Royal Canadian Mounted Police Ukash Virus

Started by wilko, May 24, 2012, 08:29:03 PM


wilko

Hello Corrine,

ComboFix.txt log pasted below...

Notes:
Note that there is still 1 Trusted Site (adp.ca) which has to stay that way. It is a payroll site that needs to be "trusted" for its apps to work properly.

==========
ComboFix.txt
==========
ComboFix 12-05-29.01 - Joanne 05/29/2012  21:03:29.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3710.3115 [GMT -4:00]
Running from: c:\documents and settings\Joanne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joanne\Desktop\CFScript.txt
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Joanne\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Joanne\Local Settings\Temp\IadHide5.dll
c:\program files\adobe\acrobat 7.0
c:\program files\adobe\acrobat 7.0\Resource\Cmap\AdobeFnt09.lst
c:\program files\adobe\acrobat 7.0\Resource\Font\AdobeFnt09.lst
c:\program files\adobe\acrobat 7.0\Resource\Font\Pfm\AdobeFnt09.lst
.
.
(((((((((((((((((((((((((   Files Created from 2012-04-28 to 2012-05-30  )))))))))))))))))))))))))))))))
.
.
2012-05-28 17:15 . 2012-05-28 17:15   --------   d-----w-   c:\program files\ESET
2012-05-25 21:38 . 2012-05-25 21:38   --------   d-----w-   c:\documents and settings\Joanne\Application Data\Malwarebytes
2012-05-25 21:38 . 2012-05-25 21:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-25 21:38 . 2012-05-25 21:38   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-05-25 21:38 . 2012-04-04 19:56   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-05-25 07:37 . 2012-05-25 19:10   --------   d-----w-   c:\windows\Microsoft Antimalware
2012-05-01 20:40 . 2012-05-01 20:40   --------   d-----w-   C:\TDSSKiller_Quarantine
2012-05-01 15:25 . 2012-05-01 15:25   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Softland
2012-05-01 15:10 . 2012-05-01 15:10   --------   d-----w-   c:\windows\MATS
2012-05-01 15:10 . 2012-05-01 15:10   --------   d-----w-   c:\program files\Microsoft Fix it Center
2012-05-01 14:13 . 2008-04-13 23:12   116224   -c--a-w-   c:\windows\system32\dllcache\xrxwiadr.dll
2012-05-01 14:13 . 2001-08-18 02:36   23040   -c--a-w-   c:\windows\system32\dllcache\xrxwbtmp.dll
2012-05-01 14:13 . 2008-04-13 23:12   18944   -c--a-w-   c:\windows\system32\dllcache\xrxscnui.dll
2012-05-01 14:13 . 2001-08-18 02:37   4608   -c--a-w-   c:\windows\system32\dllcache\xrxflnch.exe
2012-05-01 14:13 . 2001-08-18 02:37   27648   -c--a-w-   c:\windows\system32\dllcache\xrxftplt.exe
2012-05-01 14:13 . 2001-08-18 02:37   99865   -c--a-w-   c:\windows\system32\dllcache\xlog.exe
2012-05-01 14:13 . 2001-08-17 16:11   16970   -c--a-w-   c:\windows\system32\dllcache\xem336n5.sys
2012-05-01 14:13 . 2004-08-04 01:29   19455   -c--a-w-   c:\windows\system32\dllcache\wvchntxx.sys
2012-05-01 14:13 . 2008-04-13 17:46   19200   -c--a-w-   c:\windows\system32\dllcache\wstcodec.sys
2012-05-01 14:13 . 2004-08-04 01:29   12063   -c--a-w-   c:\windows\system32\dllcache\wsiintxx.sys
2012-05-01 14:13 . 2008-04-13 23:12   8192   -c--a-w-   c:\windows\system32\dllcache\wshirda.dll
2012-05-01 14:11 . 2001-08-17 17:28   604253   -c--a-w-   c:\windows\system32\dllcache\vmodem.sys
2012-05-01 14:10 . 2001-08-17 16:51   166784   -c--a-w-   c:\windows\system32\dllcache\tridxpm.sys
2012-05-01 14:09 . 2001-08-18 02:36   10240   -c--a-w-   c:\windows\system32\dllcache\swpidflt.dll
2012-05-01 14:08 . 2008-04-13 17:36   6912   -c--a-w-   c:\windows\system32\dllcache\smbclass.sys
2012-05-01 14:07 . 2001-08-18 02:36   62496   -c--a-w-   c:\windows\system32\dllcache\s3mtrio.dll
2012-05-01 14:06 . 2001-08-18 02:36   35328   -c--a-w-   c:\windows\system32\dllcache\psisload.dll
2012-05-01 14:05 . 2001-08-17 16:50   198144   -c--a-w-   c:\windows\system32\dllcache\nv3.sys
2012-05-01 14:04 . 2001-08-17 17:48   12416   -c--a-w-   c:\windows\system32\dllcache\msriffwv.sys
2012-05-01 14:03 . 2001-08-18 02:36   58880   -c--a-w-   c:\windows\system32\dllcache\m3092dc.dll
2012-05-01 14:02 . 2001-08-17 17:49   26624   -c--a-w-   c:\windows\system32\dllcache\irstusb.sys
2012-05-01 14:01 . 2001-08-17 18:56   353184   -c--a-w-   c:\windows\system32\dllcache\i740dnt5.dll
2012-05-01 14:00 . 2001-08-17 16:15   442240   -c--a-w-   c:\windows\system32\dllcache\fpnpbase.sys
2012-05-01 13:59 . 2001-08-17 16:12   50719   -c--a-w-   c:\windows\system32\dllcache\e1000nt5.sys
2012-05-01 13:58 . 2001-08-18 02:36   27648   -c--a-w-   c:\windows\system32\dllcache\cyzports.dll
2012-05-01 13:57 . 2008-04-13 23:11   121856   -c--a-w-   c:\windows\system32\dllcache\camext30.dll
2012-05-01 13:56 . 2001-08-17 17:12   3968   -c--a-w-   c:\windows\system32\dllcache\brfiltup.sys
2012-05-01 13:55 . 2001-08-17 18:07   55168   -c--a-w-   c:\windows\system32\dllcache\aic78u2.sys
2012-05-01 13:54 . 2001-08-17 18:56   66048   -c--a-w-   c:\windows\system32\dllcache\s3legacy.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 19:16 . 2012-04-15 19:41   419488   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-05-05 19:16 . 2011-05-15 15:55   70304   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-01 20:42 . 2006-02-28 12:00   187776   ----a-w-   c:\windows\system32\drivers\acpi.sys
2012-04-11 13:14 . 2008-01-02 16:14   2148352   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2008-01-02 16:14   1862272   ----a-w-   c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2007-02-28 04:16   2026496   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-03-01 11:01 . 2006-02-28 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2011-10-11 32768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-16 1325936]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-16 904840]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-16 136544]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2008-09-19 87336]
"Netgear UDS Control Center"="c:\program files\NETGEAR\USB Control Center\Control Center.exe" [2011-06-28 21124096]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Joint\Start Menu\Programs\Startup\
SpeedPlexer.lnk - c:\program files\SpeedPlexer\SpeedPlexer.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2011-10-10 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-10-10 805392]
ZoneAlarm Security.lnk - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42   72208   ----a-w-   c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\57xxSteelVine]
2008-01-22 15:28   1761280   ----a-w-   c:\program files\Silicon Image\57xx SteelVine\SteelVineManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 09:09   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyGarminAgent]
2010-03-16 13:36   337256   ----a-w-   c:\program files\Garmin\MyGarminAgent\myGarminAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-10-20 02:06   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayStatus]
2010-09-15 19:43   191208   ----a-w-   c:\program files\TrayStatus\TrayStatus.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"57xx SteelVine Manager"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
"ACDaemon"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NETGEAR\\USB Control Center\\Control Center.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7423:UDP"= 7423:UDP:NETGEAR USB Control Center UDP Port
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [10/14/2010 6:08 PM 11352]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/6/2010 3:19 AM 169408]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [5/6/2011 12:58 PM 1085440]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 10:44 AM 27016]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 10:44 AM 497280]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/10/2011 10:30 PM 3712]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [11/2/2011 9:24 AM 68896]
R2 QuickPDFTCPService0719;Quick PDF Tools Background Service;c:\program files\Quick PDF Tools\QuickPDFTCP0719.exe [4/27/2010 3:07 PM 1899008]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [12/17/2008 8:49 PM 16680]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [11/3/2011 10:44 AM 36744]
R3 NetgearUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\NetgearUDSMBus.sys [6/16/2011 3:36 PM 86912]
R3 NetgearUDSTcpBus;NetgearUDSTcpBus;c:\windows\system32\drivers\NetgearUDSTcpBus.sys [6/16/2011 3:35 PM 139648]
S0 SI3132B;SI3132B;c:\windows\system32\drivers\SI3132B.sys [1/2/2008 10:19 AM 67200]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 10:07 PM 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/15/2012 3:41 PM 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 10:07 PM 133104]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [3/6/2012 2:56 AM 137600]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [2/28/2006 8:00 AM 14336]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;c:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [6/23/2011 3:25 PM 157544]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [7/8/2010 7:09 AM 606056]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [5/16/2011 4:31 PM 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [5/16/2011 4:31 PM 60544]
S4 57xx SteelVine Manager;57xx SteelVine;c:\program files\Silicon Image\57xx SteelVine\SteelVine.exe [1/22/2008 11:28 AM 1310720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 19:16]
.
2012-05-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-OFFICE01-Joanne.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 06:25]
.
2012-05-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-OFFICE01-Willie.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 06:25]
.
2012-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-05-30 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-05-29 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-05-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-10-20 15:21]
.
2012-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 02:07]
.
2012-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 02:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: adp.ca
TCP: DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {A7C49732-4761-4A66-9945-BAF55E98E0E4} - hxxp://veatl.verint.com/cockpit/webclient/JDsAxV.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-29 21:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'lsass.exe'(900)
c:\windows\system32\relog_ap.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'explorer.exe'(388)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\docume~1\Joanne\LOCALS~1\Temp\IadHide5.dll
c:\progra~1\CheckPoint\ZoneAlarm\MailFrontier\mlfhook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(812)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\progra~1\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
.
**************************************************************************
.
Completion time: 2012-05-29  21:32:48 - machine was rebooted
ComboFix-quarantined-files.txt  2012-05-30 01:32
ComboFix2.txt  2012-05-26 03:10
.
Pre-Run: 272,330,825,728 bytes free
Post-Run: 272,357,339,136 bytes free
.
- - End Of File - - 97B7CF92287130B1CADBEEEE78CC0F82

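The sections of the log above that a responder reads first are the "Reg Loading Points" and Startup-folder listings: a target reported as [N/A] means the file is gone (the ZoneAlarm Security.lnk entry above), a target under a user's Temp directory is the same kind of location ComboFix deleted IadHide5.dll from, and a bare file name such as KHALMNPR.EXE is resolved through the search path rather than a fixed directory. The Python script below is an added example, not part of this thread and not ComboFix's own code; it parses those sections in ComboFix's format and flags the three cases. SAMPLE_LOG is constructed from real lines in the posted log plus one invented entry, SampleLoader, that runs from Temp.

```python
"""Triage helper for the autostart sections of a ComboFix-style log.

Added example for this thread; it is not ComboFix code and not something
the thread's participants wrote. It reads the "Reg Loading Points" block
(registry Run keys and Startup-folder shortcuts) and flags entries that a
responder looks at first. SAMPLE_LOG below is constructed in the same
format as the log posted above; the SampleLoader entry is invented.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample. Real entries from the posted log are mixed with one
# invented entry ("SampleLoader") that runs from the user's Temp folder.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2011-10-11 32768]
"SampleLoader"="c:\docume~1\Joanne\LOCALS~1\Temp\sample_loader.exe" [2012-05-20 24576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ZoneAlarm Security.lnk - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe [N/A]
"""


@dataclass
class AutostartEntry:
    location: str   # registry key or Startup folder that holds the entry
    name: str       # value name, or shortcut file name
    target: str     # path the entry points at, as ComboFix printed it
    meta: str       # bracketed annotation: "date size", or "N/A" if missing


@dataclass
class Finding:
    entry: AutostartEntry
    reason: str


_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\](?P<rest>.*)$')
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
_LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<target>.+?) \[(?P<meta>[^\]]*)\]$')


def parse_autostarts(log_text: str) -> List[AutostartEntry]:
    """Return the Run-key values and Startup shortcuts listed in log_text."""
    entries: List[AutostartEntry] = []
    location = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                       # ComboFix uses "." as a spacer
        key = _KEY_RE.match(line)
        if key:
            location = key.group("key")
            # The value may be fused onto the key line (as with the
            # HKEY_USERS\.DEFAULT line in the posted log); keep parsing it.
            line = key.group("rest").strip()
            if not line:
                continue
        elif line.endswith("\\"):          # a Startup-folder header
            location = line
            continue
        m = _VALUE_RE.match(line) or _LNK_RE.match(line)
        if m:
            entries.append(AutostartEntry(location, m.group("name"),
                                          m.group("target"), m.group("meta")))
    return entries


def triage(entries: List[AutostartEntry]) -> List[Finding]:
    """Flag entries worth a closer look; everything else is left alone."""
    findings: List[Finding] = []
    for e in entries:
        target = e.target.lower()
        if e.meta.strip().upper() == "N/A":
            findings.append(Finding(e, "target file not found (stale shortcut or already removed)"))
        if "\\temp\\" in target:
            findings.append(Finding(e, "runs from a Temp directory"))
        if "\\" not in e.target:
            findings.append(Finding(e, "unqualified file name, resolved through the search path"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_autostarts(SAMPLE_LOG)):
        print(f"{f.reason}: {f.entry.name} -> {f.entry.target} ({f.entry.location})")
```

Run it against the saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the flags are prompts for a closer look, not verdicts, which is why a legitimate entry such as the Logitech KHALMNPR.EXE line is reported alongside the invented Temp loader.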

Corrine

Hi, wilko.

Quote: Note that there is still 1 Trusted Site (adp.ca) which has to stay that way. It is a payroll site that needs to be "trusted" for its apps to work properly.

That was why I left the decision to you.  :)

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


Having a firewall, anti-virus and anti-malware software is not enough.  You also need to stay current with security updates.  If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now.  For additional information, see my blog post Understanding Microsoft Updates.

To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector or, alternatively, visit http://secunia.com/software_inspector/.  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software:   http://www.brightfort.com/sbdownload_setup.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html.  If you have questions about WinPatrol, we have a forum here at LzD:  WinPatrol Help & Information.

Please let me know if you have any questions.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

wilko

Hello Corrine,

First, thank you for your help. I will definitely make a ComboFix contribution. Does LandzDown Forum also accept contributions? If so, please let me know how.

Given the fact that ZA has let through 2 major infections in the last few months, I will be replacing it with Norton Internet Security 2012 on my wife's computer.  I chose Norton after reviewing trade mag test results and Passmark benchmark re protection performance and CPU overhead. My wife needs something as hands-off as possible otherwise I get a call every time a pop-up appears...

Do you also recommend I install SpywareBlaster on top of Norton? Does it do more/better than Norton? How resource hungry is it (the PC is a 3.2GHz P4 so I don't want to slow it down too much)?

I am still puzzled by the hard reboot event when I run DDS.SCR on the XP_PRO-SP3 machines. I tried running it on a laptop with the same XP version (same install disk) as Joanne's desktop. I get the same reboot behavior when I disable ZA or click "allow" when ZA prompts me about MBR.DAT trying to take control of the OS. As you suggested, that does smell like some kind of interaction between DDS and ZA. Perhaps ZA has some processes running in the background even when disabled that interact with the DDS scan and cause the reboot. On the other hand, DDS is supposed to be a scan-only tool so how does MBR.DAT pop up and try to install drivers??? Have you heard about or seen this type of interaction? I'm tempted to uninstall ZA completely on the laptop and try DDS again to see if the hard reboot still happens. Not that I have time to kill but my engineering background makes this an itch I can't help but scratch ;o)

I took a look at WinPatrol and it looks more like a set of utilities rather than an AV/AM. Are you suggesting I install it in addition to my selected AV/AM solution? There also seem to be issues with XP_PRO.

Thanks again Corrine for your help and patience.

Corrine

Hi, wilko.

You are most welcome!  I'm sure the developer of ComboFix will appreciate a donation.  As to LandzDown Forum, no we don't accept contributions.  Instead, we suggest that people donate to the developers of the free tools that we use, as you indicated you are, or treat themselves to a licensed version of Malwarebytes, WinPatrol, or similar security tool.

Checkpoint hasn't been in the antivirus business for very long.  To quote a comment that a fellow MVP made in a topic at another site today:

Quote: Zone Alarm - we see too many issues with this, and they're not always real easy to diagnose.

Since aswMBR didn't find any issues, I think it was Zone Alarm being persnickety and causing problems with DDS.   If you have problems removing Zone Alarm, this Zone Alarm KB topic may be useful:  I cannot find or run the ZoneAlarm uninstall program (XP/2000).  Another option is OPSWAT AppRemover.

With regard to SpywareBlaster, it merely runs in the background.  Although from 2004, this tutorial at Bleeping Computer illustrates installation and updating of the program:  Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware.  I've used SpywareBlaster on every computer I've had since Windows 95!  You will need to check periodically for updates -- generally every month or so.

Yes, you are correct.  WinPatrol is more of a system monitor, which is my favorite aspect of the program.  Even on Windows Vista and Windows 7 with UAC, that doesn't tell me if a program adds itself to start-up, even though I did a custom install and unchecked that option.  WinPatrol alerts me and provides the option of blocking or allowing it.  It has a HOSTS file monitor, can be used to remove browser hijacks, control ActiveX and more.

