Browser hijacked


24 replies to this topic

#1 zoobie

    Member

  • Members
  • 14 posts

Posted 16 June 2008 - 12:14 AM

Hey -
I turned my back and a relative d/l'ed something onto my box. Looks like the browser's been hijacked. I've run Ad-Aware 2008 (updated) and just run HijackThis 2.02, and I'm waiting for further instructions per the forum directions.
Thx

Mod. Edit. Moved to appropriate forum. Please read this topic and then follow the instructions (ie post the results of the scan). Casey

my hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:45 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Documents and Settings\zoobie\Desktop\AnyPass.exe
C:\Documents and Settings\zoobie\Desktop\My Downloads\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buskeralley.com/
O2 - BHO: (no name) - {0DDF8B50-7F95-4A8C-B23D-93AB75769655} - c:\windows\system32\gdajlay.dll
O2 - BHO: (no name) - {61CFCCF2-D2A1-43CF-AE32-8B9843D58804} - C:\WINDOWS\system32\cmsetACLo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: xfvrwkmj - C:\WINDOWS\SYSTEM32\gdajlay.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4483 bytes

Mod.Edit/merged into one/Raziel

Edited by Raziel v. Nosgoth, 16 June 2008 - 08:26 AM.
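The log above is what the volunteers read by hand. As an added example (not code from the thread, from HijackThis or from its author), the Python below parses the R0, O2, O3 and O20 line formats the log uses and flags two patterns a responder checks first: a BHO registered with no display name, and a Winlogon Notify DLL that is also loaded as a BHO. SAMPLE_LOG is a constructed subset of the posted log; the severities and wording are the example's own.

```python
"""Triage helper for HijackThis 2.0.2 log entries.

Added example; it is not part of the thread above nor of HijackThis.
It parses the R0 / O2 / O3 / O20 line formats from the posted log and
flags a BHO registered with no display name and a Winlogon Notify DLL
that is also loaded as a BHO. SAMPLE_LOG is a constructed subset of
the log in post #1.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buskeralley.com/
O2 - BHO: (no name) - {0DDF8B50-7F95-4A8C-B23D-93AB75769655} - c:\windows\system32\gdajlay.dll
O2 - BHO: (no name) - {61CFCCF2-D2A1-43CF-AE32-8B9843D58804} - C:\WINDOWS\system32\cmsetACLo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O20 - Winlogon Notify: xfvrwkmj - C:\WINDOWS\SYSTEM32\gdajlay.dll
"""

# One regex per HJT section code; named groups keep the fields uniform.
ENTRY_RES = {
    "R0": re.compile(r"^R0 - (?P<name>.+?) = (?P<path>.+)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
}


@dataclass(frozen=True)
class Entry:
    kind: str   # HJT section code: R0, O2, O3 or O20
    name: str   # display name, Notify subkey, or the registry value for R0
    path: str   # DLL path, or the URL for an R0 entry

    @property
    def key(self) -> str:
        """Case-folded path, so the same DLL matches across sections."""
        return self.path.strip().lower()


def parse_hjt(text: str) -> list[Entry]:
    """Extract the entries we triage; unknown line types are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in ENTRY_RES.items():
            m = rx.match(line)
            if m:
                entries.append(Entry(kind, m["name"], m["path"]))
                break
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (severity, subject, reason) findings for a responder to verify."""
    findings = []
    bho_paths = {e.key for e in entries if e.kind == "O2"}
    for e in entries:
        if e.kind == "O2" and e.name == "(no name)":
            findings.append(("high", e.key, "BHO registered without a display name"))
        elif e.kind == "O20":
            if e.key in bho_paths:
                findings.append(("high", e.key, "Winlogon Notify DLL is also registered as a BHO"))
            else:
                findings.append(("review", e.key, "Winlogon Notify DLL; confirm the vendor"))
        elif e.kind == "R0":
            findings.append(("info", e.path, f"{e.name} is set; confirm the user chose it"))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:6}] {subject}: {reason}")
```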


#2 bamajim

    Advanced Member

  • Volunteer Security Advisor
  • 339 posts

Posted 16 June 2008 - 04:28 PM

zoobie

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Microsoft MVP Consumer Security

#3 zoobie

    Member

  • Members
  • 14 posts

Posted 17 June 2008 - 03:11 AM

vundofix didn't find anything...

#4 bamajim

    Advanced Member

  • Volunteer Security Advisor
  • 339 posts

Posted 17 June 2008 - 02:08 PM

zoobie

We are going to run Vundofix again, but change the instructions slightly.
  • Double Click VundoFix.exe to run the program
  • In the white open window Right Click and Select "Add more files?"
  • An Explorer window will open. Locate the files listed below and select "Open":

    c:\windows\system32\gdajlay.dll
    C:\WINDOWS\system32\cmsetACLo.dll

  • If there is more than one file listed, repeat the process until all the files listed are added.
  • If you are unable to find one of the files listed, manually type in the complete path and file name and select "Open".
  • Right click in the open window and select "Select all" (or manually add check marks in the boxes preceding the file names).
  • With the boxes all checked, select "Fix Vundo". Do not select "Scan for Vundo".
  • You will receive a prompt asking "Are you sure you want to remove these files?"; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Microsoft MVP Consumer Security

#5 zoobie

    Member

  • Members
  • 14 posts

Posted 18 June 2008 - 12:53 AM

it didn't remove those files... rather, it crashes my box
crashes on reboot, too
moveonboot couldn't touch them, either
thx

Edited by zoobie, 18 June 2008 - 12:55 AM.


#6 bamajim

    Advanced Member

  • Volunteer Security Advisor
  • 339 posts

Posted 18 June 2008 - 01:19 PM

zoobie

Let's change tools.

Please download Combofix and save it to your desktop. Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of C:\ComboFix.txt into your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running.
That may cause the program to freeze/hang.



Microsoft MVP Consumer Security

#7 zoobie

    Member

  • Members
  • 14 posts

Posted 19 June 2008 - 12:20 AM

my combo fix log (second run...it crashed the first)

ComboFix 08-06-16.5 - zoobie 2008-06-18 17:38:12.3 - NTFSx86
Running from: C:\Documents and Settings\zoobie\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-17 14:37 . 2008-06-17 14:37 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-06-16 20:30 . 2008-06-17 14:37 <DIR> d-------- C:\VundoFix Backups
2008-06-10 03:31 . 2008-06-10 03:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\dreccvzt
2008-06-10 01:17 . 2008-06-10 01:17 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2008-06-10 01:17 . 2008-06-10 01:17 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2008-06-09 16:48 . 2008-06-09 16:48 <DIR> d-------- C:\Documents and Settings\zoobie\Application Data\dreccvzt
2008-06-09 14:00 . 2008-06-09 16:48 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-06-07 00:23 . 2004-08-02 23:31 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-06-07 00:22 . 2001-08-22 21:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-06-07 00:21 . 2001-08-22 21:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-07 00:20 . 2004-08-03 01:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-06-07 00:19 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-06-07 00:15 . 2008-06-07 00:15 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-06-07 00:14 . 2001-08-22 21:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-06-07 00:03 . 2001-08-22 21:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-06-07 00:03 . 2001-08-22 21:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-06-07 00:03 . 2001-08-22 21:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-06-07 00:03 . 2001-08-22 21:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-06-06 20:34 . 2008-06-16 08:59 <DIR> d-------- C:\Program Files\a-squared Free
2008-06-06 20:29 . 2008-06-06 20:29 <DIR> dr-h----- C:\$VAULT$.AVG
2008-06-06 19:25 . 2008-06-11 03:34 <DIR> d-------- C:\Documents and Settings\zoobie\Application Data\AVG7
2008-06-06 19:25 . 2008-06-06 19:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-06 19:24 . 2008-06-06 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-06 18:23 . 2008-06-06 18:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-06 18:23 . 2008-06-06 18:53 <DIR> d-------- C:\Documents and Settings\zoobie\Application Data\SUPERAntiSpyware.com
2008-06-06 18:23 . 2008-06-06 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-06 17:57 . 2008-06-06 18:08 <DIR> d-------- C:\Program Files\JustZIPit
2008-06-06 17:07 . 2008-06-06 17:07 <DIR> d-------- C:\Program Files\CONEXANT
2008-06-06 17:07 . 2004-09-29 00:33 1,036,928 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys
2008-06-06 17:07 . 2004-09-29 00:34 702,592 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2008-06-06 17:07 . 2004-09-29 00:35 219,136 --a------ C:\WINDOWS\system32\drivers\HSFHWBS2.sys
2008-06-06 17:07 . 2004-09-28 19:19 129,045 --a------ C:\WINDOWS\system32\drivers\HSFProf.cty
2008-06-06 17:07 . 2004-03-16 21:00 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2008-06-06 17:07 . 2004-08-04 00:34 39,018 --a------ C:\WINDOWS\system32\hsfci011.dll
2008-06-06 17:07 . 2004-03-16 21:04 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-06-06 17:00 . 2008-06-18 17:14 2,011,713,536 --a------ C:\WINDOWS\MEMORY.DMP
2008-06-06 15:47 . 2008-06-06 23:36 8,319 --a------ C:\WINDOWS\setupapi.old
2008-06-06 15:13 . 2008-06-06 15:13 <DIR> d--hs---- C:\found.000
2008-06-06 12:30 . 2008-06-06 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-06 12:29 . 2008-06-06 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 21:52 . 2008-06-04 21:52 <DIR> d-------- C:\Program Files\GiPo@Utilities
2008-06-04 21:52 . 2008-06-17 15:50 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-06-03 21:09 . 2008-06-06 13:08 4,922 --a------ C:\Documents and Settings\zoobie\xrt_log.dat
2008-06-03 20:00 . 2008-06-03 20:50 <DIR> d-------- C:\Downloads
2008-06-03 19:59 . 2008-06-05 18:26 <DIR> d-------- C:\Program Files\BitComet
2008-06-03 17:27 . 2004-08-03 01:56 127,488 --a------ C:\WINDOWS\system32\atle.dll
2008-06-03 17:26 . 2004-08-03 01:56 88,064 --a------ C:\WINDOWS\system32\cmsetACLo.dll
2008-05-31 15:16 . 2004-08-03 02:57 1,086,058 -ra------ C:\WINDOWS\SET47.tmp
2008-05-31 15:16 . 2004-08-03 03:03 1,042,903 -ra------ C:\WINDOWS\SET3C.tmp
2008-05-31 15:16 . 2004-08-03 02:58 13,753 -ra------ C:\WINDOWS\SET52.tmp
2008-05-28 23:11 . 2008-05-28 23:11 12 --a------ C:\WINDOWS\YAHVOX_ignore.ini
2008-05-26 17:25 . 2008-06-17 23:23 3,496 --a------ C:\WINDOWS\YAHELITE_IGNORE.INI
2008-05-26 16:29 . 2008-06-10 12:12 <DIR> d-------- C:\Program Files\YahELite
2008-05-26 16:29 . 2008-06-17 23:23 13,021 --a------ C:\WINDOWS\YAHELITE.INI
2008-05-24 21:44 . 2008-05-24 21:45 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-05-24 19:50 . 2008-05-24 19:50 <DIR> d-------- C:\Program Files\ImgBurn
2008-05-24 18:56 . 2008-05-24 18:56 <DIR> d-------- C:\Program Files\DVD Shrink
2008-05-24 18:56 . 2008-06-10 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-24 13:24 . 2008-05-24 13:37 <DIR> d-------- C:\Documents and Settings\zoobie\Application Data\RipIt4Me
2008-05-24 12:44 . 2008-05-31 16:54 <DIR> d-------- C:\Documents and Settings\zoobie\Application Data\Vso
2008-05-24 12:44 . 2008-05-24 12:44 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-24 12:44 . 2008-05-31 16:54 47,360 --a------ C:\Documents and Settings\zoobie\Application Data\pcouffin.sys
2008-05-23 23:55 . 2008-05-24 12:47 <DIR> d-------- C:\Program Files\Live_TV
2008-05-23 23:55 . 2008-05-24 12:47 <DIR> d-------- C:\Program Files\Conduit
2008-05-23 23:37 . 2008-06-04 23:32 <DIR> d-------- C:\Program Files\LimeWire
2008-05-20 21:28 . 2008-03-13 23:11 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 00:24 320,192 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-19 00:24 27,299,872 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-18 21:37 1,753,600 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-06-18 02:17 --------- d-----w C:\Documents and Settings\zoobie\Application Data\dvdcss
2008-06-16 15:58 1,741,824 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-06-15 18:04 1,735,680 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-06-15 08:13 --------- d-----w C:\Documents and Settings\zoobie\Application Data\Audacity
2008-06-14 10:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-12 16:53 1,733,120 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-06-11 16:44 1,732,096 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-06-10 05:24 1,724,928 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-06-08 10:56 1,721,856 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-06-07 01:56 --------- d-----w C:\Documents and Settings\zoobie\Application Data\LimeWire
2008-06-07 01:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-06 22:46 15,600 ----a-w C:\WINDOWS\gdrv.sys
2008-06-06 19:30 --------- d-----w C:\Program Files\Lavasoft
2008-06-06 01:10 229,888 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-06-05 03:29 2,639,872 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-06-03 21:24 16,700,982 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-28 00:17 2,653,184 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-28 00:17 1,681,920 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-27 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 06:52 --------- d-----w C:\Program Files\Ulead Systems
2008-05-27 06:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-24 20:34 46,106 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_05_24_13_28_22_small.dmp.zip
2008-05-24 00:27 --------- d-----w C:\Documents and Settings\zoobie\Application Data\Yahoo!
2008-05-24 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-24 00:25 --------- d-----w C:\Program Files\Yahoo!
2008-05-17 16:36 41,311 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_05_17_09_34_04_small.dmp.zip
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-10 00:56 10,266 ----a-w C:\Documents and Settings\zoobie\xrt_collect.zip
2008-05-09 21:31 1,304,064 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-30 05:36 --------- d-----w C:\Documents and Settings\zoobie\Application Data\Winff
2008-04-30 05:28 --------- d-----w C:\Program Files\WinFF
2008-04-30 02:55 5,144,064 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-27 01:09 --------- d-----w C:\Documents and Settings\zoobie\Application Data\Apple Computer
2008-04-26 22:09 --------- d-----w C:\Program Files\Riva
2008-04-26 22:09 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-04-24 03:49 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2008-04-22 00:11 --------- d-----w C:\Program Files\Common Files\SONY Digital Images
2008-04-22 00:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 00:08 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-04-21 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
.

((((((((((((((((((((((((((((( snapshot@2008-06-18_17.28.30.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 00:25:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-19 00:35:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DDF8B50-7F95-4A8C-B23D-93AB75769655}]
2001-08-22 21:00 84992 --a------ c:\windows\system32\gdajlay.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61CFCCF2-D2A1-43CF-AE32-8B9843D58804}]
2004-08-03 01:56 88064 --a------ C:\WINDOWS\system32\cmsetACLo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-02-09 03:15 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-09 03:15 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 02:08 16342528 C:\WINDOWS\RTHDCPL.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 02:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43 83608]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-06 19:24 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-06 19:24 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18569:TCP"= 18569:TCP:BitComet 18569 TCP
"18569:UDP"= 18569:UDP:BitComet 18569 UDP
"14202:TCP"= 14202:TCP:@xpsp2res.dll,-22009
"51834:TCP"= 51834:TCP:@xpsp2res.dll,-22009
"32890:TCP"= 32890:TCP:@xpsp2res.dll,-22009
"21114:TCP"= 21114:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"4218:TCP"= 4218:TCP:@xpsp2res.dll,-22009
"1914:TCP"= 1914:TCP:@xpsp2res.dll,-22009
"56186:TCP"= 56186:TCP:@xpsp2res.dll,-22009
"33914:TCP"= 33914:TCP:@xpsp2res.dll,-22009
"11130:TCP"= 11130:TCP:@xpsp2res.dll,-22009
"1146:TCP"= 1146:TCP:@xpsp2res.dll,-22009
"10618:TCP"= 10618:TCP:@xpsp2res.dll,-22009
"33402:TCP"= 33402:TCP:@xpsp2res.dll,-22009
"35962:TCP"= 35962:TCP:@xpsp2res.dll,-22009
"61573:TCP"= 61573:TCP:@xpsp2res.dll,-22009
"61562:TCP"= 61562:TCP:@xpsp2res.dll,-22009
"19066:TCP"= 19066:TCP:@xpsp2res.dll,-22009
"36474:TCP"= 36474:TCP:@xpsp2res.dll,-22009
"30074:TCP"= 30074:TCP:@xpsp2res.dll,-22009
"52346:TCP"= 52346:TCP:@xpsp2res.dll,-22009
"1402:TCP"= 1402:TCP:@xpsp2res.dll,-22009
"43642:TCP"= 43642:TCP:@xpsp2res.dll,-22009
"47738:TCP"= 47738:TCP:@xpsp2res.dll,-22009

R0 igmygpmu;igmygpmu;C:\WINDOWS\system32\drivers\igmygpmu.sys [2001-08-22 21:00]
R3 RTHDMIAzAudService;Service for HDMI;C:\WINDOWS\system32\drivers\RtHDMI.sys [2007-05-13 18:12]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 00:10]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-06 15:46]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 00:10]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 10:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart.zoobie.Runs RegistrySmart to optimize your registry.
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 17:41:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 17:42:33
ComboFix-quarantined-files.txt 2008-06-19 00:42:26
ComboFix2.txt 2008-06-19 00:29:00

Pre-Run: 163,845,832,704 bytes free
Post-Run: 163,831,894,016 bytes free

224



thx
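The "Reg Loading Points" section of the ComboFix log above is where the machine's own protections show up weakened. As an added example (not code from the thread or from ComboFix), the Python below parses its REGEDIT4-style section and value lines and flags what a responder would want to verify: Security Center alerts switched off, the Windows Firewall profile disabled (which may be legitimate here, since the log shows ZoneAlarm's TrueVector service running), an inbound exception on a privileged port, and many exceptions that share one resource-string label instead of an application name. SAMPLE_REG is a constructed subset of the posted log; the threshold and severities are the example's own choices.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example; it is not part of the thread above nor of ComboFix. It
parses the REGEDIT4-style [section] / "name"=value lines from post #7
and flags settings a responder would verify. SAMPLE_REG is a constructed
subset of the log in post #7.
"""
import re
from collections import defaultdict

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18569:TCP"= 18569:TCP:BitComet 18569 TCP
"18569:UDP"= 18569:UDP:BitComet 18569 UDP
"14202:TCP"= 14202:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"4218:TCP"= 4218:TCP:@xpsp2res.dll,-22009
"1914:TCP"= 1914:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_reg_points(text: str) -> dict[str, dict[str, str]]:
    """Return {section_key: {value_name: raw_value}} in file order."""
    points: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = points.setdefault(m["key"], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m["name"]] = m["value"].strip()
    return points


def triage_reg(points, shared_label_threshold: int = 3):
    """Return (severity, subject, reason) findings for a responder to verify."""
    findings = []
    for key, values in points.items():
        k = key.lower()
        if k.endswith("\\security center"):
            for name, raw in values.items():
                if name.endswith("DisableNotify") and raw.lower() == "dword:00000001":
                    findings.append(("high", name,
                                     "Security Center alert suppressed; confirm the user did this"))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(("review", "EnableFirewall",
                                 "Windows Firewall off; acceptable only if a third-party "
                                 "firewall (here ZoneAlarm's vsmon) is confirmed running"))
        elif k.endswith("\\globallyopenports\\list"):
            by_label = defaultdict(list)
            for raw in values.values():
                port, proto, label = raw.split(":", 2)
                by_label[label].append(f"{port}/{proto}")
                if int(port) < 1024:
                    findings.append(("high", f"{port}/{proto}",
                                     f"privileged port opened inbound ({label})"))
            for label, ports in by_label.items():
                # '@dll,-id' is a localized resource string, not an application
                # name; one such string reused for many unrelated ports is unusual.
                if label.startswith("@") and len(ports) >= shared_label_threshold:
                    findings.append(("high", label,
                                     f"{len(ports)} exceptions share one resource-string label: "
                                     + ", ".join(ports)))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in triage_reg(parse_reg_points(SAMPLE_REG)):
        print(f"[{severity:6}] {subject}: {reason}")
```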

#8 bamajim

    Advanced Member

  • Volunteer Security Advisor
  • 339 posts

Posted 19 June 2008 - 01:53 PM

zoobie

You have a couple of files I need to look at.

We need to make sure we can see hidden files and folders

To enable the viewing of Hidden and System files follow these steps:
  • Right click on Start and select Explore.
  • Select the Tools menu and click Folder Options.
  • After the new window appears, select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section, select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files. Click Yes to confirm.
  • Press the Apply button and then the OK button.

Please go HERE

Put your name, and Lavasoft HJT forum, and in the file to submit box, click Browse.
Locate the file C:\WINDOWS\system32\cmsetACLo.dll
Using another Browse button and box, locate and upload the following files as well:
C:\WINDOWS\system32\atle.dll
C:\WINDOWS\system32\drivers\igmygpmu.sys

In the comments, tell them that I asked you to upload the files.
Then select Send File.


Microsoft MVP Consumer Security

#9 zoobie

    Member

  • Members
  • 14 posts

Posted 19 June 2008 - 07:16 PM

Hidden and System files were already set to display
I've uploaded the files requested to uploadmalware.com
thx for the help

#10 bamajim

    Advanced Member

  • Volunteer Security Advisor
  • 339 posts

Posted 19 June 2008 - 08:12 PM

zoobie

Thanks. I got the files, 2 bad and one o.k.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad (not the word code)
File::
C:\WINDOWS\system32\atle.dll
C:\WINDOWS\system32\cmsetACLo.dll
c:\windows\system32\gdajlay.dll

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DDF8B50-7F95-4A8C-B23D-93AB75769655}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61CFCCF2-D2A1-43CF-AE32-8B9843D58804}]
Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.
You will be prompted to run ComboFix again; do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.



Microsoft MVP Consumer Security

#11 zoobie

    Member

  • Members
  • 14 posts

Posted 20 June 2008 - 12:09 AM

that seems to have done it... it's no longer hijacked on a search
however, I've noticed that gdajlay.dll and gdajlay.dll.bak are still in the system32 folder
ComboFix 08-06-16.5 - zoobie 2008-06-19 15:18:29.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1419 [GMT -7:00]
Running from: C:\Documents and Settings\zoobie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\zoobie\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\atle.dll
C:\WINDOWS\system32\cmsetACLo.dll
c:\windows\system32\gdajlay.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\atle.dll
C:\WINDOWS\system32\cmsetACLo.dll . . . . failed to delete
c:\windows\system32\gdajlay.dll . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2008-05-19 to 2008-06-19  )))))))))))))))))))))))))))))))
.

2008-06-17 14:37 . 2008-06-17 14:37 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-06-16 20:30 . 2008-06-17 14:37 <DIR> d-------- C:\VundoFix Backups
2008-06-10 03:31 . 2008-06-10 03:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\dreccvzt
2008-06-10 01:17 . 2008-06-10 01:17 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2008-06-10 01:17 . 2008-06-10 01:17 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2008-06-09 16:48 . 2008-06-09 16:48 <DIR> d-------- C:\Documents and Settings\zoobie\Application Data\dreccvzt
2008-06-09 14:00 . 2008-06-09 16:48 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-06-07 00:23 . 2004-08-02 23:31 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-06-07 00:22 . 2001-08-22 21:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-06-07 00:21 . 2001-08-22 21:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-07 00:20 . 2004-08-03 01:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-06-07 00:19 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-06-07 00:15 . 2008-06-07 00:15 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-06-07 00:15 . 2008-06-07 00:15 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-06-07 00:14 . 2001-08-22 21:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-06-07 00:03 . 2001-08-22 21:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-06-07 00:03 . 2001-08-22 21:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-06-07 00:03 . 2001-08-22 21:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-06-07 00:03 . 2001-08-22 21:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-06-06 20:34 . 2008-06-16 08:59 <DIR> d-------- C:\Program Files\a-squared Free
2008-06-06 20:29 . 2008-06-06 20:29 <DIR> dr-h----- C:\$VAULT$.AVG
2008-06-06 19:25 . 2008-06-11 03:34 <DIR> d-------- C:\Documents and Settings\zoobie\Application Data\AVG7
2008-06-06 19:25 . 2008-06-06 19:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-06 19:24 . 2008-06-06 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-06 18:23 . 2008-06-06 18:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-06 18:23 . 2008-06-06 18:53 <DIR> d-------- C:\Documents and Settings\zoobie\Application Data\SUPERAntiSpyware.com
2008-06-06 18:23 . 2008-06-06 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-06 17:57 . 2008-06-06 18:08 <DIR> d-------- C:\Program Files\JustZIPit
2008-06-06 17:07 . 2008-06-06 17:07 <DIR> d-------- C:\Program Files\CONEXANT
2008-06-06 17:07 . 2004-09-29 00:33 1,036,928 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys
2008-06-06 17:07 . 2004-09-29 00:34 702,592 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2008-06-06 17:07 . 2004-09-29 00:35 219,136 --a------ C:\WINDOWS\system32\drivers\HSFHWBS2.sys
2008-06-06 17:07 . 2004-09-28 19:19 129,045 --a------ C:\WINDOWS\system32\drivers\HSFProf.cty
2008-06-06 17:07 . 2004-03-16 21:00 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2008-06-06 17:07 . 2004-08-04 00:34 39,018 --a------ C:\WINDOWS\system32\hsfci011.dll
2008-06-06 17:07 . 2004-03-16 21:04 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-06-06 17:00 . 2008-06-18 17:14 2,011,713,536 --a------ C:\WINDOWS\MEMORY.DMP
2008-06-06 15:47 . 2008-06-06 23:36 8,319 --a------ C:\WINDOWS\setupapi.old
2008-06-06 15:13 . 2008-06-06 15:13 <DIR> d--hs---- C:\found.000
2008-06-06 12:30 . 2008-06-06 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-06 12:29 . 2008-06-06 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 21:52 . 2008-06-04 21:52 <DIR> d-------- C:\Program Files\GiPo@Utilities
2008-06-04 21:52 . 2008-06-17 15:50 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-06-03 21:09 . 2008-06-06 13:08 4,922 --a------ C:\Documents and Settings\zoobie\xrt_log.dat
2008-06-03 20:00 . 2008-06-03 20:50 <DIR> d-------- C:\Downloads
2008-06-03 19:59 . 2008-06-05 18:26 <DIR> d-------- C:\Program Files\BitComet
2008-06-03 17:26 . 2004-08-03 01:56 88,064 --a------ C:\WINDOWS\system32\cmsetACLo.dll
2008-05-31 15:16 . 2004-08-03 02:57 1,086,058 -ra------ C:\WINDOWS\SET47.tmp
2008-05-31 15&#58;16 . 2004-08-03 03&#58;03	1,042,903	-ra------	C&#58;\WINDOWS\SET3C.tmp
2008-05-31 15&#58;16 . 2004-08-03 02&#58;58	13,753	-ra------	C&#58;\WINDOWS\SET52.tmp
2008-05-28 23&#58;11 . 2008-05-28 23&#58;11	12	--a------	C&#58;\WINDOWS\YAHVOX_ignore.ini
2008-05-26 17&#58;25 . 2008-06-18 22&#58;38	3,496	--a------	C&#58;\WINDOWS\YAHELITE_IGNORE.INI
2008-05-26 16&#58;29 . 2008-06-10 12&#58;12	<DIR>	d--------	C&#58;\Program Files\YahELite
2008-05-26 16&#58;29 . 2008-06-18 22&#58;38	13,021	--a------	C&#58;\WINDOWS\YAHELITE.INI
2008-05-24 21&#58;44 . 2008-05-24 21&#58;45	<DIR>	d--------	C&#58;\Program Files\DVD Decrypter
2008-05-24 19&#58;50 . 2008-05-24 19&#58;50	<DIR>	d--------	C&#58;\Program Files\ImgBurn
2008-05-24 18&#58;56 . 2008-05-24 18&#58;56	<DIR>	d--------	C&#58;\Program Files\DVD Shrink
2008-05-24 18&#58;56 . 2008-06-10 13&#58;54	<DIR>	d--------	C&#58;\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-24 13&#58;24 . 2008-05-24 13&#58;37	<DIR>	d--------	C&#58;\Documents and Settings\zoobie\Application Data\RipIt4Me
2008-05-24 12&#58;44 . 2008-05-31 16&#58;54	<DIR>	d--------	C&#58;\Documents and Settings\zoobie\Application Data\Vso
2008-05-24 12&#58;44 . 2008-05-24 12&#58;44	47,360	--a------	C&#58;\WINDOWS\system32\drivers\pcouffin.sys
2008-05-24 12&#58;44 . 2008-05-31 16&#58;54	47,360	--a------	C&#58;\Documents and Settings\zoobie\Application Data\pcouffin.sys
2008-05-23 23&#58;55 . 2008-05-24 12&#58;47	<DIR>	d--------	C&#58;\Program Files\Live_TV
2008-05-23 23&#58;55 . 2008-05-24 12&#58;47	<DIR>	d--------	C&#58;\Program Files\Conduit
2008-05-23 23&#58;37 . 2008-06-04 23&#58;32	<DIR>	d--------	C&#58;\Program Files\LimeWire
2008-05-20 21&#58;28 . 2008-03-13 23&#58;11	1,086,952	--a------	C&#58;\WINDOWS\system32\zpeng24.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 22:25	27,430,944	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-19 22:23	17,712,259	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-19 22:22	323,504	--sha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-19 22:21	84,992	----a-w	C:\WINDOWS\system32\fqoethz.dll
2008-06-19 22:16	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\Audacity
2008-06-18 21:37	1,753,600	----a-w	C:\WINDOWS\Internet Logs\xDB14.tmp
2008-06-18 02:17	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\dvdcss
2008-06-16 15:58	1,741,824	----a-w	C:\WINDOWS\Internet Logs\xDB13.tmp
2008-06-15 18:04	1,735,680	----a-w	C:\WINDOWS\Internet Logs\xDB12.tmp
2008-06-14 10:35	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-12 16:53	1,733,120	----a-w	C:\WINDOWS\Internet Logs\xDB11.tmp
2008-06-11 16:44	1,732,096	----a-w	C:\WINDOWS\Internet Logs\xDB10.tmp
2008-06-10 05:24	1,724,928	----a-w	C:\WINDOWS\Internet Logs\xDBF.tmp
2008-06-08 10:56	1,721,856	----a-w	C:\WINDOWS\Internet Logs\xDBE.tmp
2008-06-07 01:56	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\LimeWire
2008-06-07 01:51	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-06 22:46	15,600	----a-w	C:\WINDOWS\gdrv.sys
2008-06-06 19:30	---------	d-----w	C:\Program Files\Lavasoft
2008-06-06 01:10	229,888	----a-w	C:\WINDOWS\Internet Logs\xDBD.tmp
2008-06-05 03:29	2,639,872	----a-w	C:\WINDOWS\Internet Logs\xDBB.tmp
2008-05-28 00:17	2,653,184	----a-w	C:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-28 00:17	1,681,920	----a-w	C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-27 07:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 06:52	---------	d-----w	C:\Program Files\Ulead Systems
2008-05-27 06:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-24 20:34	46,106	----a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2008_05_24_13_28_22_small.dmp.zip
2008-05-24 00:27	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\Yahoo!
2008-05-24 00:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-24 00:25	---------	d-----w	C:\Program Files\Yahoo!
2008-05-17 16:36	41,311	----a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2008_05_17_09_34_04_small.dmp.zip
2008-05-16 18:58	12,632	----a-w	C:\WINDOWS\system32\lsdelete.exe
2008-05-10 00:56	10,266	----a-w	C:\Documents and Settings\zoobie\xrt_collect.zip
2008-05-09 21:31	1,304,064	----a-w	C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-30 05:36	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\Winff
2008-04-30 05:28	---------	d-----w	C:\Program Files\WinFF
2008-04-30 02:55	5,144,064	----a-w	C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-29 18:20	15,648	----a-w	C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19	15,648	----a-w	C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19	12,960	----a-w	C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-27 01:09	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\Apple Computer
2008-04-26 22:09	---------	d-----w	C:\Program Files\Riva
2008-04-26 22:09	---------	d-----w	C:\Program Files\Common Files\SWF Studio
2008-04-24 03:49	147,456	----a-w	C:\WINDOWS\system32\vbzip10.dll
2008-04-22 00:11	---------	d-----w	C:\Program Files\Common Files\SONY Digital Images
2008-04-22 00:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-04-22 00:08	---------	d-----w	C:\Program Files\Common Files\Ulead Systems
2008-04-21 22:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Sony
.

(((((((((((((((((((((((((((((   snapshot@2008-06-18_17.28.30.73   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 00:25:13	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-06-19 22:23:13	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DDF8B50-7F95-4A8C-B23D-93AB75769655}]
2008-06-19 15:21	84992	--a------	c:\windows\system32\gdajlay.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61CFCCF2-D2A1-43CF-AE32-8B9843D58804}]
2004-08-03 01:56	88064	--a------	C:\WINDOWS\system32\cmsetACLo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-02-09 03:15 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-09 03:15 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 02:08 16342528 C:\WINDOWS\RTHDCPL.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 02:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43 83608]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-06 19:24 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-06 19:24 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18569:TCP"= 18569:TCP:BitComet 18569 TCP
"18569:UDP"= 18569:UDP:BitComet 18569 UDP
"14202:TCP"= 14202:TCP:@xpsp2res.dll,-22009
"51834:TCP"= 51834:TCP:@xpsp2res.dll,-22009
"32890:TCP"= 32890:TCP:@xpsp2res.dll,-22009
"21114:TCP"= 21114:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"4218:TCP"= 4218:TCP:@xpsp2res.dll,-22009
"1914:TCP"= 1914:TCP:@xpsp2res.dll,-22009
"56186:TCP"= 56186:TCP:@xpsp2res.dll,-22009
"33914:TCP"= 33914:TCP:@xpsp2res.dll,-22009
"11130:TCP"= 11130:TCP:@xpsp2res.dll,-22009
"1146:TCP"= 1146:TCP:@xpsp2res.dll,-22009
"10618:TCP"= 10618:TCP:@xpsp2res.dll,-22009
"33402:TCP"= 33402:TCP:@xpsp2res.dll,-22009
"35962:TCP"= 35962:TCP:@xpsp2res.dll,-22009
"61573:TCP"= 61573:TCP:@xpsp2res.dll,-22009
"61562:TCP"= 61562:TCP:@xpsp2res.dll,-22009
"19066:TCP"= 19066:TCP:@xpsp2res.dll,-22009
"36474:TCP"= 36474:TCP:@xpsp2res.dll,-22009
"30074:TCP"= 30074:TCP:@xpsp2res.dll,-22009
"52346:TCP"= 52346:TCP:@xpsp2res.dll,-22009
"1402:TCP"= 1402:TCP:@xpsp2res.dll,-22009
"43642:TCP"= 43642:TCP:@xpsp2res.dll,-22009
"47738:TCP"= 47738:TCP:@xpsp2res.dll,-22009

R0 igmygpmu;igmygpmu;C:\WINDOWS\system32\drivers\igmygpmu.sys [2001-08-22 21:00]
R3 RTHDMIAzAudService;Service for HDMI;C:\WINDOWS\system32\drivers\RtHDMI.sys [2007-05-13 18:12]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 00:10]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-06 15:46]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 00:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 10:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart.zoobie.Runs RegistrySmart to optimize your registry.
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 15:24:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
.
**************************************************************************
.
Completion time: 2008-06-19 15:27:12 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-19 22:27:04
ComboFix2.txt  2008-06-19 00:42:34
ComboFix3.txt  2008-06-19 00:29:00

Pre-Run: 163,528,921,088 bytes free
Post-Run: 163,576,696,832 bytes free

252

Anything free out there that's recommended to block viruses?
Thanks a ton... I was in the middle of a project and almost lost it all.
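Added example, not part of zoobie's post and not ComboFix's own code: a small Python triage script over the Reg Loading Points block of the log above. It picks out what a helper reads first in that block: the two Security Center DisableNotify flags set to 1, EnableFirewall = 0 for the standard profile, the run of GloballyOpenPorts exceptions that carry only the generic @xpsp2res.dll,-22009 label instead of a program name (one of them opening 80/TCP inbound), the BHO DLL in system32 with a machine-looking name and a same-day timestamp, and the R0 boot-start driver igmygpmu.sys whose file timestamp (2001-08-22 21:00) is the one the stock XP files earlier in the same log carry. The sample log is constructed (a condensed copy of the shape of the real one, with whitespace instead of ComboFix's tabs), and the random-name heuristic, severities and finding tags are the example's own, not ComboFix's.

```python
"""Triage the 'Reg Loading Points' block of a ComboFix log."""
import re
from collections import namedtuple

# Constructed sample, condensed from the shape of the log above (example data, not a
# verbatim copy). Fields are separated by plain whitespace here; ComboFix uses tabs.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DDF8B50-7F95-4A8C-B23D-93AB75769655}]
2008-06-19 15:21   84992   --a------   c:\windows\system32\gdajlay.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61CFCCF2-D2A1-43CF-AE32-8B9843D58804}]
2004-08-03 01:56   88064   --a------   C:\WINDOWS\system32\cmsetACLo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18569:TCP"= 18569:TCP:BitComet 18569 TCP
"14202:TCP"= 14202:TCP:@xpsp2res.dll,-22009
"51834:TCP"= 51834:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009

R0 igmygpmu;igmygpmu;C:\WINDOWS\system32\drivers\igmygpmu.sys [2001-08-22 21:00]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-06 15:46]
"""

XP_RTM_STAMP = "2001-08-22 21:00"   # stamp the stock XP files carry in the same log (isignup.exe, spxcoins.dll)
VOWELS = set("aeiou")
FILE_LINE = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+\S+\s+(.+)$")
Finding = namedtuple("Finding", "severity code evidence")   # severity: "high" or "medium"


def looks_random(filename):
    """Heuristic for machine-generated names like gdajlay.dll or igmygpmu.sys: 6-9
    lowercase letters with a consonant run of four or more, or under 30% vowels.
    Mixed-case vendor names (cmsetACLo) and short ones (gdrv) pass. It is a triage
    aid only; some legitimate names (spxcoins, avcstrm) trip it too."""
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 9 and stem.isalpha() and stem.islower()):
        return False
    longest = run = 0
    for c in stem:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or sum(c in VOWELS for c in stem) / len(stem) < 0.3


def parse(text):
    """Split the dump into {section header: [value lines]} plus the R0/S3 driver lines."""
    sections, drivers, current = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif re.match(r"^[RS]\d ", line):
            drivers.append(line)
        elif line and current is not None:
            sections[current].append(line)
    return sections, drivers


def triage(text):
    """Findings a helper would act on first, highest severity first."""
    sections, drivers = parse(text)
    findings = []
    for header, lines in sections.items():
        h = header.lower()
        if h.endswith("security center"):
            # Both flags silence the balloons that would tell the user AV or updates are off.
            findings += [Finding("medium", "security-center-notify-disabled", l)
                         for l in lines if re.search(r'DisableNotify"=dword:00000001', l)]
        elif h.endswith(r"firewallpolicy\standardprofile"):
            findings += [Finding("high", "firewall-disabled", l)
                         for l in lines if re.match(r'"EnableFirewall"=\s*0\b', l)]
        elif h.endswith(r"globallyopenports\list"):
            # A real program's exception carries its name; these carry only a generic
            # resource-string label, and one of them opens 80/TCP inbound.
            unnamed = [l for l in lines if l.endswith("@xpsp2res.dll,-22009")]
            if unnamed:
                findings.append(Finding("high", "unnamed-open-ports", f"{len(unnamed)} exception(s) with no application name"))
            findings += [Finding("high", "inbound-http-exception", l) for l in lines if l.startswith('"80:TCP"')]
        elif "browser helper objects" in h:
            for l in lines:
                m = FILE_LINE.match(l)
                if m and looks_random(m.group(1)):
                    findings.append(Finding("high", "random-named-bho", l))
    for line in drivers:
        start_type, rest = line.split(" ", 1)
        path, stamp = rest.split(";", 2)[2].rsplit(" [", 1)
        if looks_random(path):
            # R0 = boot-start, loaded before any AV. A new driver wearing the stock XP stamp is timestomped.
            note = " (timestamp copied from stock XP files)" if stamp.rstrip("]") == XP_RTM_STAMP else ""
            findings.append(Finding("high" if start_type == "R0" else "medium", "random-named-driver", line + note))
    return sorted(findings, key=lambda f: f.severity == "medium")
```

Run `triage(SAMPLE_LOG)` (or feed it the Reg Loading Points block of a real log) and it returns the high findings first. The name heuristic is deliberately crude; it exists to rank what to look at, not to convict a file, which is why the ZoneAlarm and AVG entries in the real log would pass through it untouched.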

#12 bamajim

    Advanced Member

  • Volunteer Security Advisor
  • 339 posts

Posted 20 June 2008 - 01:23 PM

zoobie

Glad to hear things are better, but we are not out of the woods here. 2 of the files failed to delete, so we need to find what else is in hiding.

Download gmer from HERE. Save it to your Desktop
Right-click->>Extract All->>and extract it to your Desktop
Open the gmer folder->>Double click the gmer.exe to run it
Select the Rootkit tab, press the "Scan" button
Allow the program to run
When it finishes Select "Save". Save the log to the Gmer folder on your Desktop.
Name it Gmer.
Then open the Gmer.log
Copy and paste that log as a reply to this thread



Microsoft MVP Consumer Security

#13 zoobie

    Member

  • Members
  • 14 posts

Posted 21 June 2008 - 12:27 AM

Gmer.log
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-20 18:12:07
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwConnectPort [0xAEDE3040]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateFile [0xAEDDF930]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateKey [0xAEDEAA80]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreatePort [0xAEDE3510]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateProcess [0xAEDE9870]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateProcessEx [0xAEDE9AA0]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateSection [0xAEDECFD0]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateWaitablePort [0xAEDE3600]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwDeleteFile [0xAEDDFF20]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwDeleteKey [0xAEDEB6E0]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwDeleteValueKey [0xAEDEB440]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwDuplicateObject [0xAEDE9580]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwLoadKey [0xAEDEB8B0]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwOpenFile [0xAEDDFD70]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwOpenProcess [0xAEDE9350]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwOpenThread [0xAEDE9150]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwRenameKey [0xAEDEC250]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwReplaceKey [0xAEDEBCB0]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwRequestWaitReplyPort [0xAEDE2C00]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwRestoreKey [0xAEDEC080]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwSecureConnectPort [0xAEDE3220]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwSetInformationFile [0xAEDE0120]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwSetValueKey [0xAEDEB140]
SSDT			\SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwTerminateProcess [0xAEDE9CD0]

---- Kernel code sections - GMER 1.0.14 ----

.text		   ntkrnlpa.exe!ZwCallbackReturn + 2BED			805037ED 11 Bytes  [ 35, DE, AE, 70, 98, DE, AE, ... ]
PAGE		   ntkrnlpa.exe!ObReferenceObjectByHandle + 44F		805BA2A9 7 Bytes  JMP 8A5A9408 
?			   srescan.sys										The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT			 \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol]	 [AEDE7CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]		  [AEDE81C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter]		 [AEDE8320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol]   [AEDE7E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol]	 [AEDE7E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol]	   [AEDE7CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter]			[AEDE81C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter]		   [AEDE8320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol]	  [AEDE7CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter]		  [AEDE8320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]		   [AEDE81C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol]	[AEDE7E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]			[AEDE8320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]		[AEDE7CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]			 [AEDE81C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]	 [AEDE7E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]	   [AEDE7CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]			[AEDE81C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]		   [AEDE8320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter]		  [AEDE8320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter]		   [AEDE81C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol]	[AEDE7E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol]	  [AEDE7CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]	  [AEDE7CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]	[AEDE7E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]		  [AEDE8320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT			 \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]		   [AEDE81C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.14 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs													   avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device		  \Driver\Tcpip \Device\Ip													 vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device		  \Driver\Tcpip \Device\Ip													 avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device		  \Driver\Tcpip \Device\Tcp													vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device		  \Driver\Tcpip \Device\Tcp													avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device		  \Driver\Tcpip \Device\Udp													vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device		  \Driver\Tcpip \Device\Udp													avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device		  \Driver\Tcpip \Device\RawIp												  vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device		  \Driver\Tcpip \Device\RawIp												  avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device		  \Driver\Tcpip \Device\IPMULTICAST											vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device		  \Driver\Tcpip \Device\IPMULTICAST											avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice  \FileSystem\Fastfat \Fat													 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat													 avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- EOF - GMER 1.0.14 ----
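Added example, not part of zoobie's post and not GMER's own code: a Python script that parses the three kinds of lines in the GMER log above (SSDT hooks, kernel code patches, a module GMER could not find on disk) and tries to attribute each hook to a driver the log already names. Every SSDT hook is attributed to vsdatant.sys, which the log itself labels as ZoneAlarm's TrueVector driver; that is the expected footprint of a host firewall. The interesting part is the two "Kernel code sections" lines. The .text patch at ZwCallbackReturn + 2BED is reported as a byte dump, and when the bytes are read as little-endian pointers with the dump's own alignment taken into account (805037ED is one byte past a 4-byte boundary, so the first three bytes are the tail of a pointer that started before the dump), the tail completes 0xAEDE35xx, which matches the ZwCreatePort handler, and the next whole dword is 0xAEDE9870, the ZwCreateProcess handler: that dump is a slice of the hooked service table, so it is the same ZoneAlarm hooking seen from a second angle. The PAGE patch is different in kind: an inline JMP inside ObReferenceObjectByHandle to 8A5A9408, an address that no driver listed anywhere in the log owns, which is the one line a helper cannot close out from this log alone. The sample below is constructed (four of the SSDT lines plus the three code-section lines, in the log's format); the "within-span" attribution, which assumes a driver's hook handlers sit close together in its image, and the severities are the example's own assumptions.

```python
"""Attribute the kernel hooks in a GMER log to the driver that owns them."""
import re
from collections import namedtuple

# Constructed sample in the shape of the GMER log above (example data, not a verbatim copy).
SAMPLE_GMER = r"""
---- System - GMER 1.0.14 ----

SSDT    \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateFile [0xAEDDF930]
SSDT    \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreatePort [0xAEDE3510]
SSDT    \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateProcess [0xAEDE9870]
SSDT    \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwTerminateProcess [0xAEDE9CD0]

---- Kernel code sections - GMER 1.0.14 ----

.text   ntkrnlpa.exe!ZwCallbackReturn + 2BED          805037ED 11 Bytes  [ 35, DE, AE, 70, 98, DE, AE, ... ]
PAGE    ntkrnlpa.exe!ObReferenceObjectByHandle + 44F  805BA2A9 7 Bytes  JMP 8A5A9408
?       srescan.sys                                   The system cannot find the file specified. !
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]")
PATCH_RE = re.compile(r"^(\.text|PAGE)\s+(\S+!\w+ \+ [0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8}) \d+ Bytes\s+(.*)$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file")

SsdtHook = namedtuple("SsdtHook", "module vendor function address")
Patch = namedtuple("Patch", "section symbol address detail")
Verdict = namedtuple("Verdict", "severity text owner")   # owner: module name or None


def parse_gmer(text):
    """Pull out SSDT hook lines, kernel code patches and 'file not found' modules."""
    hooks, patches, missing = [], [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := SSDT_RE.match(line):
            hooks.append(SsdtHook(m.group(1).rsplit("\\", 1)[-1], m.group(2), m.group(3), int(m.group(4), 16)))
        elif m := PATCH_RE.match(line):
            patches.append(Patch(m.group(1), m.group(2), int(m.group(3), 16), m.group(4)))
        elif m := MISSING_RE.match(line):
            missing.append(m.group(1))
    return hooks, patches, missing


def decode_pointers(start, raw):
    """Read a byte dump as little-endian 32-bit pointers, honouring alignment: if the dump
    does not start on a 4-byte boundary, its first bytes are the high-order tail of a pointer
    that began before it. Returns (partial, full): partial is (value, mask) for that tail or None."""
    lead = (-start) % 4
    partial = None
    if lead and len(raw) >= lead:
        value = sum(b << (8 * (4 - lead + i)) for i, b in enumerate(raw[:lead]))
        partial = (value, ((1 << (8 * lead)) - 1) << (8 * (4 - lead)))
    body = raw[lead:]
    return partial, [int.from_bytes(bytes(body[i:i + 4]), "little") for i in range(0, len(body) - 3, 4)]


def attribute(addr, hooks, mask=0xFFFFFFFF):
    """Owner of addr: an exact hit on a listed handler, else the module whose listed handlers
    bracket it (assumption: a driver's handlers sit together in its image), else None."""
    for h in hooks:
        if (h.address & mask) == (addr & mask):
            return h.module, "exact"
    spans = {}
    for h in hooks:
        lo, hi = spans.get(h.module, (h.address, h.address))
        spans[h.module] = (min(lo, h.address), max(hi, h.address))
    for module, (lo, hi) in spans.items():
        if lo <= addr <= hi:
            return module, "within-span"
    return None, None


def triage_gmer(text):
    """One Verdict per SSDT hooker, per code patch and per missing module."""
    hooks, patches, missing = parse_gmer(text)
    verdicts, per_module = [], {}
    for h in hooks:
        per_module.setdefault((h.module, h.vendor), []).append(h.function)
    for (module, vendor), fns in per_module.items():
        # A host firewall or AV hooking the SSDT under its own signed name is expected.
        verdicts.append(Verdict("info", f"{module} hooks {len(fns)} SSDT entries ({vendor})", module))
    for p in patches:
        jmp = re.match(r"JMP ([0-9A-Fa-f]{8})$", p.detail)
        if jmp:
            target = int(jmp.group(1), 16)
            owner, how = attribute(target, hooks)
            verdicts.append(Verdict("info" if owner else "high",
                                    f"inline JMP at {p.symbol} -> {target:08X} ({how or 'no listed module owns it'})", owner))
            continue
        # Not a JMP: a raw byte dump. Decode it as pointers and see who owns them.
        partial, full = decode_pointers(p.address, [int(b, 16) for b in re.findall(r"\b([0-9A-Fa-f]{2})\b", p.detail)])
        owners = {attribute(v, hooks)[0] for v in full}
        if partial:
            owners.add(attribute(partial[0], hooks, partial[1])[0])
        names = ", ".join(sorted(o for o in owners if o)) or "nothing listed"
        verdicts.append(Verdict("high" if None in owners else "info",
                                f"byte patch at {p.symbol} decodes to pointers into {names}", None if None in owners else names))
    for name in missing:
        verdicts.append(Verdict("medium", f"{name} is referenced by the kernel but the file is missing", None))
    return verdicts
```

Call `triage_gmer(SAMPLE_GMER)` (or pass a whole GMER log) and read the verdicts: the SSDT summary and the ZwCallbackReturn dump come back as "info" with vsdatant.sys as owner, the ObReferenceObjectByHandle JMP comes back "high" with no owner, and srescan.sys is flagged "medium" for a helper to confirm which product installed it. The alignment step matters: naively slicing the dump from its first byte would produce garbage pointers and the attribution would fail.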


#14 bamajim

    Advanced Member

  • Volunteer Security Advisor
  • 339 posts

Posted 21 June 2008 - 12:55 AM

zoobie

Unfortunately that didn't give me what I was looking for.

1. One of the files I requested, shows to be a Compaq driver for a Compaq Personal Audio Player. Do you have such a device?

Please include the answer in your reply

2. Go HERE and download System Repair Engineer by smallfrogs
Select local download 1 or 2. Save it to your Desktop
Right-click sreng2.zip->>Extract all->>Extract it to your desktop
Open the sreng folder
Double click SREngPS.exe->>Click Run
At the main Window, in the left Pane,Select Smart Scan
At the next window make sure all of the boxes are checked and Select Scan
When the scan is complete Select Save reports
Save it to your desktop and Close the tool
Double Click SREngLog.txt copy and paste that log as a reply to this thread
Do not run any other options with this tool unless instructed to do so.


Microsoft MVP Consumer Security

#15 zoobie

    Member

  • Members
  • 14 posts

Posted 22 June 2008 - 11:42 PM

Hi back -
1) No... I don't have a Compaq Personal Audio Player
2) My SREngLog.txt is below
2008-06-22,17:26:11

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
	All Boot Items (Including Registry, Startup Folders, Services and so on)
	Browser Add-ons
	Runing Processes (Including process model information)
	File Associations
	Winsock Provider
	Autorun.Inf
	HOSTS File
	Process Privileges Scan


Boot Items
Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
	<RTHDCPL><RTHDCPL.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
	<Logitech Utility><Logi_MwX.Exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
	<SunJavaUpdateSched><"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe">  [(Verified)"Sun Microsystems, Inc."]
	<ZoneAlarm Client><"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe">  [(Verified)Check Point Software Technologies Ltd.]
	<AVG7_CC><C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP>  [GRISOFT, s.r.o.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
	<Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
	<AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
	<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
	<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
	<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
	<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
	<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
	<Internet Explorer><%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
	<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
	<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub>  [(Verified)"Sun Microsystems, Inc."]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
	<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
	<N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install>  [Microsoft Corporation]

==================================
Startup Folders
N/A

==================================
Services
&#91;Lavasoft Ad-Aware Service / aawservice&#93;&#91;Running/Auto Start&#93;
  <&#34;C&#58;\Program Files\Lavasoft\Ad-Aware\aawservice.exe&#34;><Lavasoft>
&#91;Ati HotKey Poller / Ati HotKey Poller&#93;&#91;Running/Auto Start&#93;
  <C&#58;\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
&#91;AVG7 Alert Manager Server / Avg7Alrt&#93;&#91;Running/Auto Start&#93;
  <C&#58;\PROGRA~1\Grisoft\AVG7\avgamsvr.exe><GRISOFT, s.r.o.>
&#91;AVG7 Update Service / Avg7UpdSvc&#93;&#91;Running/Auto Start&#93;
  <C&#58;\PROGRA~1\Grisoft\AVG7\avgupsvc.exe><GRISOFT, s.r.o.>
&#91;AVG E-mail Scanner / AVGEMS&#93;&#91;Running/Auto Start&#93;
  <C&#58;\PROGRA~1\Grisoft\AVG7\avgemc.exe><GRISOFT, s.r.o.>
&#91;Capture Device Service / Capture Device Service&#93;&#91;Running/Auto Start&#93;
  <&#34;C&#58;\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe&#34;><InterVideo Inc.>
&#91;Diskeeper / Diskeeper&#93;&#91;Running/Auto Start&#93;
  <&#34;C&#58;\Program Files\Executive Software\DiskeeperLite\DKService.exe&#34;><Executive Software International, Inc.>
&#91;Human Interface Device Access / HidServ&#93;&#91;Stopped/Disabled&#93;
  <C&#58;\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
&#91;MSSQL$SONY_MEDIAMGR / MSSQL$SONY_MEDIAMGR&#93;&#91;Stopped/Manual Start&#93;
  <C&#58;\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR><Microsoft Corporation>
&#91;MSSQLServerADHelper / MSSQLServerADHelper&#93;&#91;Stopped/Manual Start&#93;
  <C&#58;\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe><Microsoft Corporation>
&#91;SQLAgent$SONY_MEDIAMGR / SQLAgent$SONY_MEDIAMGR&#93;&#91;Stopped/Manual Start&#93;
  <C&#58;\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR><Microsoft Corporation>
&#91;TrueVector Internet Monitor / vsmon&#93;&#91;Running/Auto Start&#93;
  <C&#58;\WINDOWS\system32\ZoneLabs\vsmon.exe -service><Zone Labs, LLC>
&#91;VundoFix Service / VundoFixSvc&#93;&#91;Stopped/Manual Start&#93;
  <VundoFixSVC.exe><Atribune.org>

==================================
Drivers
&#91;Ad-Watch Connect Kernel Filter / Ad-Watch Connect Filter&#93;&#91;Stopped/Manual Start&#93;
  <\??\C&#58;\WINDOWS\system32\drivers\NSDriver.sys><Lavasoft AB>
&#91;AMD Processor Driver / AmdK8&#93;&#91;Running/System Start&#93;
  <system32\DRIVERS\AmdK8.sys><Advanced Micro Devices>
&#91;ati2mtag / ati2mtag&#93;&#91;Running/Manual Start&#93;
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
&#91;AVG7 Kernel / Avg7Core&#93;&#91;Running/System Start&#93;
  <\SystemRoot\System32\Drivers\avg7core.sys><GRISOFT, s.r.o.>
&#91;AVG7 Wrap Driver / Avg7RsW&#93;&#91;Running/System Start&#93;
  <\SystemRoot\System32\Drivers\avg7rsw.sys><GRISOFT, s.r.o.>
&#91;AVG7 Resident Driver XP / Avg7RsXP&#93;&#91;Running/System Start&#93;
  <\SystemRoot\System32\Drivers\avg7rsxp.sys><GRISOFT, s.r.o.>
&#91;AVG7 Clean Driver / AvgClean&#93;&#91;Running/System Start&#93;
  <\SystemRoot\System32\Drivers\avgclean.sys><GRISOFT, s.r.o.>
&#91;AVG Network Redirector / AvgTdi&#93;&#91;Running/Auto Start&#93;
  <\SystemRoot\System32\Drivers\avgtdi.sys><GRISOFT, s.r.o.>
&#91;gdrv / gdrv&#93;&#91;Stopped/Manual Start&#93;
  <\??\C&#58;\WINDOWS\gdrv.sys><Windows &#40;R&#41; 2000 DDK provider>
&#91;gmer / gmer&#93;&#91;Stopped/Manual Start&#93;
  <System32\DRIVERS\gmer.sys><GMER>
&#91;Microsoft UAA Bus Driver for High Definition Audio / HDAudBus&#93;&#91;Running/Manual Start&#93;
  <system32\DRIVERS\HDAudBus.sys><Windows &#40;R&#41; Server 2003 DDK provider>
&#91;HSFHWBS2 / HSFHWBS2&#93;&#91;Running/Manual Start&#93;
  <system32\DRIVERS\HSFHWBS2.sys><Conexant Systems, Inc.>
&#91;HSF_DP / HSF_DP&#93;&#91;Running/Manual Start&#93;
  <system32\DRIVERS\HSF_DP.sys><Conexant Systems, Inc.>
&#91;igmygpmu / igmygpmu&#93;&#91;Running/Boot Start&#93;
  <\SystemRoot\system32\drivers\igmygpmu.sys><N/A>
&#91;Service for Realtek HD Audio &#40;WDM&#41; / IntcAzAudAddService&#93;&#91;Running/Manual Start&#93;
  <system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
&#91;KLIF / KLIF&#93;&#91;Running/System Start&#93;
  <system32\DRIVERS\klif.sys><Kaspersky Lab>
&#91;Logitech PS/2 Mouse Filter Driver / L8042pr2&#93;&#91;Running/Manual Start&#93;
  <system32\DRIVERS\L8042pr2.Sys><Logitech, Inc.>
&#91;Logitech Mouse Class Filter Driver / LMouFlt2&#93;&#91;Running/Manual Start&#93;
  <system32\DRIVERS\LMouFlt2.Sys><Logitech, Inc.>
&#91;mdmxsdk / mdmxsdk&#93;&#91;Running/Auto Start&#93;
  <system32\DRIVERS\mdmxsdk.sys><Conexant>
&#91;VSO Software pcouffin / pcouffin&#93;&#91;Stopped/Manual Start&#93;
  <System32\Drivers\pcouffin.sys><VSO Software>
&#91;Direct Parallel Link Driver / Ptilink&#93;&#91;Running/Manual Start&#93;
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
&#91;PxHelp20 / PxHelp20&#93;&#91;Running/Boot Start&#93;
  <\SystemRoot\system32\Drivers\PxHelp20.sys><Sonic Solutions>
&#91;Service for HDMI / RTHDMIAzAudService&#93;&#91;Running/Manual Start&#93;
  <system32\drivers\RtHDMI.sys><Realtek Semiconductor Corp.>
&#91;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver / RTL8023xp&#93;&#91;Stopped/Manual Start&#93;
  <system32\DRIVERS\Rtnicxp.sys><Realtek Semiconductor Corporation>
&#91;Secdrv / Secdrv&#93;&#91;Stopped/Manual Start&#93;
  <system32\DRIVERS\secdrv.sys><N/A>
&#91;srescan / srescan&#93;&#91;Running/Boot Start&#93;
  <\SystemRoot\system32\ZoneLabs\srescan.sys><Zone Labs, LLC>
&#91;vsdatant / vsdatant&#93;&#91;Running/System Start&#93;
  <System32\vsdatant.sys><Zone Labs, LLC>
&#91;winachsf / winachsf&#93;&#91;Running/Manual Start&#93;
  <system32\DRIVERS\HSF_CNXT.sys><Conexant Systems, Inc.>
&#91;World Standard Teletext Codec / WSTCODEC&#93;&#91;Stopped/Manual Start&#93;
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>

==================================
Browser Add-ons
&#91;&#93;
  {0DDF8B50-7F95-4A8C-B23D-93AB75769655} <c&#58;\windows\system32\gdajlay.dll, N/A>
&#91;&#93;
  {61CFCCF2-D2A1-43CF-AE32-8B9843D58804} <C&#58;\WINDOWS\system32\cmsetACLo.dll, N/A>
&#91;SSVHelper Class&#93;
  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C&#58;\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
&#91;ZoneAlarm Spy Blocker BHO&#93;
  {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} <C&#58;\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL, ZoneAlarm>
&#91;&#93;
  {FFFFFEF0-5B30-21D4-945D-000000000000} <C&#58;\PROGRA~1\STARDO~1\SDIEInt.dll, N/A>
&#91;Messenger&#93;
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C&#58;\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
&#91;ZoneAlarm Spy Blocker&#93;
  {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} <C&#58;\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL, ZoneAlarm>
&#91;Java Plug-in 1.6.0_01&#93;
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C&#58;\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
&#91;Java Plug-in 1.6.0_01&#93;
  {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} <C&#58;\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
&#91;Java Plug-in 1.6.0_01&#93;
  {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C&#58;\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll, Sun Microsystems, Inc.>
&#91;&#93;
  {0DDF8B50-7F95-4A8C-B23D-93AB75769655} <c&#58;\windows\system32\gdajlay.dll, N/A>
&#91;Tabular Data Control&#93;
  {333C7BC4-460F-11D0-BC04-0080C7055A83} <C&#58;\WINDOWS\system32\tdc.ocx, Microsoft Corporation>
&#91;XML Document&#93;
  {48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\system32\msxml3.dll, N/A>
&#91;&#93;
  {61CFCCF2-D2A1-43CF-AE32-8B9843D58804} <C&#58;\WINDOWS\system32\cmsetACLo.dll, N/A>
&#91;Windows Media Player&#93;
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C&#58;\WINDOWS\system32\wmp.dll, Microsoft Corporation>
&#91;SSVHelper Class&#93;
  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C&#58;\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
&#91;SearchAssistantOC&#93;
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
&#91;RDS.DataSpace&#93;
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C&#58;\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
&#91;AUDIO__MID Moniker Class&#93;
  {CD3AFA74-B84F-48F0-9393-7EDC34128127} <C&#58;\WINDOWS\system32\wmp.dll, Microsoft Corporation>
&#91;AUDIO__MP3 Moniker Class&#93;
  {CD3AFA76-B84F-48F0-9393-7EDC34128127} <C&#58;\WINDOWS\system32\wmp.dll, Microsoft Corporation>
&#91;AUDIO__WAV Moniker Class&#93;
  {CD3AFA7B-B84F-48F0-9393-7EDC34128127} <C&#58;\WINDOWS\system32\wmp.dll, Microsoft Corporation>
&#91;VIDEO__AVI Moniker Class&#93;
  {CD3AFA88-B84F-48F0-9393-7EDC34128127} <C&#58;\WINDOWS\system32\wmp.dll, Microsoft Corporation>
&#91;VIDEO__X_MS_WMV Moniker Class&#93;
  {CD3AFA94-B84F-48F0-9393-7EDC34128127} <C&#58;\WINDOWS\system32\wmp.dll, Microsoft Corporation>
&#91;Shockwave Flash Object&#93;
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C&#58;\WINDOWS\system32\Macromed\Flash\Flash9e.ocx, Adobe Systems, Inc.>
&#91;ZoneAlarm Spy Blocker BHO&#93;
  {F0D4B231-DA4B-4DAF-81E4-DFEE4931A4AA} <C&#58;\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL, ZoneAlarm>
&#91;ZoneAlarm Spy Blocker&#93;
  {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} <C&#58;\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL, ZoneAlarm>
&#91;&#93;
  {FFFFFEF0-5B30-21D4-945D-000000000000} <C&#58;\PROGRA~1\STARDO~1\SDIEInt.dll, N/A>
&#91;Download with Star Downloader&#93;
  <C&#58;\Program Files\Star Downloader\sdie.htm, N/A>

==================================
Running Processes
&#91;PID&#58; 508 / SYSTEM&#93;&#91;\SystemRoot\System32\smss.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 572 / SYSTEM&#93;&#91;\??\C&#58;\WINDOWS\system32\csrss.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 604 / SYSTEM&#93;&#91;\??\C&#58;\WINDOWS\system32\winlogon.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
	&#91;C&#58;\WINDOWS\system32\Ati2evxx.dll&#93;  &#91;ATI Technologies Inc., 6.14.10.4163&#93;
&#91;PID&#58; 648 / SYSTEM&#93;&#91;C&#58;\WINDOWS\system32\services.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 660 / SYSTEM&#93;&#91;C&#58;\WINDOWS\system32\lsass.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 824 / SYSTEM&#93;&#91;C&#58;\WINDOWS\system32\Ati2evxx.exe&#93;  &#91;ATI Technologies Inc., 6.14.10.4173&#93;
	&#91;C&#58;\WINDOWS\system32\Ati2edxx.dll&#93;  &#91;ATI Technologies, Inc., 6, 14, 10, 2512&#93;
	&#91;C&#58;\WINDOWS\system32\atipdlxx.dll&#93;  &#91;ATI Technologies, Inc., 6, 14, 10, 2521&#93;
&#91;PID&#58; 844 / SYSTEM&#93;&#91;C&#58;\WINDOWS\system32\svchost.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 928 / NETWORK SERVICE&#93;&#91;C&#58;\WINDOWS\system32\svchost.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 972 / SYSTEM&#93;&#91;C&#58;\WINDOWS\System32\svchost.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 1032 / NETWORK SERVICE&#93;&#91;C&#58;\WINDOWS\system32\svchost.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 1096 / SYSTEM&#93;&#91;C&#58;\WINDOWS\system32\Ati2evxx.exe&#93;  &#91;ATI Technologies Inc., 6.14.10.4173&#93;
	&#91;C&#58;\WINDOWS\system32\Ati2edxx.dll&#93;  &#91;ATI Technologies, Inc., 6, 14, 10, 2512&#93;
	&#91;C&#58;\WINDOWS\system32\atipdlxx.dll&#93;  &#91;ATI Technologies, Inc., 6, 14, 10, 2521&#93;
	&#91;C&#58;\WINDOWS\system32\ati2evxx.dll&#93;  &#91;ATI Technologies Inc., 6.14.10.4163&#93;
&#91;PID&#58; 1148 / LOCAL SERVICE&#93;&#91;C&#58;\WINDOWS\system32\svchost.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 1324 / zoobie&#93;&#91;C&#58;\WINDOWS\Explorer.EXE&#93;  &#91;Microsoft Corporation, 6.00.2900.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
	&#91;C&#58;\Program Files\Common Files\Logitech\Scrolling\LgMsgHk.dll&#93;  &#91;Logitech Inc., 1.1.0&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\System\LgWndHk.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\GiPo@Utilities\GiPo@MoveOnBoot\mboot.dll&#93;  &#91;Gibin Software House &#40;http&#58;//www.gibinsoft.net&#41;, 1, 9, 5, 22&#93;
	&#91;C&#58;\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll&#93;  &#91;Zone Labs, LLC, 7.0.470.000&#93;
	&#91;C&#58;\Program Files\Grisoft\AVG7\avgse.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.409&#93;
	&#91;C&#58;\WINDOWS\system32\MSVCP71.dll&#93;  &#91;Microsoft Corporation, 7.10.3077.0&#93;
	&#91;C&#58;\WINDOWS\system32\MSVCR71.dll&#93;  &#91;Microsoft Corporation, 7.10.3052.4&#93;
	&#91;C&#58;\Program Files\Java\jre1.6.0_01\bin\ssv.dll&#93;  &#91;Sun Microsystems, Inc., 6.0.10.6&#93;
	&#91;C&#58;\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL&#93;  &#91;ZoneAlarm, 2, 3, 0, 11&#93;
	&#91;C&#58;\PROGRA~1\STARDO~1\SDIEInt.dll&#93;  &#91;N/A, &#93;
	&#91;C&#58;\Program Files\Iconoid\tr3dll.dll&#93;  &#91;N/A, &#93;
&#91;PID&#58; 1556 / SYSTEM&#93;&#91;C&#58;\Program Files\Lavasoft\Ad-Aware\aawservice.exe&#93;  &#91;Lavasoft, 7,1,0,12&#93;
	&#91;C&#58;\Program Files\Lavasoft\Ad-Aware\CEAPI.dll&#93;  &#91;Lavasoft, 7,1,0,12&#93;
	&#91;C&#58;\Program Files\Lavasoft\Ad-Aware\PKArchive85u.dll&#93;  &#91;PKWARE, Inc., 8.4.1045.0&#93;
&#91;PID&#58; 1616 / SYSTEM&#93;&#91;C&#58;\WINDOWS\system32\spoolsv.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 1720 / SYSTEM&#93;&#91;C&#58;\PROGRA~1\Grisoft\AVG7\avgamsvr.exe&#93;  &#91;GRISOFT, s.r.o., 7.5.0.496&#93;
	&#91;C&#58;\PROGRA~1\Grisoft\AVG7\avgklib.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.458&#93;
	&#91;C&#58;\WINDOWS\system32\MSVCP71.dll&#93;  &#91;Microsoft Corporation, 7.10.3077.0&#93;
	&#91;C&#58;\WINDOWS\system32\MSVCR71.dll&#93;  &#91;Microsoft Corporation, 7.10.3052.4&#93;
	&#91;C&#58;\PROGRA~1\Grisoft\AVG7\avglog.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.429&#93;
	&#91;C&#58;\Program Files\Grisoft\AVG7\avgcfg.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.501&#93;
	&#91;C&#58;\Program Files\Grisoft\AVG7\avglng.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.480&#93;
&#91;PID&#58; 1732 / SYSTEM&#93;&#91;C&#58;\PROGRA~1\Grisoft\AVG7\avgupsvc.exe&#93;  &#91;GRISOFT, s.r.o., 7.5.0.420&#93;
	&#91;C&#58;\WINDOWS\system32\MSVCR71.dll&#93;  &#91;Microsoft Corporation, 7.10.3052.4&#93;
&#91;PID&#58; 1772 / SYSTEM&#93;&#91;C&#58;\PROGRA~1\Grisoft\AVG7\avgemc.exe&#93;  &#91;GRISOFT, s.r.o., 7.5.0.494&#93;
	&#91;C&#58;\PROGRA~1\Grisoft\AVG7\libsasl.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.407&#93;
	&#91;C&#58;\WINDOWS\system32\MSVCR71.dll&#93;  &#91;Microsoft Corporation, 7.10.3052.4&#93;
	&#91;C&#58;\WINDOWS\system32\MSVCP71.dll&#93;  &#91;Microsoft Corporation, 7.10.3077.0&#93;
	&#91;C&#58;\PROGRA~1\Grisoft\AVG7\avglog.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.429&#93;
	&#91;C&#58;\Program Files\Grisoft\AVG7\avgcfg.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.501&#93;
	&#91;C&#58;\Program Files\Grisoft\AVG7\avgklib.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.458&#93;
	&#91;C&#58;\Program Files\Grisoft\AVG7\avglng.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.480&#93;
	&#91;C&#58;\Program Files\Grisoft\AVG7\avgscan.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.491&#93;
	&#91;C&#58;\Program Files\Grisoft\AVG7\avgunarc.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.474&#93;
	&#91;C&#58;\PROGRA~1\Grisoft\AVG7\saslcrammd5.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.407&#93;
	&#91;C&#58;\PROGRA~1\Grisoft\AVG7\sasldigestmd5.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.407&#93;
	&#91;C&#58;\PROGRA~1\Grisoft\AVG7\sasllogin.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.407&#93;
	&#91;C&#58;\PROGRA~1\Grisoft\AVG7\saslplain.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.407&#93;
	&#91;C&#58;\Program Files\Grisoft\AVG7\avgmail.dll&#93;  &#91;GRISOFT, s.r.o., 7.5.0.429&#93;
&#91;PID&#58; 1784 / SYSTEM&#93;&#91;C&#58;\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe&#93;  &#91;InterVideo Inc., 1.0.0.1&#93;
	&#91;C&#58;\WINDOWS\system32\devenum.dll&#93;  &#91;, &#93;
	&#91;C&#58;\WINDOWS\system32\msdmo.dll&#93;  &#91;, &#93;
	&#91;C&#58;\WINDOWS\system32\qcap.dll&#93;  &#91;, &#93;
	&#91;C&#58;\WINDOWS\system32\qdvd.dll&#93;  &#91;, &#93;
	&#91;C&#58;\WINDOWS\system32\quartz.dll&#93;  &#91;, &#93;
&#91;PID&#58; 1816 / SYSTEM&#93;&#91;C&#58;\Program Files\Executive Software\DiskeeperLite\DKService.exe&#93;  &#91;Executive Software International, Inc., 7.0.418.0&#93;
	&#91;C&#58;\Program Files\Executive Software\DiskeeperLite\PSAPI.DLL&#93;  &#91;Microsoft Corporation, 5.00.1849.1&#93;
	&#91;C&#58;\Program Files\Executive Software\DiskeeperLite\DKLib.dll&#93;  &#91;Executive Software International, Inc., 7.0.418.0&#93;
	&#91;C&#58;\Program Files\Executive Software\DiskeeperLite\DkRes.dll&#93;  &#91;Executive Software International, Inc., 7.0.418.0&#93;
&#91;PID&#58; 1948 / SYSTEM&#93;&#91;C&#58;\WINDOWS\system32\svchost.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 1000 / LOCAL SERVICE&#93;&#91;C&#58;\WINDOWS\System32\alg.exe&#93;  &#91;Microsoft Corporation, 5.1.2600.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
&#91;PID&#58; 1292 / zoobie&#93;&#91;C&#58;\WINDOWS\RTHDCPL.EXE&#93;  &#91;Realtek Semiconductor Corp., 2.1.3.6&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\System\LgWndHk.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Common Files\Logitech\Scrolling\LgMsgHk.dll&#93;  &#91;Logitech Inc., 1.1.0&#93;
&#91;PID&#58; 1868 / zoobie&#93;&#91;C&#58;\Program Files\Java\jre1.6.0_01\bin\jusched.exe&#93;  &#91;Sun Microsystems, Inc., 6.0.10.6&#93;
	&#91;C&#58;\Program Files\Java\jre1.6.0_01\bin\MSVCR71.dll&#93;  &#91;Microsoft Corporation, 7.10.3052.4&#93;
&#91;PID&#58; 2076 / zoobie&#93;&#91;C&#58;\Program Files\Logitech\MouseWare\system\em_exec.exe&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\system\EVENTEX.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\WINDOWS\system32\COMNCTR.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\system\MFC42.DLL&#93;  &#91;Microsoft Corporation, 6.00.8665.0&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\system\ccresrce.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\system\GlbResLt.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Common Files\Logitech\Scrolling\LgMsgHk.dll&#93;  &#91;Logitech Inc., 1.1.0&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\System\devices.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\system\ccstmglb.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\system\ccustom.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\system\ccmsghk.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\System\LgWndHk.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
&#91;PID&#58; 2940 / zoobie&#93;&#91;C&#58;\Program Files\Audacity 1.3 Beta &#40;Unicode&#41;\audacity.exe&#93;  &#91;The Audacity Team, 1,3,4,0&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\System\LgWndHk.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Audacity 1.3 Beta &#40;Unicode&#41;\Plug-Ins\4ormulator.dll&#93;  &#91;WOLTON, 3, 1, 0, 7&#93;
	&#91;C&#58;\Program Files\Audacity 1.3 Beta &#40;Unicode&#41;\Plug-Ins\gverb_1216.dll&#93;  &#91;N/A, &#93;
	&#91;C&#58;\Program Files\Audacity 1.3 Beta &#40;Unicode&#41;\Plug-Ins\hard_limiter_1413.dll&#93;  &#91;N/A, &#93;
	&#91;C&#58;\Program Files\Audacity 1.3 Beta &#40;Unicode&#41;\Plug-Ins\lame_enc.dll&#93;  &#91;N/A, &#93;
	&#91;C&#58;\Program Files\Audacity 1.3 Beta &#40;Unicode&#41;\Plug-Ins\sc4_1882.dll&#93;  &#91;N/A, &#93;
	&#91;C&#58;\Program Files\Common Files\Logitech\Scrolling\LgMsgHk.dll&#93;  &#91;Logitech Inc., 1.1.0&#93;
&#91;PID&#58; 420 / zoobie&#93;&#91;C&#58;\Program Files\Internet Explorer\iexplore.exe&#93;  &#91;Microsoft Corporation, 6.00.2900.2180 &#40;xpsp_sp2_rtm.040803-2158&#41;&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\System\LgWndHk.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Common Files\Logitech\Scrolling\LgMsgHk.dll&#93;  &#91;Logitech Inc., 1.1.0&#93;
	&#91;C&#58;\Program Files\Java\jre1.6.0_01\bin\ssv.dll&#93;  &#91;Sun Microsystems, Inc., 6.0.10.6&#93;
	&#91;C&#58;\Program Files\Java\jre1.6.0_01\bin\MSVCR71.dll&#93;  &#91;Microsoft Corporation, 7.10.3052.4&#93;
	&#91;C&#58;\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL&#93;  &#91;ZoneAlarm, 2, 3, 0, 11&#93;
	&#91;C&#58;\PROGRA~1\STARDO~1\SDIEInt.dll&#93;  &#91;N/A, &#93;
	&#91;C&#58;\WINDOWS\system32\Macromed\Flash\Flash9e.ocx&#93;  &#91;Adobe Systems, Inc., 9,0,115,0&#93;
&#91;PID&#58; 968 / zoobie&#93;&#91;C&#58;\Program Files\Iconoid\iconoid.exe&#93;  &#91;SillySot Software, 3.5.0&#93;
	&#91;C&#58;\Program Files\Iconoid\tr3dll.dll&#93;  &#91;N/A, &#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\System\LgWndHk.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Common Files\Logitech\Scrolling\LgMsgHk.dll&#93;  &#91;Logitech Inc., 1.1.0&#93;
&#91;PID&#58; 3584 / zoobie&#93;&#91;C&#58;\Documents and Settings\zoobie\Desktop\sreng2\SREngPS.EXE&#93;  &#91;Smallfrogs Studio, 2.5.16.900&#93;
	&#91;C&#58;\Program Files\Logitech\MouseWare\System\LgWndHk.dll&#93;  &#91;Logitech Inc., 9.76.046&#93;
	&#91;C&#58;\Program Files\Common Files\Logitech\Scrolling\LgMsgHk.dll&#93;  &#91;Logitech Inc., 1.1.0&#93;
	&#91;C&#58;\Documents and Settings\zoobie\Desktop\sreng2\Upload\3rdUpd.DLL&#93;  &#91;Smallfrogs Studio, 2, 1, 0, 15&#93;

==================================
File Associations
.TXT  OK. &#91;%SystemRoot%\system32\NOTEPAD.EXE %1&#93;
.EXE  OK. &#91;&#34;%1&#34; %*&#93;
.COM  OK. &#91;&#34;%1&#34; %*&#93;
.PIF  OK. &#91;&#34;%1&#34; %*&#93;
.REG  OK. &#91;regedit.exe &#34;%1&#34;&#93;
.BAT  OK. &#91;&#34;%1&#34; %*&#93;
.SCR  OK. &#91;&#34;%1&#34; /S&#93;
.CHM  OK. &#91;&#34;C&#58;\WINDOWS\hh.exe&#34; %1&#93;
.HLP  OK. &#91;%SystemRoot%\System32\winhlp32.exe %1&#93;
.INI  OK. &#91;%SystemRoot%\System32\NOTEPAD.EXE %1&#93;
.INF  OK. &#91;%SystemRoot%\System32\NOTEPAD.EXE %1&#93;
.VBS  OK. &#91;%SystemRoot%\System32\WScript.exe &#34;%1&#34; %*&#93;
.JS   OK. &#91;%SystemRoot%\System32\WScript.exe &#34;%1&#34; %*&#93;
.LNK  OK. &#91;{00021401-0000-0000-C000-000000000046}&#93;

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1	   localhost

==================================
Process Privileges Scan
Special Privilege Enabled&#58; SeLoadDriverPrivilege &#91;PID = 2076, C&#58;\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE&#93;
Special Privilege Enabled&#58; SeLoadDriverPrivilege &#91;PID = 2940, C&#58;\PROGRAM FILES\AUDACITY 1.3 BETA &#40;UNICODE&#41;\AUDACITY.EXE&#93;
Special Privilege Enabled&#58; SeLoadDriverPrivilege &#91;PID = 968, C&#58;\PROGRAM FILES\ICONOID\ICONOID.EXE&#93;

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================


#16 bamajim

bamajim

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 339 posts

Posted 23 June 2008 - 01:21 PM

zoobie

We are going to make another CFScript file

1. Open NotePad (not wordpad). Copy and paste the following into Notepad (Not the word Code)
DRIVER&#58;&#58;
igmygpmu

Collect&#58;&#58;
C&#58;\WINDOWS\system32\drivers\igmygpmu.sys
c&#58;\windows\system32\gdajlay.dll
C&#58;\WINDOWS\system32\cmsetACLo.dll

REGISTRY&#58;&#58;
&#91;-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DDF8B50-7F95-4A8C-B23D-93AB75769655}&#93;
&#91;-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61CFCCF2-D2A1-43CF-AE32-8B9843D58804}&#93;
Save the File as CFScript(exactly as shown no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

Posted ImageYou will be prompted to run Combofix again, Do so
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply
2. Rerun Hijackthis and post a fresh Hijackthis log as well


Microsoft MVP Consumer Security

#17 zoobie

zoobie

    Member

  • Members
  • PipPip
  • 14 posts

Posted 28 June 2008 - 09:43 AM

my combo fix log
ComboFix 08-06-16.5 - zoobie 2008-06-28  3&#58;21&#58;13.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1419 &#91;GMT -7&#58;00&#93;
Running from&#58; C&#58;\Documents and Settings\zoobie\Desktop\ComboFix.exe
Command switches used &#58;&#58; C&#58;\Documents and Settings\zoobie\Desktop\CFScript.txt
 * Created a new restore point

&#91;color=red&#93;&#91;b&#93;WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!&#91;/b&#93;&#91;/color&#93;
.

&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;   Other Deletions   &#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;
.

C&#58;\WINDOWS\system32\cmsetACLo.dll
C&#58;\WINDOWS\system32\drivers\igmygpmu.sys
c&#58;\windows\system32\gdajlay.dll

.
&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;   Drivers/Services   &#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;
.

-------\Legacy_IGMYGPMU
-------\Service_igmygpmu


&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;&#40;   Files Created from 2008-05-28 to 2008-06-28  &#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;&#41;
.

2008-06-26 23&#58;51 . 2008-06-26 23&#58;51	<DIR>	d--------	C&#58;\Documents and Settings\zoobie\Application Data\Canneverbe_Limited
2008-06-26 23&#58;50 . 2008-06-26 23&#58;50	<DIR>	d--------	C&#58;\Program Files\CDBurnerXP
2008-06-25 11&#58;32 . 2008-06-25 11&#58;32	<DIR>	d--------	C&#58;\Temp\Ogif
2008-06-25 11&#58;32 . 2008-06-25 11&#58;32	<DIR>	d--------	C&#58;\Temp
2008-06-22 00&#58;48 . 2008-06-22 00&#58;48	<DIR>	d--------	C&#58;\Program Files\AnalogX
2008-06-20 17&#58;55 . 2008-06-20 17&#58;55	250	--a------	C&#58;\WINDOWS\gmer.ini
2008-06-17 14&#58;37 . 2008-06-17 14&#58;37	24,576	--a------	C&#58;\WINDOWS\system32\VundoFixSVC.exe
2008-06-16 20&#58;30 . 2008-06-17 14&#58;37	<DIR>	d--------	C&#58;\VundoFix Backups
2008-06-10 03&#58;31 . 2008-06-10 03&#58;31	<DIR>	d--------	C&#58;\Documents and Settings\NetworkService\Application Data\dreccvzt
2008-06-10 01&#58;17 . 2008-06-10 01&#58;17	<DIR>	d--------	C&#58;\WINDOWS\Freecorder Toolbar
2008-06-10 01&#58;17 . 2008-06-10 01&#58;17	<DIR>	d--------	C&#58;\Program Files\Freecorder Toolbar
2008-06-09 16&#58;48 . 2008-06-09 16&#58;48	<DIR>	d--------	C&#58;\Documents and Settings\zoobie\Application Data\dreccvzt
2008-06-09 14&#58;00 . 2008-06-09 16&#58;48	<DIR>	d--------	C&#58;\Program Files\Common Files\Mozilla Shared
2008-06-07 00&#58;23 . 2004-08-02 23&#58;31	482,304	--a--c---	C&#58;\WINDOWS\system32\dllcache\pintlgnt.ime
2008-06-07 00&#58;22 . 2001-08-22 21&#58;00	1,875,968	--a--c---	C&#58;\WINDOWS\system32\dllcache\msir3jp.lex
2008-06-07 00&#58;21 . 2001-08-22 21&#58;00	13,463,552	--a--c---	C&#58;\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-07 00&#58;20 . 2004-08-03 01&#58;56	2,134,528	--a--c---	C&#58;\WINDOWS\system32\dllcache\smtpsnap.dll
2008-06-07 00&#58;19 . 2004-05-13 00&#58;39	876,653	--a--c---	C&#58;\WINDOWS\system32\dllcache\fp4awel.dll
2008-06-07 00&#58;15 . 2008-06-07 00&#58;15	749	-rah-----	C&#58;\WINDOWS\WindowsShell.Manifest
2008-06-07 00&#58;15 . 2008-06-07 00&#58;15	749	-rah-----	C&#58;\WINDOWS\system32\wuaucpl.cpl.manifest
2008-06-07 00&#58;15 . 2008-06-07 00&#58;15	749	-rah-----	C&#58;\WINDOWS\system32\sapi.cpl.manifest
2008-06-07 00&#58;15 . 2008-06-07 00&#58;15	749	-rah-----	C&#58;\WINDOWS\system32\nwc.cpl.manifest
2008-06-07 00&#58;15 . 2008-06-07 00&#58;15	749	-rah-----	C&#58;\WINDOWS\system32\ncpa.cpl.manifest
2008-06-07 00&#58;15 . 2008-06-07 00&#58;15	488	-rah-----	C&#58;\WINDOWS\system32\logonui.exe.manifest
2008-06-07 00:14 . 2001-08-22 21:00	16,384	--a--c---	C:\WINDOWS\system32\dllcache\isignup.exe
2008-06-07 00:03 . 2001-08-22 21:00	24,661	--a------	C:\WINDOWS\system32\spxcoins.dll
2008-06-07 00:03 . 2001-08-22 21:00	24,661	--a--c---	C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-06-07 00:03 . 2001-08-22 21:00	13,312	--a------	C:\WINDOWS\system32\irclass.dll
2008-06-07 00:03 . 2001-08-22 21:00	13,312	--a--c---	C:\WINDOWS\system32\dllcache\irclass.dll
2008-06-06 20:34 . 2008-06-16 08:59	<DIR>	d--------	C:\Program Files\a-squared Free
2008-06-06 20:29 . 2008-06-06 20:29	<DIR>	dr-h-----	C:\$VAULT$.AVG
2008-06-06 19:25 . 2008-06-11 03:34	<DIR>	d--------	C:\Documents and Settings\zoobie\Application Data\AVG7
2008-06-06 19:25 . 2008-06-06 19:25	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-06 19:24 . 2008-06-06 19:24	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-06 18:23 . 2008-06-06 18:53	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2008-06-06 18:23 . 2008-06-06 18:53	<DIR>	d--------	C:\Documents and Settings\zoobie\Application Data\SUPERAntiSpyware.com
2008-06-06 18:23 . 2008-06-06 18:23	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-06 17:57 . 2008-06-06 18:08	<DIR>	d--------	C:\Program Files\JustZIPit
2008-06-06 17:07 . 2008-06-06 17:07	<DIR>	d--------	C:\Program Files\CONEXANT
2008-06-06 17:07 . 2004-09-29 00:33	1,036,928	--a------	C:\WINDOWS\system32\drivers\HSF_DP.sys
2008-06-06 17:07 . 2004-09-29 00:34	702,592	--a------	C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2008-06-06 17:07 . 2004-09-29 00:35	219,136	--a------	C:\WINDOWS\system32\drivers\HSFHWBS2.sys
2008-06-06 17:07 . 2004-09-28 19:19	129,045	--a------	C:\WINDOWS\system32\drivers\HSFProf.cty
2008-06-06 17:07 . 2004-03-16 21:00	86,016	--a------	C:\WINDOWS\system32\mdmxsdk.dll
2008-06-06 17:07 . 2004-08-04 00:34	39,018	--a------	C:\WINDOWS\system32\hsfci011.dll
2008-06-06 17:07 . 2004-03-16 21:04	13,059	--a------	C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-06-06 17:00 . 2008-06-18 17:14	2,011,713,536	--a------	C:\WINDOWS\MEMORY.DMP
2008-06-06 15:47 . 2008-06-06 23:36	8,319	--a------	C:\WINDOWS\setupapi.old
2008-06-06 15:13 . 2008-06-06 15:13	<DIR>	d--hs----	C:\found.000
2008-06-06 12:30 . 2008-06-06 12:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-06 12:29 . 2008-06-06 18:53	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 21:52 . 2008-06-04 21:52	<DIR>	d--------	C:\Program Files\GiPo@Utilities
2008-06-04 21:52 . 2008-06-17 15:50	<DIR>	d--------	C:\Program Files\Common Files\Gibinsoft Shared
2008-06-03 21:09 . 2008-06-06 13:08	4,922	--a------	C:\Documents and Settings\zoobie\xrt_log.dat
2008-06-03 20:00 . 2008-06-03 20:50	<DIR>	d--------	C:\Downloads
2008-06-03 19:59 . 2008-06-05 18:26	<DIR>	d--------	C:\Program Files\BitComet
2008-05-31 15:16 . 2004-08-03 02:57	1,086,058	-ra------	C:\WINDOWS\SET47.tmp
2008-05-31 15:16 . 2004-08-03 03:03	1,042,903	-ra------	C:\WINDOWS\SET3C.tmp
2008-05-31 15:16 . 2004-08-03 02:58	13,753	-ra------	C:\WINDOWS\SET52.tmp
2008-05-28 23:11 . 2008-06-25 18:58	12	--a------	C:\WINDOWS\YAHVOX_ignore.ini

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 10:31	28,823,584	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-28 10:29	339,824	--sha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-28 10:18	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\Audacity
2008-06-23 02:48	---------	d-----w	C:\Program Files\YahELite
2008-06-23 00:13	---------	d-----w	C:\Program Files\WinFF
2008-06-21 08:21	---------	d-----w	C:\Program Files\LimeWire
2008-06-21 08:21	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\LimeWire
2008-06-19 22:23	17,712,259	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-19 22:21	84,992	----a-w	C:\WINDOWS\system32\fqoethz.dll
2008-06-18 21:37	1,753,600	----a-w	C:\WINDOWS\Internet Logs\xDB14.tmp
2008-06-18 02:17	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\dvdcss
2008-06-16 15:58	1,741,824	----a-w	C:\WINDOWS\Internet Logs\xDB13.tmp
2008-06-15 18:04	1,735,680	----a-w	C:\WINDOWS\Internet Logs\xDB12.tmp
2008-06-14 10:35	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-12 16:53	1,733,120	----a-w	C:\WINDOWS\Internet Logs\xDB11.tmp
2008-06-11 16:44	1,732,096	----a-w	C:\WINDOWS\Internet Logs\xDB10.tmp
2008-06-10 20:54	---------	d-----w	C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-10 05:24	1,724,928	----a-w	C:\WINDOWS\Internet Logs\xDBF.tmp
2008-06-08 10:56	1,721,856	----a-w	C:\WINDOWS\Internet Logs\xDBE.tmp
2008-06-07 01:51	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-06 22:46	15,600	----a-w	C:\WINDOWS\gdrv.sys
2008-06-06 19:30	---------	d-----w	C:\Program Files\Lavasoft
2008-06-06 01:10	229,888	----a-w	C:\WINDOWS\Internet Logs\xDBD.tmp
2008-06-05 03:29	2,639,872	----a-w	C:\WINDOWS\Internet Logs\xDBB.tmp
2008-05-31 23:54	47,360	----a-w	C:\Documents and Settings\zoobie\Application Data\pcouffin.sys
2008-05-31 23:54	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\Vso
2008-05-28 00:17	2,653,184	----a-w	C:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-28 00:17	1,681,920	----a-w	C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-27 07:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 06:52	---------	d-----w	C:\Program Files\Ulead Systems
2008-05-27 06:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-25 04:45	---------	d-----w	C:\Program Files\DVD Decrypter
2008-05-25 02:50	---------	d-----w	C:\Program Files\ImgBurn
2008-05-25 01:56	---------	d-----w	C:\Program Files\DVD Shrink
2008-05-24 20:37	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\RipIt4Me
2008-05-24 20:34	46,106	----a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2008_05_24_13_28_22_small.dmp.zip
2008-05-24 19:47	---------	d-----w	C:\Program Files\Live_TV
2008-05-24 19:47	---------	d-----w	C:\Program Files\Conduit
2008-05-24 19:44	47,360	----a-w	C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-24 00:27	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\Yahoo!
2008-05-24 00:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-24 00:25	---------	d-----w	C:\Program Files\Yahoo!
2008-05-17 16:36	41,311	----a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2008_05_17_09_34_04_small.dmp.zip
2008-05-16 18:58	12,632	----a-w	C:\WINDOWS\system32\lsdelete.exe
2008-05-10 00:56	10,266	----a-w	C:\Documents and Settings\zoobie\xrt_collect.zip
2008-05-09 21:31	1,304,064	----a-w	C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-30 05:36	---------	d-----w	C:\Documents and Settings\zoobie\Application Data\Winff
2008-04-30 02:55	5,144,064	----a-w	C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-29 18:20	15,648	----a-w	C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19	15,648	----a-w	C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19	12,960	----a-w	C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-24 03:49	147,456	----a-w	C:\WINDOWS\system32\vbzip10.dll
.
.

(((((((((((((((((((((((((((((   snapshot@2008-06-18_17.28.30.73   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 00:25:13	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-06-28 10:30:24	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-06-21 00:55:27	884,736	----a-w	C:\WINDOWS\gmer.dll
+ 2008-04-18 04:13:02	811,008	----a-w	C:\WINDOWS\gmer.exe
- 2005-01-28 21:44:28	294,912	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\blackbox.dll
+ 2005-01-28 20:44:28	294,912	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\blackbox.dll
- 2005-01-28 21:44:28	258,296	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmclien.dll
+ 2005-01-28 20:44:28	258,296	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmclien.dll
- 2005-01-28 21:44:28	96,768	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmstor.dll
+ 2005-01-28 20:44:28	96,768	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmstor.dll
- 2005-01-28 21:44:28	502,272	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmv2clt.dll
+ 2005-01-28 20:44:28	502,272	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmv2clt.dll
- 2005-01-28 21:44:28	142,336	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\msnetobj.dll
+ 2005-01-28 20:44:28	142,336	----a-w	C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\msnetobj.dll
- 2004-08-03 08:56:42	286,208	----a-w	C:\WINDOWS\system32\blackbox.dll
+ 2005-01-28 20:44:28	294,912	----a-w	C:\WINDOWS\system32\blackbox.dll
- 2004-08-03 08:56:42	286,208	-c--a-w	C:\WINDOWS\system32\dllcache\blackbox.dll
+ 2005-01-28 20:44:28	294,912	-c--a-w	C:\WINDOWS\system32\dllcache\blackbox.dll
- 2004-08-03 08:57:06	299,520	-c--a-w	C:\WINDOWS\system32\dllcache\drmclien.dll
+ 2005-01-28 20:44:28	258,296	-c--a-w	C:\WINDOWS\system32\dllcache\drmclien.dll
- 2004-08-03 08:56:44	87,040	-c--a-w	C:\WINDOWS\system32\dllcache\drmstor.dll
+ 2005-01-28 20:44:28	96,768	-c--a-w	C:\WINDOWS\system32\dllcache\drmstor.dll
- 2004-08-03 08:57:04	695,296	-c--a-w	C:\WINDOWS\system32\dllcache\drmv2clt.dll
+ 2005-01-28 20:44:28	502,272	-c--a-w	C:\WINDOWS\system32\dllcache\drmv2clt.dll
- 2004-08-03 08:57:02	259,072	-c--a-w	C:\WINDOWS\system32\dllcache\msnetobj.dll
+ 2005-01-28 20:44:28	142,336	-c--a-w	C:\WINDOWS\system32\dllcache\msnetobj.dll
+ 2008-06-21 00:55:27	85,969	----a-w	C:\WINDOWS\system32\drivers\gmer.sys
- 2004-08-03 08:57:06	299,520	----a-w	C:\WINDOWS\system32\drmclien.dll
+ 2005-01-28 20:44:28	258,296	----a-w	C:\WINDOWS\system32\drmclien.dll
- 2004-08-03 08:56:44	87,040	----a-w	C:\WINDOWS\system32\drmstor.dll
+ 2005-01-28 20:44:28	96,768	----a-w	C:\WINDOWS\system32\drmstor.dll
- 2004-08-03 08:57:04	695,296	----a-w	C:\WINDOWS\system32\drmv2clt.dll
+ 2005-01-28 20:44:28	502,272	----a-w	C:\WINDOWS\system32\drmv2clt.dll
- 2004-08-03 08:57:02	259,072	----a-w	C:\WINDOWS\system32\msnetobj.dll
+ 2005-01-28 20:44:28	142,336	----a-w	C:\WINDOWS\system32\msnetobj.dll
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-02-09 03:15 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-09 03:15 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 02:08 16342528 C:\WINDOWS\RTHDCPL.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 02:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43 83608]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-06 19:24 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-06 19:24 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18569:TCP"= 18569:TCP:BitComet 18569 TCP
"18569:UDP"= 18569:UDP:BitComet 18569 UDP
"14202:TCP"= 14202:TCP:@xpsp2res.dll,-22009
"51834:TCP"= 51834:TCP:@xpsp2res.dll,-22009
"32890:TCP"= 32890:TCP:@xpsp2res.dll,-22009
"21114:TCP"= 21114:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"4218:TCP"= 4218:TCP:@xpsp2res.dll,-22009
"1914:TCP"= 1914:TCP:@xpsp2res.dll,-22009
"56186:TCP"= 56186:TCP:@xpsp2res.dll,-22009
"33914:TCP"= 33914:TCP:@xpsp2res.dll,-22009
"11130:TCP"= 11130:TCP:@xpsp2res.dll,-22009
"1146:TCP"= 1146:TCP:@xpsp2res.dll,-22009
"10618:TCP"= 10618:TCP:@xpsp2res.dll,-22009
"33402:TCP"= 33402:TCP:@xpsp2res.dll,-22009
"35962:TCP"= 35962:TCP:@xpsp2res.dll,-22009
"61573:TCP"= 61573:TCP:@xpsp2res.dll,-22009
"61562:TCP"= 61562:TCP:@xpsp2res.dll,-22009
"19066:TCP"= 19066:TCP:@xpsp2res.dll,-22009
"36474:TCP"= 36474:TCP:@xpsp2res.dll,-22009
"30074:TCP"= 30074:TCP:@xpsp2res.dll,-22009
"52346:TCP"= 52346:TCP:@xpsp2res.dll,-22009
"1402:TCP"= 1402:TCP:@xpsp2res.dll,-22009
"43642:TCP"= 43642:TCP:@xpsp2res.dll,-22009
"47738:TCP"= 47738:TCP:@xpsp2res.dll,-22009

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-06-15 15:34]
R3 RTHDMIAzAudService;Service for HDMI;C:\WINDOWS\system32\drivers\RtHDMI.sys [2007-05-13 18:12]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 00:10]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-06 15:46]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 00:10]

*Newly Created Service* - IGMYGPMU
.
Contents of the 'Scheduled Tasks' folder
"2008-06-27 10:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart.zoobie.Runs RegistrySmart to optimize your registry.
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 03:31:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-28  3:34:01 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-28 10:33:55
ComboFix2.txt  2008-06-19 22:27:14
ComboFix3.txt  2008-06-19 00:42:34
ComboFix4.txt  2008-06-19 00:29:00

Pre-Run: 160,125,718,528 bytes free
Post-Run: 160,732,635,136 bytes free

281





my HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:08 AM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\zoobie\Desktop\My Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buskeralley.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3BD73C7-C5FC-4160-8B63-E566441916E9}: NameServer = 67.211.172.29 67.211.172.30
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 4478 bytes


#18 bamajim

    Advanced Member

  • Volunteer Security Advisor
  • 339 posts

Posted 29 June 2008 - 01:34 AM

zoobie

Nice work. How is your PC running now?


Microsoft MVP Consumer Security

#19 zoobie

    Member

  • Members
  • 14 posts

Posted 29 June 2008 - 05:09 PM

It's back to go I think
I had repaired the OS, too, but that wasn't the problem
The files were also successfully removed, zipped, and submitted

I use this box for several things...email, editing HDV, editing audio, pages, etc...
Thanks a lot for your expertise
Good to know

#20 bamajim

    Advanced Member

  • Volunteer Security Advisor
  • 339 posts

Posted 30 June 2008 - 12:31 PM

zoobie

Glad to hear it and you are most welcome.

There are 2 more files we would like to have samples of for research. If you could help us out that would be great.

To do that we are going to make another CFScript file.

1. Open NotePad (not WordPad). Copy and paste the following into Notepad:
Collect::
c:\Qoobox\Quarantine\Registry_backups\Legacy_IGMYGPMU.reg.dat 
c:\Qoobox\Quarantine\Registry_backups\Service_igmygpmu.reg.dat
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

Posted Image

Thanks

You may now remove/delete/uninstall the tools we used to clean your PC

Now that your log is clean

There are some final notes:
Disable and Enable System Restore: let's create a clean System Restore point.
The instructions are here.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java: Download the latest version of Java Runtime Environment (JRE) 6.u6.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windowsi586-p.exe to install the newest version.
Update your Anti Virus Software

Use and maintain a Firewall
Visit Microsoft's Windows Update Site Frequently for critical updates

Back up your Important Documents and Files on a regular basis: to a disc or a USB key, not your hard drive.
You may want to read this article, "So how did I get infected in the first place" by Tony Klein.

surf safe


Microsoft MVP Consumer Security
