
[Resolved] Need help removing re-generating virus/trojan


This topic is locked
17 replies to this topic

#1 Granny Mouse

Authentic Member, 38 posts

Posted 28 October 2009 - 08:58 PM

Hi guys ... thanks in advance for all your cooperation and assistance. This problem made itself known around 10/25/09 when I attempted to manually update and was denied access. Have included all the 'baseline' reports you specified and have tried to run MalwareBytes but was denied access. When accessing both ATF and Ccleaner, Zone Alarm provides notice that each program will 'monitor keystrokes and all keyboard activities associated with this computer' ... access is routinely denied, however the program still loads and seems to function properly. When trying to access MalwareBytes (previously loaded), access was denied ... files moved I was told ... couldn't even access the 'un-install option'. Went to their site and re-downloaded the program, however installation was halted by Zone Alarm's notice "MB wants to monitor keyboard activities" ... access denied and installation terminated.

Inquiries on the file names all lead to the 'Vundo' infection so I attempted the 'self-help' fix listed and downloaded VundoFix, ran it (twice) and got a clean bill ... No Virtumundo files found ... with that, I am lost and confused. WinPatrol keeps identifying programs (dlls) wanting to be added to the 'startup setting' and they are routinely denied but the 'notices' are becoming a nuisance. I've received notices on all the files listed above and several others you may find in the reports. Through WinPatrol, Zone Alarm, ATF and Ccleaner, I have managed to delete these files repeatedly only to have them regenerate almost faster than a re-start.

The first indication a problem existed was when I forwarded email (which sent) but the mail page returned to a 'compose' screen instead of the forwarded email and the 'back to mssgs' option disappeared. This led me to the manual update attempt and the subsequent repeat problems. All hidden files were 'accessed' before running scans as well as the ATF, Ccleaner and a fresh boot ... no HJT is included because I wasn't instructed to run one, yet ... sorry if you expected it. Just let me know and I'll get right on that.

Thankx, granny Mouse

Reports per request:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 22:01:11.17 on Wed 10/28/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.289 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [rutogalug] Rundll32.exe "c:\windows\system32\deporare.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229356346359
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229356304359
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\deporare.dll,gidahumu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: zonutoyes - {b5be6fba-a402-499e-b1f3-0c7214a1bbc0} - c:\windows\system32\deporare.dll
STS: jugezatag: {b5be6fba-a402-499e-b1f3-0c7214a1bbc0} - c:\windows\system32\deporare.dll
LSA: Notification Packages = ze.dll fotobike.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-8-22 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-22 365448]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-10-28 12:50 61,440 ---sh--- c:\windows\system32\wuniferi.dll
2009-10-28 12:50 51,712 ---sh--- c:\windows\system32\wuganabu.dll
2009-10-28 12:50 38,400 ---sh--- c:\windows\system32\nijopido.dll
2009-10-25 20:59 <DIR> --d----- C:\VundoFix Backups
2009-10-25 00:29 <DIR> --d----- c:\program files\mutwgm
2009-10-17 12:43 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-10-28 21:47 2,195,084 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-10-28 21:47 166,276,128 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-25 23:32 14,336 a------- c:\windows\system32\svchost.exe
2009-10-12 22:19 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-11 10:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 17:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 04:08 916,480 a------- c:\windows\system32\wininet.dll
2009-08-26 04:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-28 12:49 51,712 a--sh--- c:\windows\system32\hezigotu.dll
2009-07-28 12:50 51,712 a--sh--- c:\windows\system32\jadelamo.dll
2009-07-28 12:49 89,088 a--sh--- c:\windows\system32\nominenu.dll
2009-07-28 12:49 61,440 a--sh--- c:\windows\system32\vonowiya.dll

============= FINISH: 22:01:49.82 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/28 22:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Function Name: NtDebugActiveProcess Status: Not hooked #: 058 Function Name: NtDebugContinue Status: Not hooked #: 059 Function Name: NtDelayExecution Status: Not hooked #: 060 Function Name: NtDeleteAtom Status: Not hooked #: 061 Function Name: NtDeleteBootEntry Status: Not hooked #: 062 Function Name: NtDeleteFile Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc03d20 #: 063 Function Name: NtDeleteKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1ee90 #: 064 Function Name: NtDeleteObjectAuditAlarm Status: Not hooked #: 065 Function Name: NtDeleteValueKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1eab0 #: 066 Function Name: NtDeviceIoControlFile Status: Not hooked #: 067 Function Name: NtDisplayString Status: Not hooked #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1b0e0 #: 069 Function Name: NtDuplicateToken Status: Not hooked #: 070 Function Name: NtEnumerateBootEntries Status: Not hooked #: 071 Function Name: NtEnumerateKey Status: Not hooked #: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx Status: Not hooked #: 073 Function Name: NtEnumerateValueKey Status: Not hooked #: 074 Function Name: NtExtendSection Status: Not hooked #: 075 Function Name: NtFilterToken Status: Not hooked #: 076 Function Name: NtFindAtom Status: Not hooked #: 077 Function Name: NtFlushBuffersFile Status: Not hooked #: 078 Function Name: NtFlushInstructionCache Status: Not hooked #: 079 Function Name: NtFlushKey Status: Not hooked #: 080 Function Name: NtFlushVirtualMemory Status: Not hooked #: 081 Function Name: NtFlushWriteBuffer Status: Not hooked #: 082 Function Name: NtFreeUserPhysicalPages Status: Not hooked #: 083 Function Name: NtFreeVirtualMemory Status: Not hooked #: 084 Function Name: NtFsControlFile Status: Not hooked #: 085 Function Name: NtGetContextThread Status: Not hooked #: 086 Function Name: NtGetDevicePowerState Status: Not 
hooked #: 087 Function Name: NtGetPlugPlayEvent Status: Not hooked #: 088 Function Name: NtGetWriteWatch Status: Not hooked #: 089 Function Name: NtImpersonateAnonymousToken Status: Not hooked #: 090 Function Name: NtImpersonateClientOfPort Status: Not hooked #: 091 Function Name: NtImpersonateThread Status: Not hooked #: 092 Function Name: NtInitializeRegistry Status: Not hooked #: 093 Function Name: NtInitiatePowerAction Status: Not hooked #: 094 Function Name: NtIsProcessInJob Status: Not hooked #: 095 Function Name: NtIsSystemResumeAutomatic Status: Not hooked #: 096 Function Name: NtListenPort Status: Not hooked #: 097 Function Name: NtLoadDriver Status: Not hooked #: 098 Function Name: NtLoadKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1f560 #: 099 Function Name: NtLoadKey2 Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1f5e0 #: 100 Function Name: NtLockFile Status: Not hooked #: 101 Function Name: NtLockProductActivationKeys Status: Not hooked #: 102 Function Name: NtLockRegistryKey Status: Not hooked #: 103 Function Name: NtLockVirtualMemory Status: Not hooked #: 104 Function Name: NtMakePermanentObject Status: Not hooked #: 105 Function Name: NtMakeTemporaryObject Status: Not hooked #: 106 Function Name: NtMapUserPhysicalPages Status: Not hooked #: 107 Function Name: NtMapUserPhysicalPagesScatter Status: Not hooked #: 108 Function Name: NtMapViewOfSection Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc20590 #: 109 Function Name: NtModifyBootEntry Status: Not hooked #: 110 Function Name: NtNotifyChangeDirectoryFile Status: Not hooked #: 111 Function Name: NtNotifyChangeKey Status: Not hooked #: 112 Function Name: NtNotifyChangeMultipleKeys Status: Not hooked #: 113 Function Name: NtOpenDirectoryObject Status: Not hooked #: 114 Function Name: NtOpenEvent Status: Not hooked #: 115 Function Name: NtOpenEventPair Status: Not hooked #: 116 Function Name: NtOpenFile Status: Hooked by 
"C:\WINDOWS\System32\vsdatant.sys" at address 0xefc03a80 #: 117 Function Name: NtOpenIoCompletion Status: Not hooked #: 118 Function Name: NtOpenJobObject Status: Not hooked #: 119 Function Name: NtOpenKey Status: Not hooked #: 120 Function Name: NtOpenMutant Status: Not hooked #: 121 Function Name: NtOpenObjectAuditAlarm Status: Not hooked #: 122 Function Name: NtOpenProcess Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1d070 #: 123 Function Name: NtOpenProcessToken Status: Not hooked #: 124 Function Name: NtOpenProcessTokenEx Status: Not hooked #: 125 Function Name: NtOpenSection Status: Not hooked #: 126 Function Name: NtOpenSemaphore Status: Not hooked #: 127 Function Name: NtOpenSymbolicLinkObject Status: Not hooked #: 128 Function Name: NtOpenThread Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1ce30 #: 129 Function Name: NtOpenThreadToken Status: Not hooked #: 130 Function Name: NtOpenThreadTokenEx Status: Not hooked #: 131 Function Name: NtOpenTimer Status: Not hooked #: 132 Function Name: NtPlugPlayControl Status: Not hooked #: 133 Function Name: NtPowerInformation Status: Not hooked #: 134 Function Name: NtPrivilegeCheck Status: Not hooked #: 135 Function Name: NtPrivilegeObjectAuditAlarm Status: Not hooked #: 136 Function Name: NtPrivilegedServiceAuditAlarm Status: Not hooked #: 137 Function Name: NtProtectVirtualMemory Status: Not hooked #: 138 Function Name: NtPulseEvent Status: Not hooked #: 139 Function Name: NtQueryAttributesFile Status: Not hooked #: 140 Function Name: NtQueryBootEntryOrder Status: Not hooked #: 141 Function Name: NtQueryBootOptions Status: Not hooked #: 142 Function Name: NtQueryDebugFilterState Status: Not hooked #: 143 Function Name: NtQueryDefaultLocale Status: Not hooked #: 144 Function Name: NtQueryDefaultUILanguage Status: Not hooked #: 145 Function Name: NtQueryDirectoryFile Status: Not hooked #: 146 Function Name: NtQueryDirectoryObject Status: Not hooked #: 147 Function Name: 
NtQueryEaFile Status: Not hooked #: 148 Function Name: NtQueryEvent Status: Not hooked #: 149 Function Name: NtQueryFullAttributesFile Status: Not hooked #: 150 Function Name: NtQueryInformationAtom Status: Not hooked #: 151 Function Name: NtQueryInformationFile Status: Not hooked #: 152 Function Name: NtQueryInformationJobObject Status: Not hooked #: 153 Function Name: NtQueryInformationPort Status: Not hooked #: 154 Function Name: NtQueryInformationProcess Status: Not hooked #: 155 Function Name: NtQueryInformationThread Status: Not hooked #: 156 Function Name: NtQueryInformationToken Status: Not hooked #: 157 Function Name: NtQueryInstallUILanguage Status: Not hooked #: 158 Function Name: NtQueryIntervalProfile Status: Not hooked #: 159 Function Name: NtQueryIoCompletion Status: Not hooked #: 160 Function Name: NtQueryKey Status: Not hooked #: 161 Function Name: NtQueryMultipleValueKey Status: Not hooked #: 162 Function Name: NtQueryMutant Status: Not hooked #: 163 Function Name: NtQueryObject Status: Not hooked #: 164 Function Name: NtQueryOpenSubKeys Status: Not hooked #: 165 Function Name: NtQueryPerformanceCounter Status: Not hooked #: 166 Function Name: NtQueryQuotaInformationFile Status: Not hooked #: 167 Function Name: NtQuerySection Status: Not hooked #: 168 Function Name: NtQuerySecurityObject Status: Not hooked #: 169 Function Name: NtQuerySemaphore Status: Not hooked #: 170 Function Name: NtQuerySymbolicLinkObject Status: Not hooked #: 171 Function Name: NtQuerySystemEnvironmentValue Status: Not hooked #: 172 Function Name: NtQuerySystemEnvironmentValueEx Status: Not hooked #: 173 Function Name: NtQuerySystemInformation Status: Not hooked #: 174 Function Name: NtQuerySystemTime Status: Not hooked #: 175 Function Name: NtQueryTimer Status: Not hooked #: 176 Function Name: NtQueryTimerResolution Status: Not hooked #: 177 Function Name: NtQueryValueKey Status: Not hooked #: 178 Function Name: NtQueryVirtualMemory Status: Not hooked #: 179 Function Name: 
NtQueryVolumeInformationFile Status: Not hooked #: 180 Function Name: NtQueueApcThread Status: Not hooked #: 181 Function Name: NtRaiseException Status: Not hooked #: 182 Function Name: NtRaiseHardError Status: Not hooked #: 183 Function Name: NtReadFile Status: Not hooked #: 184 Function Name: NtReadFileScatter Status: Not hooked #: 185 Function Name: NtReadRequestData Status: Not hooked #: 186 Function Name: NtReadVirtualMemory Status: Not hooked #: 187 Function Name: NtRegisterThreadTerminatePort Status: Not hooked #: 188 Function Name: NtReleaseMutant Status: Not hooked #: 189 Function Name: NtReleaseSemaphore Status: Not hooked #: 190 Function Name: NtRemoveIoCompletion Status: Not hooked #: 191 Function Name: NtRemoveProcessDebug Status: Not hooked #: 192 Function Name: NtRenameKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1fdd0 #: 193 Function Name: NtReplaceKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1f7a0 #: 194 Function Name: NtReplyPort Status: Not hooked #: 195 Function Name: NtReplyWaitReceivePort Status: Not hooked #: 196 Function Name: NtReplyWaitReceivePortEx Status: Not hooked #: 197 Function Name: NtReplyWaitReplyPort Status: Not hooked #: 198 Function Name: NtRequestDeviceWakeup Status: Not hooked #: 199 Function Name: NtRequestPort Status: Not hooked #: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc06840 #: 201 Function Name: NtRequestWakeupLatency Status: Not hooked #: 202 Function Name: NtResetEvent Status: Not hooked #: 203 Function Name: NtResetWriteWatch Status: Not hooked #: 204 Function Name: NtRestoreKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1fc20 #: 205 Function Name: NtResumeProcess Status: Not hooked #: 206 Function Name: NtResumeThread Status: Not hooked #: 207 Function Name: NtSaveKey Status: Not hooked #: 208 Function Name: NtSaveKeyEx Status: Not hooked #: 209 Function Name: 
NtSaveMergedKeys Status: Not hooked #: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc06e80 #: 211 Function Name: NtSetBootEntryOrder Status: Not hooked #: 212 Function Name: NtSetBootOptions Status: Not hooked #: 213 Function Name: NtSetContextThread Status: Not hooked #: 214 Function Name: NtSetDebugFilterState Status: Not hooked #: 215 Function Name: NtSetDefaultHardErrorPort Status: Not hooked #: 216 Function Name: NtSetDefaultLocale Status: Not hooked #: 217 Function Name: NtSetDefaultUILanguage Status: Not hooked #: 218 Function Name: NtSetEaFile Status: Not hooked #: 219 Function Name: NtSetEvent Status: Not hooked #: 220 Function Name: NtSetEventBoostPriority Status: Not hooked #: 221 Function Name: NtSetHighEventPair Status: Not hooked #: 222 Function Name: NtSetHighWaitLowEventPair Status: Not hooked #: 223 Function Name: NtSetInformationDebugObject Status: Not hooked #: 224 Function Name: NtSetInformationFile Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc03f90 #: 225 Function Name: NtSetInformationJobObject Status: Not hooked #: 226 Function Name: NtSetInformationKey Status: Not hooked #: 227 Function Name: NtSetInformationObject Status: Not hooked #: 228 Function Name: NtSetInformationProcess Status: Not hooked #: 229 Function Name: NtSetInformationThread Status: Not hooked #: 230 Function Name: NtSetInformationToken Status: Not hooked #: 231 Function Name: NtSetIntervalProfile Status: Not hooked #: 232 Function Name: NtSetIoCompletion Status: Not hooked #: 233 Function Name: NtSetLdtEntries Status: Not hooked #: 234 Function Name: NtSetLowEventPair Status: Not hooked #: 235 Function Name: NtSetLowWaitHighEventPair Status: Not hooked #: 236 Function Name: NtSetQuotaInformationFile Status: Not hooked #: 237 Function Name: NtSetSecurityObject Status: Not hooked #: 238 Function Name: NtSetSystemEnvironmentValue Status: Not hooked #: 239 Function Name: 
NtSetSystemEnvironmentValueEx Status: Not hooked #: 240 Function Name: NtSetSystemInformation Status: Not hooked #: 241 Function Name: NtSetSystemPowerState Status: Not hooked #: 242 Function Name: NtSetSystemTime Status: Not hooked #: 243 Function Name: NtSetThreadExecutionState Status: Not hooked #: 244 Function Name: NtSetTimer Status: Not hooked #: 245 Function Name: NtSetTimerResolution Status: Not hooked #: 246 Function Name: NtSetUuidSeed Status: Not hooked #: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1e5c0 #: 248 Function Name: NtSetVolumeInformationFile Status: Not hooked #: 249 Function Name: NtShutdownSystem Status: Not hooked #: 250 Function Name: NtSignalAndWaitForSingleObject Status: Not hooked #: 251 Function Name: NtStartProfile Status: Not hooked #: 252 Function Name: NtStopProfile Status: Not hooked #: 253 Function Name: NtSuspendProcess Status: Not hooked #: 254 Function Name: NtSuspendThread Status: Not hooked #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1c0f0 #: 256 Function Name: NtTerminateJobObject Status: Not hooked #: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xefc1bf70 #: 258 Function Name: NtTerminateThread Status: Not hooked #: 259 Function Name: NtTestAlert Status: Not hooked #: 260 Function Name: NtTraceEvent Status: Not hooked #: 261 Function Name: NtTranslateFilePath Status: Not hooked #: 262 Function Name: NtUnloadDriver Status: Not hooked #: 263 Function Name: NtUnloadKey Status: Not hooked #: 264 Function Name: NtUnloadKeyEx Status: Not hooked #: 265 Function Name: NtUnlockFile Status: Not hooked #: 266 Function Name: NtUnlockVirtualMemory Status: Not hooked #: 267 Function Name: NtUnmapViewOfSection Status: Not hooked #: 268 Function Name: NtVdmControl Status: Not hooked #: 269 Function Name: NtWaitForDebugEvent Status: Not hooked #: 270 
Function Name: NtWaitForMultipleObjects Status: Not hooked #: 271 Function Name: NtWaitForSingleObject Status: Not hooked #: 272 Function Name: NtWaitHighEventPair Status: Not hooked #: 273 Function Name: NtWaitLowEventPair Status: Not hooked #: 274 Function Name: NtWriteFile Status: Not hooked #: 275 Function Name: NtWriteFileGather Status: Not hooked #: 276 Function Name: NtWriteRequestData Status: Not hooked #: 277 Function Name: NtWriteVirtualMemory Status: Not hooked #: 278 Function Name: NtYieldExecution Status: Not hooked #: 279 Function Name: NtCreateKeyedEvent Status: Not hooked #: 280 Function Name: NtOpenKeyedEvent Status: Not hooked #: 281 Function Name: NtReleaseKeyedEvent Status: Not hooked #: 282 Function Name: NtWaitForKeyedEvent Status: Not hooked #: 283 Function Name: NtQueryPortInformationProcess Status: Not hooked ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/10/28 22:06 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Hidden Services ------------------- none found


#2 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 29 October 2009 - 06:24 AM

Hi,

Please do the following:

Download ComboFix from either of these locations:
Link 1
Link 2


VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 Granny Mouse (Authentic Member, 38 posts)

Posted 29 October 2009 - 09:11 AM

Howdy CatByte ... love the name :) ... wow, that was a real challenge; however, finally successful. ComboFix log follows. As for how it's acting: slower than usual, persistent popups, WinPatrol has identified a different 'program name' today, along with some of the others previously mentioned. Homepage is now being re-directed to 'm.www.yahoo.com' (that's a new one, today) ... to accomplish the task you requested, it took 3 downloads (and multiple attempts to get there) ... 1st contained corrupt files, 2nd claimed to be 'not a valid Win32 file', 3rd was re-downloading Link 1 and was successful ... had to open multiple pages (I think confusion worked in the long run) in order for WinPatrol to 'not interrupt' the download on the page I was accessing ... with split screen, active. ComboFix seemed to run without a problem and here's the log.

ComboFix 09-10-28.08 - Owner 10/29/2009 10:37.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.295 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dovamewo.dll
c:\windows\system32\fotobike.dll
c:\windows\system32\gidahumu.dll
c:\windows\system32\giyikara.dll
c:\windows\system32\jadelamo.dll
c:\windows\system32\kedisuzo.dll
c:\windows\system32\nijopido.dll
c:\windows\system32\nimuhoke.dll.tmp
c:\windows\system32\nominenu.dll
c:\windows\system32\sakalimo.dll
c:\windows\system32\vonowiya.dll
c:\windows\system32\wuganabu.dll
c:\windows\system32\yaruvofo.dll
c:\windows\system32\zulagovi.dll
c:\windows\Tasks\keprutad.job
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-26 00:59 . 2009-10-26 00:59 -------- d-----w- C:\VundoFix Backups
2009-10-25 04:29 . 2009-10-28 17:43 -------- d-----w- c:\program files\mutwgm
2009-10-08 02:49 . 2009-10-08 02:49 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 14:48 . 2009-08-22 18:08 167114784 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-29 14:42 . 2009-08-22 18:08 2238236 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-26 03:32 . 2002-06-25 21:47 14336 ----a-w- c:\windows\system32\svchost.exe
2009-10-13 02:19 . 2008-06-17 16:39 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-22 23:59 . 2008-06-17 13:04 35464 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 03:57 . 2009-09-20 03:57 -------- d-----w- c:\program files\MSBuild
2009-09-20 03:57 . 2009-09-20 03:57 -------- d-----w- c:\program files\Reference Assemblies
2009-09-20 03:15 . 2009-09-20 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-11 14:18 . 2002-06-25 21:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-06-25 21:41 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2002-03-05 12:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-06-25 21:47 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2008-06-17 13:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2002-06-25 21:43 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-06-25 21:43 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 13:15 . 2009-07-29 13:15 60928 --sha-w- c:\windows\system32\tanovivo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-6-17 221247]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\logishrd\\LVMVFM\\LVPrcSrv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Logitech\\QuickCam\\Quickcam.exe"=


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\User_Feed_Synchronization-{245287B3-D295-4B19-A02C-38FD72D7C759}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{c674c59c-4970-4a98-96a2-ef4edb27481c} - jadelamo.dll
HKLM-Run-bakuweyuwa - fotobike.dll
SharedTaskScheduler-{b5be6fba-a402-499e-b1f3-0c7214a1bbc0} - c:\windows\system32\deporare.dll
SharedTaskScheduler-{7de2e170-b934-4133-98d8-2c28d4f7ba88} - c:\windows\system32\kedisuzo.dll
SSODL-zonutoyes-{b5be6fba-a402-499e-b1f3-0c7214a1bbc0} - c:\windows\system32\deporare.dll
SSODL-fokoyahey-{7de2e170-b934-4133-98d8-2c28d4f7ba88} - c:\windows\system32\kedisuzo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 10:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2212)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2009-10-29 10:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 14:50

Pre-Run: 101,128,634,368 bytes free
Post-Run: 101,159,579,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 0CD25E1E291E0D57588658D14A738450

****** PS: haven't done any surfing while this problem exists to offer more description; however, I could not access your reply via the email link, had to access the WTT home page direct (multiple times) ... aside from the obvious, overall function seems normal and acceptable.
mouse

#4 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 29 October 2009 - 09:26 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
c:\windows\system32\tanovivo.dll

Folder::
c:\program files\mutwgm

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please do the following:

Download Inherit and save it to your desktop.
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut).
Then wait for it to say "OK"

Drop MBAM.exe into Inherit - that should free it up to run. Update Malwarebytes from the Update Tab.

Run a quick scan. Delete anything it finds. Post the resulting log.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
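The triage CatByte performs on the post #3 ComboFix log before writing the CFScript above (picking out tanovivo.dll from its --sha-w- attributes and random-looking name, the fresh mutwgm folder, and the BHO/SSODL/SharedTaskScheduler orphans), as an added example that is not part of the thread and not ComboFix's own code. The name heuristic, the date rule and the function names are my assumptions; the sample lines are copied from the log above.

```python
r"""Triage of the ComboFix log in post #3, the way post #4 reads it.

Parses the Find3M/Files Created lines and the ORPHANS REMOVED lines and
reports: system+hidden system32 files with machine-looking names,
directories touched since the first symptom, and which load point (BHO,
SSODL, SharedTaskScheduler, HKLM-Run) pointed at which DLL. The name
heuristic and the date rule are assumptions of this example, not ComboFix's.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log in post #3.
SAMPLE_LOG = r"""
2009-10-26 03:32 . 2002-06-25 21:47 14336 ----a-w- c:\windows\system32\svchost.exe
2009-09-11 14:18 . 2002-06-25 21:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-07-29 13:15 . 2009-07-29 13:15 60928 --sha-w- c:\windows\system32\tanovivo.dll
2009-10-29 14:48 . 2009-08-22 18:08 167114784 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-25 04:29 . 2009-10-28 17:43 -------- d-----w- c:\program files\mutwgm
2009-09-20 03:57 . 2009-09-20 03:57 -------- d-----w- c:\program files\MSBuild
BHO-{c674c59c-4970-4a98-96a2-ef4edb27481c} - jadelamo.dll
HKLM-Run-bakuweyuwa - fotobike.dll
SharedTaskScheduler-{b5be6fba-a402-499e-b1f3-0c7214a1bbc0} - c:\windows\system32\deporare.dll
SSODL-zonutoyes-{b5be6fba-a402-499e-b1f3-0c7214a1bbc0} - c:\windows\system32\deporare.dll
SSODL-fokoyahey-{7de2e170-b934-4133-98d8-2c28d4f7ba88} - c:\windows\system32\kedisuzo.dll
"""

# "<date> <time> . <date> <time> <size or --------> <8 attribute flags> <path>"
ENTRY_RE = re.compile(
    r"^(?P<t1>\d{4}-\d\d-\d\d) \d\d:\d\d \. (?P<t2>\d{4}-\d\d-\d\d) \d\d:\d\d "
    r"(?:\d+|-+) (?P<attrs>[\w-]{8}) (?P<path>.+)$"
)
# "<load point>-<name or CLSID> - <dll>", as printed under ORPHANS REMOVED
ORPHAN_RE = re.compile(
    r"^(?P<kind>BHO|SSODL|SharedTaskScheduler|HKLM-Run)-.*? - (?P<target>\S+)$"
)
# The DLLs Vundo dropped on this machine (dovamewo, tanovivo, ...) are eight
# lowercase letters alternating consonant/vowel. Assumed heuristic only.
CV_NAME_RE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")


def looks_generated(filename: str) -> bool:
    """True for 'tanovivo.dll', False for 'svchost.exe' or 'fidbox.dat'."""
    return bool(CV_NAME_RE.match(filename.rsplit(".", 1)[0].lower()))


def suspicious_system32_files(log: str) -> list[str]:
    """system32 files with both 's' and 'h' in the attribute column and a
    generated-looking name. ZoneAlarm's fidbox.dat is --sha-w- too, but it
    sits under drivers and fails the name test, so it is left alone."""
    hits = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        folder, _, name = path.rpartition("\\")
        if ("s" in attrs and "h" in attrs
                and folder.lower().endswith("\\system32")
                and looks_generated(name)):
            hits.append(path)
    return hits


def directories_since(log: str, first_symptom: str) -> list[str]:
    """Directories ('d' flag) with either timestamp on or after the given
    YYYY-MM-DD. The log does not label which column is create vs modify,
    so both are checked; ISO dates compare correctly as strings."""
    hits = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group("attrs").startswith("d"):
            if max(m.group("t1"), m.group("t2")) >= first_symptom:
                hits.append(m.group("path"))
    return hits


def persistence_by_dll(log: str) -> dict[str, list[str]]:
    """Map each DLL named under ORPHANS REMOVED to the load points it used."""
    result: dict[str, list[str]] = defaultdict(list)
    for line in log.splitlines():
        m = ORPHAN_RE.match(line.strip())
        if m:
            dll = m.group("target").rpartition("\\")[2].lower()
            if m.group("kind") not in result[dll]:
                result[dll].append(m.group("kind"))
    return dict(result)


def draft_cfscript(files: list[str], folders: list[str]) -> str:
    """Render the two directives post #4 uses: Collect:: (quarantine a file
    for the helper to examine) and Folder:: (remove a directory). A helper
    still reviews the draft by hand before asking anyone to run it."""
    parts = []
    if files:
        parts.append("Collect::\n" + "\n".join(files))
    if folders:
        parts.append("Folder::\n" + "\n".join(folders))
    return "\n\n".join(parts) + "\n"
```

Running `draft_cfscript(suspicious_system32_files(SAMPLE_LOG), directories_since(SAMPLE_LOG, "2009-10-25"))` reproduces the CFScript CatByte posted above, and `persistence_by_dll` shows deporare.dll registered under both SharedTaskScheduler and SSODL with the same CLSID.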


#5 Granny Mouse (Authentic Member, 38 posts)

Posted 29 October 2009 - 01:09 PM

Hey CatByte ... apparently MalwareBytes and any trail of it is gone ... so, I downloaded a fresh copy direct from their site. In regards to Inherit, it's downloaded but I didn't drag anything into it because Mbam and MS Updates are the only ones I tried to access before discovering there was a problem. Should I keep it (Inherit) on board or is it not necessary at this time? Here's the reports:

CF Script Log: Upload was successful

MBam after cleaning:

Malwarebytes' Anti-Malware 1.41
Database version: 3055
Windows 5.1.2600 Service Pack 3

10/29/2009 2:24:49 PM
mbam-log-2009-10-29 (14-24-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146955
Time elapsed: 22 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\dovamewo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fotobike.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gidahumu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\giyikara.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jadelamo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kedisuzo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nimuhoke.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sakalimo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuganabu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yaruvofo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zulagovi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP481\A0051437.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP481\A0051454.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP481\A0051455.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP481\A0051487.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP482\A0051632.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP482\A0051633.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP482\A0051634.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051645.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051740.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051848.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051849.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051850.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051851.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051852.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051853.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051856.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051858.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051859.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051860.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lodayija.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zazuporo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

-------------------------------

While posting this, the page advance is now scrolling randomly ... making typing this a bit difficult. However, I also noticed the toolbars above are 'blacked-out' ... the address bar, tab identifier and buttons are viewable and active but the rest is not.

Thanks for all your help so far ... this was more infested than I imagined. mouse
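As an added example (not part of the original thread, and not a Malwarebytes or ComboFix tool), here is a small Python parser for the MBAM log above that sorts detections by where each file was found: ComboFix's quarantine (C:\Qoobox, already neutralised .vir copies), System Restore points (dormant copies that only come back if a restore point is rolled back to), and files still live on the running system. That split is the security-relevant reading of the log: of the 32 hits, 30 are quarantine or restore-point copies and only the two .dll.tmp files in system32 were active. The sample input is an eight-line excerpt of the log; the regular expression, the category names and the function names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample input: eight of the 32 "Files Infected:" lines from the
# MBAM log posted above, one representative of each location. Not the full list.
SAMPLE_LOG = r"""
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\dovamewo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nimuhoke.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zulagovi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP481\A0051437.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051645.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D4EF7E6A-A0D9-4C1C-B020-85DB3D726247}\RP483\A0051860.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lodayija.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zazuporo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# One MBAM detection line looks like:  <path> (<family>) -> <action>
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$"
)


class Detection(NamedTuple):
    path: str
    family: str
    action: str
    location: str  # where the file sat when MBAM found it


def classify_location(path: str) -> str:
    """Map a detected path to the container it was found in (category names are mine)."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix-quarantine"   # .vir copies ComboFix already moved aside
    if r"\system volume information\_restore" in p:
        return "system-restore"        # dormant copies inside System Restore points
    return "live"                      # still in place on the running system


def parse_detections(log_text: str) -> List[Detection]:
    """Extract every detection line; headers, counters and blank lines are skipped."""
    found: List[Detection] = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        found.append(Detection(m["path"], m["family"], m["action"],
                               classify_location(m["path"])))
    return found


def summarize(dets: List[Detection]) -> Dict[str, Counter]:
    """Counts by location and by malware family."""
    return {
        "by_location": Counter(d.location for d in dets),
        "by_family": Counter(d.family for d in dets),
    }


def live_paths(dets: List[Detection]) -> List[str]:
    """The entries that decide 'is it still infected': files outside any quarantine."""
    return [d.path for d in dets if d.location == "live"]


if __name__ == "__main__":
    dets = parse_detections(SAMPLE_LOG)
    s = summarize(dets)
    print("by location:", dict(s["by_location"]))
    print("by family:  ", dict(s["by_family"]))
    for p in live_paths(dets):
        print("LIVE:", p)
```

Run against the full 32-line log the same code reports 11 quarantine copies, 19 restore-point copies and the 2 live files; the live list is what a helper would look at first, and the quarantine hits are the reason CatByte's Kaspersky instructions say not to be alarmed by finds that have "likely been quarantined".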

#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 29 October 2009 - 01:22 PM

Hi,

Please do the following:

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner:

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


NEXT

Please post a fresh DDS Log and Attach.txt

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#7 Granny Mouse

Granny Mouse

    Authentic Member

  • Authentic Member
  • 38 posts

Posted 29 October 2009 - 01:22 PM

CatByte ... WinPatrol has just posted notification of another attempted change (manually denied) ... File Type Change Alert ... using program 'Run DLL as an App' ... change expected is C:\WINDOWS\system32\rundll32.exe - to - C:\WINDOWS\system32\ieframe.dll,OpenURL %l Again, this has been denied manually twice. Not sure if it should be accepted, please advise. mouse

#8 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 29 October 2009 - 01:59 PM

That's a Microsoft Internet Explorer shortcut path... should be OK.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#9 Granny Mouse

Granny Mouse

    Authentic Member

  • Authentic Member
  • 38 posts

Posted 29 October 2009 - 08:11 PM

Ok CatByte, sorry for the delay ... Kaspersky took forever (or so it seemed - couple hours anyway) ... strange though, it found NOTHING ... I guess that's a good thing but I have no report to post. The 'view report' screen was blank and I could not get back to the 'stats' page before it ... however I noticed 50,000+ objects scanned ... -0- value listed for each 'identifier' ... and the length of the run, but I don't remember what it said (roughly 2+ hrs). Here's the DDS and Attach files:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 21:46:53.42 on Thu 10/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.318 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229356346359
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229356304359
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-8-22 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-22 365448]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-10-29 13:47     38,224  a-------  c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 13:47     19,160  a-------  c:\windows\system32\drivers\mbam.sys
2009-10-29 13:47      <DIR>  --d-----  c:\program files\Malwarebytes' Anti-Malware
2009-10-29 10:36      <DIR>  a-dshr--  C:\cmdcons
2009-10-29 10:35     77,312  a-------  c:\windows\MBR.exe
2009-10-29 10:35    236,544  a-------  c:\windows\PEV.exe
2009-10-29 10:35    161,792  a-------  c:\windows\SWREG.exe
2009-10-29 10:35     98,816  a-------  c:\windows\sed.exe
2009-10-25 20:59      <DIR>  --d-----  C:\VundoFix Backups
2009-10-17 12:43  1,089,593  -c------  c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-10-29 21:46  171,428,128  a--sh---  c:\windows\system32\drivers\fidbox.dat
2009-10-29 14:26    2,274,884  a--sh---  c:\windows\system32\drivers\fidbox.idx
2009-10-25 23:32       14,336  --------  c:\windows\system32\svchost.exe
2009-10-12 22:19        4,212  a---h---  c:\windows\system32\zllictbl.dat
2009-09-11 10:18      136,192  a-------  c:\windows\system32\msv1_0.dll
2009-09-04 17:03       58,880  a-------  c:\windows\system32\msasn1.dll
2009-08-29 04:08      916,480  --------  c:\windows\system32\wininet.dll
2009-08-26 04:00      247,326  a-------  c:\windows\system32\strmdll.dll
2009-08-05 05:01      204,800  a-------  c:\windows\system32\mswebdvd.dll
2009-08-04 20:44    2,189,184  --------  c:\windows\system32\ntoskrnl.exe
2009-08-04 10:20    2,066,048  --------  c:\windows\system32\ntkrnlpa.exe

============= FINISH: 21:47:24.21 ===============

***** As for the WinPatrol notice, thanks for the info ... when I see it again, I'll 'approve' the change ... it's been turned off while we're doing these tasks so I haven't seen it lately but I imagine I will again.


#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 29 October 2009 - 10:17 PM

Your logs are clean.

Just some house keeping to do now:

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version 9.2)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Go to Start > Run > copy/paste the following text into the open run box > javacpl.cpl
> Press Enter > Select the Update tab > Click Update now


NEXT

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.





NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

NOTE: If there are any remaining logs/tools on your desktop after running this tool > right click and delete them.


NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.


  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them

    Then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


    If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
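Added example, not part of CatByte's instructions and not a tool from the thread: a Python check of the three Internet-zone ActiveX settings that the "Make Internet Explorer more secure" steps above set through Inetcpl.cpl, read from the registry instead of the dialog so it can be re-run after the cleanup to confirm nothing reset them. The value names 1001, 1004 and 1201 under Zones\3 and the DWORD meanings 0 = Enable, 1 = Prompt, 3 = Disable are IE's URLACTION and URLPOLICY constants; the function names and the constructed sample snapshot are mine. One caveat a practitioner should know: IE reads the per-user key under HKCU unless the Security_HKLM_only policy is set, in which case the same path under HKLM is the one that counts.

```python
import sys
from typing import Dict, List

# Value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# (zone 3 = Internet). The hex names are IE's URLACTION_* identifiers.
DOWNLOAD_SIGNED_ACTIVEX = "1001"    # "Download signed ActiveX controls"
DOWNLOAD_UNSIGNED_ACTIVEX = "1004"  # "Download unsigned ActiveX controls"
SCRIPT_UNSAFE_ACTIVEX = "1201"      # "Initialize and script ActiveX controls not marked as safe"

# URLPOLICY_* values stored in those REG_DWORDs.
ENABLE, PROMPT, DISABLE = 0, 1, 3
POLICY_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# The settings the post asks for: Prompt, Prompt, Disable.
EXPECTED = {
    DOWNLOAD_SIGNED_ACTIVEX: PROMPT,
    DOWNLOAD_UNSIGNED_ACTIVEX: PROMPT,
    SCRIPT_UNSAFE_ACTIVEX: DISABLE,
}


def audit_internet_zone(values: Dict[str, int]) -> List[str]:
    """Compare a {value_name: dword} snapshot of the Internet zone against EXPECTED.

    Returns one human-readable finding per deviation; an empty list means compliant.
    A value that is absent is reported too: IE then falls back to the zone's template
    default rather than to what the user chose in the dialog.
    """
    findings: List[str] = []
    for action, want in EXPECTED.items():
        got = values.get(action)
        if got is None:
            findings.append(f"{action}: not set explicitly (zone template default applies)")
        elif got != want:
            findings.append(
                f"{action}: is {POLICY_NAME.get(got, got)}, expected {POLICY_NAME[want]}"
            )
    return findings


def read_internet_zone() -> Dict[str, int]:
    """Read the live HKCU Internet-zone DWORDs on Windows; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, so imported lazily
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            if kind == winreg.REG_DWORD:
                values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    snapshot = read_internet_zone()
    if not snapshot:
        # Constructed sample for non-Windows hosts: the pre-hardening state.
        snapshot = {"1001": ENABLE, "1004": PROMPT, "1201": ENABLE}
    for finding in audit_internet_zone(snapshot) or ["Internet zone ActiveX settings match the post"]:
        print(finding)
```

Run it from the same user account that did the Inetcpl.cpl steps, since the key is per user; a clean run prints the single "match" line.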

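A second added example, mine rather than MVPS's or CatByte's, for the hosts-file bullet above: a Python model of how the resolver reads a hosts file, run over a constructed excerpt that uses reserved .test names. It makes visible the two limits of the MVPS approach that the one-line description glosses over: matching is exact, so a sub-domain that is not listed still resolves normally, and a page that embeds a raw IP address never consults the hosts file at all. The assumption that the first line naming a host wins is marked in the code.

```python
import ipaddress
from typing import Dict, Optional

# Constructed hosts-file excerpt in the MVPS style (made-up names under the
# reserved .test TLD). This is not the real MVPS file.
SAMPLE_HOSTS = """
# Sample HOSTS file - comment lines start with '#'
127.0.0.1       localhost
0.0.0.0         ad.example-tracker.test
0.0.0.0         banner.example-tracker.test        # trailing comment
127.0.0.1       malware-drop.example.test   www.malware-drop.example.test
192.0.2.10      intranet.example.test
not-an-ip       broken.example.test
"""

# Addresses that blocklist-style hosts files use to blackhole a name.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LOOPBACK_NAMES = {"localhost"}  # legitimately points at 127.0.0.1


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} as the resolver would see it.

    Comments are stripped, several names may follow one address, names are
    case-insensitive, malformed lines are skipped, and the first line that
    mentions a name wins (assumption: that is how the Windows resolver
    treats duplicate entries).
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP literal: the line is ignored
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def lookup(table: Dict[str, str], host: str) -> Optional[str]:
    """Exact-name lookup; a hosts file has no wildcards and no sub-domain matching."""
    return table.get(host.strip().rstrip(".").lower())


def is_blackholed(table: Dict[str, str], host: str) -> bool:
    """True if the hosts file sends this name to a blackhole address."""
    name = host.strip().rstrip(".").lower()
    if name in LOOPBACK_NAMES:
        return False
    return lookup(table, name) in BLACKHOLE_ADDRS


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for h in ("ad.example-tracker.test", "sub.ad.example-tracker.test",
              "MALWARE-DROP.example.test", "intranet.example.test", "broken.example.test"):
        print(f"{h:32} -> {str(lookup(table, h)):12} blackholed={is_blackholed(table, h)}")
```

The sub.ad.example-tracker.test line in the output is the point to take away: a fresh sub-domain, or a raw http://192.0.2.x/ link, walks straight past a hosts-file blocklist, which is why the post pairs it with browser hardening rather than relying on it alone.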


#11 Granny Mouse

Granny Mouse

    Authentic Member

  • Authentic Member
  • 38 posts

Posted 31 October 2009 - 07:37 PM

Dear CatByte, Please accept my sincerest apology for seeming to have fallen off the planet, kinda did. Dr.'s most of Friday and later that evening I checked the post and saw your reply about clean-up but it was toooo late to follow-through ... Today, I couldn't connect, period ... am using the second computer in this house (also infected) to touch base and let you know that I have not completed your last instructions AND Friday evening when Zone Alarm finished its normal 'start-up' scan, it identified 3 trojan entries which were quarantined (can't give you the names until I'm back on the system tomorrow). Apparently the back-up battery is in need of replacement and finally after re-establishing a direct connection (excluding my puter) with the internet, at least one computer is almost working. To be honest, none of the 'preparation programs' have been run on this system yet, so let's not go there ... I'll start a new post one day, soon ... (maybe tomorrow but no promises there, either) ok, hope you're having a good Halloween ... will touch base one way or the other, later tomorrow ... if I'm realllllly lucky, both computers will be addressed :) ... yeah, I guess hoping for a miracle on Halloween is kinda odd, huh?? thanks again, mouse.

#12 Granny Mouse

Granny Mouse

    Authentic Member

  • Authentic Member
  • 38 posts

Posted 04 November 2009 - 11:30 PM

Catbyte, am not sure what is going on here but I am really dead in the water ... replaced the battery back-up and could not connect to the internet ... checked the cable and replaced it ... still cannot connect (offline since last post 10/31). Phoned Verizon (ISP) tech support and tried renewing IP and keep getting DNS problem notifications. Tech says the only resolve is to reformat and re-install XP ... please tell me that is not true. The router is functioning and this computer is connected through same, all cpu troubleshooting shows devices working properly ... for whatever reason, my computer indicates it cannot communicate with the DNS server. On Saturday, early morning 10/31, after reading your last 'clean-up' post I shut the computer down for the evening ... on next re-boot, all seemed well and I was accessing the site when the un-expected power failure shut me down, completely (2 windows open, no clean shut-down) ... that's how I discovered the back-up needed replaced. Haven't been able to connect online since. No updates to Adobe, can't download OTC, java won't update and I am praying maybe ERUNT can help fix this. I did run it as instructed before we started ... have no idea what to do next but maybe we at least have the tools to try. Please, if at all possible, can we avoid a re-install? Patiently awaiting a miracle ... :pullhair: mouse

#13 Granny Mouse

Granny Mouse

    Authentic Member

  • Authentic Member
  • 38 posts

Posted 04 November 2009 - 11:30 PM

Dear Catbyte ... this was a repeat posting (1st said there was a problem so I did it again and it posted twice) ... so, I am overwriting the copy. btw, in a previous post I mentioned that I'd share the '3 trojans Zone Alarm found' after running start-up scans on 10/31 (before power failure) and I looked for a log of them but apparently, once deleted I don't know how to recover what they were. I remember 2 of them said Win32 in the name (not sure if that helps any) - all 3 were identified as 'trojans', quarantined and deleted ... not sure if that has something to do with the DNS issue or not, am just remembering it happened. I sure hope you can help with this, I truly have no clue what happened or why. mouse

Edited by Granny Mouse, 04 November 2009 - 11:40 PM.


#14 Granny Mouse

Granny Mouse

    Authentic Member

  • Authentic Member
  • 38 posts

Posted 05 November 2009 - 02:00 AM

woooooohooooo, there must be angels in our midst ... not sure how but after eliminating Zone Alarm from the current mix, connection is re-established. Am writing from my computer, now :) After disabling ZA and running MalwareBytes quickscan, I tried to update MB and did so, successfully!!!! From version 3055 to 3103 ... ran a deep scan and it came back clean, no malicious items detected. Sooooo, I tried to connect to homepage and succeeded so I began the clean-up posted last ... Adobe, Java, OTC, combofix ... all successful. Went so far as to un-install Zone Alarm and download a fresh copy (haven't installed it just yet) ... just to be on the safe side, I'm gonna run the Kaspersky Online again and I'll let you know what, if anything, comes up. I have a few questions about some of your suggestions but I'll post those, tomorrow ... thanks for your patience and I'll update ya soon. mouse

#15 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 05 November 2009 - 04:15 AM

That's great news. ZA just may not be compatible with your system configuration. There are other Firewall alternatives (or are you using the suite which includes antivirus as well) Let me know and I can recommend a good free antivirus and firewall.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
