On the 18th I ran across some malware via a pop-up. I had ZoneAlarm firewall and anti-virus and Malwarebytes on my system but was worried that I might have been infected, so I did a scan with Malwarebytes and it found a malware.trace file called avdrn.dat which it said it removed. I rebooted and my system would blue screen after a bit and then reboot on its own (and continue to loop like that). I could go into safe mode and could still access the net. I later discovered the files that were causing the constant reboot and have done a host of things over the last several days but can't seem to get rid of a .sys file in the system32\drivers folder. Malwarebytes keeps detecting it and removes it (but you have to reboot), but then it returns on reboot. The name of the file is mueizoc.sys. I could not find another file by the same name (on the web) so I suppose it is random. The creation date for this file is the same day as my infection. I was originally able to get on the web in safe mode but cannot do so now, so am posting this via my laptop. I have tried to reset my TCP/IP settings at a cmd prompt but get the following:
------------------------
the following helper dll cannot be loaded: napmontr.dll.
the following helper dll cannot be loaded: dot3cfg.dll

Warning: Could not obtain host information form machine: some commands may not be available. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
------------------
Any suggestions?
I cannot post any files from that system as I cannot copy files or move files from it, so I am sure it makes it darn hard for you to help me. If I could just get it online so I could post a hijack file, etc., I am sure I could probably get it turned around.

Would it do any good to delete the file by going through the process found at the following link (tells how to take control of a file and then you can delete it)? http://www.howtogeek.com/howto/windows-vista/how-to-delete-a-system-file-in-windows-vista/

Thx in advance for any assistance you might be able to offer.

Nathan

Would it do any good to delete the file by going through the process found at the following link (tells how to take control of a file and then you can delete it)? http://www.howtogeek.com/howto/windows-vista/how-to-delete-a-system-file-in-windows-vista/
Thx in advance for any assistance you might be able to offer.

Hi Nathan,

Sounds like you've got quite a mess going there.

-- Is System Restore an option? Do you have any viable Restore points?
What about "Last Known Good Configuration?"
If we can get your compy into a workable state, then we can move on from there.

-- Do you have a usb thumbdrive? External Hard Drive?

Let us know and we'll go from there.

PP:)

Thanks a lot for your reply. Yes, a mess. System restore points wouldn't work and neither would last known config. I was finally able to get into my system and back up files via a portable USB drive. The plug and play services were disabled (as were many other services). I am not super technical but figured that out. I am now seeing if I can get online with it. If I can, I will post here with some logs shortly.

Can anyone point me to a list of services and how they should be configured? These are found in the Administrative Tools. I cannot get online and don't know what should and shouldn't be enabled/disabled. Thanks for your help.

It has taken a week of afternoons but I finally got my computer back online and have updated Malwarebytes. I will run scans and then post logs and hope that I can get everything back to normal. Disregard my request for info on the "services list" at this time. Thanks for this forum!

Great - post the logs when you can.

Let us know if you run into any more problems along the way.

PP:)

I ran a Malwarebytes partial scan (by accident) and got this, then ran a full scan (next paste):

Malwarebytes' Anti-Malware 1.44
Database version: 3793
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/25/2010 3:41:03 PM
mbam-log-2010-02-25 (15-41-01).txt

Scan type: Quick Scan
Objects scanned: 125869
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cmdlhost.dll (Spyware.Passwords) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cmdlhost.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\system32\drivers\mueizoc.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\cmdlhost.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\rencd40.dll (Trojan.Hiloti) -> No action taken.

Full scan report:
Malwarebytes' Anti-Malware 1.44
Database version: 3793
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/25/2010 4:28:09 PM
mbam-log-2010-02-25 (16-28-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 255863
Time elapsed: 40 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cmdlhost.dll (Spyware.Passwords) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cmdlhost.dll (Spyware.Passwords) -> No action taken.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20100224-151156-626-monnid32.exe (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\system32\drivers\mueizoc.sys (Rootkit.Agent) -> No action taken.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Nathan at 17:58:39.10 on Thu 02/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2909 [GMT -6:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nathan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://cgi6.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewListedItems&since=2&userid=mrhugo&include=0&rows=200
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com
mURLSearchHooks: H - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
mRun: [Memeo AutoBackup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
dRunOnce: [ZAFFRegisterTrustCheckerIE] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk - c:\program files\dell photo printer 720\dlbcserv.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-1-26 128016]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-7 486280]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-2-12 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-2-12 476528]
S1 uxtzvxad;uxtzvxad;\??\c:\windows\system32\drivers\uxtzvxad.sys --> c:\windows\system32\drivers\uxtzvxad.sys [?]
S3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-2-12 35448]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2008-11-7 25824]
S4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2010-02-25 22:48:40 0 d-----w- c:\program files\ESET
2010-02-24 20:32:47 0 d-----w- c:\program files\SpywareBlaster
2010-02-23 23:00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 21:10:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-22 21:10:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 09:12:03 0 d-----w- c:\windows\system32\MpEngineStore
2010-02-18 23:32:33 792064 ----a-w- c:\windows\system32\drivers\mueizoc.sys
2010-02-18 23:32:16 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2010-02-15 19:04:09 0 d-----w- c:\program files\MSECache
2010-01-28 19:05:47 685 ----a-r- c:\windows\system32\hppapr08.dat
2010-01-28 19:05:47 327680 ----a-r- c:\windows\system32\hppcpr08.dll
2010-01-28 19:05:41 188416 ----a-r- c:\windows\system32\hppcew08.dll
2010-01-28 19:05:26 876544 ----a-r- c:\windows\system32\hpxp1522.dll
2010-01-28 19:05:26 733184 ----a-r- c:\windows\system32\hpptsp03.dll
2010-01-28 19:05:26 450560 ----a-r- c:\windows\system32\hppasc08.dll
2010-01-28 19:03:55 147504 ----a-w- c:\windows\hppins08.dat
2010-01-28 19:03:54 1116 ------w- c:\windows\hppmdl08.dat

==================== Find3M ====================

2010-02-22 20:01:36 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-19 00:12:18 98304 ----a-w- c:\windows\DUMP47e6.tmp
2009-05-05 09:12:48 2713 --sh--w- c:\windows\system32\digukifi.exe
2009-05-02 09:09:40 2713 --sh--w- c:\windows\system32\gemasaze.exe
2009-05-03 21:11:13 2713 --sh--w- c:\windows\system32\kololawo.exe
2009-05-03 03:10:26 2713 --sh--w- c:\windows\system32\libahupi.exe
2009-05-04 15:12:12 2713 --sh--w- c:\windows\system32\rejijejo.exe
2009-05-11 19:07:45 608 --sha-w- c:\windows\system32\winzvprt5.sys

============= FINISH: 17:58:48.43 ===============
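As an added example (not code from this thread, from Malwarebytes or from DDS), here is a small Python parser for the MBAM 1.x log format posted above. It cross-checks the header counts against the items actually listed, pulls out the detections that sit at driver level (the drivers folder, .sys files, or a Rootkit.* classification), which is where the mueizoc.sys entry that keeps coming back lives, and lists what is still marked "No action taken". SAMPLE_LOG is constructed from lines of the quick-scan log above; the category names and the action string are taken from that log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage its findings.

Added example for this thread; not code from the thread or from Malwarebytes.
SAMPLE_LOG is constructed from lines of the quick-scan log posted above.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3793
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 125869

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cmdlhost.dll (Spyware.Passwords) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cmdlhost.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\system32\drivers\mueizoc.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\cmdlhost.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\rencd40.dll (Trojan.Hiloti) -> No action taken.
"""

# Header count line such as "Files Infected: 4".
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# Section heading such as "Files Infected:" (no count).
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# Detection line: "<path> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(.+?) \(([^)]+)\) -> (.+)\.$")


def parse_mbam_log(text):
    """Return (summary counts by category, list of detection dicts)."""
    summary, items, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):
            summary[m.group(1)] = int(m.group(2))
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section and (m := ITEM_RE.match(line)):
            items.append({"category": section, "path": m.group(1),
                          "family": m.group(2), "action": m.group(3)})
    return summary, items


def summary_mismatches(summary, items):
    """Categories whose header count differs from the items actually listed,
    which usually means the pasted log was truncated or hand-edited."""
    listed = Counter(i["category"] for i in items)
    return sorted(c for c, n in summary.items() if listed.get(c, 0) != n)


def driver_level_hits(items):
    """Detections in the drivers directory, .sys files, or Rootkit.* families.
    These load in kernel mode and, as in this thread, tend to survive a
    user-mode delete and reappear after the reboot."""
    hits = set()
    for i in items:
        p = i["path"].lower()
        if ("\\drivers\\" in p or p.endswith(".sys")
                or i["family"].lower().startswith("rootkit")):
            hits.add(i["path"])
    return sorted(hits)


def pending_actions(items):
    """Unique paths still marked 'No action taken', i.e. nothing removed yet."""
    return sorted({i["path"] for i in items if i["action"] == "No action taken"})


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_LOG)
    print("mismatched categories:", summary_mismatches(summary, items))
    print("driver-level:", driver_level_hits(items))
    print("pending:", pending_actions(items))
```

Feeding it the full-scan log instead would also show why a quick scan is not enough on its own: the two scans above disagree on which files exist, so running both and comparing `pending_actions` output is a cheap way to see what a single pass missed.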

Looks like you have a backdoor trojan that possibly has compromised any sensitive data on your machine. If you do online banking, etc..., you may want to monitor your accounts and change passwords via a clean computer.

--Please attach this file for me:
c:\windows\system32\fjhdyfhsn.bat

It's a baddie, so you can then delete it.


THEN:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Let me know if you run into any trouble along the way.

PP:)
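The request for fjhdyfhsn.bat above comes straight from the DDS "Created Last 30" section: that file was written 17 seconds before mueizoc.sys on the day of the infection. The following Python script is an added example (not DDS code and not the helper's own tooling) that performs that timeline pivot mechanically over a listing constructed from the DDS lines posted earlier, and also picks out the files under system32 carrying both the system and hidden attributes, which is the same pattern the later question about winzvprt5.sys is after. The five-minute window and the `\system32\` path filter are assumptions chosen for the example.

```python
"""Timeline pivot over a DDS 'Created Last 30' listing.

Added example for this thread, not code from DDS or from the helper. It
finds what was created within seconds of a known-bad file, and which files
under system32 are flagged both system and hidden. SAMPLE is constructed
from lines of the DDS log posted above.
"""
import re
from datetime import datetime, timedelta

SAMPLE = r"""
2010-02-25 22:48:40 0 d-----w- c:\program files\ESET
2010-02-23 23:00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 21:10:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 09:12:03 0 d-----w- c:\windows\system32\MpEngineStore
2010-02-18 23:32:33 792064 ----a-w- c:\windows\system32\drivers\mueizoc.sys
2010-02-18 23:32:16 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2010-02-15 19:04:09 0 d-----w- c:\program files\MSECache
2009-05-05 09:12:48 2713 --sh--w- c:\windows\system32\digukifi.exe
2009-05-11 19:07:45 608 --sha-w- c:\windows\system32\winzvprt5.sys
"""

# "<date> <time> <size> <attribute flags> <path>". The flag string is eight
# characters: 'd' directory, 's' system, 'h' hidden, 'a' archive, 'w' writable.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")


def parse_listing(text):
    """Turn the listing into dicts with a real datetime for sorting/arithmetic."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "size": int(m.group(2)),
            "attrs": m.group(3),
            "path": m.group(4),
        })
    return entries


def is_dir(e):
    return e["attrs"][0] == "d"


def pivot(entries, known_bad, window=timedelta(minutes=5)):
    """Files (not directories) created within `window` of `known_bad`, excluding
    the pivot itself. A dropper writes its pieces within seconds of each
    other, so this is the first place to look for the rest of the kit.
    The window size is an assumption for the example."""
    anchor = next(e for e in entries if e["path"].lower() == known_bad.lower())
    return sorted(
        e["path"] for e in entries
        if e is not anchor and not is_dir(e)
        and abs(e["created"] - anchor["created"]) <= window
    )


def hidden_system_files(entries, under="\\system32\\"):
    """Non-directory entries flagged both system and hidden beneath `under`.
    Legitimate files rarely need both bits, so each one deserves a look."""
    return sorted(
        e["path"] for e in entries
        if not is_dir(e) and "s" in e["attrs"] and "h" in e["attrs"]
        and under.lower() in e["path"].lower()
    )


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    print("created near mueizoc.sys:",
          pivot(entries, r"c:\windows\system32\drivers\mueizoc.sys"))
    print("system+hidden under system32:", hidden_system_files(entries))
```

The same pivot works on the ComboFix "Files Created" section once its second timestamp column is stripped; the point is that the creation timestamp, not the file name, is what ties a random-looking driver to the script that dropped it.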

Here is the file you asked me to attach. I am going to attempt to get rid of the file now. Thx again.

ComboFix 10-02-26.01 - Nathan 02/26/2010 17:06:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3216 [GMT -6:00]
Running from: c:\documents and settings\Nathan\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-746137067-839522115-1343024091-1003
c:\windows\EventSystem.log
c:\windows\jestertb.dll
c:\windows\system32\bszip.dll
c:\windows\system32\COMCTL32.OCA
c:\windows\system32\digukifi.exe
c:\windows\system32\drivers\mueizoc.sys
c:\windows\system32\gemasaze.exe
c:\windows\system32\kololawo.exe
c:\windows\system32\libahupi.exe
c:\windows\system32\rejijejo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_mueizoc
-------\Service_mueizoc


((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-25 22:48 . 2010-02-25 22:48 -------- d-----w- c:\program files\ESET
2010-02-24 20:32 . 2010-02-24 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-24 20:32 . 2010-02-24 20:32 -------- d-----w- c:\program files\SpywareBlaster
2010-02-23 23:00 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 21:10 . 2010-02-23 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 21:10 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 09:12 . 2010-02-20 09:12 -------- d-----w- c:\windows\system32\MpEngineStore
2010-02-19 21:58 . 2010-02-19 21:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2010-02-19 21:55 . 2010-02-19 21:55 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-19 21:55 . 2010-02-19 21:55 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-18 23:20 . 2010-02-18 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-18 23:20 . 2010-02-18 23:20 -------- d-----w- c:\program files\NOS
2010-02-15 19:04 . 2010-02-15 19:04 -------- d-----w- c:\program files\MSECache
2010-01-28 19:05 . 2008-01-24 05:58 327680 ----a-r- c:\windows\system32\hppcpr08.dll
2010-01-28 19:05 . 2006-12-05 13:57 685 ----a-r- c:\windows\system32\hppapr08.dat
2010-01-28 19:05 . 2007-02-08 03:58 188416 ----a-r- c:\windows\system32\hppcew08.dll
2010-01-28 19:05 . 2008-01-07 02:22 733184 ----a-r- c:\windows\system32\hpptsp03.dll
2010-01-28 19:05 . 2007-06-22 22:08 876544 ----a-r- c:\windows\system32\hpxp1522.dll
2010-01-28 19:05 . 2007-02-08 04:07 450560 ----a-r- c:\windows\system32\hppasc08.dll
2010-01-28 19:03 . 2010-01-28 19:04 147504 ----a-w- c:\windows\hppins08.dat
2010-01-28 19:03 . 2008-01-07 14:19 1116 ------w- c:\windows\hppmdl08.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 20:35 . 2008-09-16 17:29 -------- d-----w- c:\program files\Mihov Picture Downloader
2010-02-24 21:14 . 2005-09-30 06:01 6153643 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-22 22:08 . 2009-05-06 19:11 144 ----a-w- c:\windows\system32\pdfl.dat
2010-02-22 20:33 . 2010-02-22 20:34 2570752 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-02-22 20:30 . 2010-02-22 20:31 2570752 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-02-22 20:01 . 2005-08-25 21:40 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-22 19:07 . 2010-02-22 19:08 25088 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-02-22 19:04 . 2010-02-22 19:05 39424 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-02-22 18:43 . 2010-02-22 18:45 35328 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-02-22 18:30 . 2010-02-22 18:32 80384 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-02-19 20:37 . 2010-02-19 20:39 27136 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-02-19 20:34 . 2010-02-19 20:35 2548736 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-02-19 20:34 . 2010-02-19 20:35 801792 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-02-19 20:17 . 2010-02-19 20:21 224248 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-02-19 00:12 . 2005-08-19 20:34 98304 ----a-w- c:\windows\DUMP47e6.tmp
2010-02-19 00:05 . 2010-02-19 00:06 2547200 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-02-18 23:32 . 2010-02-18 23:32 24 ----a-w- c:\documents and settings\NetworkService\Application Data\cqfyto.dat
2010-01-26 23:54 . 2010-01-26 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2010-01-26 23:43 . 2009-05-12 16:57 -------- d-----w- c:\documents and settings\Nathan\Application Data\CheckPoint
2010-01-19 00:02 . 2010-01-19 00:03 1240576 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-12-10 21:05 . 2009-12-10 21:06 1284608 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-12-04 22:30 . 2009-12-04 22:34 60416 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-12-04 00:14 . 2009-12-04 00:14 2637824 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-05-11 19:07 . 2009-05-11 19:07 608 --sha-w- c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-19 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2008-11-06 144608]
"Memeo AutoBackup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2008-11-07 144608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 188416]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZAFFRegisterTrustCheckerIE"="-s" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-25 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-25 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-10-28 315392]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-3-15 241664]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-17 806912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/2/2007 9:08 AM 639224]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2/12/2009 4:12 AM 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [2/12/2009 4:12 AM 476528]
S1 uxtzvxad;uxtzvxad;\??\c:\windows\system32\drivers\uxtzvxad.sys --> c:\windows\system32\drivers\uxtzvxad.sys [?]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2/12/2009 4:11 AM 35448]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [11/7/2008 1:38 PM 25824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cgi6.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewListedItems&since=2&userid=mrhugo&include=0&rows=200
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
.
- - - - ORPHANS REMOVED - - - -

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 17:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B71D1D8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9e90cb8
\Driver\atapi -> 0x8b7901d8
\Driver\iaStor -> 0x8b71d1d8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(612)
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Photodex\CompuPicPro\ScsiAccess.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2010-02-26 17:20:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 23:20

Pre-Run: 67,330,707,456 bytes free
Post-Run: 67,257,434,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B2E9D1D0295F676CCFA491EF9D402336

Hi Nathan,

That looks better, but there is still a bunch left to address.

I'll have to get back to you over the weekend with the rest of the cleaning steps. Please do not use the ill computer until I can post the next steps to avoid re-infection.

PP:)

Hi Nathan,

Let's see if we can wrap this up, shall we?

-- Do you use or have you used Zan Image Printer?
I would like to see if this file is legit:
c:\windows\system32\winzvprt5.sys
Can you locate it and tell me if it belongs to Zan? (Right-click and look at Properties.) You'll need to enable the viewing of hidden files to see it.


Here are the next cleaning steps:


FIRST:
-- Reboot your machine and select the option for the Recovery Console.
Once in Recovery Console, type fixmbr at the command prompt and hit ENTER.

REBOOT.

NEXT:
Remove the following via Add/Remove Programs:
Adobe Reader 7.0
MyWay Search Assistant

Then, download and install the updated and more secure Adobe Reader 9

THEN:
Please download JavaRa.zip to your Desktop and Extract it to its own folder.
-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.


THEN:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.


FINALLY:
Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me.


Let me know if you run into any problems along the way.

Cheers :)
PP


Tried to run the recovery console and it blue screened on me. I rebooted and it started up fine but I haven't been able. I am supposed to F8 in startup, choose Dir Svcs Restore Mode (Windows Domain controllers only), then choose the operating system, correct? If not, what should I try now? Thx PP !

Huegs

here is the code I received: Stop: 0x0000007B (0xf78d2524, 0xc0000034, 0x00000000, 0x00000000).

Also, to answer your previous question about the Zan Image Printer. I am not familiar with it so don't know that it is necessary. I clicked on the properties and it didn't have any info.

OK - You can probably safely delete that file. No worries.

-- You ought to now have the option to choose the Recovery Console on restart since you installed it when you ran combofix.

If still no joy, we'll use a different method to fix the Master Boot Record.

BTW - Do you have your Windows CD?

PP:)

I had tried to install the recovery console with the CD but it didn't work so when I installed combofix it installed it. To start the recovery console I just F8 during the startup then choose Dir Svcs Restore Mode (Windows Domain controllers only), then choose the operating system. Is that correct? If so, that is when it is blue screening so will have to go a different route.

Yes, have the Windows CD. Thx PP !

Recovery Console ought to just show as an option before Windows boots normally.

No worries - let's just go ahead and use the Windows CD.

Rather than me just confusing you, please follow the steps in this linky to fix the Master Boot Record.

Then, pick up at the new combofix step I posted previously and run from there and post the requested logs.

Let me know if you hit any turbulence along the way.

Cheers :)
PP

I couldn't get my CD drive to recognize the Dell XP Reinstall disk (which is supposedly your XP operating system) to restore the MBR but finally found some info on the web how to repair the Master Boot Record with the Dell MediaDirect Repair Utility CD by downloading a file, burning a disk and then running a tiny program which appears to have fixed it (man, what a P-I-T-A). If anyone else has this problem do a search on google for "Journal ID: 10061C0GKY" which will take you to Dell's support page where I found the info.

Posting logs in a minute.....

Windows Installer would not let me remove the programs you instructed me to install so I had to go into regedit to fix Win Installer and was then able to reboot. That fix was found here: http://support.microsoft.com/kb/315353 Shoot, could I run into any other problems? lol

windows installer would not let me remove the programs you instructed me to install....

I'm confused - did you mean "uninstall?"
If so, that's odd - those should go easily.

--- W/ regard to MBR, there are a number of easy ways go about that.
Personally, I prefer recovery console, but it can also be done with GMER's mbr.exe

I am not so sure there was an active MBR rootkit since the scan did say "user & kernel MBR OK." Still, better safe than sorry.


Will check for the new logs when I get home.

Cheers :)
PP

Yes, I meant "un"install so I could reinstall. The Microsoft fix worked like a champ. It's been interesting to say the least......

BTW, I've somehow locked myself out of the forum so created another acct so I could get these logs posted. I have run combofix and kaspersky as you instructed. Lastly, you have to be wondering: "Is this guy going to ever go away?". lol

ComboFix 10-03-02.02 - Nathan 03/02/2010 16:44:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3097 [GMT -6:00]
Running from: c:\documents and settings\Nathan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nathan\Desktop\CFScript.txt
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active


FILE ::
"c:\windows\cmdlhost.dll"
"c:\windows\rencd40.dll"
"c:\windows\system32\cmdlhost.dll"
"c:\windows\system32\drivers\uxtzvxad.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\GWFSPidGen.DLL
c:\windows\system32\MSIMRT.DLL
c:\windows\system32\MSIMRT32.DLL
c:\windows\system32\MSIMUSIC.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_uxtzvxad


((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 20:35 . 2010-03-02 20:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-26 23:52 . 2010-03-01 19:40 -------- d-----w- c:\documents and settings\Nathan\Application Data\MailFrontier
2010-02-26 23:46 . 2010-03-02 20:27 144 ----a-w- c:\windows\system32\pdfl.dat
2010-02-26 23:46 . 2010-02-26 23:46 80 ----a-w- c:\windows\system32\ibfl.dat
2010-02-26 23:46 . 2009-10-17 06:39 72584 ----a-w- c:\windows\zllsputility.exe
2010-02-26 23:46 . 2009-10-13 00:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-02-26 23:44 . 2010-03-02 22:59 -------- d-----w- c:\windows\Internet Logs
2010-02-25 22:48 . 2010-02-25 22:48 -------- d-----w- c:\program files\ESET
2010-02-24 20:32 . 2010-02-24 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-24 20:32 . 2010-02-24 20:32 -------- d-----w- c:\program files\SpywareBlaster
2010-02-23 23:00 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 21:10 . 2010-02-23 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 21:10 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 09:12 . 2010-02-20 09:12 -------- d-----w- c:\windows\system32\MpEngineStore
2010-02-19 21:58 . 2010-02-19 21:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2010-02-19 21:55 . 2010-02-19 21:55 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-19 21:55 . 2010-02-19 21:55 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-18 23:20 . 2010-03-02 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-18 23:20 . 2010-02-18 23:20 -------- d-----w- c:\program files\NOS
2010-02-15 19:04 . 2010-02-15 19:04 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 21:17 . 2005-08-25 21:40 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-02 20:44 . 2005-08-19 20:44 -------- d-----w- c:\program files\Common Files\Java
2010-03-02 20:44 . 2010-03-02 20:44 503808 ----a-w- c:\documents and settings\Nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72f9ea5f-n\msvcp71.dll
2010-03-02 20:44 . 2010-03-02 20:44 499712 ----a-w- c:\documents and settings\Nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72f9ea5f-n\jmc.dll
2010-03-02 20:44 . 2010-03-02 20:44 348160 ----a-w- c:\documents and settings\Nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72f9ea5f-n\msvcr71.dll
2010-03-02 20:44 . 2010-03-02 20:44 61440 ----a-w- c:\documents and settings\Nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-307063d6-n\decora-sse.dll
2010-03-02 20:44 . 2010-03-02 20:44 12800 ----a-w- c:\documents and settings\Nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-307063d6-n\decora-d3d.dll
2010-03-02 20:44 . 2005-08-19 20:44 -------- d-----w- c:\program files\Java
2010-03-02 20:37 . 2005-08-25 22:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-02 20:35 . 2010-03-02 20:35 38784 ----a-w- c:\documents and settings\Nathan\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 20:31 . 2010-03-02 20:31 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-02 20:18 . 2010-03-02 20:18 52635 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_26_small.dmp.zip
2010-03-02 20:18 . 2010-03-02 20:18 52593 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_30_small.dmp.zip
2010-03-02 20:18 . 2010-03-02 20:18 52592 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_28_small.dmp.zip
2010-03-02 20:18 . 2010-03-02 20:18 13459313 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_20_full.dmp.zip
2010-03-02 20:18 . 2010-03-02 20:18 52807 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_13_small.dmp.zip
2010-03-02 20:18 . 2010-03-02 20:18 52588 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_18_small.dmp.zip
2010-03-02 20:18 . 2010-03-02 20:18 52539 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_16_small.dmp.zip
2010-03-02 20:18 . 2010-03-02 20:18 52891 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_11_small.dmp.zip
2010-03-02 20:18 . 2010-03-02 20:18 53476 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_06_small.dmp.zip
2010-03-02 20:18 . 2010-03-02 20:18 53359 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_02_14_11_08_small.dmp.zip
2010-02-26 23:46 . 2009-05-06 19:11 -------- d-----w- c:\program files\CheckPoint
2010-02-26 23:45 . 2010-02-26 23:45 -------- d-----w- c:\program files\Zone Labs
2010-02-25 20:35 . 2008-09-16 17:29 -------- d-----w- c:\program files\Mihov Picture Downloader
2010-02-19 20:17 . 2010-02-19 20:21 224248 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-02-19 00:12 . 2005-08-19 20:34 98304 ----a-w- c:\windows\DUMP47e6.tmp
2010-02-19 00:05 . 2010-02-19 00:05 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat
2010-02-18 23:32 . 2010-02-18 23:32 24 ----a-w- c:\documents and settings\NetworkService\Application Data\cqfyto.dat
2010-01-28 19:04 . 2010-01-28 19:03 147504 ----a-w- c:\windows\hppins08.dat
2010-01-26 23:54 . 2010-01-26 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2010-01-26 23:43 . 2009-05-12 16:57 -------- d-----w- c:\documents and settings\Nathan\Application Data\CheckPoint
2009-12-17 23:14 . 2008-10-23 19:16 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-19 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2008-11-06 144608]
"Memeo AutoBackup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2008-11-07 144608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 188416]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZAFFRegisterTrustCheckerIE"="-s" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-25 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-25 113664]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-10-28 315392]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-3-15 241664]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-17 806912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
regidsvr REG_SZ c:\windows\system32\cmdlhost.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/2/2007 9:08 AM 639224]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 7:30 AM 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 7:30 AM 476528]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [10/14/2009 7:29 AM 35448]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [11/7/2008 1:38 PM 25824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cgi6.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewListedItems&since=2&userid=mrhugo&include=0&rows=200
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 16:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B00F1D8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9e90cb8
\Driver\atapi -> 0x8b0101d8
\Driver\iaStor -> 0x8b00f1d8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(880)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'explorer.exe'(3284)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(792)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Photodex\CompuPicPro\ScsiAccess.exe
c:\windows\stsystra.exe
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
c:\program files\CheckPoint\ZAForceField\ForceField.exe
.
**************************************************************************
.
Completion time: 2010-03-02 17:07:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 23:07
ComboFix2.txt 2010-02-26 23:20

Pre-Run: 67,616,317,440 bytes free
Post-Run: 67,600,195,584 bytes free

- - End Of File - - 7AA5747F7616B1E4136DED617E0B4BDF

KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, March 2, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, March 02, 2010 17:33:52
Records in database: 3687871


Scan settings
Scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area: My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics
Objects scanned: 149753
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:22:33

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\mueizoc.sys.vir
Infected: Rootkit.Win32.Agent.aioy / 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_mueizoc_.sys.zip
Infected: Rootkit.Win32.Agent.aioy / 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000028.sys
Infected: Rootkit.Win32.Agent.aioy / 1

Selected area has been scanned.

Lastly, you have to be wondering: "Is this guy going to ever go away?". lol

HA!
Allow me to refer you to This Thread....

I'm a pitbull, I tell ya.......


Anyhoo, that looks a bit better.

-- The GMER is popping up with the possible MBR issue again, but again is saying user & kernel MBR OK .

-- Is your ZoneAlarm operating properly? All these
vsmon_2nd_2010_03_02_14_11_11_small.dmp.zip in the combofix log make me wonder if it is experiencing some issues....

-- This one bothers me a bit, but it is probably just a remnant: [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
regidsvr REG_SZ c:\windows\system32\cmdlhost.dll

Please update and run your MBA-M - have it remove what it finds.
Post me that log.
Don't forget to reboot after running MBA-M.

Let's see if MBA-M still detects that threat.

Cheers :)
PP
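The AppCertDlls entry PP flags above is worth a closer look than a glance at the log, because DLLs listed under that key are loaded into every process the system starts. The following PowerShell check is an added example, not something from the thread or from ComboFix: it enumerates the key, expands each path, and reports whether the DLL still exists on disk and whether it carries a valid Authenticode signature. A value that points at a file which no longer exists (as `cmdlhost.dll` does here, since ComboFix removed it) shows up as a dangling remnant, which is exactly the "probably just a remnant" case PP describes. The function name `Get-AppCertDllReport` is my own; the registry path is the one from the log.

```powershell
# Added example (not from the thread): inspect AppCertDlls after a cleanup.
# Anything listed here is injected into every new process, so the key should
# normally be absent or empty on a home XP machine.
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllReport {
    param([string]$Key = $AppCertKey)

    if (-not (Test-Path -Path $Key)) {
        # No key at all is the expected clean state.
        Write-Output "AppCertDlls key not present: nothing is registered."
        return
    }

    $props = Get-ItemProperty -Path $Key
    # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those metadata members.
    $entries = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }

    foreach ($entry in $entries) {
        $dllPath = [Environment]::ExpandEnvironmentVariables([string]$entry.Value)
        $exists  = Test-Path -LiteralPath $dllPath
        $signer  = 'n/a (file missing)'

        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -eq 'Valid') {
                $signer = $sig.SignerCertificate.Subject
            } else {
                # Unsigned or tampered binaries in this key deserve a second opinion.
                $signer = "UNSIGNED or invalid ($($sig.Status))"
            }
        }

        [pscustomobject]@{
            ValueName = $entry.Name
            Dll       = $dllPath
            Exists    = $exists
            Signature = $signer
        }
    }
}

# Usage: run from an elevated PowerShell prompt and read the table.
Get-AppCertDllReport | Format-Table -AutoSize
```

A dangling value (Exists = False) can be removed with `Remove-ItemProperty` once the underlying DLL is confirmed gone; an existing but unsigned DLL should be uploaded for analysis before anything is deleted, which is the same advice PP gives for the quarantined files later in the thread.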

I reinstalled ZoneAlarm as it wouldn't update after the problems.

This folder was installed right about the time I was infected:
C:\Program Files\NOS\bin It is something to do with Adobe. getPlusPlus_Adobe.exe Do you think it is legit? Also, are you familiar with these? \Administrator\Local Settings\Application Data\BVRP Software, c:\documents and settings\Administrator\PrivacIE and c:\documents and settings\Administrator\IETldCache ?

Going to scan with Malwarebytes now. Thanks !

Adobe just recently started using NOS download manager.

The others are benign - don't know if they are needed, but they are legit.

Looking more closely at the last batch of combofix deletions, I wonder if they really are baddies or FPs....:
c:\windows\system32\GWFSPidGen.DLL
c:\windows\system32\MSIMRT.DLL
c:\windows\system32\MSIMRT32.DLL
c:\windows\system32\MSIMUSIC.DLL

PP:)

Looking more closely at the last batch of combofix deletions, I wonder if they really are baddies or FPs....:
c:\windows\system32\GWFSPidGen.DLL
c:\windows\system32\MSIMRT.DLL
c:\windows\system32\MSIMRT32.DLL
c:\windows\system32\MSIMUSIC.DLL

what are FPs?

False positives.

We get those a lot - thing is, with the volume of infected users in all the security forums, the FPs often get chalked up as "collateral damage in the malware wars."

Unless, of course, removing them borks your machine... ;)

Looking more closely at the last batch of combofix deletions, I wonder if they really are baddies or FPs....:
c:\windows\system32\GWFSPidGen.DLL
c:\windows\system32\MSIMRT.DLL
c:\windows\system32\MSIMRT32.DLL
c:\windows\system32\MSIMUSIC.DLL

I think you are right about these files being FPs. Oh well....
Here is the latest scan log:

Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/2/2010 10:58:20 PM
mbam-log-2010-03-02 (22-58-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 262251
Time elapsed: 1 hour(s), 3 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\mueizoc.sys.vir (HackTool.Agent) -> Quarantined and deleted successfully.

I think you are right about these files being FPs. Oh well....

OK - That looks good. How are things running now?

-- You can get into C:\Qoobox\Quarantine and restore those deleted files if you so desire.
I would definitely recommend scanning them at
Just upload them for analysis.


Outside of that, you are probably good to go. Once you have restored those deletions, remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.


Cheers :)
PP

Sent you a private message earlier today PP, not sure you got it. Ready to wrap it up. If you didn't get my message pls let me know. Thx !

PM sent.

Let me know if you have any trouble with the last steps or if there are any issues remaining.

Cheers :)
PP