


Infected Temporary Internet Files in NetworkServices, Google Redirects, "Iexplore.exe - Application Error", Welcome screen freezes.


36 replies to this topic

#1 johneangel


    Member

  • Full Member
  • 57 posts

Posted 23 April 2011 - 07:24 PM

Hi,

Need help to prevent a computer crash. I couldn't finish my first post attempt today, Apr 23. The system overloads with folders with many files (infected?) in Content.IE5 of NetworkServices. To continue using the web, I delete the infected Temporary Internet Files in the system folders at "Documents and Settings\NetworkServices\Local Settings\Temporary Internet Files\Content.IE5". I get up to over 26,000 files in over 20 folders. The virus or rootkit malware is well hidden.

1. ZoneAlarm removed infected Temporary Internet Files, but the infections continue. I delete the temporary folders, excluding 2 system files that don't delete. 4 new folders load into Content.IE5 during reboot. As infected folders and files accumulate, the computer slows way down.

ZoneAlarm quarantined 3 viruses:
2 in NetworkService...Content.IE5: Exploit.JS.Pdfka.dms & Exploit.JS.Pdfka.dmx
1 in Windows\Temp\A9R5D1A.tmp: Exploit.JS.Pdfka.dms. Forgot to open the tmp to determine the malware source.

2. NetworkService infections are preventing Microsoft Update. I get Error number: 0x80072EFF, ...cannot display the page...

3. A few times monthly the "Welcome Screen" freezes or has a long "loading your personal settings..." of 5 to over 30 min. When it's longer than 6 minutes, I press and hold the "on button" until the computer turns off. It has always restarted without problems except a few times in the last couple of years when I had a serious virus. I rebooted in Safe Mode and eliminated the malware using mbam, sas and ZoneAlarm. Next, I repeat using Safe Mode with Networking for updating prior to scans (is this safe?). The welcome screen froze today, but I rebooted using the on button.

4. The following error pops up often when on the web; it started Apr 19/20 and continues. It's popping up more.

"Iexplore.exe - Application Error"
"The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not be "read"."
"Click on OK to terminate the program"

5. Google.com & google.co.uk are constantly redirecting. Frequency increases as infected files amass in NetworkServices.
1. I minimize redirecting by selecting "Open in New Window".
2. Redirecting was reduced after flushing DNS: ran cmd: ipconfig /flushdns.

6. US google.com is corrupted: "Search Settings" does not appear and the bottom taskbar indicates google is in "restricted sites". I double clicked "Restricted sites" but didn't find any valid google files listed in the restricted list. I modified and/or added files in the registry to stop "google instant", but can't remember what I did. Need to do a complete deletion and reinstallation of google.com. Googled, but can't find how to do this.

Yesterday, I had no hosts file, which may contribute to some of my problems.
I messed up repairing the missing hosts file using: http://support.microsoft.com/kb/972034.

I finally got TDSSKiller from Kaspersky to run, but it found no infections and did not give a report.
Doesn't it provide a report/log whether infected or not? Is malware preventing TDSSKiller from running?

Ran SUPERAntiSpyware, no malware. Ran twice and still no logs. No logs after Apr 6.

I run the following 2 scans at least once a day when removing serious malware and normally once a week:
Start, run: sfc /scannow with Dell's reinstallation CD
Command Prompt: chkdsk /r

All help and referrals totally appreciated.

Malware, Security and Maintenance Programs

ZoneAlarm Security Suite
Registry Mechanic
CyberScrub Privacy Suite
CCleaner, free
Auslogics Disk Defrag, free
SpywareBlaster, free
Malwarebytes Anti-Malware, free
SuperAntiSpyware, free


Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6416

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/21/11 6:10:20 PM
mbam-log-2011-04-21 (18-10-20).txt

Scan type: Quick scan
Objects scanned: 153681
Time elapsed: 9 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:49:05 PM, on 04/23/11
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\hijack this apr 23\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.co...sreqlab_nvd.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.updat...b?1274651240500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1247371952406
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5562 bytes

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by johnt at 14:35:21.76 on 04/23/11
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.429 [GMT -7:00]
.
AV: ZoneAlarm Security Suite Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\johnt\Desktop\23dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [Privacy Suite RiskMonitor]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1274651240500
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247371952406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-1-6 128016]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-3 28544]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-1-6 317072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-1-6 528128]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-8-27 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-8-27 493032]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-1-8 632792]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2009-11-6 8960]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 16:52:54 53248 ----a-w- c:\windows\runepson.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 03:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2010-07-08 10:43:41 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59:11 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59:11 553832 ----a-w- c:\program files\autorunsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: IC35L060AVV207-0 rev.V22OA66A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8733C4E7]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x873427d0]; MOV EAX, [0x8734284c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x873A4AB8]
3 CLASSPNP[0xF7861FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x86E42208]
\Driver\atapi[0x873A4828] -> IRP_MJ_CREATE -> 0x8733C4E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8733C332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:39:35.76 ===============



Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
ZoneAlarm Security Suite
ZoneAlarm Toolbar
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 24
Adobe Flash Player
Adobe Reader 9.3.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Zone Labs ZoneAlarm zlclient.exe
``````````End of Log````````````

Notes by johneangel regarding edits:

Edits made to correct wording, add problems and/or add observed changes in computer operation.
Edit on Apr 25 deleted duplicate copy of Logfile of Trend Micro HijackThis v2.0.4

Edited by johneangel, 25 April 2011 - 12:34 PM.
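The HijackThis and DDS logs above list browser helper objects, Run keys and services, and a helper normally reads such lines by hand looking for entries that point at a missing file, have no recorded owner, or launch from a directory any user can write to. The following Python script is an added example, not part of this thread and not HijackThis code: it parses lines in the O2/O3/O4/O23 format shown above into structured entries and applies those three review checks. The sample lines are copied from the log posted above, except the `[updater]` Run entry, which is constructed to exercise the user-writable-location check and does not appear in the original log. The flags are review prompts, not verdicts; the `(file missing)` Google Update service line is flagged because it is an orphaned registration, which does not by itself mean it is malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input. Five lines are copied from the HijackThis log posted above;
# the "[updater]" Run entry is CONSTRUCTED for this example and does not
# appear in the original log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\johnt\Local Settings\Temp\updater.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
MISSING = "(file missing)"
# Directories any interactive user can write to. A persistence entry that
# launches from one of these deserves a closer look than one under
# Program Files or system32; it is a review heuristic, not a verdict.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass
class Entry:
    section: str            # e.g. "O4", "O23"
    name: str               # display name of the BHO, Run value or service
    path: Optional[str]     # executable or DLL the entry points at
    flags: List[str] = field(default_factory=list)


def _extract_name(section: str, body: str) -> str:
    if section == "O4":                     # O4 - HKLM\..\Run: [Name] command
        m = re.search(r"\[(.+?)\]", body)
    else:                                   # Kind: Name - owner/CLSID - path
        m = re.match(r"^[A-Za-z]+: (.+?) - ", body)
    return m.group(1) if m else body


def _extract_path(section: str, body: str) -> Optional[str]:
    text = body.replace(MISSING, "").strip()
    if section == "O4":
        m = re.search(r"\] (.+)$", text)
        return m.group(1).strip().strip('"') if m else None
    # Assumes the name contains no " - "; the path is the third field and
    # keeps any " - " of its own because of maxsplit=2.
    parts = text.split(" - ", 2)
    return parts[2].strip() if len(parts) == 3 else None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis-style line into an Entry, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = Entry(section, _extract_name(section, body), _extract_path(section, body))
    if MISSING in body:
        entry.flags.append("file missing")          # orphaned registration
    if section == "O23" and "Unknown owner" in body:
        entry.flags.append("unknown owner")         # no vendor recorded
    if entry.path and any(d in entry.path.lower() for d in USER_WRITABLE):
        entry.flags.append("user-writable location")
    return entry


def review(log_text: str) -> List[Entry]:
    """All parsable entries, in log order."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def flagged(log_text: str) -> List[Entry]:
    """Only the entries a helper should look at by hand."""
    return [e for e in review(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] -> {e.path}: {', '.join(e.flags)}")
```

Run it against a saved HijackThis log by replacing `SAMPLE_LOG` with the file contents; only the O2/O3/O4/O23 lines are interpreted, everything else is skipped. The three checks are deliberately conservative and produce a short list to verify by hand (file signature, vendor, and whether the entry was expected), which is how the helpers in this thread work through a log.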


#2 SWI Support Robot


    Helper robot

  • SWI Bot
  • 23,481 posts

Posted 26 April 2011 - 07:39 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq


    Forum Deity

  • Global Moderator
  • 48,079 posts

Posted 27 April 2011 - 07:14 AM

Hello, Welcome to SpywareInfoForum
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingc...opic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

For AVG antivirus and anti-spyware security software users only.

Due to recent changes in AVG and how it interacts with CF, AVG must be uninstalled to run ComboFix. You will get a message from CF stating such.

If AVG will not uninstall, it is recommended to first uninstall it with the AppRemover by Opswat. The AVG uninstaller can be downloaded from here > AppRemover.exe. Go to their homepage and you will see they have support for removal of other AVs as well as AVG (AppRemover tool).



#4 johneangel


    Member

  • Full Member
  • 57 posts

Posted 27 April 2011 - 12:40 PM

Hi Nasdaq,

Thanks for the prompt reply.

I ran ComboFix on the weekend and did nothing with it, allowing it to automatically repair and delete malware damage. This worked; I was able to use the computer, but had to repeatedly delete the infected Temporary Internet Files in the system folders at "Documents and Settings\NetworkServices\Local Settings\Temporary Internet Files\Content.IE5". I was desperate: my computer was erratic, not completing boots unless I rebooted, began loading "Firefox.exe" in Windows Task Manager Processes, and had additional error pop-ups including "Generic Host Process for Win32 Services has encountered a problem and needs to close". I messed up the repair/installation of the Hosts file.

Today, Apr 27 at about 5 pm PDT, I repaired my Hosts file, letting MS do it automatically.
NO MORE REDIRECTING BY GOOGLE. Don't know how I messed up such a simple repair...

I tried renaming ComboFix from your link but it wasn't accepted. I renamed the ComboFix that I downloaded last weekend, then downloaded and ran your ComboFix. First it repaired: "Infected copy of c:\windows\system32\kernel32.dll was found and disinfected". Next, ComboFix rebooted my computer; its blue screen came up, but the computer loaded ZoneAlarm, which I turned off, and a Registry Mechanic pop-up, which I deleted. Registry Mechanic runs in the background, but I didn't go into the Task Manager since ComboFix says not to click anything or run anything while it's running. ComboFix ran, log below. I rebooted and immediately got a "ZoneAlarm Security Alert: Registry Editor is trying to modify an existing driver or service: ALG". I viewed properties, which basically said it wants to modify ALG so that it runs every time on bootup. I didn't want to make a choice but I had to. I googled the web and found that ALG is malware so I selected deny. Crap, I get confused, sorry. Perhaps the registry was trying to complete the deletion by ComboFix?

Do you want me to run ComboFix again?

Complications: Whenever I screw up my computer and can't boot up normally, is it safe to boot up in "safe mode with networking" and load my ZoneAlarm, Registry Mechanic and SpywareBlaster? May be a dumb question, but I'm not very computer literate. I may just have to do this.



ComboFix 11-04-26.05 - johnt 04/27/11 7:58.21.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.610 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\kernel32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
.
.
2011-04-26 21:35 . 2011-04-26 21:35 -------- d-----w- C:\New Folder
2011-04-26 13:33 . 2011-04-26 13:33 -------- d-sh--w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\IETldCache
2011-04-25 21:07 . 2011-04-27 14:42 -------- d-----w- c:\documents and settings\mark1
2011-04-23 21:46 . 2011-04-23 21:52 -------- d-----w- C:\hijack this apr 23
2011-04-09 20:13 . 2011-04-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\eFi01845lLaAa01845
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Auslogics
2011-04-05 01:38 . 2011-04-07 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\pJo01819pNfLn01819
2011-04-04 22:48 . 2011-04-09 20:32 -------- d-----w- c:\documents and settings\johnt\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-11-16 4364248]
"Privacy Suite RiskMonitor"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Free Video Zilla\\FVZilla.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
.
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2003-05-07 8960]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-20 28544]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-17 66632]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2010-08-27 26352]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2010-08-27 493032]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-12-08 632792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-04-27 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-12-07 01:05]
.
2011-04-20 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-12-07 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-27 08:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: IC35L060AVV207-0 rev.V22OA66A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8733C332
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(2044)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2011-04-27 08:28:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-27 15:28
ComboFix2.txt 2011-04-26 14:17
ComboFix3.txt 2011-04-21 22:38
ComboFix4.txt 2011-02-13 22:28
ComboFix5.txt 2011-04-27 14:55
.
Pre-Run: 25,987,473,408 bytes free
Post-Run: 26,144,600,064 bytes free
.
- - End Of File - - 16976A131BFB42127C2494583F7C82B7

Edited by johneangel, 27 April 2011 - 09:43 PM.


#5 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 48,079 posts

Posted 28 April 2011 - 07:40 AM

Your MBR (Master Boot Record) is infected.

ComboFix installed the Recovery Console earlier. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

Posted Image

Posted Image

When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter

Posted Image

Next type FIXMBR

Posted Image

If it asks if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

Run the ComboFix tool again and please post the log.

Let me know what problem persists.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#6 johneangel

johneangel

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 28 April 2011 - 11:27 AM

Nasdaq,

Selected mwr console and entered before 6 seconds ran out.
Never got the "second black screen": Microsoft Windows XP<TM> Recovery Console.
Immediately got:

"NTLDR is missing
Press ctrl+alt+del"

"Press F8 for more options"

1. Pressed ctrl+alt+del and computer rebooted normally.

2. Rebooted, selected F8 and got screen of choices: safe mode, safe mode with networking, etc.

Tried 1. and 2. several times, but never "second black screen".

The problem I create is that using "Internet Options" delete or running "CCleaner" default mode or running Auslogics Disk Defrag or Registry Mechanics corrupts the files so that Windows system recovery will not function.

Please advise.

I believe that I need to do the following without any use of the above 4 programs:

1. Turn off "System Recovery" to clear all corrupted recoveries.
2. Reboot
3. Start, RUN: sfc /scannow
4. Reboot
5. Start, select "Command Prompt", in black screen type chkdsk /r
6. Reboot and run ComboFix
7. Then, follow your instructions to repair MBR

thanks for prompt response.


Edited by johneangel 4:40pdt

1. Most of my problems are probably due to a dying mouse. It died today; I was unable to use the left button. Put on another mouse and now the left button works immediately. I sometimes had to click twice to get a response.

But I still can't get into MWR Module, see above. Dying mouse created problems.
Got to go north for the evening.
What to do. Clean computer with 4 programs, do above 7 steps ?????????????
You're the boss. Below is the ComboFix log from early today, done with the sick mouse:

ComboFix 11-04-28.01 - johnt 04/28/11 14:37:28.22.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.508 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
PEV Error: AppFolder
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-28 )))))))))))))))))))))))))))))))
.
.
2011-04-28 21:31 . 2011-04-28 21:32 -------- d-----w- C:\32788R22FWJFW
2011-04-26 21:35 . 2011-04-26 21:35 -------- d-----w- C:\New Folder
2011-04-26 13:33 . 2011-04-26 13:33 -------- d-sh--w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\IETldCache
2011-04-25 21:07 . 2011-04-28 03:37 -------- d-----w- c:\documents and settings\mark1
2011-04-23 21:46 . 2011-04-23 21:52 -------- d-----w- C:\hijack this apr 23
2011-04-09 20:13 . 2011-04-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\eFi01845lLaAa01845
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Auslogics
2011-04-05 01:38 . 2011-04-07 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\pJo01819pNfLn01819
2011-04-04 22:48 . 2011-04-09 20:32 -------- d-----w- c:\documents and settings\johnt\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-07-10 18:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-07-12 02:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 16:52 . 2011-02-10 16:48 53248 ----a-w- c:\windows\runepson.exe
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2011-02-08 13:33 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 03:19 . 2010-04-18 19:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2009-07-10 18:36 2067456 ----a-w- c:\windows\system32\mstscax.dll
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
<pre>
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
</pre>
.
((((((((((((((((((((((((((((( SnapShot_2011-04-26_14.11.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-28 21:02 . 2011-04-28 21:02 16384 c:\windows\temp\Perflib_Perfdata_220.dat
+ 2011-04-26 20:01 . 2011-04-26 20:01 12508 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0017.dat
+ 2011-04-26 20:01 . 2011-04-26 20:01 73455 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0016.dat
- 2011-04-25 21:27 . 2011-04-25 21:27 73455 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0016.dat
+ 2011-04-26 20:01 . 2011-04-26 20:01 89933 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-04-26 20:00 . 2011-04-26 20:00 51435 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\blst\bl0021.dat
+ 2011-04-26 20:00 . 2011-04-26 20:00 90097 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0018.dat
+ 2011-04-22 20:00 . 2011-04-26 20:00 17717 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0017.dat
+ 2011-04-09 19:14 . 2011-04-26 20:00 73442 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0016.dat
+ 2011-01-06 22:03 . 2011-04-26 20:00 89930 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0012.dat
+ 2011-01-06 21:53 . 2011-04-26 20:00 55910 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\blst\bl0021.dat
+ 2011-02-17 22:44 . 2011-04-26 20:00 90097 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
- 2011-02-17 22:44 . 2011-04-24 09:16 90097 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
+ 2011-04-22 20:00 . 2011-04-26 20:01 17717 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0017.dat
+ 2011-04-09 19:16 . 2011-04-26 20:01 73442 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0016.dat
+ 2011-01-06 21:35 . 2011-04-26 20:01 89930 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0012.dat
+ 2011-01-06 22:03 . 2011-04-26 20:00 55910 c:\windows\system32\ZoneLabs\avsys\bases\bl0021.dat
+ 2011-02-17 22:45 . 2011-04-26 20:00 90097 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
- 2011-02-17 22:45 . 2011-04-24 09:16 90097 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
+ 2011-04-26 20:00 . 2011-04-26 20:00 6711 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0020.dat
+ 2011-04-21 11:43 . 2011-04-26 20:00 8042 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0020.dat
+ 2011-04-21 11:43 . 2011-04-26 20:00 8042 c:\windows\system32\ZoneLabs\avsys\bases\apu0020.dat
+ 2004-08-04 10:00 . 2009-03-21 14:18 986112 c:\windows\system32\kernel32.dll
+ 2004-08-04 10:00 . 2009-03-21 14:18 986112 c:\windows\system32\dllcache\kernel32.dll
+ 2011-04-26 16:36 . 2011-04-26 00:12 164212 c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-11-16 4364248]
"Privacy Suite RiskMonitor"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Free Video Zilla\\FVZilla.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/10 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [02/17/10 11:15 AM 66632]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/27/10 2:33 AM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/27/10 2:34 AM 493032]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [01/08/10 1:03 AM 632792]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-04-28 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-12-07 01:05]
.
2011-04-20 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-12-07 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-28 14:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: IC35L060AVV207-0 rev.V22OA66A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8733C332
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(1360)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-28 14:57:46
ComboFix-quarantined-files.txt 2011-04-28 21:57
ComboFix2.txt 2011-04-27 15:28
ComboFix3.txt 2011-04-26 14:17
ComboFix4.txt 2011-04-21 22:38
ComboFix5.txt 2011-04-28 21:33
.
Pre-Run: 25,548,513,280 bytes free
Post-Run: 25,697,566,720 bytes free
.
- - End Of File - - E6E78F5594B24FF52D1A79D197227757

Edited by johneangel, 28 April 2011 - 06:51 PM.


#7 johneangel

johneangel

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 29 April 2011 - 05:10 AM

Nasdaq,

Finally, googled missing Recovery Console and went to support.microsoft, which gives steps to follow if the Console doesn't appear. I'm confused because both the ntldr and ntdetect.com folders are in my root folder c:\ and have system, read only and hidden attributes. Why aren't they being recognized? Has a rootkit corrupted them? I then copied both folders from my Dell reinstallation CD to the I386 folder in case they are needed.

MS says to "type the following lines at the MS DOS command prompt, and then press Enter after each line":
attrib ntdetect.com -r -s -h
attrib ntldr -r -s -h

The files I copied into I386 have the exact size in bytes as the originals in the root folder, and the only difference between the date/time of ntdetect.com is the time:
I386 is 08/04/04 3am and C:\ is 08/04/04 4am.

Help.

#8 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 48,079 posts

Posted 29 April 2011 - 06:43 AM

We need to find out if you have a boot.ini file

It should be in your C:\

If not, search your computer and, if found, give me the PATH.

Open the file with Notepad. Copy and paste the results in your next reply.
nasdaq


#9 johneangel

johneangel

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 29 April 2011 - 12:08 PM

Nasdaq

Copy of boot.ini file at c:\

[boot loader]
timeout=7
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

additional info by john:

Location: c:\
Size: 282 bytes (282)
Size on disk: 4.00KB (4,096 bytes)

Created: July 10, 2009, 4:21:26 am
Modified: January 03, 2011, 10:10:14pm
Accessed: April 29, 2011, 8:52:11am

Attributes: read-only

Checked my System Restore and found only one restore point, created today at 8:37:12 PM, 20 minutes ago. Evidently one of my programs is deleting the RPs. I will exempt C:\System Volume Information from deletion by my 3 cleaning programs, which shouldn't be necessary since it's a hidden and protected system file.

I checked Dell's Reinstallation CD for the original boot.ini file but couldn't find it. When I reinstalled Windows XP on July 10, 2009 with Dell's Reinstallation CD, I may have downloaded some files from Dell online. If boot.ini is corrupted I may be able to download the boot.ini from Dell online.

Computer working fair. Had to reboot when I got a blank blue screen with nothing.

thanks

Edited by johneangel, 29 April 2011 - 11:07 PM.


#10 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 48,079 posts

Posted 30 April 2011 - 07:13 AM

From what I understand from your last comment, you may still have difficulties in booting.

If yes, please follow the fix below. If not, stop and let me know what the actual problem is.


Your boot.ini file may still be damaged. If so, it must be rebuilt.

[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /noguiboot
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /noguiboot

===

I checked Dell's Reinstallation CD for original boot.ini file but couldn't find. When I reinstalled Windows-xp on July 10, 2009 with Dell's Reinstallation CD, I may have downloaded some files from Dell online


The boot.ini file must be rebuilt. If you use the above boot.ini file it may not be compatible with Dell.

Microsoft's article on how to rebuild the boot.ini file:

You have Dell's installation disk; use it and follow the instructions on this page.
http://support.microsoft.com/kb/330184

In step 8b, under "You receive a message that is similar to the following message: Enter Load Identifier", enter:

Microsoft Windows XP Home Edition

If you are not sure how to proceed please ask.
nasdaq

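The file posted in #9 and the rebuild advice in #10 both hinge on boot.ini being internally consistent: the default= path has to name one of the [operating systems] entries, and the Recovery Console entry has to point at C:\CMDCONS\BOOTSECT.DAT. This is an added example, not code from the thread or from Microsoft, that checks those rules; the first sample is the boot.ini from #9, the second is a constructed file whose default path has no matching entry.

```python
r"""Consistency check for a Windows XP boot.ini (added example, not code from
the thread). Rules: default= is a bare ARC path naming one of the
[operating systems] entries, timeout= is numeric, and a Recovery Console
entry (/cmdcons) exists and points at C:\CMDCONS\BOOTSECT.DAT."""
import re

# ARC path as NTLDR expects it, e.g. multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
ARC_RE = re.compile(
    r"^(multi|scsi|signature)\(\w+\)disk\(\d+\)rdisk\(\d+\)partition\((\d+)\)\\.+$",
    re.IGNORECASE,
)
# Boot-sector file entries such as the Recovery Console's BOOTSECT.DAT
FILE_RE = re.compile(r"^[A-Za-z]:\\.+$")
CMDCONS_FILE = r"c:\cmdcons\bootsect.dat"

# boot.ini as posted in #9 of the thread, copied into a constant for this script.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=7
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
"""

# Constructed broken file: default= points at partition(1) but the only OS
# entry describes partition(2), and there is no Recovery Console entry.
BROKEN_BOOT_INI = r"""[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
"""


def parse_boot_ini(text):
    """Return (loader, systems): loader maps [boot loader] keys (lower-cased)
    to values; systems maps each boot path to (description, [switches])."""
    loader, systems, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Split on the FIRST '=' only: switches such as /NoExecute=OptOut
        # live in the value part.
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            loader[key.lower()] = value
        elif section == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)$', value)
            desc, switches = (m.group(1), m.group(2).split()) if m else ("", [])
            systems[key] = (desc, switches)
    return loader, systems


def check_boot_ini(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    loader, systems = parse_boot_ini(text)
    findings = []
    keys_lower = {k.lower() for k in systems}

    default = loader.get("default")
    if default is None:
        findings.append("[boot loader] has no default= line")
    elif '"' in default or "/" in default:
        findings.append("default= must be a bare ARC path, not a full OS entry: " + default)
    elif not ARC_RE.match(default):
        findings.append("default= is not a valid ARC path: " + default)
    elif default.lower() not in keys_lower:
        findings.append("default= names a path with no [operating systems] entry: " + default)

    if not loader.get("timeout", "").isdigit():
        findings.append("timeout= is missing or not a number")

    for path, (desc, _) in systems.items():
        if not (ARC_RE.match(path) or FILE_RE.match(path)):
            findings.append("entry is neither an ARC path nor a sector file: " + path)
        if not desc:
            findings.append("entry has no quoted description: " + path)

    cmdcons = [p for p, (_, sw) in systems.items() if "/cmdcons" in {s.lower() for s in sw}]
    if not cmdcons:
        findings.append("no Recovery Console entry (/cmdcons) in [operating systems]")
    for path in cmdcons:
        if path.lower() != CMDCONS_FILE:
            findings.append("Recovery Console entry does not point at C:\\CMDCONS\\BOOTSECT.DAT: " + path)
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_BOOT_INI), ("broken", BROKEN_BOOT_INI)):
        print(name, check_boot_ini(text) or ["consistent"])
```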

#11 johneangel

johneangel

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 01 May 2011 - 12:30 AM

nasdaq

No. I don't have any problem with booting. Only minor inconveniences with booting once every month or two: the bootup or restart stops on the blank blue screen. I press ctrl-alt-del and the computer usually reboots. But it hasn't rebooted about 6 times, and I've held the "on button" in to turn off the computer and then turned it on and held F8 down to boot into safe mode. I then scan with MBAM and SAS. Next, I reboot and go into safe mode with networking where ZoneAlarm can load and "super scan" all files, folders and archives, and also scan for rootkits. When I can't repair, I contact the SpywareInfo forum, 3x in 2 years.

Too tired to continue. All the problems listed still exist. I clean NetworkService's Content.IE5 folder when computer slows down.

New Problems

1. Can't get into Microsoft Windows Recovery Console. All the files are present, even the ones indicated as missing. RELEVANT: I don't think that I have ever succeeded in using a System Recovery Point. I've added exemptions for the SR Points and the Content.IE5 folder in all cleaning, defrag and registry programs even though they are hidden and protected.

2. Audio fails after being on the web, but it doesn't fail while watching a movie or program. I only have to reboot. Malware? Computer dying? I'll determine what I connect to that stops audio.

I'm 70, have a dysfunctional memory and have an 8 year old computer that's getting lazy.
Appreciate your patience.

Edited by johneangel, 01 May 2011 - 01:26 AM.


#12 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 48,079 posts

Posted 01 May 2011 - 07:22 AM

Place the Dell CD in the CD reader and restart the computer.

What options are available to you?

Write them down and post them in your next message.

Do not attempt anything just exit the setup.

p.s. I'll be 70 next month so nothing to do with age.
nasdaq


#13 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 48,079 posts

Posted 01 May 2011 - 09:07 AM

Just received news that this tool may save our sanity.

Download http://public.avast....erek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time)
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

If you encounter any difficulties, select the Exit button and let me know what happened.
nasdaq


#14 johneangel

johneangel

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 01 May 2011 - 07:38 PM



#15 johneangel

johneangel

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 01 May 2011 - 09:00 PM

Attached File: MBR.dat.zip (497 bytes)

nasdaq

As directed by MS, I made a boot disk with boot.ini, NTDETECT.COM and NTLDR. Tried booting with the disk under direction of a Dell technician, but unsuccessful. Most likely rootkit malware.

This morning I booted up in safe mode and ran MBAM and SAS, which I updated last night: no malware. Rebooted into safe mode with networking, updated ZoneAlarm and ran SuperScan: no malware. Still in safe + networking, I updated and ran MBAMWB and SAS again: no malware.

Was getting ready to go into setup, set bootup only for the ROM drive and attempt booting with the Reinstallation CD, but read your response and have followed directions. Below is the log:

aswMBR version 0.9.5.232 Copyright© 2011 AVAST Software
Run date: 2011-05-01 17:32:49
-----------------------------
17:32:49.375 OS Version: Windows 5.1.2600 Service Pack 3
17:32:49.375 Number of processors: 1 586 0x209
17:32:49.375 ComputerName: JOHN-F8EF23E355 UserName: johnt
17:33:03.546 Initialize success
17:33:46.015 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
17:33:46.015 Disk 0 Vendor: IC35L060AVV207-0 V22OA66A Size: 38146MB BusType: 3
17:33:46.015 Device \Driver\atapi -> DriverStartIo 87341332
17:33:48.046 Disk 0 MBR read successfully
17:33:48.046 Disk 0 MBR scan
17:33:48.046 Disk 0 TDL4@MBR code has been found
17:33:48.046 Disk 0 Windows XP default MBR code found via API
17:33:48.046 Disk 0 MBR hidden
17:33:48.046 Disk 0 MBR [TDL4] **ROOTKIT**
17:33:48.046 Disk 0 trace - called modules:
17:33:48.078 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x873414e7]<<
17:33:48.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x873ceab8]
17:33:48.078 3 CLASSPNP.SYS[f77e1fd7] -> nt!IofCallDriver -> [0x86b4e030]
17:33:48.078 \Driver\atapi[0x87388030] -> IRP_MJ_CREATE -> 0x873414e7
17:33:48.109 Scan finished successfully
17:34:28.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\johnt\Desktop\MBR.dat"
17:34:28.203 The log file has been saved successfully to "C:\Documents and Settings\johnt\Desktop\aswMBR.txt 5 1 2011.txt"

Couldn't find MBR.dat on the desktop. Clicked both MBR.dat files in search, opened each and found empty files. Evidently I ran aswMBR.exe on Apr 21 (created Apr 19) and then today, May 1 (created May 1). I was able to open today's zip file, but don't know how to copy and paste it here.

Just found out how to attach, use full edit.

I made a mistake, I forgot to check: Hide protected operating..... and Do not show... when I was running the MBR. I turned off ZoneAlarm and thus left my computer open to the web. I made the dumb assumption that running MBR required this. Damn it.

Edited by johneangel, 01 May 2011 - 09:28 PM.


#16 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 48,079 posts

Posted 02 May 2011 - 07:04 AM

You did good.

Exactly what I was looking for.

Now run this aswMBR.exe tool. Select the Fix button.

Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.

When you see the message restart the computer normally.

Run the ComboFix tool and post the log.

Please let me know what problem persists.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#17 johneangel

johneangel

    Member

  • Full Member
  • 57 posts

Posted 02 May 2011 - 11:16 AM

nasdaq

1. Do you want the MBR log?

2. When running aswMBR.exe tool, do I close down ZoneAlarm, all running applications (all applications in Windows Task Manager)?
I don't like closing down ZA, but will do when instructed to as for ComboFix.

I double clicked the "aswMBR.exe" in your post, but nothing happened. Thus, I clicked the "aswMBR.exe" desktop icon and turned off ZA.

I got paranoid when a woman started calling out numbers and letters. I was watching a TV show online and had only 2 applications running for the show. She stopped on her own. It was like having a phone conversation and then an uninvited third party starts talking. Perhaps I opened another pathway for malware, since I'm not sure that I returned my setup boot sequence to the default, since both the DVD Drive (D) and the CD-RW Drive (E) light up after or while the screen is loading. Usually only one lights up. My notes while working with the Dell technician to get the Microsoft Windows Recovery Console working are not complete. All the crap about master and slave is confusing--I have to take scrupulous notes since I can't remember things. I'll google for default settings or call Dell.

wow! Results after 10 minutes:

a. No redirecting
No popups
No error msgs
Selecting user, icon moves down faster

b. But still can't use MS Recovery Module

Got to swim my 45 minutes.

ComboFix 11-05-01.04 - johnt 05/02/11 7:31.23.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.725 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-05-01 23:32 . 2011-05-01 23:33 -------- d-----w- c:\documents and settings\johnt\Local Settings\Application Data\Deployment
2011-04-26 21:35 . 2011-04-26 21:35 -------- d-----w- C:\New Folder
2011-04-26 13:33 . 2011-04-26 13:33 -------- d-sh--w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\IETldCache
2011-04-25 21:07 . 2011-04-30 22:50 -------- d-----w- c:\documents and settings\mark1
2011-04-23 21:46 . 2011-04-23 21:52 -------- d-----w- C:\hijack this apr 23
2011-04-09 20:13 . 2011-04-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\eFi01845lLaAa01845
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Auslogics
2011-04-05 01:38 . 2011-04-07 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\pJo01819pNfLn01819
2011-04-04 22:48 . 2011-04-09 20:32 -------- d-----w- c:\documents and settings\johnt\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-07-10 18:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-07-12 02:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 16:52 . 2011-02-10 16:48 53248 ----a-w- c:\windows\runepson.exe
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2011-02-08 13:33 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 03:19 . 2010-04-18 19:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2009-07-10 18:36 2067456 ----a-w- c:\windows\system32\mstscax.dll
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
<pre>
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
</pre>
.
((((((((((((((((((((((((((((( SnapShot_2011-04-26_14.11.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-02 14:20 . 2011-05-02 14:20 16384 c:\windows\temp\Perflib_Perfdata_504.dat
+ 2011-05-01 18:31 . 2011-05-01 18:31 32635 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0017.dat
+ 2011-05-01 18:31 . 2011-05-01 18:31 89931 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-04-22 20:00 . 2011-05-01 18:31 32940 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0017.dat
+ 2011-04-09 19:14 . 2011-05-01 17:14 73444 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0016.dat
+ 2011-03-22 20:56 . 2011-05-01 17:14 79216 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0015.dat
+ 2011-02-17 22:45 . 2011-05-01 17:14 79871 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0014.dat
+ 2011-01-06 22:03 . 2011-05-01 08:53 88444 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0013.dat
+ 2011-01-06 22:03 . 2011-05-01 18:31 89931 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0012.dat
+ 2011-01-06 22:03 . 2011-05-01 17:14 89990 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0011.dat
+ 2011-01-06 22:02 . 2011-05-01 08:53 90092 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0010.dat
- 2011-01-06 22:02 . 2011-04-17 15:53 90092 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0010.dat
- 2011-01-06 22:02 . 2011-04-17 15:53 90058 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0009.dat
+ 2011-01-06 22:02 . 2011-05-01 08:53 90058 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0009.dat
+ 2011-01-06 22:02 . 2011-05-01 08:53 90050 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0008.dat
+ 2011-01-06 22:02 . 2011-05-01 08:53 89958 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0007.dat
+ 2011-01-06 22:02 . 2011-05-01 08:53 90108 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0006.dat
- 2011-01-06 22:02 . 2011-04-17 15:53 90108 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0006.dat
+ 2011-01-06 22:02 . 2011-05-01 08:53 90108 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0005.dat
- 2011-01-06 22:02 . 2011-04-17 15:53 90108 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0005.dat
+ 2011-01-06 21:53 . 2011-05-01 08:53 56533 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\blst\bl0021.dat
+ 2011-04-21 11:43 . 2011-05-01 17:14 11967 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-01 08:53 90069 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0019.dat
- 2011-02-17 22:44 . 2011-04-24 09:16 90097 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
+ 2011-02-17 22:44 . 2011-05-01 08:53 90097 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
+ 2011-01-06 22:02 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
- 2011-01-06 22:02 . 2011-04-24 09:16 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
+ 2011-01-06 22:02 . 2011-05-01 08:53 90112 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0012.dat
- 2011-01-06 22:02 . 2011-04-24 09:16 90112 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0012.dat
- 2011-01-06 22:02 . 2011-04-24 09:15 74321 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0002.dat
+ 2011-01-06 22:02 . 2011-05-01 08:53 74321 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0002.dat
+ 2011-04-22 20:00 . 2011-05-01 18:31 32940 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0017.dat
+ 2011-04-09 19:16 . 2011-05-01 17:14 73444 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0016.dat
+ 2011-03-22 20:57 . 2011-05-01 17:14 79216 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0015.dat
+ 2011-02-17 22:49 . 2011-05-01 17:14 79871 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0014.dat
+ 2011-01-06 22:09 . 2011-05-01 08:54 88444 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0013.dat
+ 2011-01-06 21:35 . 2011-05-01 18:31 89931 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0012.dat
+ 2011-01-06 21:35 . 2011-05-01 17:14 89990 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0011.dat
- 2011-01-06 21:35 . 2011-04-17 15:54 90092 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0010.dat
+ 2011-01-06 21:35 . 2011-05-01 08:54 90092 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0010.dat
- 2011-01-06 21:35 . 2011-04-17 15:54 90058 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0009.dat
+ 2011-01-06 21:35 . 2011-05-01 08:54 90058 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0009.dat
+ 2011-01-06 21:35 . 2011-05-01 08:54 90050 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0008.dat
+ 2011-01-06 21:35 . 2011-05-01 08:54 89958 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0007.dat
- 2011-01-06 21:35 . 2011-04-17 15:54 90108 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0006.dat
+ 2011-01-06 21:35 . 2011-05-01 08:54 90108 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0006.dat
+ 2011-01-06 21:35 . 2011-05-01 08:54 90108 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0005.dat
- 2011-01-06 21:35 . 2011-04-17 15:54 90108 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0005.dat
+ 2011-01-06 22:03 . 2011-05-01 08:53 56533 c:\windows\system32\ZoneLabs\avsys\bases\bl0021.dat
+ 2011-04-21 11:43 . 2011-05-01 17:14 11967 c:\windows\system32\ZoneLabs\avsys\bases\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-01 08:53 90069 c:\windows\system32\ZoneLabs\avsys\bases\apu0019.dat
- 2011-02-17 22:45 . 2011-04-24 09:16 90097 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
+ 2011-02-17 22:45 . 2011-05-01 08:53 90097 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
+ 2011-01-06 22:03 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
- 2011-01-06 22:03 . 2011-04-24 09:16 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
- 2011-01-06 21:34 . 2011-04-24 09:16 90112 c:\windows\system32\ZoneLabs\avsys\bases\apu0012.dat
+ 2011-01-06 21:34 . 2011-05-01 08:53 90112 c:\windows\system32\ZoneLabs\avsys\bases\apu0012.dat
+ 2011-01-06 21:34 . 2011-05-01 08:53 74321 c:\windows\system32\ZoneLabs\avsys\bases\apu0002.dat
- 2011-01-06 21:34 . 2011-04-24 09:16 74321 c:\windows\system32\ZoneLabs\avsys\bases\apu0002.dat
+ 2011-04-29 08:14 . 2004-08-04 10:00 47564 c:\windows\Driver Cache\i386\NTDETECT.COM
+ 2011-01-06 22:02 . 2011-05-01 17:14 2983 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0000.dat
+ 2011-01-06 21:35 . 2011-05-01 17:14 2983 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0000.dat
+ 2004-08-04 10:00 . 2009-03-21 14:18 986112 c:\windows\system32\kernel32.dll
+ 2004-08-04 10:00 . 2009-03-21 14:18 986112 c:\windows\system32\dllcache\kernel32.dll
+ 2011-01-06 21:52 . 2011-05-02 04:56 2831360 c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-11-16 4364248]
"Privacy Suite RiskMonitor"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Free Video Zilla\\FVZilla.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/10 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [02/17/10 11:15 AM 66632]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/27/10 2:33 AM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/27/10 2:34 AM 493032]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [01/08/10 1:03 AM 632792]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-05-02 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-12-07 01:05]
.
2011-04-20 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-12-07 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 07:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(712)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(1436)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-02 07:49:16
ComboFix-quarantined-files.txt 2011-05-02 14:49
ComboFix2.txt 2011-04-28 21:57
ComboFix3.txt 2011-04-27 15:28
ComboFix4.txt 2011-04-26 14:17
ComboFix5.txt 2011-05-02 14:30
.
Pre-Run: 25,373,536,256 bytes free
Post-Run: 25,641,398,272 bytes free
.
Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 2B4E4D0F858509705B03F137C4361AE9

Edited by johneangel, 02 May 2011 - 01:07 PM.


#18 johneangel

johneangel

    Member

  • Full Member
  • 57 posts

Posted 02 May 2011 - 10:42 PM

nasdaq

If the last post is yours (SWIF), I Add Reply. Otherwise if mine & short I Edit.
The last was mine, long and included some Edits, so I used Add Reply.
Which is your preference? Do you need to see the sequence of my actions?

Case in point
.
I returned in the afternoon and found my computer still without the following infections:

Popups
"Iexplore.exe - Application Error"
Redirecting of selected google search
Hosts problems
No additions to ZA quarantine

BUT, I decided to watch a movie and on loading it I got a virus when I selected a "loombo" link because there were no MegaVideo, divxdcn or Novamov links, which are always malware free. I got a virus which was removed by ZoneAlarm. If I'm too slow in x-ing out, closing down the page, the first option, the "delete" option, becomes unavailable. I then select quarantine, rename, delete on reboot or something else. I assume the choices are listed in decreasing power of stopping malware. I always select delete since I've never had malware that can be repaired or has had the repair option listed, which I would check since this option is saying that vital files are involved and could be removed or damaged.

Your feedback?

IMPORTANT

I got 4 infections this afternoon during my search for a movie to watch when I linked to a site with the movie. I got the ZoneAlarm popup only twice. Thus, 2 of 4 were instantly quarantined or deleted by ZA. But all 4 listed in ZA quarantine. The last two are sequential.

The first infection was from the desktop MBR.dat---I don't know when this infection occurred. I deleted all mbr.dat files.

Infection
Path

Rootkit.Win32.TDSS.mbr
C\Documents and Settings\johnt\Desktop\MBR.dat

Trojan-Downloader.HTML.Agent.tm
C\Documents and Settings\johnt\local settings\temporary internet files\content.ie5\ULKOG2V0\QQkFBwQEQEAgABB....................

Trojan.JS.Redirector.oy
C:\Documents and Settings\johnt\local settings\temporary internet files\content.ie5\ NEBTCZQD\mdc-300x250=1007720[1].php

Trojan.JS.Redirector.oy
C:\Documents and Settings\johnt\local settings\temporary internet files\content.ie5\MJLPJ8EP\mdc-300x250-10077210[1].php

Spent over an hour typing this note and didn't save every 5 minutes to Notepad. Did something that closed and lost reply.

QUESTIONS
Did the first infection from the desktop MBR.dat file cause the following three infections?

Do I need to run MBR again followed by ComboFix?

And then rename, save MBR.dat files, and then Search and delete all mbr.dat files listed with the mouse delete with Shift key pressed or delete with 3 or more passes with CyberScrub Security Suite?

Watch tv shows and movies only on links that I know have no malware?
Note that some links that have never had malware, can start having malware.

?????

Edited by johneangel, 03 May 2011 - 06:36 AM.


#19 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 48,079 posts

Posted 03 May 2011 - 07:43 AM

QUESTIONS
Did the first infection from the desktop MBR.dat file cause the following three infections?

Do I need to run MBR again followed by ComboFix?

And then rename, save MBR.dat files, and then Search and delete all mbr.dat files listed with the mouse delete with Shift key pressed or delete with 3 or more passes with CyberScrub Security Suite?

Watch tv shows and movies only on links that I know have no malware?


I think that because the MBR.dat has a copy of your infected MBR, Zone Alarm targets the file.
The .dat file cannot run, so it is not causing any problem to the computer.

What I need to see now is a fresh copy of ComboFix so that I can see what has spawned again.
nasdaq

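An added example, not from this thread and not part of aswMBR or ComboFix: a small Python inspector for a 512-byte MBR image such as the MBR.dat that aswMBR saves. It checks the 0x55AA boot signature, parses the partition table, hashes the boot-code region for comparison against a known-good baseline, and compares two views of the same sector (what the OS reports through its API versus a direct disk read), which is the kind of mismatch the log above reports as "MBR hidden". The sample images are constructed; the "tampered" one carries only an ASCII marker, not real boot code.

```python
"""Inspect and compare 512-byte MBR images (e.g. an MBR.dat dump)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440        # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440         # 4-byte Windows disk signature + 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # 0x55 0xAA


def has_boot_signature(mbr: bytes) -> bool:
    """True if the image is sector-sized and ends with the 0x55AA signature."""
    return len(mbr) == MBR_SIZE and mbr[BOOT_SIG_OFF:] == b"\x55\xaa"


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty primary partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0:      # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region, for comparison with a known-good baseline."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def compare_views(api_view: bytes, raw_view: bytes) -> list:
    """Compare the MBR as the OS presents it with the sector read directly.

    A rootkit that filters disk reads shows clean code through the API while
    the real sector holds something else; a mismatch here is what a scanner
    reports as a hidden MBR."""
    findings = []
    for name, view in (("api", api_view), ("raw", raw_view)):
        if not has_boot_signature(view):
            findings.append(f"{name} view: bad size or missing 0x55AA signature")
    if findings:
        return findings
    if api_view[:BOOT_CODE_END] != raw_view[:BOOT_CODE_END]:
        findings.append("MBR hidden: boot code seen via API differs from the sector on disk")
    if api_view[PART_TABLE_OFF:BOOT_SIG_OFF] != raw_view[PART_TABLE_OFF:BOOT_SIG_OFF]:
        findings.append("partition table differs between API view and disk")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte image around the given boot code: a made-up disk
    signature, one bootable NTFS (0x07) partition at LBA 63, and 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"   # constructed signature + reserved
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 78140097)
    empty = bytes(16) * 3
    return code + disk_sig + part0 + empty + b"\x55\xaa"


# Constructed samples. The "clean" code starts with the conventional
# xor ax,ax / mov ss,ax / mov sp,0x7c00 prologue; the "tampered" code is a
# plain ASCII marker, not malware, so only the comparison logic is real.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED-TAMPERED-BOOT-CODE")


def inspect_file(path: str) -> dict:
    """Read an MBR.dat-style dump from disk and summarise it."""
    with open(path, "rb") as fh:
        mbr = fh.read(MBR_SIZE)
    return {"signature_ok": has_boot_signature(mbr),
            "boot_code_sha256": boot_code_digest(mbr),
            "partitions": parse_partitions(mbr)}


if __name__ == "__main__":
    print(parse_partitions(CLEAN_MBR))
    print(compare_views(CLEAN_MBR, CLEAN_MBR))      # no findings
    print(compare_views(CLEAN_MBR, TAMPERED_MBR))   # one "MBR hidden" finding
```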

#20 johneangel

johneangel

    Member

  • Full Member
  • 57 posts

Posted 03 May 2011 - 03:40 PM

nasdaq

All problems gone except MS Recovery Console and Google.com being restricted.

I'll do the following:

1. Run ComboFix and send log

2. In SpywareBlaster (SWB) there is one Restricted Site that keeps getting unchecked: AntiMalwareGuard (AMG) at AntiMalwareGuard.com. After I run ComboFix, I'll manually check mark AMG in SWB and use computer, constantly checking SWB to find the malware that unchecks AMG in SWB, and always checking when ZA warnings pops up indicating malware has been deleted, renamed, quarantined or will be deleted, renamed or quarantined on next boot. After I determine malware that unchecks AMG malware in SWB, I'll add AMG to ZAFW's "blocked list".

It remains on the list unchecked until I check AMG for an update, update and select "protect against all" or manually check it. I should advise SWG of AWG malware being unchecked by malware. It was "unchecked" this morning. I left it unchecked in order to find what malware unchecks it. I'll probably purchase SWB for the auto update feature. I will not add AMG to my ZoneAlarm Firewall Zone (ZAFW) list, where I can list it as a Trusted, Internet or Blocked site, until I determine what malware unchecks it in SWB. I want to see if ComboFix removes it. If it does, it will probably leave it unchecked on SWB. Are there any malware protection programs that "automatically add" the address site of detected malware to their list of sites to block on their program on my computer without me updating, or do I need to add the sites to my ZAFW list as blocked? If there aren't, there should be. A money maker for you.

QUESTIONS

1. Still can't connect to MS Recovery Console. Assume I need to resolve this problem with Dell's technician. After all malware is removed, it's their problem.

2. My understanding after googling non-working System Recovery is that registry and defrag programs that edit and/or defrag files make the use of System Restore impossible since any changes to files in a Restore Point prevent it from working. Each Recovery Point depends on all files in previous Restore Points being unchanged. Thus, use of CCleaner, Auslogics Defrag and/or Registry Mechanics prevents System Restore from working. Correct?

3. Can you advise how to reinstall google or where to get info?

thanks, will definitely send check for help last 2 years.



#21 johneangel

johneangel

    Member

  • Full Member
  • 57 posts

Posted 03 May 2011 - 04:09 PM

QUESTIONS
Did the first infection from the desktop MBR.dat file cause the following three infections?

Do I need to run MBR again followed by ComboFix?

And then rename, save MBR.dat files, and then Search and delete all mbr.dat files listed with the mouse delete with Shift key pressed or delete with 3 or more passes with CyberScrub Security Suite?

Watch tv shows and movies only on links that I know have no malware?


I think that because the MBR.dat has a copy of your infected MBR, Zone Alarm targets the file.
The .dat file cannot run, so it is not causing any problem to the computer.

What I need to see now is a fresh copy of ComboFix so that I can see what has spawned again.



#22 johneangel

johneangel

    Member

  • Full Member
  • 57 posts

Posted 03 May 2011 - 05:39 PM

nasdaq

Attached combofix log below.

Wow! Computer bootup, 2 min 55 sec fastest ever! Fastest loading movies. Less buffering.

Is it safe running safe mode with networking, immediately turning on ZoneAlarm, SpywareBlaster, MalwareBytes, SuperAntiSpy and then scanning with ZA, MBMA, SAS? I know that sometimes I can only start one program in safe mode with no extra clicking or the computer freezes and I have to reboot. I've never tried safe mode with networking first. Maybe I start without updating, since I update security & filtering programs following first bootup of the day.
Where does running ComboFix and MBR fit in? First, or after ZA and MBMA?

No longer a Content.IE5 folder in C:\Documents and Settings\NetworkService\Local Settings.
Thousands of files gone.

On apr 25 I added a new user thinking infections on my main user would not cross over to a new user.
Is this correct, wrong or partial true?

I recommend that swif add this to directions: Prior to running ComboFix.exe, turn off MS System Restore, which will delete all Restore Points. Often System Restore is unable to restore Restore Points because registry cleaning or defrag programs have made changes to completed Restore Point files. Thus some Restore Points will not work. Each Restore Point is accumulative. If you are certain that your System Restore does and will work and you don't turn off System Recovery, good luck.

thanks, john

ComboFix 11-05-03.02 - johnt 05/03/11 13:50:03.24.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.689 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-03 to 2011-05-03 )))))))))))))))))))))))))))))))
.
.
2011-05-03 10:45 . 2011-05-03 10:45 -------- d-----w- c:\program files\ieSpell
2011-05-01 23:32 . 2011-05-01 23:33 -------- d-----w- c:\documents and settings\johnt\Local Settings\Application Data\Deployment
2011-04-26 21:35 . 2011-04-26 21:35 -------- d-----w- C:\New Folder
2011-04-26 13:33 . 2011-04-26 13:33 -------- d-sh--w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\IETldCache
2011-04-25 21:07 . 2011-05-03 11:50 -------- d-----w- c:\documents and settings\mark1
2011-04-23 21:46 . 2011-04-23 21:52 -------- d-----w- C:\hijack this apr 23
2011-04-09 20:13 . 2011-04-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\eFi01845lLaAa01845
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Auslogics
2011-04-05 01:38 . 2011-04-07 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\pJo01819pNfLn01819
2011-04-04 22:48 . 2011-04-09 20:32 -------- d-----w- c:\documents and settings\johnt\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-07-10 18:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-07-12 02:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 16:52 . 2011-02-10 16:48 53248 ----a-w- c:\windows\runepson.exe
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2011-02-08 13:33 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 03:19 . 2010-04-18 19:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
<pre>
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
</pre>
.
((((((((((((((((((((((((((((( SnapShot_2011-05-02_14.45.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-03 11:54 . 2011-05-03 11:54 16384 c:\windows\temp\Perflib_Perfdata_530.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 32940 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0017.dat
- 2011-05-01 18:31 . 2011-05-01 18:31 89931 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 89931 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 11967 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0020.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 90069 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0019.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 90110 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0017.dat
+ 2011-04-22 20:00 . 2011-05-02 18:09 33706 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0017.dat
+ 2011-01-06 22:03 . 2011-05-02 18:09 89930 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0012.dat
+ 2011-04-21 11:43 . 2011-05-02 18:09 12559 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-02 18:09 90068 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0019.dat
+ 2011-01-06 22:02 . 2011-05-02 18:09 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
- 2011-01-06 22:02 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
+ 2011-04-22 20:00 . 2011-05-02 18:09 33706 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0017.dat
+ 2011-01-06 21:35 . 2011-05-02 18:09 89930 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0012.dat
+ 2011-04-21 11:43 . 2011-05-02 18:09 12559 c:\windows\system32\ZoneLabs\avsys\bases\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-02 18:09 90068 c:\windows\system32\ZoneLabs\avsys\bases\apu0019.dat
+ 2011-01-06 22:03 . 2011-05-02 18:09 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
- 2011-01-06 22:03 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
+ 2011-01-03 00:58 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2011-01-03 00:58 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
+ 2004-08-04 10:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
+ 2004-08-04 10:00 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2011-01-06 21:52 . 2011-05-02 23:59 2833920 c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2009-07-12 03:51 . 2011-04-18 22:46 42181064 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-11-16 4364248]
"Privacy Suite RiskMonitor"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Free Video Zilla\\FVZilla.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/10 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [02/17/10 11:15 AM 66632]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/27/10 2:33 AM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/27/10 2:34 AM 493032]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [01/08/10 1:03 AM 632792]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S?4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/01/10 3:04 PM 38224]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-05-03 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-12-07 01:05]
.
2011-04-20 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-12-07 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-03 13:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(712)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(3044)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-03 14:01:36
ComboFix-quarantined-files.txt 2011-05-03 21:01
ComboFix2.txt 2011-05-02 14:49
ComboFix3.txt 2011-04-28 21:57
ComboFix4.txt 2011-04-27 15:28
ComboFix5.txt 2011-05-03 20:48
.
Pre-Run: 24,611,569,664 bytes free
Post-Run: 24,594,989,056 bytes free
.
Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 4C6091D16BE0DCD4C6CDA96809F8496A

Edited by johneangel, 04 May 2011 - 12:28 AM.


#23 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 48,079 posts

Posted 04 May 2011 - 07:00 AM

Is it safe running safe mode with networking, immediately turning on ZoneAlarm, SpywareBlaster, MalwareBytes, SuperAntiSpy and then scanning with ZA, MBAM, SAS? I know that sometimes I can only start one program in safe mode with no extra clicking or the computer freezes and I have to reboot. I've never tried safe mode with networking first. Maybe I start without updating since I update security & filtering programs following first bootup of the day.


When you run in Safe Mode only the drivers and files required by the operating system are loaded. With the networking option you should be able to connect to the internet. If some 3rd party programs are not working it means that some of the files needed by the application were not loaded in Safe Mode.

Where does running ComboFix and MBR fit in? First or after ZA and MBAM?


ComboFix and MBR should not be started at start-up.
At start-up you should only be checking for ZA updates.

MBAM should only be run if you have difficulties with the computer.

You are running these 3 jobs at startup.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-05-03 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-12-07 01:05]
.
2011-04-20 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-12-07 20:26]

If you remove them you should find that your computer starts up much faster.
If there is one that is really not required, it is the AppleSoftwareUpdate.job. How often do you need to update Apple programs?

===

Let's try to fix these.

Open notepad and copy/paste the text in the quote box below into it:

RENV::
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Post the log and let me know what problem persists.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
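
As an added example (not code from this thread or from ComboFix), a Python triage script that runs the checks this reply turns on over a constructed sample assembled from the log lines quoted above: executables logged with a space before the extension (the entries the RENV:: script repairs), random-looking folder names under All Users\Application Data, and SecurityProviders entries outside the Windows XP default value. The random-name rule is a heuristic of my own, and the XP default provider list is assumed from general knowledge, not taken from the thread.

```python
# Added triage helper for ComboFix-style log text (not ComboFix's own code, not
# code posted in this thread). Three checks the thread turns on: executables
# logged with a space before the extension ("jusched .exe"), randomly named
# folders under All Users\Application Data, and SecurityProviders entries
# outside the Windows XP default value.
import re
from typing import Dict, List, Optional, Tuple

# Windows XP default value of the SecurityProviders registry entry (assumed).
DEFAULT_XP_SECURITY_PROVIDERS = frozenset(
    {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
)
# "<date> . <date> <size|attrs> [<attrs>] <path>" as in the Files Created,
# Find3M and SnapShot sections; SnapShot lines carry a leading + or -.
DATED_ENTRY_RE = re.compile(
    r"^[+-]?\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:\S+\s+){1,2}(?P<path>[a-z]:\\.+)$",
    re.IGNORECASE,
)
# A name ending in " .exe" (space before the extension) instead of ".exe".
SPACED_EXT_RE = re.compile(
    r"^(?P<stem>.*\S) \.(?P<ext>exe|dll|sys|com|scr|cpl)$", re.IGNORECASE
)
# Leaf folder made only of letters and digits with a run of 4+ digits,
# e.g. eFi01845lLaAa01845. Heuristic: vendors rarely name data folders so.
RANDOM_DATA_DIR_RE = re.compile(
    r"\\all users\\application data\\(?P<leaf>[a-z0-9]*\d{4,}[a-z0-9]*)$",
    re.IGNORECASE,
)
SECURITY_PROVIDERS_RE = re.compile(r"^SecurityProviders\s+(?P<list>.+)$", re.I)

def extract_path(line: str) -> Optional[str]:
    """Return the file path carried by a log line, or None for non-path lines."""
    line = line.strip()
    m = DATED_ENTRY_RE.match(line)
    if m:
        return m.group("path")
    if re.match(r"^[a-z]:\\", line, re.I):  # bare path, e.g. inside <pre>
        return line
    return None

def find_spaced_executables(lines: List[str]) -> List[Tuple[str, str]]:
    """(name as logged, name with the stray space removed) for each hit."""
    found = []
    for line in lines:
        path = extract_path(line)
        m = SPACED_EXT_RE.match(path) if path else None
        if m:
            found.append((path, f"{m.group('stem')}.{m.group('ext')}"))
    return found

def find_random_data_dirs(lines: List[str]) -> List[str]:
    """Leaf names of odd-looking folders under All Users\\Application Data."""
    leaves = []
    for line in lines:
        path = extract_path(line)
        m = RANDOM_DATA_DIR_RE.search(path) if path else None
        if m:
            leaves.append(m.group("leaf"))
    return leaves

def find_extra_security_providers(lines: List[str]) -> List[str]:
    """Provider DLLs listed that are not in the XP default set (review them)."""
    for line in lines:
        m = SECURITY_PROVIDERS_RE.match(line.strip())
        if m:
            listed = [p.strip().lower() for p in m.group("list").split(",")]
            return [p for p in listed if p and p not in DEFAULT_XP_SECURITY_PROVIDERS]
    return []

def build_renv_section(spaced: List[Tuple[str, str]]) -> str:
    """CFScript RENV:: section (the directive used in the reply) for the hits."""
    return "RENV::\n" + "".join(f"{as_logged}\n" for as_logged, _ in spaced)

def triage(log_text: str) -> Dict[str, list]:
    lines = log_text.splitlines()
    return {
        "spaced_executables": find_spaced_executables(lines),
        "random_data_dirs": find_random_data_dirs(lines),
        "extra_security_providers": find_extra_security_providers(lines),
    }

# Constructed sample assembled from lines quoted in the thread above.
SAMPLE_LOG = r"""
2011-04-09 20:13 . 2011-04-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\eFi01845lLaAa01845
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Auslogics
+ 2011-05-03 11:54 . 2011-05-03 11:54 16384 c:\windows\temp\Perflib_Perfdata_530.dat
<pre>
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
</pre>
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for check, hits in report.items():
        print(f"{check}: {hits}")
    print(build_renv_section(report["spaced_executables"]))
```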

#24 johneangel

johneangel

    Member

  • Full Member
  • 57 posts

Posted 04 May 2011 - 01:12 PM

Nasdaq

1. I don't know if I left Do not show hidden... and Hide protect.... unchecked when I ran cmd: chkdsk /r while I slept or if ComboFix unchecked them. I assume leaving these unchecked will allow malware paths into my computer and into system files????

2. When I left the computer running "cmd: chkdsk /r" last night, in SpywareBlaster the only restricted site that gets unchecked, AntiMalwareGuard at antimalwareguard.com, was checked. After running ComboFix, it became unchecked. Does this mean that AntiMalwareGuard is a legitimate program used by ComboFix and that it is a false negative, that I should leave it unchecked in SpywareBlaster????????

3. When I opened Notepad and copy/pasted the text in the quote box, highlighting kept going outside of the box to include the Google popup arrow. Backspacing couldn't unhighlight; don't remember if I held the shift button in.
Thus, in Notepad I backspaced to the end of mbam .exe. Was this necessary????

got to go
returned. Instead of reading my bs, you can skip down to the ComboFix log, highlighted, big size.


Reviewed ComboFix logs and did the following:

1. Apple file "MSIInstallPlugin.dll": no match found by search at Uniblue Process Library. Useless crap.
Dates on "MSIInstallPlugin.dll": created and modified Jul 30 08 12:34:12 pm
Searched Jul 30 08 12:34:12 pm, found 39 files, 37 dll files plus SoftwareUpdate.exe and .tiff
All Apple's files created and modified Jul 30, 2008 12:34:06 or 12:34:12 pm
Opened SoftwareUpdate.exe and found it's the update for "Apple's Quick Time Update.exe"
Update scheduler scheduled for update on May 30 11
I will hard delete the Programs folder "Apple Software Update" since Quick Time is no longer installed.
Thus a secure delete with CyberScrub's 3 passes or Schneier's 7 passes. Gutmann's 35 passes is overkill.
No threat, thus 3 will do.
Okay??

2. Unchecked, turned off RegMech scheduler for both scan and update which I do almost daily. Missed the second page.

3. Okay to Wipe Free Space and MFT Free Space on Local Disk C with CCleaner 3 passes: ?
Usually do this with CyberScrub monthly.

4. pavboot.sys is part of Panda which I used once.
As with Apple, I did an MS search and found it only in Programs.
Thus a secure delete with CyberScrub's 3 passes or Schneier's 7 passes.
No threat, thus 3 will do.
Okay??

5. GetPlusHelper I think was removed; I don't use it. MS search found nothing.
But lots of entries in the registry (regedit using F).
Evidently it's part of other program(s).
What to do??

6. Recently added Spell program, not a great speller.

7. Locked registry keys --know nothing, googled "...some good, bad or ugly." Great description, describes everything.

Burned out.

ComboFix 11-05-03.08 - johnt 05/04/11 10:13:02.25.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.721 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\johnt\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
.
.
2011-05-03 10:45 . 2011-05-03 10:45 -------- d-----w- c:\program files\ieSpell
2011-05-01 23:32 . 2011-05-01 23:33 -------- d-----w- c:\documents and settings\johnt\Local Settings\Application Data\Deployment
2011-04-26 21:35 . 2011-04-26 21:35 -------- d-----w- C:\New Folder
2011-04-26 13:33 . 2011-04-26 13:33 -------- d-sh--w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\IETldCache
2011-04-25 21:07 . 2011-05-04 11:46 -------- d-----w- c:\documents and settings\mark1
2011-04-23 21:46 . 2011-04-23 21:52 -------- d-----w- C:\hijack this apr 23
2011-04-09 20:13 . 2011-04-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\eFi01845lLaAa01845
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Auslogics
2011-04-05 01:38 . 2011-04-07 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\pJo01819pNfLn01819
2011-04-04 22:48 . 2011-04-09 20:32 -------- d-----w- c:\documents and settings\johnt\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-07-10 18:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-07-12 02:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 16:52 . 2011-02-10 16:48 53248 ----a-w- c:\windows\runepson.exe
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2011-02-08 13:33 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
<pre>
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
</pre>
.
((((((((((((((((((((((((((((( SnapShot_2011-05-02_14.45.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-04 12:35 . 2011-05-04 12:35 16384 c:\windows\temp\Perflib_Perfdata_218.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 32940 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0017.dat
- 2011-05-01 18:31 . 2011-05-01 18:31 89931 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 89931 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 11967 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0020.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 90069 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0019.dat
+ 2011-05-02 18:09 . 2011-05-02 18:09 90110 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0017.dat
+ 2011-04-22 20:00 . 2011-05-02 18:09 33706 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0017.dat
+ 2011-01-06 22:03 . 2011-05-02 18:09 89930 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0012.dat
+ 2011-04-21 11:43 . 2011-05-02 18:09 12559 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-02 18:09 90068 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0019.dat
+ 2011-01-06 22:02 . 2011-05-02 18:09 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
- 2011-01-06 22:02 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
+ 2011-04-22 20:00 . 2011-05-02 18:09 33706 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0017.dat
+ 2011-01-06 21:35 . 2011-05-02 18:09 89930 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0012.dat
+ 2011-04-21 11:43 . 2011-05-02 18:09 12559 c:\windows\system32\ZoneLabs\avsys\bases\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-02 18:09 90068 c:\windows\system32\ZoneLabs\avsys\bases\apu0019.dat
+ 2011-01-06 22:03 . 2011-05-02 18:09 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
- 2011-01-06 22:03 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
+ 2011-01-03 00:58 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2011-01-03 00:58 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
+ 2004-08-04 10:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
+ 2004-08-04 10:00 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2011-01-06 21:52 . 2011-05-02 23:59 2833920 c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2009-07-12 03:51 . 2011-04-18 22:46 42181064 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-11-16 4364248]
"Privacy Suite RiskMonitor"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Free Video Zilla\\FVZilla.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/10 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [02/17/10 11:15 AM 66632]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/27/10 2:33 AM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/27/10 2:34 AM 493032]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [01/08/10 1:03 AM 632792]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-05-04 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-12-07 01:05]
.
2011-04-20 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-12-07 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 10:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(720)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(496)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-04 10:24:59
ComboFix-quarantined-files.txt 2011-05-04 17:24
ComboFix2.txt 2011-05-03 21:01
ComboFix3.txt 2011-05-02 14:49
ComboFix4.txt 2011-04-28 21:57
ComboFix5.txt 2011-05-04 17:10
.
Pre-Run: 23,844,691,968 bytes free
Post-Run: 23,833,219,072 bytes free
.
Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - D4135605890C4AE340FB7298A1CE771E

Edited by johneangel, 04 May 2011 - 07:10 PM.


#25 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 48,079 posts

Posted 05 May 2011 - 07:25 AM

1. I don't know if I left Do not show hidden... and Hide protect.... unchecked when I ran cmd: chkdsk /r while I slept or if ComboFix unchecked them. I assume leaving these unchecked will allow malware paths into my computer and into system files????


It's very easy for any malware to change the attribute of a file and corrupt a good operating file.
Not much you can do here.

2. When I left the computer running "cmd: chkdsk /r" last night, in SpywareBlaster the only restricted site that gets unchecked, AntiMalwareGuard at antimalwareguard.com, was checked. After running ComboFix, it became unchecked. Does this mean that AntiMalwareGuard is a legitimate program used by ComboFix and that it is a false negative, that I should leave it unchecked in SpywareBlaster????????


It's a bad site. Make sure it's checked in SpywareBlaster.
===

I will hard delete the Programs folder "Apple Software Update" since Quick Time is no longer installed.
Thus a secure delete with CyberScrub's 3 passes or Schneier's 7 passes. Gutmann's 35 passes is overkill.
No threat, thus 3 will do.
Okay??

Yes

3. Okay to Wipe Free Space and MFT Free Space on Local Disk C with CCleaner 3 passes: ?
Usually do this with CyberScrub monthly.

Yes delete. Read this.
http://www.overclock...free-space.html


Panda and GetPlusHelper will be removed with the Combo Script below.


Locked registry keys - Do not touch these keys.
===

Your Malwarebytes program (MBAM) is infected.
I suggest you remove it via the Add/Remove programs applet and reinstall it.
===

Secure your system by updating 3rd party programs.

Clean the old registry entries left over by older versions of Java.
Please download JavaRa

If you get this message:
Problems with the download? Please use this direct link or try another mirror.

Select the Direct link download unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.
In Vista and Windows 7 right click the JavaRa.exe and select run as Administrator.

===


Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u25-windows-i586.exe that you have downloaded to install the newest version (the x64 version is jre-6u25-windows-x64.exe).
    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

Remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 24 <- if found.

===


Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet.

===

On April 15, 2011 - "A critical vulnerability has been identified in Adobe Flash Player 10.2.153.1 and earlier versions... Adobe recommends... update to Adobe Flash Player 10.2.159.1..."

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.

Download for Internet Explorer

Download for Firefox and other browsers
<<<>>>

Now let's remove Panda and GetPlusHelper.

Open notepad and copy/paste the text in the quote box below into it:

File::
c:\windows\system32\drivers\pavboot.sys

Driver::
pavboot
nosGetPlusHelper


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
==

You are doing well. Take your time.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#26 johneangel

johneangel

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 05 May 2011 - 02:36 PM

nasdaq

I'm confused. I added "Add Reply" to your earlier post of today and then made 2 edits. I've added the ComboFix log to this 3rd edit.
Was I supposed to add the log by "Add Reply" or add it by edit?

I use the bold options and then things get messed up. Where are the directions for using them, or are there none?
I gave up after an hour of trying to correct the bold problem. I've posted the ComboFix logs again as an "Add Reply" to this post.

Important Edits of first reply today, may 5

1. Is MBAM still infected? I removed MBAM per instructions and installed it from MajorGeeks; I couldn't download from CNET. I observed during MBAM scanning that the running count of "scanning filesystem objects for infection" would jump from about 1,400 to over 28,000 objects. Different from before. See item 3 below. I thought this jump indicated the infection of MBAM. Is the jump normal?

2. You say to update to Adobe Flash Player 10.2.159.1. I'm already updated to that.
Do I need to uninstall the existing Adobe Flash Player 10.2.159.1 and replace it with a new Adobe Flash Player 10.2.159.1? Is my update infested?

3. Added combofix log after completing most fixes.
Question 2 above is now unnecessary since the answer is in the log. I'm too burned out to decipher it.


Busy performing repairs suggested. I'll edit this reply as needed.

Thanks for your continuing help, especially for the professional, thorough answering of almost every question. I appreciate your answers since I am trying to learn how to repair my computer problems on my own. I tried a class but couldn't keep up. Thanks for your patience.

To generate more donations for you by stimulating those you help to donate, I suggest that between "Support the forum!" and "Donate" a line be added similar to:

SpywareInfo Forum technician Nasdaq's Total Time worked on johneangel's computer as of May 5, 2011 at 09:58 AM:
5 hrs 30 minutes

When customers see the Total Time they will donate. Total Time to be updated manually or automatically with each of your responses.

I estimate your total time assisting me with my current problem to be on the order of 5 hours. Considering my financial status, age, lack of a retirement program and Social Security as my only income source, I will calculate my donation at $15/hr. I'm assuming you have a full-time job and that the computer repair you do with SWI is part-time work. I want to be reasonable.

1. Please correct my estimate of your time for this repair so that I can make a just donation.
If possible include estimate for your previous help, never sent check. Had problem using PayPal on Ebay, got messages
demanding payment for something I never purchased. Thus, I make payments using telephone, nothing online.

2. Should I "Enable scanning of network files" in ZA?
Since Malware can infect any file on my computer, I'm paranoid.
Thus, even though ZA's default setting didn't check "Enable scanning of network files" in "On-Access Scanning" options, It's
now checked. I don't understand "network files". I don't belong to a network, only use comcast. I'm showing my
ignorance and confusion.

ZoneAlarm setting selected, *checked in "Advanced Options". "On-Access Scanning":
*Enable On-Access Scanning [recommended]
*Scan when reading and writing [recommended]
[Scans a file when it's opened, saved or executed.]
*Enable scanning of network files.

3. I removed Malwarebytes with Add or Remove Programs in Control Panel, the same as the "add/remove programs applet".
But many MBAM files were left on the computer. I searched "malwarebytes", 11 files, and "mbam", 122 files.
Could any of these logs, etc. have the malware that infected MBAM?
Do I need to delete (3 passes) those remaining files that are by MBAM? Not files referencing MBAM that I don't recognize?
I observed during MBAM scanning that the running count of "scanning filesystem objects for infection" would jump
from about 750 to over 25,000 objects. I googled this erratic jump, but found nothing. I forgot to include this in my initial
comments. This was a clear indication of MBAM infection that I let pass. I can't remember when this jumping started.

4. Should I delete (3 passes) all saved "program installations" that I save on C: before running them?
I save download programs in case I have to reinstall.

5. When is it safe and unsafe to use safe mode(sm) or safe mode with networking(smn)?
Can existing malware on my computer get worse when I connect to the web by downloading more malware?
My answer, yes if it can get thru ZA, SpywareBlaster, MS defenses, etc.
Can existing malware on my computer become active in both safe modes?

ComboFix 11-05-05.01 - johnt 05/05/11 15:00:33.26.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.737 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\johnt\Desktop\CFScript..txt
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-05 to 2011-05-05 )))))))))))))))))))))))))))))))
.
.
2011-05-05 20:11 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 20:11 . 2011-05-05 20:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-05 20:11 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-03 10:45 . 2011-05-03 10:45 -------- d-----w- c:\program files\ieSpell
2011-05-01 23:32 . 2011-05-01 23:33 -------- d-----w- c:\documents and settings\johnt\Local Settings\Application Data\Deployment
2011-04-26 21:35 . 2011-04-26 21:35 -------- d-----w- C:\New Folder
2011-04-26 13:33 . 2011-04-26 13:33 -------- d-sh--w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\IETldCache
2011-04-25 21:07 . 2011-05-05 00:56 -------- d-----w- c:\documents and settings\mark1
2011-04-23 21:46 . 2011-04-23 21:52 -------- d-----w- C:\hijack this apr 23
2011-04-09 20:13 . 2011-04-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\eFi01845lLaAa01845
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Auslogics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-05 20:49 . 2010-04-18 19:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-05 20:49 . 2010-04-18 19:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-07 05:33 . 2009-07-10 18:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-07-12 02:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 16:52 . 2011-02-10 16:48 53248 ----a-w- c:\windows\runepson.exe
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2011-02-08 13:33 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
c:\program files\Common Files\Java\Java Update\jusched .exe
.
((((((((((((((((((((((((((((( SnapShot_2011-05-02_14.45.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-05 21:53 . 2011-05-05 21:53 16384 c:\windows\temp\Perflib_Perfdata_5a0.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 37407 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0017.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 79216 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0015.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 79871 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0014.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 89928 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 14730 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0020.dat
+ 2011-04-22 20:00 . 2011-05-05 14:01 39396 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0017.dat
+ 2011-03-22 20:56 . 2011-05-05 14:01 79216 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0015.dat
- 2011-03-22 20:56 . 2011-05-01 17:14 79216 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0015.dat
+ 2011-02-17 22:45 . 2011-05-05 14:01 79872 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0014.dat
+ 2011-01-06 22:03 . 2011-05-05 14:01 89930 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0012.dat
- 2011-01-06 22:02 . 2011-05-01 08:53 90050 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0008.dat
+ 2011-01-06 22:02 . 2011-05-04 18:18 90050 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0008.dat
+ 2011-01-06 21:53 . 2011-05-04 18:18 56965 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\blst\bl0021.dat
+ 2011-04-21 11:43 . 2011-05-05 14:01 15033 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-04 18:18 90068 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0019.dat
- 2011-02-17 22:44 . 2011-05-01 08:53 90097 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
+ 2011-02-17 22:44 . 2011-05-04 18:18 90097 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
- 2011-01-06 22:02 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
+ 2011-01-06 22:02 . 2011-05-04 18:18 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
+ 2011-04-22 20:00 . 2011-05-05 14:01 39396 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0017.dat
- 2011-03-22 20:57 . 2011-05-01 17:14 79216 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0015.dat
+ 2011-03-22 20:57 . 2011-05-05 14:01 79216 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0015.dat
+ 2011-02-17 22:49 . 2011-05-05 14:01 79872 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0014.dat
+ 2011-01-06 21:35 . 2011-05-05 14:01 89930 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0012.dat
- 2011-01-06 21:35 . 2011-05-01 08:54 90050 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0008.dat
+ 2011-01-06 21:35 . 2011-05-04 18:18 90050 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0008.dat
+ 2011-01-06 22:03 . 2011-05-04 18:18 56965 c:\windows\system32\ZoneLabs\avsys\bases\bl0021.dat
+ 2011-04-21 11:43 . 2011-05-05 14:01 15033 c:\windows\system32\ZoneLabs\avsys\bases\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-04 18:18 90068 c:\windows\system32\ZoneLabs\avsys\bases\apu0019.dat
+ 2011-02-17 22:45 . 2011-05-04 18:18 90097 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
- 2011-02-17 22:45 . 2011-05-01 08:53 90097 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
- 2011-01-06 22:03 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
+ 2011-01-06 22:03 . 2011-05-04 18:18 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
+ 2011-01-03 00:58 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2011-01-03 00:58 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
+ 2011-05-05 14:01 . 2011-05-05 14:01 2993 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0000.dat
+ 2011-01-06 22:02 . 2011-05-05 14:01 3001 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0000.dat
+ 2011-01-06 21:35 . 2011-05-05 14:01 3001 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0000.dat
+ 2004-08-04 10:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
- 2011-02-20 21:11 . 2011-02-03 05:40 157472 c:\windows\system32\javaws.exe
+ 2011-05-05 20:49 . 2011-05-05 20:49 157472 c:\windows\system32\javaws.exe
+ 2011-05-05 20:49 . 2011-05-05 20:49 145184 c:\windows\system32\javaw.exe
- 2011-02-20 21:11 . 2011-02-03 05:40 145184 c:\windows\system32\javaw.exe
+ 2011-05-05 20:49 . 2011-05-05 20:49 145184 c:\windows\system32\java.exe
- 2011-02-20 21:11 . 2011-02-03 05:40 145184 c:\windows\system32\java.exe
+ 2004-08-04 10:00 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2011-05-05 20:50 . 2011-05-05 20:50 180224 c:\windows\Installer\3636d4.msi
+ 2011-05-05 20:49 . 2011-05-05 20:49 677376 c:\windows\Installer\3636c6.msi
+ 2011-01-06 21:52 . 2011-05-02 23:59 2833920 c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2009-07-12 03:51 . 2011-04-18 22:46 42181064 c:\windows\system32\MRT.exe
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\922b0.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Privacy Suite RiskMonitor"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2010-11-16 01:05 4364248 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Free Video Zilla\\FVZilla.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/10 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [02/17/10 11:15 AM 66632]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/27/10 2:33 AM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/27/10 2:34 AM 493032]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [01/08/10 1:03 AM 632792]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-12-07 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-05 15:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(712)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(964)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-05 15:12:30
ComboFix-quarantined-files.txt 2011-05-05 22:12
ComboFix2.txt 2011-05-04 17:25
ComboFix3.txt 2011-05-03 21:01
ComboFix4.txt 2011-05-02 14:49
ComboFix5.txt 2011-05-05 21:42
.
Pre-Run: 22,622,961,664 bytes free
Post-Run: 22,614,900,736 bytes free
.
Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 27C44096D5DEE3295DEABDE630EC976E



Edited by johneangel, 05 May 2011 - 06:23 PM.
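Reading a ComboFix log like the one posted above means pulling out the same few things every time: which files and folders are new (and whether they carry hidden or system attributes), which drivers and services load and whether they hide inside a shared svchost.exe, any filename that only looks legitimate (the log's "jusched .exe" with a space before the extension), and anything unexpected on the SecurityProviders line. The Python below does that for the three line formats the log uses. It is an added example, not ComboFix's or the forum's own code; the sample lines in SAMPLE_LOG are constructed, modelled on the log above, and the function names and the stock XP SecurityProviders set are this example's assumptions. Flagging a non-default provider DLL means only that it is not part of the stock list and needs identifying, not that it is malicious.

```python
"""Pull the review-relevant items out of a ComboFix log.

Added example, not ComboFix's own code. Parses three line formats seen in
the posted log: file-listing lines ("created . modified size attrs path"),
driver/service lines ("R0 name;display;image [meta]") and the
SecurityProviders line. SAMPLE_LOG is constructed; function names and the
stock XP provider set are assumptions of this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in ComboFix's log format (modelled on the posted log).
SAMPLE_LOG = """\
2011-05-05 20:11 . 2010-12-21 01:09 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-04-26 13:33 . 2011-04-26 13:33 -------- d-sh--w- c:\\documents and settings\\Administrator.JOHN-F8EF23E355.000\\IETldCache
2011-04-09 20:13 . 2011-04-09 20:56 -------- d-----w- c:\\documents and settings\\All Users\\Application Data\\eFi01845lLaAa01845
.
<pre>
c:\\program files\\Common Files\\Java\\Java Update\\jusched .exe
</pre>
.
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
R0 pavboot;pavboot;c:\\windows\\system32\\drivers\\pavboot.sys [09/03/09 8:29 AM 28544]
S3 nosGetPlusHelper;getPlus Helper 3004;c:\\windows\\System32\\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
"""

# "created . modified size attrs path"; size is "--------" for directories.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
# "R0 name;display;image [meta]": R/S = running/stopped, digit = start type.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
# Whitespace immediately before the extension, e.g. "jusched .exe".
ODD_NAME_RE = re.compile(r"\s+\.[A-Za-z0-9]{1,4}$")
# Stock value on XP SP3 (assumption of this example); anything else needs identifying.
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}


@dataclass(frozen=True)
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    path: str
    directory: bool
    hidden: bool
    system: bool


@dataclass(frozen=True)
class ServiceEntry:
    start: str            # "R0": running, boot start; "S3": stopped, manual start
    name: str
    display: str
    image: str
    shared_svchost: bool  # hosted inside svchost.exe via "-k <group>"


def parse_file_entries(log: str) -> List[FileEntry]:
    """Parse 'Files Created' / 'Find3M' style lines into FileEntry records."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]  # letters: d=directory, s=system, h=hidden, a=archive, w=writable
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(FileEntry(m["created"], m["modified"], size, m["path"],
                                 "d" in attrs, "h" in attrs, "s" in attrs))
    return entries


def parse_services(log: str) -> List[ServiceEntry]:
    """Parse the R*/S* driver and service lines into ServiceEntry records."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(ServiceEntry(m["start"], m["name"], m["display"], m["image"],
                                         "svchost.exe -k" in m["image"].lower()))
    return services


def odd_filenames(log: str) -> List[str]:
    """Paths (file entries, service images, bare path lines) whose basename has
    whitespace before the extension, so 'jusched .exe' passes for 'jusched.exe'."""
    paths = [e.path for e in parse_file_entries(log)]
    paths += [s.image for s in parse_services(log)]
    paths += [ln.strip() for ln in log.splitlines() if re.match(r"^[A-Za-z]:\\", ln.strip())]
    return sorted({p for p in paths if ODD_NAME_RE.search(p.rsplit("\\", 1)[-1])})


def nondefault_security_providers(log: str) -> List[str]:
    """DLLs on the SecurityProviders line that are outside the stock XP set.
    Each listed DLL is loaded as a security package, hence ComboFix shows the value."""
    for line in log.splitlines():
        if line.strip().lower().startswith("securityproviders "):
            listed = {p.strip().lower() for p in line.strip().split(None, 1)[1].split(",")}
            return sorted(listed - XP_DEFAULT_SECURITY_PROVIDERS)
    return []


if __name__ == "__main__":
    for e in parse_file_entries(SAMPLE_LOG):
        print("file", e.created, "dir" if e.directory else e.size, "hidden" if e.hidden else "", e.path)
    for s in parse_services(SAMPLE_LOG):
        print("svc ", s.start, s.name, "(svchost)" if s.shared_svchost else "", s.image)
    print("odd names:", odd_filenames(SAMPLE_LOG))
    print("non-default SecurityProviders:", nondefault_security_providers(SAMPLE_LOG))
```

Run it against a saved ComboFix.txt by reading the file into a string instead of SAMPLE_LOG; the parsers ignore every line they do not recognise, so the whole log can be fed in unchanged. The service parser records whether an entry runs under a shared svchost.exe because such entries (like nosGetPlusHelper above) have no image of their own and must be traced through the svchost group in the registry.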


#27 johneangel

johneangel

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 05 May 2011 - 06:26 PM

ComboFix 11-05-05.01 - johnt 05/05/11 15:00:33.26.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.737 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\johnt\Desktop\CFScript..txt
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-05 to 2011-05-05 )))))))))))))))))))))))))))))))
.
.
2011-05-05 20:11 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 20:11 . 2011-05-05 20:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-05 20:11 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-03 10:45 . 2011-05-03 10:45 -------- d-----w- c:\program files\ieSpell
2011-05-01 23:32 . 2011-05-01 23:33 -------- d-----w- c:\documents and settings\johnt\Local Settings\Application Data\Deployment
2011-04-26 21:35 . 2011-04-26 21:35 -------- d-----w- C:\New Folder
2011-04-26 13:33 . 2011-04-26 13:33 -------- d-sh--w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\IETldCache
2011-04-25 21:07 . 2011-05-05 00:56 -------- d-----w- c:\documents and settings\mark1
2011-04-23 21:46 . 2011-04-23 21:52 -------- d-----w- C:\hijack this apr 23
2011-04-09 20:13 . 2011-04-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\eFi01845lLaAa01845
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Auslogics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-05 20:49 . 2010-04-18 19:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-05 20:49 . 2010-04-18 19:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-07 05:33 . 2009-07-10 18:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-07-12 02:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 16:52 . 2011-02-10 16:48 53248 ----a-w- c:\windows\runepson.exe
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2011-02-08 13:33 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
c:\program files\Common Files\Java\Java Update\jusched .exe
.
((((((((((((((((((((((((((((( SnapShot_2011-05-02_14.45.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-05 21:53 . 2011-05-05 21:53 16384 c:\windows\temp\Perflib_Perfdata_5a0.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 37407 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0017.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 79216 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0015.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 79871 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0014.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 89928 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-05-05 14:01 . 2011-05-05 14:01 14730 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0020.dat
+ 2011-04-22 20:00 . 2011-05-05 14:01 39396 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0017.dat
+ 2011-03-22 20:56 . 2011-05-05 14:01 79216 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0015.dat
- 2011-03-22 20:56 . 2011-05-01 17:14 79216 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0015.dat
+ 2011-02-17 22:45 . 2011-05-05 14:01 79872 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0014.dat
+ 2011-01-06 22:03 . 2011-05-05 14:01 89930 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0012.dat
- 2011-01-06 22:02 . 2011-05-01 08:53 90050 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0008.dat
+ 2011-01-06 22:02 . 2011-05-04 18:18 90050 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0008.dat
+ 2011-01-06 21:53 . 2011-05-04 18:18 56965 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\blst\bl0021.dat
+ 2011-04-21 11:43 . 2011-05-05 14:01 15033 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-04 18:18 90068 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0019.dat
- 2011-02-17 22:44 . 2011-05-01 08:53 90097 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
+ 2011-02-17 22:44 . 2011-05-04 18:18 90097 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
- 2011-01-06 22:02 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
+ 2011-01-06 22:02 . 2011-05-04 18:18 90110 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0017.dat
+ 2011-04-22 20:00 . 2011-05-05 14:01 39396 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0017.dat
- 2011-03-22 20:57 . 2011-05-01 17:14 79216 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0015.dat
+ 2011-03-22 20:57 . 2011-05-05 14:01 79216 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0015.dat
+ 2011-02-17 22:49 . 2011-05-05 14:01 79872 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0014.dat
+ 2011-01-06 21:35 . 2011-05-05 14:01 89930 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0012.dat
- 2011-01-06 21:35 . 2011-05-01 08:54 90050 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0008.dat
+ 2011-01-06 21:35 . 2011-05-04 18:18 90050 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0008.dat
+ 2011-01-06 22:03 . 2011-05-04 18:18 56965 c:\windows\system32\ZoneLabs\avsys\bases\bl0021.dat
+ 2011-04-21 11:43 . 2011-05-05 14:01 15033 c:\windows\system32\ZoneLabs\avsys\bases\apu0020.dat
+ 2011-04-02 01:18 . 2011-05-04 18:18 90068 c:\windows\system32\ZoneLabs\avsys\bases\apu0019.dat
+ 2011-02-17 22:45 . 2011-05-04 18:18 90097 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
- 2011-02-17 22:45 . 2011-05-01 08:53 90097 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
- 2011-01-06 22:03 . 2011-05-01 08:53 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
+ 2011-01-06 22:03 . 2011-05-04 18:18 90110 c:\windows\system32\ZoneLabs\avsys\bases\apu0017.dat
+ 2011-01-03 00:58 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2011-01-03 00:58 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
+ 2011-05-05 14:01 . 2011-05-05 14:01 2993 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0000.dat
+ 2011-01-06 22:02 . 2011-05-05 14:01 3001 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0000.dat
+ 2011-01-06 21:35 . 2011-05-05 14:01 3001 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0000.dat
+ 2004-08-04 10:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
- 2011-02-20 21:11 . 2011-02-03 05:40 157472 c:\windows\system32\javaws.exe
+ 2011-05-05 20:49 . 2011-05-05 20:49 157472 c:\windows\system32\javaws.exe
+ 2011-05-05 20:49 . 2011-05-05 20:49 145184 c:\windows\system32\javaw.exe
- 2011-02-20 21:11 . 2011-02-03 05:40 145184 c:\windows\system32\javaw.exe
+ 2011-05-05 20:49 . 2011-05-05 20:49 145184 c:\windows\system32\java.exe
- 2011-02-20 21:11 . 2011-02-03 05:40 145184 c:\windows\system32\java.exe
+ 2004-08-04 10:00 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2011-05-05 20:50 . 2011-05-05 20:50 180224 c:\windows\Installer\3636d4.msi
+ 2011-05-05 20:49 . 2011-05-05 20:49 677376 c:\windows\Installer\3636c6.msi
+ 2011-01-06 21:52 . 2011-05-02 23:59 2833920 c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2009-07-12 03:51 . 2011-04-18 22:46 42181064 c:\windows\system32\MRT.exe
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\922b0.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Privacy Suite RiskMonitor"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2010-11-16 01:05 4364248 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Free Video Zilla\\FVZilla.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/10 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [02/17/10 11:15 AM 66632]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/27/10 2:33 AM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/27/10 2:34 AM 493032]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [01/08/10 1:03 AM 632792]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-12-07 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-05 15:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(712)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(964)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-05 15:12:30
ComboFix-quarantined-files.txt 2011-05-05 22:12
ComboFix2.txt 2011-05-04 17:25
ComboFix3.txt 2011-05-03 21:01
ComboFix4.txt 2011-05-02 14:49
ComboFix5.txt 2011-05-05 21:42
.
Pre-Run: 22,622,961,664 bytes free
Post-Run: 22,614,900,736 bytes free
.
Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 27C44096D5DEE3295DEABDE630EC976E

#28 johneangel (Member, 57 posts)

Posted 06 May 2011 - 03:28 AM

nasdaq

Delete all posts from yesterday. Don't read them, they're garbage. I had problems with the computer and myself.
I corrected language and erratic problems when I used bold options. The bold would bold the selected sentence and at the same time would unbold a bolded section and also bold another section. I had a Bold Trojan. Ha, ha. I bolded all the bolds, it's working now.

Me confused. Added "Add Reply" to your post today & made 3 edits. Combofix logs in 3rd edit.
Are logs to be always posted or using edit okay?
I used the bold option, which bolded erratically. Where are directions for using bold & tabs?
Gave up after an hour of trying to correct the bold problem.
Posted combofix logs again as an "Add Reply" to this Post.

Important Edits of first reply today, May 5

1. Is MBAM still infected? Removed mbam per instructions & installed from majorgeeks, Cnet wouldn't download. Observed during scan the "scanning filesystem objects for infection" count instantly jump from about 1,400 to over 28,000 objects. Similar to before. See Item 3. below. Me thinks such a jump indicates malware infestation. Is such a jump normal??

2. You advised to update to Adobe Flash Player 10.2.159.1. I'm already updated to 10.2.159.1. My update infested? Do I need to uninstall old 10.2.159.1 and replace with new 10.2.159.1?

3. Added combofix log after completing most fixes.
Above question 2. is now unnecessary since the answer is in the log. But, too burned out to decipher.

Busy performing repairs suggested. I'll edit this reply as needed. Thanks for your continuing help, especially for the professional, thorough answering of almost each question. I appreciate your answers since I'm trying to learn how to handle the repair. Tried a class but couldn't keep up. Your patience appreciated.

You (swif) can generate more & larger donations by showing those you help the hours spent by the technician. I suggest that between "Support the forum!" and "Donate" a line be added similar to:

SpywareInfo Forum technician Nasdaq's Total Time repairing johneangel's computer as of May 5, 2011 at 09:58 AM is 5 hrs 30 minutes.

When customers see the Total Time the technician spent, they can't help but donate.
Total Time to be updated manually or automatically, shown with each response.
I should get a discount for this great and honest suggestion.

My rough estimate of your total time assisting me on my current problems is on the order of 5 hours. Considering my financial status, age, lack of a retirement program and Social Security as my only income source, I will calculate my donation at about $15/hr. I'm assuming you have a full time job and that computer repair you do with swif is part time work you do at home. I want to be reasonable and fair.

1. Correct my estimate of your repair time for this repair.
Include hour estimate for your previous help. I never sent check. I don't make payments online since, after using PayPal on eBay, I began getting bogus demands for payments for things I never purchased. Thus, I make payments by telephone, nothing online.

2. Should I "Enable scanning of network files" in ZA?
Since Malware can infect any file on my computer, I'm paranoid.
Thus, even though ZA's default setting didn't check "Enable scanning of network files" in "On-Access Scanning" options, it's now checked. I don't understand " network files". I don't belong to a network, only use comcast. I'm showing my ignorance and confusion.

ZoneAlarm settings selected:
*checked in "Advanced Options". "On-Access Scanning":
*Enable On-Access Scanning [recommended]
*Scan when reading and writing [recommended]
[Scans a file when it's opened, saved or executed.]
*Enable scanning of network files.

3. Observed during old mbam scans that the "scanning filesystem objects for infection" count instantly jumped from about 750 to over 25,000 objects. I googled this erratic jump, but found nothing. I forgot to include this in my initial comments. This was a clear indication of mbam infection that I let pass. Can't remember when this jumping started.

4. Should I delete (3 passes) all saved "program installations" that I save on C: before running them? I save download programs in case I have to reinstall.

5. When is it safe and unsafe to use safe mode(sm) or safe mode with networking(smn)?
Can existing malware get worse when I connect to the web?
My answer, yes if it can get through ZA, SpywareBlaster, MS defenses, etc.
Can existing malware on my computer become active in both safe modes?


#29 nasdaq (Forum Deity, Global Moderator, 48,079 posts)

Posted 06 May 2011 - 06:54 AM

1. Is MBAM still infected? Removed mbam per instructions and installed from majorgeeks, couldn't download from Cnet. I observed during mbam scanning that the running number count of "scanning filesystem objects for infection" would jump from about 1,400 to over 28,000 objects. Different from before. See Item 3. below. I thought this jump indicated the infection of mbam. Is jump normal??

If MBAM scans 28,000 objects, that is good. If the report shows that infections were found then fix them.
MBAM is updated often so when you want to check your computer make sure you have the latest version.

===

2. You say to update to Adobe Flash Player 10.2.159.1... I'm already updated to that.
Do I need to uninstall existing Adobe Flash Player 10.2.159.1 and replace with new Adobe Flash Player 10.2.159.1. My update is infested??

Then you are good and safe on that issue.

===

To generate more donations for you by stimulating those you help to donate, I suggest that between "Support the forum!" and "Donate" a line be added similar to.

We are all volunteers and our services are free. This policy will not change.
For the maintenance of this site contributions are accepted and used for that purpose only.
===

2. Should I "Enable scanning of network files" in ZA?
Since Malware can infect any file on my computer, I'm paranoid.
Thus, even though ZA's default setting didn't check "Enable scanning of network files" in "On-Access Scanning" options, it's now checked. I don't understand "network files". I don't belong to a network, only use comcast. I'm showing my ignorance and confusion.

If enabled and the network setting does not slow down your computer, let it do it.
This option I think is for people who are connected to a wireless router and have many users on a local network.
===

3. After removing Malwarebytes with Add or Remove Programs in Control Panel, same as "add/remove programs applet".
But many MBAM files left on computer. Searched malwarebytes, 11 files, and mbam, 122 files.

Leave them alone. Never delete files that you do not know what they are.
There are too many to delete or check.
If all is well leave them.
===

Your log is looking good.

How is the computer performing?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#30 johneangel (Member, 57 posts)

Posted 06 May 2011 - 09:19 PM

nasdaq

Computer is working good, but 3 major problems.

3 major problems

Problem 1 needs resolving

AntiMalwareGuard (AMG) at AntiMalwareGuard.com continues to get unchecked in SpywareBlaster. I rechecked it in SpywareBlaster and will continue checking it. I also added to the firewall's block list, 69.43.160.144 the address that ZA found for AntiMalwareGuard.com. I'll know this evening and tomorrow if this will stop, block AntiMalwareGuard. Should I notify ZA, MBAM and SAS of this malware, seems they should already be doing something?

Below Originally Posted 03 May 2011 - 03:40 PM

"In SpywareBlaster (SWB) there is one Restricted Site that keeps getting unchecked: AntiMalwareGuard (AMG) at AntiMalwareGuard.com. After I run ComboFix, I'll manually check mark AMG in SWB and use computer, constantly checking SWB to find the malware that unchecks AMG in SWB, and always checking when ZA warnings pops up indicating malware has been deleted, renamed, quarantined or will be deleted, renamed or quarantined on next boot. After I determine malware that unchecks AMG malware in SWB, I'll add AMG to ZAFW's "blocked list"."

Problem 2 needs resolving. Perhaps Problem 1 causing this problem?

Desktop icons load twice and sometimes (or always?) with icons and fonts too difficult to read.
Occurs every week or so.
All font sizes reduce on web sites and on all computer files.
That running sfc /scannow corrects change indicates that a hidden, protected system file has been changed.

Last nite, left computer running a sfc /scannow with monitor off, conserves energy.
On my initial bootup this morning, I accidentally pressed the on button on my computer that was still on. The computer rebooted and when the desktop screen loaded all icons appeared instantly as they should: rottentomato.com a red tomato, ZA a purple Z, Internet Explorer a big lower case e. But after a couple hours and a few reboots all the icons and fonts became very small.

When malware present, desktop loads Microsoft's default icons per file extension. And a second later, the icons start changing individually or in small groups to legitimate program icons & to icons I've changed. The change takes about 3 or 4 seconds.

Now that computer is faster, I'll select a desktop icon program to lock and save arrangement. But this might not work unless we can eliminate desktop display malware.

Question 1
I checked and "Enable write combining" is still unselected since enabling it would further slow down loading of desktop icons. Okay?

I read in a file some place in my computer desktop proxy. Don't know anything so I googled and nothing clear. Search Cnet and found purpose. Dell installed it for temporary control of my computer. I'll uninstall it and it'll be installed when I connect to Dell.

Question 2 Probably a stupid question, but why would Dell use a program that could get hacked into?
Could Dell's "desktop proxy" have been a malware path into my computer?

Ran quick scan with new installation of MBAM, no malware. See below.

After remaining problems are resolved I will have Dell's technician repair online or assist me in repairing unavailable Recovery Module.
And finally, remove repairing programs from desktop and uninstall ComboFix.

Problem/Question 3 ?
Sometimes swif options on this page don't work properly. Is my computer at fault or is it the swif's web page.
Tried using spell check and lost whole page which I had edited and not saved. Dam, keep forgetting to save.

Last question.
Is using the safe mode with networking for loading, updating and then scanning with ZA better than doing it in normal mode?
Same question for MBAM, SAS.

thanks, john

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6515

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/05/11 1:20:45 PM
mbam-log-2011-05-05 (13-20-45).txt

Scan type: Quick scan
Objects scanned: 160133
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#31 nasdaq, Forum Deity, Global Moderator (48,079 posts)

Posted 07 May 2011 - 06:55 AM

AntiMalwareGuard (AMG) at AntiMalwareGuard.com continues to get unchecked in SpywareBlaster. I rechecked it in SpywareBlaster and will continue checking it. I also added to the firewall's block list, 69.43.160.144 the address that ZA found for AntiMalwareGuard.com. I'll know this evening and tomorrow if this will stop, block AntiMalwareGuard. Should I notify ZA, MBAM and SAS of this malware, seems they should already be doing something?


You are blocking the site with ZoneAlarm. You are safe.

You can test it by going to www.AntiMalwareGuard.com. You should be blocked.
If not DO NOT download anything just close the windows.

I just tried it and I was informed by norton that it was a ROGUE site.
===

Last nite, left computer running a sfc /scannow with monitor off, conserves energy.
On my initial bootup this morning, I accidentally pressed the on button on my computer that was still on. The computer rebooted and when the desktop screen loaded all icons appeared instantly as they should: rottentomato.com a red tomato, ZA a purple Z, Internet Explorer a big lower case e. But after a couple hours and a few reboots all the icons and fonts became very small.

When malware present, desktop loads Microsoft's default icons per file extension. And a second later, the icons start changing individually or in small groups to legitimate program icons & to icons I've changed. The change takes about 3 or 4 seconds.

Now that computer is faster, I'll select a desktop icon program to lock and save arrangement. But this might not work unless we can eliminate desktop display malware.


I know of no virus or malware that changes the icons.

How many Icons do you have on your Desktop.
If you have too many it can cause havoc, or the Maxiconcache is damaged.

http://www.techrepub...-xp-pro/5164407

Just check it out and let me know what value you have.
Let me know also how many icons you have now.
===


Problem/Question 3 ?
Sometimes swif options on this page don't work properly. Is my computer at fault or is it the swif's web page.
Tried using spell check and lost whole page which I had edited and not saved. Dam, keep forgetting to save.


What options are you referring to.
Are you using Internet Explorer or Firefox?
It could be some problem with your cookies.

p.s. I normally use NotePad to prepare my reply.
If I lose the SWI page I can always copy my NotePad write-up and paste it to the SWI page.
===

Last question.
Is using the safe mode with networking for loading, updating and then scanning with ZA better than doing it in normal mode?
Same question for MBAM, SAS.


For downloading, Networking is fine. While scanning the computer I would do it in Normal Mode.
===

When you are ready to remove the tools using this.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall
===

The other removal tools can just be deleted.
nasdaq


#32 johneangel, Member (57 posts)

Posted 07 May 2011 - 04:58 PM

Good morning nasdaq.

I'll try to be brief.....
*****************************************
swif 1
How many Icons do you have on your Desktop.

A1
55 desktop icons before clean up.
Deleted 15 icons after moving swif repair associated applications, a zipped folder, internet shortcuts and docs to new folder on C drive.
Logs & text docs saved to notepad.
Now 40 icons on desktop: 3 sys folders, 33 internet shortcuts, 3 shortcuts and 1 text doc.
No applications on desktop.

Q1 Does having applications on the desktop increase chances of malware infestation?

*****************************************
swif 2
If you have too many (icons) it can cause havoc, or the Maxiconcache is damaged.
http://www.techrepub...-xp-pro/5164407
Just check it out and let me know what value you have.
Let me know also how many icons you have now.

A2
The Max Cache Icons value data is 2000 after registry edited as directed.
41 icons
after adding a short cut to techrepublic and rebooting.

*****************************************
swif 3
What options are you referring to.
Are you using Internet Explorer or Firefox?
It could be some problem with your cookies.

A3
Both IE* and swif options worked perfectly today. The glitch is gone.

Referred to options of both IE* and swif.
I do prepare my response on Notepad and then paste it into Add Reply box.
Once in the box I do some editing which uses IE options, mouse's rt click options and file options.
Swif options are used and normally visible at the top.

I set my cookies to default in Internet Properties/Privacy window when posting and editing.
I lost the page because I tried using swif's spell checker which evidently I did not set up properly.
I'll fix this before I next use the spell checker.
Notepad doesn't have spellchecker, so I paste in MS Works and manually make changes in notepad and then paste.

******************************************
******************************************
Remaining problems:

P1
Using Dell technician to repair the broken Recovery Console after all malware is removed is probably my best action.

Q2 Does the fact that I've never been unable to complete a restore with a System Restore point suggest that whatever is preventing System Restore from working is also preventing the Recovery Console from working? I'd like your opinion.

Q3 If the Recovery Console is repaired am I going to be able to use for making repairs or modifications when I have complete instructions? Or is just for use by experts like yourself making it a good idea to have it repaired?
********************
P2
My System Restore is not working and I'm not sure if it ever has.
Tomorrow or Monday, I'll try to execute a System Restore as follows:
1. Turn off System Restore.
2. Reboot
3. Clean & defrag with Internet Properties(delete TIF's, Cookies & History); CCleaner default, Auslogics Disk Defrag & Registry Mechanic.
4. Reboot, some checking without any cleaning or defrag.
5. Reboot, turn on System Restore, create a System Restore point.
6. Turn off computer.
7 . Turn on computer and do a System Restore.

There are 6 Restore points currently in System Restore and I know none of them will work because I've changed files using Reg Mechanics to: "Clean your Disks", "Clean your Registry" followed by "Defragment your Registry". Any file change in the files save in any of the Restore Point prevents System Restore from working. CCleaner and Auslogics DD also change files.

Q4 What are your suggestions for running System Restore point?

******************************
P3
Google.com not working. I messed it up trying to permanently disable "google instant". Made changes in the registry strictly following instructions, but something went bonkers.

Q5 Do you know how to uninstall or rebuild google.com(not google.co.uk which I use) or can you suggest web sites?
Google.co.uk gives many British answers and sites. I've googled for suggestions, but none are pertinent.
Please suggest pertinent key words: install or reinstall google.com "corrupted google.com" "repair corrupted google.com" "not working"

The end is near.

thanks, john

***********************************

Edited by johneangel, 07 May 2011 - 05:26 PM.


#33 nasdaq, Forum Deity, Global Moderator (48,079 posts)

Posted 08 May 2011 - 07:10 AM

Q1 Does having applications on the desktop increase chances of malware infestation?

NO!

33 internet shortcuts,?
Why Internet shortcuts on the desktop?

I would create new folders (name them by topic) and move the shortcuts to the appropriate folder. Your call.
===

Reset the System restore.

Reset your computer restore point, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn OFF System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
=*=

Keep in mind that any time a tool removes some files in a system restore point you damage the whole system restore and it must be recreated.

<<<

Open a Google window.

In the bottom do you have this option Go to Google.com?
Click it and see what happens. If successful save the link.
Remove the bad one.

This is the link I get when I try it.
http://www.google.com/ig
===
nasdaq


#34 johneangel, Member (57 posts)

Posted 08 May 2011 - 04:04 PM

nasdaq

System Restore Problem

Tried your suggestion, didn't work.
I finally found the problem with System Restore after googling and googling:
MAJOR INFECTION
I deleted "all files" including system files in the System Volume Information folder. Had to do this in safe mode, couldn't delete some files that were being used elsewhere in normal mode. Additionally, had to be extremely fast in "safe mode" or computer and screen would freeze. The only option available to me was to hold the "on button" in until shut down occurred. Years ago, I learned this was the best button option to select during xp installation for me.

Q1 Computer freezing in safe mode is not normal. What causes computer to freeze? Malware or what I'm doing?

Made a SR point and used it.
System Restore screen popped up showing the Restoring Settings graphic counter and then the computer rebooted.
Next, a SR screen popped up with: Restoration Completed, 2 choices, choose another restoration point or undo this restoration.
I have never seen this screen before.

With this ability to make a working Recovery Point, I'll determine which programs prevents SR from working.

Not today.

#35 nasdaq, Forum Deity, Global Moderator (48,079 posts)

Posted 09 May 2011 - 06:31 AM

Try this and see if safe mode is repaired.

; Save this text in bold as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"


; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

Delete the Fix.reg file when done.
nasdaq

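The SafeBoot\Minimal key that Fix.reg above recreates is what Safe Mode reads to decide which drivers and services to load, so a damaged or emptied key is worth checking before and after merging the fix. The following PowerShell script is an added example, not part of the thread or of any tool it mentions: it lists every entry under that key, flags entries with no default value, checks the vds entry the fix sets, and also reads the Max Cached Icons value discussed in #31/#32. It assumes PowerShell 2.0 (installable on XP SP3) and an administrator account; it only reads the registry.

```powershell
# Added example, not from the thread. Read-only audit of the registry keys discussed above.
# PowerShell 2.0 syntax so it also runs on Windows XP SP3; run from an administrator account.

$safeBootMinimal = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$explorerKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

if (-not (Test-Path $safeBootMinimal)) {
    # Malware that wants to keep a user out of Safe Mode sometimes deletes this key outright.
    Write-Warning "$safeBootMinimal is missing: Safe Mode has no driver/service list to load."
}
else {
    # Each subkey's (Default) value names its type: 'Driver', 'Service' or a driver group name.
    $entries = Get-ChildItem $safeBootMinimal | ForEach-Object {
        New-Object PSObject -Property @{
            Name    = $_.PSChildName
            Default = $_.GetValue('')   # '' reads the key's (Default) value
        }
    }
    "SafeBoot\Minimal contains $($entries.Count) entries"

    # An entry with no default value is ignored by Safe Mode, which is how Fix.reg's target looked when broken.
    $entries | Where-Object { -not $_.Default } |
        ForEach-Object { Write-Warning "$($_.Name) has no default value (Safe Mode will skip it)" }

    # The specific entry Fix.reg recreates, expected to read 'Service'.
    $vds = $entries | Where-Object { $_.Name -eq 'vds' }
    if ($vds -and $vds.Default -eq 'Service') {
        'vds = Service, as Fix.reg sets it'
    }
    else {
        Write-Warning 'vds entry missing or wrong; merge Fix.reg from the post above'
    }
}

# Icon cache size from #31/#32; Windows stores it as a REG_SZ string. John reported 2000.
$maxIcons = (Get-ItemProperty -Path $explorerKey -ErrorAction SilentlyContinue).'Max Cached Icons'
if ($maxIcons) { "Max Cached Icons = $maxIcons" } else { 'Max Cached Icons not set; the Windows default applies' }
```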

#36 johneangel, Member (57 posts)

Posted 13 May 2011 - 05:07 PM

nasdaq,

Computer working good, maybe excellently. No redirecting, warnings. Safe modes, no problems. Ran ZA updating & scan in sm+networking.

Burned out with too much computer. I'm slow typing, not too quick.
Haven't had time to determine what programs are preventing System Restore from working. But since I'm now able to delete interfering files, I can now make a Restore Point. I can't even remember if I was able to Restore it once only? Very short short-term memory. I'll get back to you next week.

Determined what is stopping google.com from having "Search settings". Finally, remembered I stopped google from creating cookies for stealing my searching habits. That process accounts for msg saying cookies are disabled...

next week

#37 nasdaq, Forum Deity, Global Moderator (48,079 posts)

Posted 09 May 2014 - 06:05 AM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq

