Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] HI WTT, first post, Hijack This Log file, Plz Analyze

Started by iam777 , Nov 05 2009 03:12 PM

  • This topic is locked This topic is locked
2 replies to this topic

#1 iam777

iam777

    New Member

  • New Member
  • Pip
  • 1 posts

Posted 05 November 2009 - 03:12 PM

HI WTT,

MY DDS and attachment and Root Repeal infomation included as updated information please advise!!!!
Thanks for your patient and professionalism.

Robert.



DDS (Ver_09-10-26.01) - NTFSx86
Run by Robert Moreno at 12:05:57.75 on Sat 11/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1079 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\Robert Moreno\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [MRC] "c:\program files\pc tune-up\PCTuneUp.exe" /MBRSTART
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Lachesis] c:\program files\razer\lachesis\razerhid.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238515282406
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257289777281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-10-14 35448]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2009-2-12 12032]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2009-2-12 39048]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\Usbicp.sys [2009-2-12 14592]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S4 gupdate1c9f365a63744fa;Google Update Service (gupdate1c9f365a63744fa);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2009-11-03 22:47:47 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-11-03 22:47:47 0 d-----w- c:\windows\system32\SoftwareDistribution
2009-11-03 06:14:28 0 d-----w- c:\docume~1\robert~1\applic~1\#ISW.FS#
2009-11-02 14:00:23 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-11-01 13:42:51 696 ----a-w- c:\documents and settings\robert moreno\PCTuneUp.config
2009-10-31 20:16:33 0 d-----w- c:\program files\IObit
2009-10-31 19:14:07 249856 ----a-w- c:\windows\system32\Lachesis.cpl
2009-10-31 14:55:59 0 d-----w- C:\MyBackup
2009-10-27 17:22:42 0 d-----w- C:\MyBackupRobert
2009-10-27 17:04:28 0 d-----w- c:\program files\PC Tune-Up
2009-10-27 16:07:05 0 d-----w- C:\MyBackupRobertMoreno
2009-10-26 18:55:37 80 ----a-w- c:\windows\system32\ibfl.dat
2009-10-26 18:55:37 144 ----a-w- c:\windows\system32\lkfl.dat
2009-10-26 18:55:36 144 ----a-w- c:\windows\system32\pdfl.dat
2009-10-26 18:55:22 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-10-26 18:54:54 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-10-25 16:13:00 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2009-10-25 16:13:00 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2009-10-25 16:12:57 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-10-22 17:35:28 0 d-----w- c:\docume~1\robert~1\applic~1\Uniblue
2009-10-13 23:01:42 0 d-----w- c:\documents and settings\robert moreno\Downloads
2009-10-13 14:19:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky SDK
2009-10-13 14:08:07 0 d-----w- c:\docume~1\robert~1\applic~1\CheckPoint
2009-10-13 14:07:40 0 d-----w- c:\program files\CheckPoint

==================== Find3M ====================

2009-11-07 14:28:26 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-17 05:39:40 72584 ----a-w- c:\windows\zllsputility.exe
2009-09-25 03:08:11 34328 ----a-w- c:\docume~1\robert~1\applic~1\GDIPFONTCACHEV1.DAT
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 19:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-04-27 19:13:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042720090428\index.dat

============= FINISH: 12:07:06.76 ===============






ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/07 13:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x927FD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\IswTmp\Logs\AK_DLL.swl
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\IswTmp\Logs\ISWSHEX.swl
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\IswTmp\Logs\ISWSVC.swl
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Robert Moreno\Local Settings\Temp\IswTmp\Logs\AK_DLL.swl
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Robert Moreno\Local Settings\Temp\IswTmp\Logs\ISWSHEX.swl
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Robert Moreno\Local Settings\Temp\IswTmp\Logs\TrustcheckerIEPlugin.swl
Status: Locked to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1f542

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1fdba

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x959f0600

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b20dcc

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x959e9d50

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a0e040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b20ca4

