1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Is Zwunzi a virus or?

Discussion in 'Malware and Virus Removal Archive' started by chas berlin, 2010/02/08.

Page 1 of 3
  1. 2010/02/08
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    chas berlin,
    #1
  2. 2010/02/08
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    Chas, cut and paste your logs into your posts... Ignore my last post in general security as you're already here ;)
     
    wildfire,
    #2


  3. to hide this advert.

  4. 2010/02/08
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Malware specialist - I'm now at school, so I will post the logs when I'm back home.
     
    chas berlin,
    #3
  5. 2010/02/08
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Thx Paddy. :)


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Administrator at 15:36:33.18 on Mon 02/08/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2371 [GMT -8:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi141.exe
    C:\Program Files\Zwunzi\zwunzi.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr
    C:\Program Files\Mozilla Firefox\firefox.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://mail.yahoo.com/
    uSearch Page = hxxp://google.com
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)" - "file:///S:/Azureus%20Downloads/Essentials%20of%20Interactive%20Physiology%20CD%20(9th%20Edition)/files/systems/media.html?fluids/bodfluid/13 "
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
    mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe "
    mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232051400706
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB} = 68.94.156.1,68.94.157.1
    TCP: {EE03ECD5-7F5E-4951-9473-40F69AD18F62} = 68.94.156.1,68.94.157.1
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: AutorunsDisabled - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll c:\windows\system32\guard32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 relog_ap
    LSA: Notification Packages = scecli
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\djslkzyo.default\
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://www.mail.yahoo.com
    FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071705000014.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-connections-per-server - 6
    FF - user.js: network.http.max-persistent-connections-per-server - 3
    FF - user.js: nglayout.initialpaint.delay - 750
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64160]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-6 11608]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-7-14 134344]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-7-14 25160]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-6 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-6 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-6 56816]
    R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-7-14 723632]
    R2 ocsterBackupDaemon;Ocster Backup Service;c:\program files\ocster backup\bin\backupDaemon.exe [2009-11-20 58592]
    R2 Zwunzi Service;Zwunzi Service;c:\documents and settings\all users\application data\zwunzi\zwunzi141.exe [2010-2-6 58720]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]
    S2 AntiVirUpgradeService;Avira Upgrade Service; "c:\docume~1\admini~1\locals~1\temp\avsetup_4a01d5f8\basic\avupgsvc.exe" /tempstart:" "c:\docume~1\admini~1\locals~1\temp\avsetup_4a01d5f8\basic\setup.exe" /notempcleanup /crossupgrade" --> c:\docume~1\admini~1\locals~1\temp\avsetup_4a01d5f8\basic\avupgsvc.exe [?]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-11-23 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-11-23 8456]
    S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2009-11-22 16456]
    S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2009-11-22 11088]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; "c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]

    =============== Created Last 30 ================

    2010-02-06 08:44:56 0 d-----w- c:\docume~1\admini~1\applic~1\Free Mp3 Wma Ogg Converter
    2010-02-06 08:36:45 0 d-----w- c:\program files\Zwunzi
    2010-02-06 08:36:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Zwunzi
    2010-02-06 08:36:29 0 d-----w- c:\program files\Free Mp3 Wma Ogg Converter
    2010-02-06 07:59:59 24 ----a-w- c:\windows\system32\sysmwwod.dll
    2010-02-04 06:32:37 0 d-----w- c:\program files\CCleaner
    2010-01-15 06:43:07 0 d-----w- c:\windows\setup.pss
    2010-01-12 09:08:12 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
    2010-01-12 09:08:12 0 d-----w- c:\program files\Belarc
    2010-01-11 22:12:32 0 d-----w- C:\I386

    ==================== Find3M ====================

    2010-02-01 20:27:22 171552 ----a-w- c:\windows\system32\guard32.dll
    2010-02-01 20:27:20 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2010-01-29 06:07:41 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2010-01-13 23:34:19 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
    2010-01-06 22:15:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
    2010-01-06 22:15:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
    2009-12-23 21:49:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
    2009-12-23 21:49:04 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
    2009-12-23 21:48:06 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
    2009-12-23 21:48:05 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2009-12-21 22:09:06 1430808 ----a-w- c:\windows\system32\AutoPartNt.exe
    2009-12-19 10:31:39 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2005-06-20 17:31:32 456384 ----a-w- c:\windows\inf\wlg-1103\ar5211.sys
    2004-11-04 13:08:50 212992 ----a-w- c:\windows\inf\wlg-1103\CopyWHQLDriver.exe

