- I think you're having connection problems due to the ISP and/or possibly settings on your system.
     
  12. Conners

    Conners TS Rookie Topic Starter Posts: 29

Before I formatted my HD, ZoneAlarm showed multiple programs running from C:\32788R22FWJFW and also in C:\documents and settings\srennoc\local settings\temp.

I know this isn't ISP related because there was a point when things worked fine; now it's all gone tits up.

Is there a way for people to compromise my whole Windows installation? Also, what does Windows NT do? My operating system is XP. Do I have to have NT things on an XP setup too?
Or a way to put hidden dialers in somewhere?
I've read the same problems on forums all over, but the threads either get closed or the people buy new computers.

Can I be going through a proxy server without my knowledge? I'll get in touch with my ISP, but I can't see it being that. I downloaded some old DOS games and I think this all started from one of them...

Any ideas would be appreciated, please.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well, you're throwing a lot at me, but I'll try to answer what I can:
    Regarding:
    This is a temp file and will be removed in a disc cleanup.
    I cannot identify srennoc but with a slight spelling change to rennoc I found this:
    http://www.myspace.com/connermiskowiec
    Is this you by chance?
    ===============================
    Regarding:
    Without anything following the end of the string, it's just a directory. Most commonly, it is for the Application.NirCmd which is a collection of third party tools packed in one executable that can be used to remove threats in an infected machine. However it can also be used by users with malicious intent to do a different activity. But I don't have enough information to identify it.
    ======================================
    Regarding:
    Yes, numerous ways.
    ===================================
    Regarding Windows NT:
    Windows NT is a family of operating systems produced by Microsoft:
    Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Home Server, Windows Server 2008, and Windows 7 are based on Windows NT, although they are not branded as Windows NT.
More information here: http://en.wikipedia.org/wiki/Windows_NT
    ====================================
    Regarding:
    Consider uninstalling these games and see if it makes a difference.
    =====================================
Again, I encourage you to get more information from T-Mobile and the ISP. It sounds like you are on some credit/speed plan and I can't help you with that.

As far as your comment about what was found before you reformatted, if it's not on the computer now, you should not be concerned.

    You are asking me fragmented questions out of context so I can only give you general answers.
     
  14. Conners

    Conners TS Rookie Topic Starter Posts: 29

Hi again. Thanks for trying to answer all my questions...
srennoc is my username and the Windows profile I use. I'm worried about the temporary folder and I'm pretty sure my Windows is compromised (can these viruses be stored in the BIOS or drivers?).
In ZoneAlarm I have found a program that isn't looking good. It is Au_.exe and it is stored here:
C:\Documents and Settings\Srennoc\Local Settings\temp\~nsu.tmp\Au_.exe. I researched it online and found this about it:

    Description: File Au_.exe is located in a subfolder of "C:\Documents and Settings". Known file sizes on Windows XP are 34717 bytes (10% of all occurrence), 111790 bytes, 60364 bytes, 51275 bytes, 102514 bytes, 62850 bytes, 189367 bytes, 36225 bytes, 65711 bytes, 125841 bytes.
    The program has no file description. The file is not a Windows system file. Au_.exe is able to monitor applications. Therefore the technical security rating is 32% dangerous.


    This is Spyware.SpyFalcon

    AU_EXE. Does.
    AU_.EXE has been seen to perform the following behavior(s):

    * This Process Deletes Other Processes From Disk
    * Executes Processes stored in Temporary Folders
    * Writes to another Process's Virtual Memory (Process Hijacking)
    * This Process Creates Other Processes On Disk
    * Executes a Process
    * Can communicate with other computer systems using HTTP protocols
    * Adds Products to the system registry
    * Deletes Links in the Start Menu
    * Registers a Dynamic Link Library File
    * This Process tampers with Vulnerable System Files and Settings
    * The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
    * Downloads hidden code from covert web sites
    * Creates new folders in the file system
    * Uses DNS to retrieve the IP address for web sites

I'm certain it isn't an ISP problem.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    On the other hand, only using Safe Sites:

    I'm certain it isn't SpyFalcon;
    ========================================
    I don't think you will be happy unless you reformat/reinstall.
    =======================================
It can make a big difference what site you search on.
    =================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

If the problem continues after the reformat/reinstall, please contact the ISP.
     
  16. Conners

    Conners TS Rookie Topic Starter Posts: 29

Hi mate, I have done all of those steps. Will it make any difference now compared to when I formatted last week? I still have the same issues. Since I deleted the restore point, do you think that it won't happen again when I format/reinstall?

This picture is of my USB modem software. Notice the graph. What is that happening? The connection was idle. Usually when idle I don't see any of those green/yellow spikes.

[image: USB modem software graph]

Should I reformat from the recovery console after booting from my Windows XP CD?
Thanks
     
  17. Conners

    Conners TS Rookie Topic Starter Posts: 29

I think I have found what is using my connection. Could it be vsmon.exe?
The file is a part of ZoneAlarm, but am I right in thinking it shouldn't be in the Windows folder?

It is in C:\windows\system32\zonelabs\vsmon.exe
and using NetLimiter 2 monitor I can see it constantly trying to connect to IP addresses, but then a red 'X' appears by the IP and it disappears.

I'm going to try and see who the IP addresses belong to. So far it has repeatedly tried to connect to 92.122.49.218:80 & 209.87.211.144:443 & also 77.67.21.34:80.

Any ideas would be appreciated. Cheers
     
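The observation in the post above (a process repeatedly opening connections that never complete) is the kind of thing worth checking with the built-in `netstat -ano` before reaching for a third-party monitor: it lists every socket with the owning PID, and repeated `SYN_SENT` rows to the same endpoint with no `ESTABLISHED` row mean the attempts are being dropped somewhere, which is consistent with a firewall or the network blocking them and is not by itself evidence of malware. The script below is an added example, not code from this thread, from NetLimiter or from ZoneAlarm: it parses `netstat -ano` output and summarises, per PID, which remote endpoints a process keeps trying to reach. The sample is constructed; the local addresses and PIDs are invented, and only the three remote addresses come from the post. Tying a PID back to an image (`tasklist`, or `netstat -b`) and looking up who owns the addresses (whois) are the follow-up steps, and they are not done offline here.

```python
import re
from collections import Counter, defaultdict

# Added example, not code from the thread or from NetLimiter/ZoneAlarm.  It
# parses "netstat -ano" output and groups outbound TCP sockets by owning PID
# so repeated half-open attempts to one endpoint stand out.
# Assumed row layout:  Proto  Local Address  Foreign Address  [State]  PID
NETSTAT_RE = re.compile(
    r'^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+'
    r'(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$')

# Constructed sample.  Local addresses and PIDs are invented; the three remote
# addresses are the ones reported in the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       972
  TCP    10.0.0.7:1041          92.122.49.218:80       SYN_SENT        1480
  TCP    10.0.0.7:1042          209.87.211.144:443     SYN_SENT        1480
  TCP    10.0.0.7:1043          92.122.49.218:80       SYN_SENT        1480
  TCP    10.0.0.7:1044          77.67.21.34:80         SYN_SENT        1480
  TCP    10.0.0.7:1050          92.122.49.218:80       ESTABLISHED     2216
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    return [m.groupdict() for m in map(NETSTAT_RE.match, text.splitlines()) if m]


def outbound_by_pid(rows):
    """PID -> Counter of (remote endpoint, state) for TCP rows that are not listeners."""
    out = defaultdict(Counter)
    for r in rows:
        if r['proto'] != 'TCP' or r['state'] in (None, 'LISTENING'):
            continue
        out[r['pid']][(r['remote'], r['state'])] += 1
    return out


def repeated_attempts(rows, min_count=2):
    """(pid, remote, n) for endpoints a single PID holds >= min_count half-open sockets to."""
    hits = []
    for pid, counter in outbound_by_pid(rows).items():
        for (remote, state), n in counter.items():
            if state == 'SYN_SENT' and n >= min_count:
                hits.append((pid, remote, n))
    return sorted(hits)


def established_for(rows, pid):
    """Remote endpoints the PID actually completed a handshake with."""
    return sorted(remote for (remote, state), _ in outbound_by_pid(rows)[pid].items()
                  if state == 'ESTABLISHED')


if __name__ == '__main__':
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, remote, n in repeated_attempts(rows):
        print(f"PID {pid}: {n} half-open attempts to {remote}, "
              f"established: {established_for(rows, pid) or 'none'}")
```

Read the result as a pointer, not a conclusion: PID 1480 in the sample never gets past `SYN_SENT`, which says the attempts are failing, while the same endpoint works for PID 2216, so the next question is what image owns 1480 and whether its traffic is supposed to be blocked.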
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    vsmon - vsmon.exe - Process Information
    Process File: vsmon or vsmon.exe
    Process Name: True Vector Internet Monitor
    Description: The True Vector Internet Monitor is a component of the ZoneAlarm Personal FireWall which monitors internet traffic and generates alerts

    The path is correct.

    We have finished cleaning any malware that was present. You are asking system-related questions now. It would be best if you started a new thread in the Windows OS forum. There are other processes they can check for you.

I think your main trouble is some lack of knowledge in not knowing what is running and what is supposed to run. Until you get some type of reference to assist you, you are going to continue to worry.

    I'm going to close this thread now.
     
Topic Status:
Not open for further replies.