#: 044 Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1f148

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x959f0e10

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a07d00

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a08120

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a12210

#: 051 Function Name: NtCreateSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b20efe

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b22784

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1fa58

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x959f0f80

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b22176

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x959eac30

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a0f750

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a0f130

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b20524

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a06e40

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1ee80

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1ef2a

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b20330

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b22208

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a10050

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a10280

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a125c0

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1f076

#: 114 Function Name: NtOpenEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b20e6e

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x959ea720

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1e592

#: 120 Function Name: NtOpenMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b20d3c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a0a420

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b227ae

#: 126 Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b20fa0

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a09ff0

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1efd4

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1ebfc

#: 167 Function Name: NtQuerySection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b22b50

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1e84c

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b2249e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a11400

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a10a10

#: 194 Function Name: NtReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b2132a

#: 195 Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b211f0

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x959f0150

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a110a0

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b23028

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1e1fe

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x959f08e0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1fc76

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x959eb050

#: 230 Function Name: NtSetInformationToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b2186c

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a118b0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b22c90

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a0e940

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b22d74

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b22e9c

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a08cf0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x95a08a20

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1f80e

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b22a06

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b1f998

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b3071e

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b307e8

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b30852

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b30782

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b3027e

#: 312 Function Name: NtUserBuildHwndList
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b308b4

#: 323 Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b30636

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b3046c

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b301e6

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b3056e

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b30232

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b303be

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b30314

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b30368

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b304fe

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b3041e

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b30136

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0x95b3018c

==EOF==








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:59 PM, on 11/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://home.microsof...arch/search.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} -

C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} -

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -

C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -

C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI

Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LogitechCommunicationsManager] rem "C:\Program Files\Common

Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] rem "C:\Program

Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [MRC] "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft

Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.micros...t/wuweb_site.ca

b?1238515282406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.mi...6/client/muweb_

site.cab?1257289777281
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation -

C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies -

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. -

C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) -

Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common

Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common

Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero

BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common

Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. -

C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD

- C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6682 bytes


StartupList report, 11/5/2009, 3:37:30 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18702)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
Lachesis = C:\Program Files\Razer\Lachesis\razerhid.exe
StartCCC = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
LogitechCommunicationsManager = rem "C:\Program Files\Common

Files\LogiShrd\LComMgr\Communications_Helper.exe"
LogitechQuickCamRibbon = rem "C:\Program Files\Logitech\QuickCam\Quickcam.exe"

/hide

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MRC = "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{10880D85-AAD9-4558-ABDC-2AB1552D831F}] *
StubPath = "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall

%SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT

/user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT

/user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = c:\WINDOWS\system32\Rundll32.exe

c:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------







S Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name E
System Manufacturer Dell Computer Corporation
System Model DIM4400
System Type X86-based PC
Processor x86 Family 15 Model 1 Stepping 2 GenuineIntel ~1594 Mhz





Hi,

I know this is a very long post but it is required to explain my challenge accurately, and
maybe it can help others. If your not ZA is meant for informational purposes.
I am a customer deploying the Extreme Security ZA suite, in a private home occupied by
myself and my girlfriend. I am having major Trojan virus, spy/malware, hijack, and
operational issues. On Oct 22, 2009, I noticed my computer slowing and performing sluggish.

I contacted Kelly your ZA tech about this issue, citing isw and lsw issues and was told these

are logging files, its normal (see below). Furthermore I contacted Bill, ZA tech, about an

unauthorized password change, (that was protected by Identity Guard) that disallowed

myself from interacting with ZA (see below). Realize I have hardcopy’s of ZA passwords that I

use daily, and had used that specific one the night before, multiple times. Within the past

few days, I initiated, 2xs daily, ZA’s rootkit/ultra-deep scans revealing nothing. Yesterday ZA

toolbar, browser security, and the extreme security application were crashing, nullifying

and/or deleting security features and protections. Websites, along with ZA were apparently

opening ZA’s identity vault secured password protected applications, (see previous week’s

failed attempts below by Google, etc.) the two current examples being my Windows Logon

password and almost ALL Zone Alarm Custom Program Control Centers protections, which

were rendered useless, unknown to myself for approx 3-4 hour’s in the trusted and internet

zones. Internet Explorer 8 features, were changed, (which does not function correctly now)

and was locking up. I reinitiated program control, all additional ZA security were already

high, and ran scans again, as this unfolded, with no abnormal results. I had purchased and

initiated ZA’s third party Large PC tune up cleaner as well as the registry cleanup application