    ============= FINISH: 15:37:18.21 ===============


    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/12/2008 4:47:17 PM
    System Uptime: 2/8/2010 11:52:36 AM (4 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | GA-K8NF-9 / K8NF-9-RH
    Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 2010/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 33 GiB total, 16.064 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    M: is FIXED (NTFS) - 434 GiB total, 129.24 GiB free.
    P: is FIXED (NTFS) - 144 GiB total, 68.993 GiB free.
    S: is FIXED (NTFS) - 74 GiB total, 5.839 GiB free.
    W: is FIXED (NTFS) - 15 GiB total, 12.109 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 108Mbps High Speed Wireless Network Adapter
    Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_2051168C&REV_01\4&13699180&0&3848
    Manufacturer: OEM
    Name: 108Mbps High Speed Wireless Network Adapter
    PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_2051168C&REV_01\4&13699180&0&3848
    Service: AR5211

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia 5130c-2
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 5130c-2
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    ==== System Restore Points ===================

    RP164: 1/11/2010 9:30:12 PM - Revo Uninstaller's restore point - Windows Internet Explorer 7
    RP165: 1/12/2010 3:01:19 AM - Software Distribution Service 3.0
    RP166: 1/13/2010 3:01:18 AM - Software Distribution Service 3.0
    RP167: 1/13/2010 6:27:42 PM - Software Distribution Service 3.0
    RP168: 1/14/2010 7:46:10 AM - Revo Uninstaller's restore point - Windows Defender
    RP169: 1/14/2010 7:48:00 AM - Removed Windows Defender
    RP170: 1/14/2010 9:10:03 AM - Installed Windows Internet Explorer 8.
    RP171: 1/15/2010 9:51:42 AM - System Checkpoint
    RP172: 1/16/2010 10:18:54 AM - Avira AntiVir Personal - 1/16/2010 10:18
    RP173: 1/18/2010 1:19:26 AM - System Checkpoint
    RP174: 1/19/2010 5:10:49 AM - System Checkpoint
    RP175: 1/20/2010 6:27:24 AM - System Checkpoint
    RP176: 1/21/2010 6:47:24 AM - System Checkpoint
    RP177: 1/22/2010 7:13:51 AM - System Checkpoint
    RP178: 1/23/2010 8:13:51 AM - System Checkpoint
    RP179: 1/24/2010 9:37:25 AM - System Checkpoint
    RP180: 1/25/2010 10:24:30 AM - System Checkpoint
    RP181: 1/26/2010 10:47:32 AM - System Checkpoint
    RP182: 1/27/2010 11:05:27 AM - System Checkpoint
    RP183: 1/28/2010 11:21:56 AM - System Checkpoint
    RP184: 1/29/2010 11:26:52 AM - System Checkpoint
    RP185: 1/30/2010 12:10:18 PM - System Checkpoint
    RP186: 1/31/2010 3:27:58 PM - System Checkpoint
    RP187: 2/2/2010 2:15:13 AM - System Checkpoint
    RP188: 2/3/2010 11:44:11 AM - System Checkpoint
    RP189: 2/3/2010 8:51:09 PM - Revo Uninstaller's restore point - Windows Internet Explorer 8
    RP190: 2/4/2010 8:54:47 PM - System Checkpoint
    RP191: 2/5/2010 11:39:49 PM - Installed Windows Media Format 9 Series Runtime Setup
    RP192: 2/6/2010 12:28:56 AM - Installed Windows Media Format 9 Series Runtime Setup
    RP193: 2/6/2010 12:37:54 AM - Revo Uninstaller's restore point - MP3 WAV WMA Converter
    RP194: 2/6/2010 12:43:40 AM - Revo Uninstaller's restore point - AVS Audio Converter version 5.1
    RP195: 2/7/2010 12:51:10 AM - System Checkpoint
    RP196: 2/8/2010 2:43:01 AM - System Checkpoint

    ==== Installed Programs ======================

    7-Zip 4.57
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9
    Adobe Shockwave Player 11
    Apple Software Update
    Athlon 64 Processor Driver
    Audacity 1.2.6
    Avira AntiVir Personal - Free Antivirus
    Belarc Advisor 8.1
    BroadJump Client Foundation
    Burn My Files
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Utilities CameraWindow
    Canon Utilities Digital Photo Professional 3.4
    Canon Utilities PhotoStitch
    Canon Utilities Picture Style Editor
    Canon Utilities WFT-E1/E2/E3 Utility
    Canon ZoomBrowser EX Memory Card Utility
    CCleaner
    Combined Community Codec Pack 2009-09-09
    COMODO Firewall Pro
    Compatibility Pack for the 2007 Office system
    Creative Audio Console
    Creative Jukebox Driver
    Creative MediaSource
    Creative NOMAD Jukebox Zen Xtra
    Duplicate Cleaner 1.4.3
    EASEUS Partition Master 4.1.1 Home Edition
    FLAC 1.2.1b (remove only)
    Free Mp3 Wma Ogg Converter 7.0.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    iTunes
    iTunes Alarm Clock 2.0
    IZArc 3.81
    Java(TM) 6 Update 17
    Java(TM) 6 Update 7
    KhalInstallWrapper
    Malwarebytes' Anti-Malware
    MetaProducts Download Express
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Bootvis
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft LifeCam
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Standard
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Move Media Player
    Mozilla Firefox (3.5.6)
    MSVC80_x86
    MSVC80_x86_v2
    Nero7 Ultra Edition
    Nokia Connectivity Cable Driver
    NVIDIA Drivers
    Ocster Backup Free 1.21
    PC Connectivity Solution
    PhotoDVD 3.0.9.6
    Picasa 3
    Plugin version 2.0
    QuickTime
    Realtek AC'97 Audio
    Revo Uninstaller 1.85
    Seagate*DiscWizard
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Skypeâ„¢ 4.1
    Spybot - Search & Destroy
    SpywareBlaster 4.2
    SUPERAntiSpyware Free Edition
    TRENDnet TEW-441PC/TEW-443PI 802.11g Wireless Cardbus/PCI Adapter Driver and Utility
    Tweak UI
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VoiceText (tm)
    Vuze
    WAV MP3 Converter 3.8 build 968
    WebFldrs XP
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer 3.1 (KB893803)
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Search 4.0
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinFast(R) Display Driver
    WinRAR archiver
    WinZip Self-Extractor
    Zwunzi 1.0 build 141

    ==== Event Viewer Messages From Past Week ========

    2/4/2010 12:09:18 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    2/1/2010 10:43:09 PM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    2/1/2010 10:43:09 PM, error: Service Control Manager [7000] - The Avira Upgrade Service service failed to start due to the following error: The system cannot find the path specified.
    2/1/2010 10:41:41 PM, error: Service Control Manager [7034] - The WMDM PMSP Service service terminated unexpectedly. It has done this 1 time(s).
    2/1/2010 10:41:41 PM, error: Service Control Manager [7034] - The MSCamSvc service terminated unexpectedly. It has done this 1 time(s).
    2/1/2010 10:41:41 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    2/1/2010 10:41:41 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
    2/1/2010 10:41:41 PM, error: Service Control Manager [7034] - The Atheros Configuration Service service terminated unexpectedly. It has done this 1 time(s).
    2/1/2010 10:41:41 PM, error: Service Control Manager [7034] - The Acronis Scheduler2 Service service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================
     
    chas berlin,
    #4
  6. 2010/02/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #5
  7. 2010/02/08
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Broni, I feel stupid. I hadn't run MalwareBytes since zwunzi showed up. Virus scanner missed it. :eek:

    Will run GMER after restart.


    Malwarebytes' Anti-Malware 1.44
    Database version: 3711
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    2/8/2010 7:19:48 PM
    mbam-log-2010-02-08 (19-19-48).txt

    Scan type: Quick Scan
    Objects scanned: 127516
    Time elapsed: 4 minute(s), 44 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 4

    Memory Processes Infected:
    C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi141.exe (Adware.Agent) -> Unloaded process successfully.
    C:\Program Files\Zwunzi\zwunzi.exe (Adware.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\Program Files\Zwunzi\zwunzi.dll (Adware.Zwunzi) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zwunzi (Adware.Zwunzi) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi (Adware.Zwunzi) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\zwunzi service (Adware.Zwunzi) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\Zwunzi (Adware.Zwunzi) -> Quarantined and deleted successfully.
    C:\Program Files\Zwunzi (Adware.Zwunzi) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi141.exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Zwunzi\zwunzi.exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Zwunzi\uninstall.exe (Adware.Zwunzi) -> Quarantined and deleted successfully.
    C:\Program Files\Zwunzi\zwunzi.dll (Adware.Zwunzi) -> Quarantined and deleted successfully.
     
    chas berlin,
    #6
  8. 2010/02/08
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-02-08 20:41:37
    Windows 5.1.2600 Service Pack 2
    Running: qv6zbr39.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugrdqpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB0BD6BDA]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB0BD61B8]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB0BD6840]
    SSDT BAF42676 ZwCreateKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xB0BD609A]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB0BD806A]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB0BD8302]
    SSDT BAF4266C ZwCreateThread
    SSDT BAF4267B ZwDeleteKey
    SSDT BAF42685 ZwDeleteValueKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB0BD5A92]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB0BD7CEC]
    SSDT BAF4268A ZwLoadKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB0BD643C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB0BD6A1C]
    SSDT BAF42658 ZwOpenProcess
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB0BD66CC]
    SSDT BAF4265D ZwOpenThread
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB0BD7720]
    SSDT BAF42694 ZwReplaceKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xB0BD8648]
    SSDT BAF4268F ZwRestoreKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xB0BD7A88]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xB0BD6DC0]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB0BD7E9A]
    SSDT BAF42680 ZwSetValueKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB0BD63D6]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB0BD65C0]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB0AB90B0]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB0BD5E32]

    ---- Kernel code sections - GMER 1.0.15 ----

    ? mfegh.sys The system cannot find the file specified. !