C.C. cleaner and Windows Advance Systems 3 registry, spyware removal and blocker

application all revealing no Trojans or abnormal activity at the time. Note these utilities are

employed daily and have not conflicted with ZA via alerts or logs.

At approx 21:05 to 21:16 (still yesterday, evening) I received approx 8 little punk (please

excuse the language) Trojans in quick succession (self-regenerating see below) named

JS.Ramif.a, emanating from Zone Alarms virtualization application #ISW.FS# from

C\:DocumentsandSettings\RobertMoreno\ApplicationData\#ISW.FS#\Normal\fffffffffffff931.

isw (see documentation below). ZA’s anti virus failed to repair or treat them all, but they

were quarantined, although other elements of the Trojan file was still attempting to

regenerate itself through Zone Alarm’s virtualization, quickly, and after approx four or five

attempts, I was able to delete fffffffffffXX.isw files but the remaining files, isw.sect.state,

state.isw, inuse.lck, were exhibiting corrupted behavior via the virtual (?) Trojan, which

according to multiple website Trojan verifiers’ is not a Trojan, even according to your own

online website, although obviously ZA’s On Access Scan has determined it is a Trojan. It

appears it is a shadow or mask program exhibiting Trojan behavior but in reality maybe a

hijacker or root kit corrupter, or combination of all three. Anyway they were deleted, had

their entire permissions revoked, modified to read only, and hidden in WinXp safe mode,

which has stopped the Trojan from multiplying and spreading, if it still exists in the files. I

am not taking that chance, until I’m sure.


My status at the moment:
Zone Alarm is consuming massive resources, especially when I engage shortcuts, or

in-window links, especially ZA links or buttons, causing lockups.
I can’t download any updates including window updates and the Internet Options panel,

when I have ZA up, has locked me out and ZA’s “lock the hosts file” feature and its entire

window has disappeared entirely.
Occasionally this morning websites were opening themselves, it hasn’t happened for the last

couple hours.
When I clear the Virtual file only a very few are deleted.
Accessing the internet, ZA automatically places my network in the trusted zone, rather than

the internet zone. And if I switch it, it switches back, although inconsistently.
My networks gateway is not operational.
My font’s change from page to page.
Email protection is not operational, I cant configure Outlook express to Zone Alarm.
My usual program alerts are not operational, with the exception of Microsoft’s IE8; there

have been MANY requests to access the internet from them, displayed as normal access

protocols that haven’t been issued previously (some of them) and /or haven’t been

requested for a long time, as logged, via ZA.
Before today, Identity lock id alerts and many program alerts were not being logged at all,

this occurred after I started to copy the logs to a different folder (See below).
The on access scanner is and has been operational inconsistently, returning errors. (See log

below).
The Forcefield application works inconsistently, displaying vastly conflicting data. One

moment there is zero (0) harmful data blocked coming from the internet the next moment

its 30 MB or more. Private Browser, and Status, only work occasionally. In addition I have

never been able to update from the Browser security window, nor does it attempt to.
My identity vault, set to high is set to off from time to time when reviewed.
Microsoft Internet Explorer 8 in definitely not functioning properly by itself and more

importantly in relation to Zone Alarm.
Zone Alarm Extreme Security is turning itself off as I am surfing the web to combat these

problems, although I can turn it back on quickly.
This morning an apparent Zone Alarm technical support pop-up appeared stating my

browser was unstable and requested I upload to unnamed ZA support staff via a ZA dialog

box, between 0-5 and 0-50 MB’s worth of “unstable ZA toolbar data” on my computer, or my

computers protected application data, or my computers protected system data. I note this

because the same dialog box event transpired via my ZA records, the last time my computer

was infected (?) like this, a few years ago, with the exact same (non) virus, exhibiting very

similar, as well as elevated damage then, to my computer and its peripherals via the virus

engine from my Zone Alarm Internet Security Suite. Was the Dialog box this morning from

Zone Alarm?


Updated Status 11/04/09 1:37pm

While running a ZA Virus Scan under a different Windows Logon User without Administrative

rights, the virus HiddenObject.Multi.Generic was found. I tried to repair it via ZA but that

failed as well as the attempted Quarantine. It locked up my computer for quite a long time

and when I finally rebooted and ran 3 scans as well as other security, utilities, and registry

protocols it can’t be found anywhere. In a new development I can’t disable, my network

connections, I have to disable the adapter itself. What is going on? Why didn’t ZA at least

quarantine and what can be done since obviously this rootkit is still here. Virus

Documenation as follows:

Description Anti-virus detected an infected file
Date / Time 2009-11-04 13:37:20-5:00
Type Treat
Virus name HiddenObject.Multi.Generic
Filename C:\Documents and Settings\Brian Moreno\Application

Data\#ISW.FS#\Privacy\ffffffffffffff4a.isw
Action Infected
Mode Manual
E-mail

Description Anti-virus attempted but failed to quarantine a virus or viruses
Date / Time 2009-11-04 13:37:20-5:00
Type Treat
Virus name HiddenObject.Multi.Generic
Filename C:\Documents and Settings\Brian Moreno\Application

Data\#ISW.FS#\Privacy\ffffffffffffff4a.isw
Action Quarantine failed
Mode Manual
E-mail




Rectification Request:
I need immediate stop-gap protocols please from ZA tech support staff to mitigate

Trojan/hijack/Spyware/Malware (?) damage, and reverse it.
The re-establishment of Extreme Zone Alarm Security, Forcefield protection, and Zone Alarm

browser toolbar, Identity protection and all its features.
Help in relation to IE8.
Since this apparently is a virtual app, HOW and why or in what way could it be

infected/hijacked? Realize I am not blaming ZA. Your product has worked very well much of

the time, I just want a detailed diagnosis, explanation, and resolution.
What is the optimal configuration to prevent this?

Supporting Documentation:
My Zone Alarm
ZoneAlarm Extreme Security version:9.1.008.000
TrueVector version:9.1.008.000
Driver version:9.1.008.000
Anti-virus engine version:8.0.2.42
Anti-virus signature DAT file version:996345216
AntiSpam version:6.0.0.2383
ZoneAlarm ForceField 1.5.53.4
ZoneAlarm ForceField Spyware Scanner 1.5.53.33
ZoneAlarm ForceField Anti-Phishing Database 1.2.104.0
ZoneAlarm ForceField Spyware Sites Database 03.990




The following is a small portion of Unauthorized attempted identity retrievals by online

website applications. With the exception of Zone Alarm and Large PC, which are known and

acceptable as ID Security was set to high.


Description Your [Windows Logon] was blocked from being sent to [www.google.com].
Rating Medium
Date / Time 2009-10-28 19:22:38-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy
Google.com web browser.

Description Your [Windows Logon] was blocked from being sent to

[www.friendconnect.gmodules.com].
Rating Medium
Date / Time 2009-10-28 19:22:38-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy

Google Friend Connect is an online service by Google that allows users on the internet to

connect with their friends on different websites. Google Friend Connect is an Open Social ...

Google Friend Connect is an Open Social application offered by Google that started in May

2008. Google Friend Connect main focus is to simplify the connection between social and

non-social websites and standardize the handling and presentation of social applications and

contacts.