    ---- EOF - GMER 1.0.15 ----
     
    chas berlin,
    #7
  9. 2010/02/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I still need HJT log.
     
    broni,
    #8
    chas berlin likes this.
  10. 2010/02/08
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Sorry Broni, been juggling.
    It's coming right up.
     
    chas berlin,
    #9
  11. 2010/02/08
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:30:37 PM, on 2/8/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)" - "file:///S:/Azureus%20Downloads/Essentials%20of%20Interactive%20Physiology%20CD%20(9th%20Edition)/files/systems/media.html?fluids/bodfluid/13 "
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232051400706
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE03ECD5-7F5E-4951-9473-40F69AD18F62}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CS4\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CS5\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: c:\windows\system32\guard32.dll C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AVSETUP_4a01d5f8\basic\avupgsvc.exe (file missing)
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: Ocster Backup Service (ocsterBackupDaemon) - Unknown owner - c:\Program Files\Ocster Backup\bin\backupDaemon.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8054 bytes
     
    chas berlin,
    #10
  12. 2010/02/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
    broni,
    #11
  13. 2010/02/09
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Broni, should the Kaspesky scan take this long? I started it almost an hour ago, and it's not to the point where I hit settings yet.
     
    chas berlin,
    #12
  14. 2010/02/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Stop it.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
    broni,
    #13
  15. 2010/02/09
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Kaspersky is ready to scan the computer. Which one you want me to use?
     
    chas berlin,
    #14
  16. 2010/02/09
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Started ESET, but wasn't asked to allow the ActiveX. It's now downliading database.
     
    chas berlin,
    #15
  17. 2010/02/09
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=e55c9fbc7b24f64b83f2033b057d4add
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-02-09 08:51:30
    # local_time=2010-02-09 12:51:30 (-0800, Pacific Standard Time)
    # country= "United States "
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 100 0 42024490 0 0
    # compatibility_mode=3073 16777213 80 100 38781 35735682 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=112176
    # found=0
    # cleaned=0
    # scan_time=3055
     
    chas berlin,
    #16
  18. 2010/02/09
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:05:04 AM, on 2/9/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Vuze\Azureus.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)" - "file:///S:/Azureus%20Downloads/Essentials%20of%20Interactive%20Physiology%20CD%20(9th%20Edition)/files/systems/media.html?fluids/bodfluid/13 "
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232051400706
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE03ECD5-7F5E-4951-9473-40F69AD18F62}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CS4\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CS5\Services\Tcpip\..\{0AC63FC9-2CD2-490E-BF41-FF1BC08EB0BB}: NameServer = 68.94.156.1,68.94.157.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: c:\windows\system32\guard32.dll C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AVSETUP_4a01d5f8\basic\avupgsvc.exe (file missing)
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: Ocster Backup Service (ocsterBackupDaemon) - Unknown owner - c:\Program Files\Ocster Backup\bin\backupDaemon.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8210 bytes
     
    chas berlin,
    #17
  19. 2010/02/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    ===============================================================

    Print this post out, since you won't have an access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [unless you have paid version]
    - O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)" - "file:///S:/Azureus%20Downloads/Essentials%20of%20Interactive%20Physiology%20CD%20(9th%20Edition)/files/systems/media.html?fluids/bodfluid/13 "
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [unless you have paid version]


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
    broni,
    #18
  20. 2010/02/09
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Broni, Avira ran last night and found these objects: A0035048.exe / A0035049.exe / A0035051.exe and A0035051.dll AND these detections: TR/Trash.Gen (3 of these assoc w/ the 3 .exe files and TR/DropSoftomat.An assoc w/ the .dll file

    When Attempting to delete Java 6 update 12 (though Add/Remove) Comodo gave message: MSIA22.ttmp trying to access smss.exe in memory AND MSIA22.tmp trying to access System in memory AND MSIA22.tmp trying to access csrss.exe ini memory
    (Java 6 update 17 is also on the system)

    I stopped and that's on the screen now.
    What should I do?
     
    chas berlin,
    #19
  21. 2010/02/09
    chas berlin

    chas berlin Inactive Thread Starter

    Joined:
    2008/06/03
    Messages:
    1,578
    Likes Received:
    2
    Another Comodo messsage: MSIA22.tmp tying to access winlogon.exe in memory. and then MSIA22 trying to access services.exe in memory.
    And now trying to access svchost.exe (there was another, but I missed the name).
     
    Last edited: 2010/02/09
    chas berlin,
    #20
Page 1 of 3

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...