Description Your [Large PC Tune Up] was blocked from being sent to

[update.zonelabs.com].
Rating Medium
Date / Time 2009-10-28 19:03:58-4:00
Type IDLock
Program zlclient.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy

Description Your [Windows Logon] was blocked from being sent to

[nmmclatchy.112.2o7.net].
Rating Medium
Date / Time 2009-10-28 20:13:56-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy

112.2o7.net ---Omniture, An Adobe Company, funny, I can’t copy information from this

website. Opted out of their cookie process, revisit site later. Critics have accused Omniture of

attempting to hide the fact they are collecting data.[8] Critics claim they do this by sending

the information to a domain name that looks and sounds similar to an IP address used to

connect to devices on the local network and not the Internet. This has led to speculation that

the domain name is used to trick users or firewall rules.[9] Omniture's SiteCatalyst and

SearchCenter products use the 2o7.net domain name.[10]Omniture has been known to have

recurring delays of up to one to two days in reporting the web traffic data back to the

businesses buying their service. [11]Omniture collects data from Apple[8] and Adobe, who

use Omniture to collect usage statistics across their products.It is possible to stop tracking by

using the hosts file. Omniture is a publicly held online marketing and web analytics

company. On September 15, 2009, Omniture agreed to be purchased by Adobe

Systems.Omniture's latest offerings include SiteSearch and some social media tracking

capabilities. Integrations with other systems are offered under the title Genesis.

Description Your [Zone Alarm License] was blocked from being sent to

[www.google-analytics.com].
Rating Medium
Date / Time 2009-10-28 21:58:14-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 3
Source DNS
Destination DNS
Policy Personal Policy

Google Analytics is the enterprise-class web analytics solution that gives you rich insights

into your website traffic and marketing effectiveness. Powerful, flexible and easy-to-use

features now let you see and analyze your traffic data in an entirely new way.



Description Your [Zone Alarm License] was blocked from being sent to

[leadback.advertising.com].
Rating Medium
Date / Time 2009-10-28 21:58:14-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy

Access Denied
You don't have permission to access "http://leadback.advertising.com/" on this server.
Reference #18.f961160.1256782257.2967ae1
LeadBack.com is owned by Advertising.com, a wholly owned subsidiary of AOL. The following

statement describes the overall company practices of Advertising.com,
© 2008 LeadBack.com is a product of Advertising.com, a Platform-A company
Advertising.com delivers advertisements across multiple channels and media, including to

web surfers who visit the largest third-party network in the industry – AOL's

Advertising.com.


Description Your [Zone Alarm License] was blocked from being sent to

[pa1.zonealarm.com].
Rating Medium
Date / Time 2009-10-28 21:58:06-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 25
Source DNS
Destination DNS
Policy Personal Policy

************************************************************************
Status report: message description. The request sent by the client was syntactically incorrect

().----Apache Tomcat/6.0.16 ,We did not find any results for pa1.zonealarm. A Zone Alarm

dialog box popped up with this alert indicating I did not have the extreme security control

center features available, and prompted me to buy Zone Alarm Extreme Security Again.

************************************************************************





Zone Alarm Virus Information:
Note there are only 5 quarantined Trojans. There were actually 8 present.


Description Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2009-11-02 21:05:54-5:00
Type On-Access scan
Virus name Trojan.JS.Ramif.a
Filename C:\Documents and Settings\Robert Moreno\Application

Data\#ISW.FS#\Normal\fffffffffffff931.isw
Action File repair failed
Mode Auto
E-mail

Attached Files


Edited by iam777, 07 November 2009 - 02:09 PM.

    Advertisements

Register to Remove

#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 November 2009 - 04:43 PM

Posted Image


DO NOT use any TOOLS such as Combofix, SmitfraudFix, MBAM, Vundofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Posted Image
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.
  • Posted Image
  • Then click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


Please don't attach the scans / logs, use "copy/paste". .

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#3 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 November 2009 - 08:09 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·