win32.zafi.b


win32.zafi.b

Post by genamarie on Fri Jan 09, 2009 7:49 am

My mom's computer got this and I can't get rid of it. PLEASE HELP. Here is my logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:02 AM, on 1/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\bak\iaanotif.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\EHOME\bak\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\I386\tfswctrl.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVW32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [vinclock] "C:\Documents and Settings\Marita Moore\Application Data\Google\ocboo1892823.exe" 2
O4 - HKLM\..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\bak\iaanotif.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\EHOME\bak\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
O4 - HKLM\..\Run: [dla] C:\I386\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] C:\Program Files\Dell Photo AIO Printer 942\bak\dlbubmgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 4.0\bak\apdproxy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.75.0\Weather.exe" -auto

genamarie
Novice
Posts: 12
Joined: 2009-01-09
OS: dell
Points: 28870
Likes: 0

win32.zafi.b

Post by genamarie on Fri Jan 09, 2009 7:51 am

O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOlDial.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - [You must be registered and logged in to see this link.]
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: StarOpen - Sonic Solutions - (no file)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 17954 bytes


Re: win32.zafi.b

Post by Belahzur on Fri Jan 09, 2009 5:06 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [vinclock] "C:\Documents and Settings\Marita Moore\Application Data\Google\ocboo1892823.exe" 2
    O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.75.0\Weather.exe" -auto
    O15 - Trusted Zone: *.whataboutadog.com
    O23 - Service: StarOpen - Sonic Solutions - (no file)

  • Press "Fix Checked"
  • Close HijackThis.

Delete this folder in bold:
C:\Program Files\MyWaySA


  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please PM me if I fail to respond within 24hrs.
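The entries picked out above share a few recognisable traits: dead registrations that point to "(no file)", paths under known adware product folders (MyWaySA, Zango), an autostart executable with a random-looking name living in a user profile rather than Program Files, and a wildcard domain in the Trusted Zone. The script below is an added example (not HijackThis's logic or the helper's own tooling) that parses HijackThis-style lines and applies those heuristics; the sample lines are copied from the log in this thread, and the marker lists and path regexes are assumptions chosen for illustration.

```python
"""Triage helper for HijackThis-style log lines (added example).

The heuristics are assumptions modelled on the entries the helper selected
in this thread; they are not HijackThis's own classification rules.
"""
import re

# Sections where a "(no file)" entry is a dead registration pointing nowhere.
DEAD_ENTRY_SECTIONS = {"O2", "O3", "O23"}

# Adware product folders seen in this thread (assumption: illustrative list).
ADWARE_MARKERS = ("myway", "zango")

# Folders that are normal homes for autostart executables.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows", r"c:\progra~1")

LINE_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")
PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll|lnk))"?', re.IGNORECASE)


def parse_line(line):
    """Split a HijackThis line into section code, body, file path and a
    (no file) flag; returns None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    return {
        "code": m.group("code"),
        "body": body,
        "path": pm.group(1).lower() if pm else None,
        "no_file": "(no file)" in body,
    }


def assess(line):
    """Return the reasons this entry deserves attention (empty = benign)."""
    entry = parse_line(line)
    if entry is None:
        return []
    reasons = []
    code, body, path = entry["code"], entry["body"], entry["path"]
    if entry["no_file"] and code in DEAD_ENTRY_SECTIONS:
        reasons.append("dead registration (no file on disk)")
    if path and any(marker in path for marker in ADWARE_MARKERS):
        reasons.append("path belongs to a known adware product")
    if code == "O4" and path:
        # An autostart living in a user profile folder rather than a program
        # folder is a classic persistence pattern (vinclock / ocboo1892823.exe).
        if not path.startswith(TRUSTED_ROOTS):
            reasons.append("autostart outside standard program folders")
        name = path.rsplit("\\", 1)[-1]
        if re.search(r"[a-z]+\d{5,}\.exe$", name):
            reasons.append("random-looking executable name")
    if code == "O15" and "*." in body:
        # A wildcard Trusted Zone entry relaxes IE security for a whole domain.
        reasons.append("wildcard domain added to Trusted Zone")
    return reasons


def triage(log_lines):
    """Map each suspicious line to its reasons; benign lines are omitted."""
    result = {}
    for line in log_lines:
        reasons = assess(line)
        if reasons:
            result[line] = reasons
    return result


# Constructed sample: a subset of lines from the log posted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll",
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r"O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [vinclock] "C:\Documents and Settings\Marita Moore\Application Data\Google\ocboo1892823.exe" 2',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.75.0\Weather.exe" -auto',
    r"O15 - Trusted Zone: *.whataboutadog.com",
    r"O23 - Service: StarOpen - Sonic Solutions - (no file)",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line[:60] + "...", "->", "; ".join(reasons))
```

Run against the full log, this flags exactly the nine kinds of entries the helper listed while leaving the Symantec, Java and HP entries alone; it is a triage aid, not a substitute for checking each hit.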


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245059
Likes: 1

win32.zafi.b

Post by genamarie on Fri Jan 09, 2009 8:38 pm

ComboFix 09-01-08.05 - Gena Lincecum 2009-01-09 14:20:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.368 [GMT -6:00]
Running from: c:\documents and settings\Gena Lincecum\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Gena Lincecum\Application Data\WeatherDPA
c:\documents and settings\Gena Lincecum\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\Gena Lincecum\Application Data\Zango
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\1.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\1126079.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\1252495.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\221540.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\2698688.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\2811593.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\3240891.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\3398086.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\3854426.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\3893227.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\3893642.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\486061.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\600583.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\640557.sdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\domains.txt
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1000067645
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1000068115
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\10674
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\10928
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\11213
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\126694
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1317
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\13546
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\14207
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\14575
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15024
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15596
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\16204
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\164251
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\166055
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\17040
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\17362
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\18906
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\19052
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\19616
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1973


w

Post by genamarie on Fri Jan 09, 2009 8:39 pm

c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\202699
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\20478
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\20517
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\20898
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\22254
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\225064
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\228229
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\26340
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\265045
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\28383
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\28812
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\29115
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\29283
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\304155
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\308719
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32242
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32541
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34174
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34374
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34706
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35015
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35047
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\351786
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\36079
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\3611
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\372500
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\378860
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\38456
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\38465
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\38492
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\391432
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\41215
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\42479
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\42506
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43120
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43719
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43979
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44878
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\460342
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\476910
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\477253
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\4974
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\50887
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51194
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51666
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52335
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\532492
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\53842
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\5508
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\56644
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\569262
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\57137
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\578458
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\58804
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59844
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6292
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\636465
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\637848
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64451
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6556
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6559
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6561


win32.zafi.b

Post by genamarie on Fri Jan 09, 2009 8:39 pm

c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65770
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\66836
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67226
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67466
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67491
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68076
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68942
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\70086
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\713199
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\72748
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\73282
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\73723
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\737665
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\74326
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744370
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744807
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744963
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745019
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745136
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745137
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745146
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745263
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\746328
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\746718
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\74777
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\751223
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753250
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753366
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753461
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\78600
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79246
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79257
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79432
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79819
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80657
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80663
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80670
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\82511
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83282
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83329
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83706
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\85547
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\86470
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\87410
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\87439
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\87995
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\90835
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\91986
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93921
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95598
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95926
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\9775
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\98183
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\dynamic\ustat\3786.dat
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\avatar.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\btntrans.idx
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\btntrans1.dat
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\buttondir.txt
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\components.cdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\cursors.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_1000.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_2000.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_3000.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bar.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bbar1.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_logos.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_other.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\d_icons_weather.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\default.cdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_511745-514279.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-ca.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-us.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_categorize.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_comparison.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-Mails.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-people.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_favorites.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_Games.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_Hide.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_hotbarcom.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_Hotmail.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_hsskin.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_jemster.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_jemsterie.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_jemsteruk.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_jobsearch.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_Mails.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_MobileSidewalk.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_new.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_premium.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_reun.mnu


win32.zafi.b

Post by genamarie on Fri Jan 09, 2009 8:40 pm

c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_ringtones.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_SearchBoxTrapper.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_searchfor.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_searchgo.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_weather.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Default_yellowpages.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\editblbuttons.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-548964.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-9595.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\email-t1-bg.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\icons2.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\ie_games_icon.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\ie_video.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\keywords.idx
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\keywords1.dat
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\layout.cdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\linkpathlegal.txt
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\progress.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\s_icons_buttons.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\sales_buttons.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\sdfmodifier.xml
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\t2_bg.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\theweb.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\top7.cdf
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\Top7_theweb.mnu
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\tsd_bg.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\zango_btn.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\1\zango_ie_menu.res
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
c:\documents and settings\Gena Lincecum\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
c:\program files\WinBudget
c:\program files\WinBudget\bin\matrix.dat
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\AutoRun.inf


win32.zafi.b

Post by genamarie on Fri Jan 09, 2009 8:41 pm

.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-09 01:36 . 2009-01-09 01:36 d-------- c:\program files\Trend Micro
2009-01-09 00:33 . 2009-01-09 00:50 d-------- c:\documents and settings\Gena Lincecum\.housecall6.6
2009-01-07 22:59 . 2009-01-07 23:14 664 --a------ c:\windows\SYSTEM32\d3d9caps.dat
2008-12-18 10:41 . 2008-12-18 10:41 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-11 22:20 . 2008-12-11 22:20 d-------- c:\program files\Common Files\Adobe AIR
2008-12-11 22:08 . 2008-12-11 22:08 d-------- c:\program files\NOS
2008-12-11 22:08 . 2008-12-13 19:51 d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 23:16 5,012 ----a-w c:\documents and settings\Gena Lincecum\Application Data\wklnhst.dat
2009-01-07 23:10 --------- d-----w c:\program files\MySpace
2009-01-07 23:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-07 23:09 --------- d-----w c:\program files\Logitech
2009-01-07 23:08 --------- d-----w c:\program files\Common Files\Logitech
2009-01-07 22:08 --------- d-----w c:\program files\LimeWire
2009-01-06 01:55 --------- d-----w c:\program files\Norton SystemWorks
2008-12-18 16:41 --------- d-----w c:\program files\Java
2008-12-17 03:49 --------- d-----w c:\documents and settings\Steve Moore\Application Data\HPAppData
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-12 04:20 --------- d-----w c:\program files\Common Files\Adobe
2008-12-11 00:53 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-22 23:49 0 ---ha-w c:\documents and settings\Default User\hpothb07.dat
2008-10-24 11:10 453,632 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2007-11-09 00:58 338 ---ha-w c:\documents and settings\Gena Lincecum\hpothb07.dat
2007-04-28 05:25 0 ---ha-w c:\documents and settings\Steve Moore\hpothb07.dat
2006-10-29 00:36 0 ----a-w c:\documents and settings\Steve Moore\Application Data\wklnhst.dat
2006-05-03 07:34 0 ---ha-w c:\documents and settings\Guest\hpothb07.dat
2006-03-16 07:46 399 ---ha-w c:\documents and settings\Gena Lincecum\Application Data\hpothb07.dat
2005-08-09 02:49 0 ---ha-w c:\documents and settings\LocalService\hpothb07.dat
2005-07-27 06:07 0 ---ha-w c:\documents and settings\NetworkService\hpothb07.dat
2005-07-20 02:24 164 ---ha-w c:\documents and settings\All Users\hpothb07.dat
.


win32.zafi.b

Post by genamarie on Fri Jan 09, 2009 8:42 pm

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-09-09 06:18:10 c:\program files\Adobe\Photoshop Elements 4.0\bak\apdproxy.exe

----a-w 1,388,544 2004-06-30 19:33:04 c:\program files\Analog Devices\SoundMAX\bak\SMax4PNP.exe

----a-w 339,968 2004-08-25 18:52:00 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 50,688 2003-12-06 04:08:04 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

----a-w 180,269 2006-08-23 23:52:11 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2004-01-07 07:01:00 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 57,344 2004-10-12 22:54:30 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 90,112 2002-10-07 06:23:20 c:\program files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe

----a-w 69,632 2002-04-17 16:42:56 c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe

----a-w 135,168 2004-06-29 17:23:32 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

----a-w 267,064 2007-09-05 23:03:52 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 289,576 2008-09-10 22:40:06 c:\program files\iTunes\iTunesHelper.exe

----a-w 49,263 2006-07-26 08:03:14 c:\program files\Java\jre1.5.0_08\bin\bak\jusched.exe

----a-w 489,472 2005-12-07 15:26:30 c:\program files\Logitech\Video\bak\CameraAssistant.exe

----a-w 73,728 2005-12-07 15:33:16 c:\program files\Logitech\Video\bak\InstallHelper.exe

----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-09-06 20:09:14 c:\program files\QuickTime\QTTask.exe

----a-w 728,176 2006-04-19 14:30:04 c:\program files\The Weather Channel FW\Desktop Weather\bak\DesktopWeather.exe

----a-w 59,392 2004-08-10 10:04:42 c:\windows\EHOME\bak\ehtray.exe

----a-w 15,360 2004-08-10 11:00:00 c:\windows\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 11:00:00 c:\windows\SYSTEM32\ctfmon.exe

----a-w 262,144 2004-11-01 22:22:22 c:\windows\SYSTEM32\bak\ElkCtrl.exe

----a-w 225,280 2005-12-09 20:32:18 c:\windows\SYSTEM32\bak\LVCOMSX.EXE

----a-w 122,939 2004-08-13 07:05:00 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"Walgreens PhotoShow Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [N/A]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [N/A]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [N/A]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [N/A]
"DW4"="c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [N/A]
"AOL Dialer"="c:\program files\Common Files\AOL\ACS\AOlDial.exe" [N/A]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe" [2005-09-19 970752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\bak\SMax4PNP.exe" [2004-06-30 1388544]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe" [2002-04-17 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe" [2003-12-05 50688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe" [2004-06-29 135168]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"ehTray"="c:\windows\EHOME\bak\ehtray.exe" [2004-08-10 59392]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\i386\tfswctrl.exe" [2004-08-13 122939]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\bak\dlbubmgr.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe" [2002-10-07 90112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" [2004-08-25 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\bak\apdproxy.exe" [2005-09-09 57344]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]
"DellMCM"="" [N/A]


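Added example (not part of this thread, and not ComboFix's own code): a small Python triage script for the two sections in the post above that matter most when reading this log, the AWF listing and the Reg Loading Points. It parses Run values in the `"name"="command" [meta]` layout ComboFix prints and flags the ones a helper would look at first: a command that points into a `bak\` subfolder (every AWF entry above is a file sitting in such a folder next to a same-named sibling), a target ComboFix could not find on disk (`[N/A]`), an empty command, or a bare file name with no path, which Windows resolves through the search path. It then pairs each `bak\` file in the AWF section with its sibling one level up and reports both sizes, so a mismatch (iTunesHelper.exe above) or a missing sibling (ehtray.exe) stands out for a hash check. The two sample sections are constructed from entries in the posted log; the function names are mine, and the script only flags entries, it does not decide what is malicious.

```python
import re
from collections import defaultdict

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points"
# section; the values are copied from the log posted above.
RUN_SECTION = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2004-08-10 15360]
"Orb"="c:\\program files\\Winamp Remote\\bin\\OrbTray.exe" [N/A]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"UpdateManager"="c:\\program files\\Common Files\\Sonic\\Update Manager\\bak\\sgtray.exe" [2004-01-07 110592]
"QuickTime Task"="c:\\program files\\QuickTime\\qttask.exe" [2008-09-06 413696]
"ehTray"="c:\\windows\\EHOME\\bak\\ehtray.exe" [2004-08-10 59392]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\\windows\\KHALMNPR.Exe]
"DellMCM"="" [N/A]
"""

# Constructed sample of the AWF section, same source.
AWF_SECTION = """\
----a-w 267,064 2007-09-05 23:03:52 c:\\program files\\iTunes\\bak\\iTunesHelper.exe
----a-w 289,576 2008-09-10 22:40:06 c:\\program files\\iTunes\\iTunesHelper.exe

----a-w 15,360 2004-08-10 11:00:00 c:\\windows\\SYSTEM32\\bak\\ctfmon.exe
----a-w 15,360 2004-08-10 11:00:00 c:\\windows\\SYSTEM32\\ctfmon.exe

----a-w 59,392 2004-08-10 10:04:42 c:\\windows\\EHOME\\bak\\ehtray.exe
"""

RUN_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# attributes, size, date, time, then a path that may contain spaces
AWF_LINE = re.compile(r'^(?P<attr>\S+)\s+(?P<size>[\d,]+)\s+\S+\s+\S+\s+(?P<path>.+?)\s*$')


def parse_run_entries(text):
    """Return (key, value_name, command, meta) for each Run value in the section."""
    key = None
    entries = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_LINE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("cmd"), m.group("meta")))
    return entries


def triage_run_entries(text):
    """Return {value_name: [reasons]} for Run values worth a closer look."""
    findings = defaultdict(list)
    for _key, name, cmd, meta in parse_run_entries(text):
        low = cmd.lower()
        if not cmd:
            findings[name].append("empty command")
            continue
        if "\\bak\\" in low:
            findings[name].append("points into a bak\\ folder (AWF pattern)")
        if meta.strip() == "N/A":
            findings[name].append("target file not found on disk")
        if "\\" not in cmd:
            findings[name].append("bare file name, resolved via search path")
    return dict(findings)


def parse_awf(text):
    """Return {path_lower: size_in_bytes} for each file listed in the AWF section."""
    files = {}
    for line in text.splitlines():
        m = AWF_LINE.match(line)
        if m:
            files[m.group("path").lower()] = int(m.group("size").replace(",", ""))
    return files


def awf_pairs(text):
    """Pair each bak\\ copy with its same-named sibling one level up.

    Returns {bak_path: (bak_size, sibling_size_or_None)}.  None means only
    the displaced copy was listed; a size mismatch means the two files are
    not identical and the active one deserves a hash check.
    """
    files = parse_awf(text)
    pairs = {}
    for path, size in files.items():
        if "\\bak\\" not in path:
            continue
        sibling = path.replace("\\bak\\", "\\")
        pairs[path] = (size, files.get(sibling))
    return pairs


if __name__ == "__main__":
    for name, reasons in triage_run_entries(RUN_SECTION).items():
        print(f"{name!r}: {'; '.join(reasons)}")
    for bak, (bak_size, sib_size) in awf_pairs(AWF_SECTION).items():
        print(f"{bak}: bak={bak_size} sibling={sib_size}")
```

Paste the full sections from a ComboFix log into the two strings and run it; the flags are starting points for a manual check of each file, not a verdict.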
win32.zafi.b

Post by genamarie on Fri Jan 09, 2009 8:42 pm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\windows\ir50_32.dll
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.MJPG"= c:\windows\m3jpeg32.dll
"vidc.dmb1"= c:\windows\m3jpeg32.dll
"vidc.GEOX"= c:\windows\GeoCodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"dlbu_device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-09 99376]
R4 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2008-04-17 3744]
R4 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2008-04-17 3904]
R4 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~1\NORTON~2\NPROTECT.EXE [2005-10-03 95832]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-11 33752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-03 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D38C6F61-Gena Lincecum).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2009-01-04 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Marita Moore.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 11:13]

2009-01-06 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-05 22:02]

2009-01-04 c:\windows\Tasks\sunday internet scan.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-05 22:02]

2009-01-09 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-03 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-09 14:27:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3604859514-1380642712-1159693288-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{65326A2B-D6C8-96CB-DD09-7CC1C8E382C7}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ealkdboglc"=hex:66,61,62,6b,65,63,6a,65,6a,6f,6c,64,00,fc
"daalillp"=hex:64,62,6a,6d,6e,70,6f,6e,62,67,70,62,6e,68,6c,63,69,63,61,69,6c,
68,64,6a,67,67,61,65,70,6e,68,63,6e,66,6a,65,67,6a,63,62,00,00

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* ]
"tLastAnalysisTerminationTime"=hex:9a,99,99,19,99,55,e3,40
"tLastOptimizationTerminationTime"=hex:00,00,00,00,00,00,00,00
"nAnalysisTerminationStatus"=dword:00000000
"nOptimizationTerminationStatus"=dword:00000000
"tLastAnalysisResultsTime"=hex:9a,99,99,19,99,55,e3,40
"tLastOptimizationResultsTime"=hex:00,00,00,00,00,00,00,00
"bResultDataInitialized"=dword:00000001
"nBytesPerCluster"=dword:00001000
"nTotalClusters"=dword:0241419a
"nStartRunNumberOfDirs"=dword:0000170c
"nStartRunNumberOfFiles"=dword:00028544
"nStartRunNumberOfFraggedFiles"=dword:000019d5
"nStartRunNumberOfFragments"=dword:00006c3a
"nStartRunFraggedPercentTimesTen"=dword:00000075
"nStartRunFreeClusters"=dword:00000000
"nStartRunNumberOfFreeSpaces"=dword:00000000
"nStartRunNumberOfMftFragments"=dword:00000000
"nStartRunNumberOfPagefileFragments"=dword:00000000
"nEndRunNumberOfFraggedFiles"=dword:000019d5
"nEndRunNumberOfFragments"=dword:00006c3a
"nEndRunFraggedPercentTimesTen"=dword:00000075
"nEndRunFreeClusters"=dword:00effa7b
"nEndRunNumberOfFreeSpaces"=dword:00003795
"nEndRunNumberOfMftFragments"=dword:00000000
"nEndRunNumberOfPagefileFragments"=dword:00000000
"nStatsMaxDepth"=dword:0000000a
"nEndRunFraggedFilesListSize"=dword:0000000a

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files]
@="10"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\0]
"nSize"=dword:04e20000
"nFragments"=dword:000004e0
"File Name"="\\System Volume Information\\catalog.wci\\00010003.ci"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\1]
"nSize"=dword:01eb0000
"nFragments"=dword:000002a0
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP129\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\2]
"nSize"=dword:01f10000
"nFragments"=dword:000001b6
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP164\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\3]
"nSize"=dword:01f10000
"nFragments"=dword:00000156
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP197\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\4]
"nSize"=dword:1cdfd000
"nFragments"=dword:00000126
"File Name"="\\Documents and Settings\\Marita Moore\\My Documents\\My Videos\\May 05 Ashley - Clip 002.avi"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\5]
"nSize"=dword:01f10000
"nFragments"=dword:000000bf
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP190\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\6]
"nSize"=dword:00630000
"nFragments"=dword:000000a9
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP179\\snapshot\\Repository\\FS\\OBJECTS.DATA"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\7]
"nSize"=dword:00630000
"nFragments"=dword:00000099
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP166\\snapshot\\Repository\\FS\\OBJECTS.DATA"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\8]
"nSize"=dword:00550000
"nFragments"=dword:00000095
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP166\\snapshot\\_REGISTRY_USER_NTUSER_S-1-5-21-3604859514-1380642712-1159693288-1007"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\9]
"nSize"=dword:01f10000
"nFragments"=dword:0000007d
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP167\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Largest Free Spaces]
"0"=dword:00044be2
"1"=dword:00041005
"2"=dword:00039439
"3"=dword:00031d61
"4"=dword:0002ee64
"5"=dword:0002e527
"6"=dword:0002d962
"7"=dword:0002cd9b
"8"=dword:0002a7e7
"9"=dword:00029af1
.
Completion time: 2009-01-09 14:31:25
ComboFix-quarantined-files.txt 2009-01-09 20:31:04

Pre-Run: 65,534,459,904 bytes free
Post-Run: 65,941,667,840 bytes free

575 --- E O F --- 2008-12-18 09:01:14

genamarie
Novice
Posts : 12
Joined : 2009-01-09
OS : dell
Points : 28870
# Likes : 0


Re: win32.zafi.b

Post by Belahzur on Fri Jan 09, 2009 8:49 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

AWF::
c:\program files\Adobe\Photoshop Elements 4.0\bak\apdproxy.exe
c:\program files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
c:\program files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Java\jre1.5.0_08\bin\bak\jusched.exe
c:\program files\Logitech\Video\bak\CameraAssistant.exe
c:\program files\Logitech\Video\bak\InstallHelper.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\The Weather Channel FW\Desktop Weather\bak\DesktopWeather.exe
c:\windows\EHOME\bak\ehtray.exe
c:\windows\SYSTEM32\bak\ctfmon.exe
c:\windows\SYSTEM32\bak\ElkCtrl.exe
c:\windows\SYSTEM32\bak\LVCOMSX.EXE
c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1


win32.zafi.b

Post by genamarie on Sat Jan 10, 2009 12:00 am

ComboFix 09-01-08.05 - Gena Lincecum 2009-01-09 17:44:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.390 [GMT -6:00]
Running from: c:\documents and settings\Gena Lincecum\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gena Lincecum\Desktop\CFscript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-09 01:36 . 2009-01-09 01:36 d-------- c:\program files\Trend Micro
2009-01-09 00:33 . 2009-01-09 00:50 d-------- c:\documents and settings\Gena Lincecum\.housecall6.6
2009-01-07 22:59 . 2009-01-07 23:14 664 --a------ c:\windows\SYSTEM32\d3d9caps.dat
2008-12-18 10:41 . 2008-12-18 10:41 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-11 22:20 . 2008-12-11 22:20 d-------- c:\program files\Common Files\Adobe AIR
2008-12-11 22:08 . 2008-12-11 22:08 d-------- c:\program files\NOS
2008-12-11 22:08 . 2008-12-13 19:51 d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 23:51 --------- d-----w c:\program files\QuickTime
2009-01-09 23:51 --------- d-----w c:\program files\iTunes
2009-01-07 23:16 5,012 ----a-w c:\documents and settings\Gena Lincecum\Application Data\wklnhst.dat
2009-01-07 23:10 --------- d-----w c:\program files\MySpace
2009-01-07 23:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-07 23:09 --------- d-----w c:\program files\Logitech
2009-01-07 23:08 --------- d-----w c:\program files\Common Files\Logitech
2009-01-07 22:08 --------- d-----w c:\program files\LimeWire
2009-01-06 01:55 --------- d-----w c:\program files\Norton SystemWorks
2008-12-18 16:41 --------- d-----w c:\program files\Java
2008-12-17 03:49 --------- d-----w c:\documents and settings\Steve Moore\Application Data\HPAppData
2008-12-12 04:20 --------- d-----w c:\program files\Common Files\Adobe
2008-12-11 00:53 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-22 23:49 0 ---ha-w c:\documents and settings\Default User\hpothb07.dat
2007-11-09 00:58 338 ---ha-w c:\documents and settings\Gena Lincecum\hpothb07.dat
2007-04-28 05:25 0 ---ha-w c:\documents and settings\Steve Moore\hpothb07.dat
2006-10-29 00:36 0 ----a-w c:\documents and settings\Steve Moore\Application Data\wklnhst.dat
2006-05-03 07:34 0 ---ha-w c:\documents and settings\Guest\hpothb07.dat
2006-03-16 07:46 399 ---ha-w c:\documents and settings\Gena Lincecum\Application Data\hpothb07.dat
2005-08-09 02:49 0 ---ha-w c:\documents and settings\LocalService\hpothb07.dat
2005-07-27 06:07 0 ---ha-w c:\documents and settings\NetworkService\hpothb07.dat
2005-07-20 02:24 164 ---ha-w c:\documents and settings\All Users\hpothb07.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 10:04:42 59,392 ----a-w c:\windows\EHOME\ehtray.exe
- 2009-01-08 03:51:28 8,854 ----a-r c:\windows\Installer\{415CDA53-9100-476F-A7B2-476691E117C7}\Uninstall_Smart_Web__2DD09EA994C6415885A0C8BB7A14CB08.exe
+ 2009-01-09 21:24:30 8,854 ----a-r c:\windows\Installer\{415CDA53-9100-476F-A7B2-476691E117C7}\Uninstall_Smart_Web__2DD09EA994C6415885A0C8BB7A14CB08.exe
+ 2004-08-13 07:05:00 122,939 ----a-w c:\windows\SYSTEM32\dla\tfswctrl.exe
+ 2004-08-10 10:04:42 59,392 ----a-w c:\windows\SYSTEM32\DLLCACHE\ehtray.exe
+ 2004-11-01 22:22:22 262,144 ----a-w c:\windows\SYSTEM32\ElkCtrl.exe
+ 2005-12-09 20:32:18 225,280 ----a-w c:\windows\SYSTEM32\LVCOMSX.EXE
+ 2009-01-09 23:51:35 16,384 ----atw c:\windows\temp\Perflib_Perfdata_794.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"DW4"="c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2006-04-19 728176]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe" [2005-09-19 970752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-05 267064]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"dla"="c:\i386\tfswctrl.exe" [2004-08-13 122939]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\windows\ir50_32.dll
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.MJPG"= c:\windows\m3jpeg32.dll
"vidc.dmb1"= c:\windows\m3jpeg32.dll
"vidc.GEOX"= c:\windows\GeoCodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"dlbu_device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=


win32.zafi.b

Post by genamarie on Sat Jan 10, 2009 12:01 am

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-09 99376]
R4 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2008-04-17 3744]
R4 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2008-04-17 3904]
R4 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~1\NORTON~2\NPROTECT.EXE [2005-10-03 95832]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-11 33752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-03 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D38C6F61-Gena Lincecum).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2009-01-04 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Marita Moore.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 11:13]

2009-01-06 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-05 22:02]

2009-01-04 c:\windows\Tasks\sunday internet scan.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-05 22:02]

2009-01-09 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-03 20:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Walgreens PhotoShow Media Manager - c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
HKCU-Run-Orb - c:\program files\Winamp Remote\bin\OrbTray.exe
HKCU-Run-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
HKCU-Run-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
HKCU-Run-AOL Dialer - c:\program files\Common Files\AOL\ACS\AOlDial.exe
HKLM-Run-UpdateManager - c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
HKLM-Run-SoundMAXPnP - c:\program files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
HKLM-Run-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
HKLM-Run-IAAnotif - c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe
HKLM-Run-ehTray - c:\windows\EHOME\bak\ehtray.exe
HKLM-Run-DVDLauncher - c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
HKLM-Run-Dell Photo AIO Printer 942 - c:\program files\Dell Photo AIO Printer 942\bak\dlbubmgr.exe
HKLM-Run-CamMonitor - c:\program files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe
HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Elements 4.0\bak\apdproxy.exe
HKLM-Run-DellMCM - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-09 17:51:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


win32.zafi.b

Post by genamarie on Sat Jan 10, 2009 12:02 am

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3604859514-1380642712-1159693288-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{65326A2B-D6C8-96CB-DD09-7CC1C8E382C7}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ealkdboglc"=hex:66,61,62,6b,65,63,6a,65,6a,6f,6c,64,00,fc
"daalillp"=hex:64,62,6a,6d,6e,70,6f,6e,62,67,70,62,6e,68,6c,63,69,63,61,69,6c,
68,64,6a,67,67,61,65,70,6e,68,63,6e,66,6a,65,67,6a,63,62,00,00

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* ]
"tLastAnalysisTerminationTime"=hex:9a,99,99,19,99,55,e3,40
"tLastOptimizationTerminationTime"=hex:00,00,00,00,00,00,00,00
"nAnalysisTerminationStatus"=dword:00000000
"nOptimizationTerminationStatus"=dword:00000000
"tLastAnalysisResultsTime"=hex:9a,99,99,19,99,55,e3,40
"tLastOptimizationResultsTime"=hex:00,00,00,00,00,00,00,00
"bResultDataInitialized"=dword:00000001
"nBytesPerCluster"=dword:00001000
"nTotalClusters"=dword:0241419a
"nStartRunNumberOfDirs"=dword:0000170c
"nStartRunNumberOfFiles"=dword:00028544
"nStartRunNumberOfFraggedFiles"=dword:000019d5
"nStartRunNumberOfFragments"=dword:00006c3a
"nStartRunFraggedPercentTimesTen"=dword:00000075
"nStartRunFreeClusters"=dword:00000000
"nStartRunNumberOfFreeSpaces"=dword:00000000
"nStartRunNumberOfMftFragments"=dword:00000000
"nStartRunNumberOfPagefileFragments"=dword:00000000
"nEndRunNumberOfFraggedFiles"=dword:000019d5
"nEndRunNumberOfFragments"=dword:00006c3a
"nEndRunFraggedPercentTimesTen"=dword:00000075
"nEndRunFreeClusters"=dword:00effa7b
"nEndRunNumberOfFreeSpaces"=dword:00003795
"nEndRunNumberOfMftFragments"=dword:00000000
"nEndRunNumberOfPagefileFragments"=dword:00000000
"nStatsMaxDepth"=dword:0000000a
"nEndRunFraggedFilesListSize"=dword:0000000a

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files]
@="10"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\0]
"nSize"=dword:04e20000
"nFragments"=dword:000004e0
"File Name"="\\System Volume Information\\catalog.wci\\00010003.ci"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\1]
"nSize"=dword:01eb0000
"nFragments"=dword:000002a0
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP129\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\2]
"nSize"=dword:01f10000
"nFragments"=dword:000001b6
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP164\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\3]
"nSize"=dword:01f10000
"nFragments"=dword:00000156
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP197\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\4]
"nSize"=dword:1cdfd000
"nFragments"=dword:00000126
"File Name"="\\Documents and Settings\\Marita Moore\\My Documents\\My Videos\\May 05 Ashley - Clip 002.avi"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\5]
"nSize"=dword:01f10000
"nFragments"=dword:000000bf
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP190\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\6]
"nSize"=dword:00630000
"nFragments"=dword:000000a9
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP179\\snapshot\\Repository\\FS\\OBJECTS.DATA"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\7]
"nSize"=dword:00630000
"nFragments"=dword:00000099
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP166\\snapshot\\Repository\\FS\\OBJECTS.DATA"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\8]
"nSize"=dword:00550000
"nFragments"=dword:00000095
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP166\\snapshot\\_REGISTRY_USER_NTUSER_S-1-5-21-3604859514-1380642712-1159693288-1007"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Fragmented Files\9]
"nSize"=dword:01f10000
"nFragments"=dword:0000007d
"File Name"="\\System Volume Information\\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\\RP167\\snapshot\\_REGISTRY_MACHINE_SOFTWARE"

[HKEY_LOCAL_MACHINE\software\Symantec\Speed Disk\Local Settings\Drive Results\H*NULL* \Largest Free Spaces]
"0"=dword:00044be2
"1"=dword:00041005
"2"=dword:00039439
"3"=dword:00031d61
"4"=dword:0002ee64
"5"=dword:0002e527
"6"=dword:0002d962
"7"=dword:0002cd9b
"8"=dword:0002a7e7
"9"=dword:00029af1
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\EHOME\ehRecvr.exe
c:\windows\EHOME\ehSched.exe
c:\program files\Norton SystemWorks\Norton GoBack\GBPoll.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton SystemWorks\Norton Antivirus\IWP\NPFMNTOR.EXE
c:\progra~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\DLLHOST.EXE
c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-01-09 17:56:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 23:56:26
ComboFix2.txt 2009-01-09 20:31:27

Pre-Run: 66,675,863,552 bytes free
Post-Run: 66,570,403,840 bytes free

302 --- E O F --- 2008-12-18 09:01:14


Re: win32.zafi.b

Post by Belahzur on Sat Jan 10, 2009 12:02 am

Hello.
Looks good now, what problems remain?

Press Start > Run
Type in:
ComboFix /u <== note the space between the x and /
Press enter.

This will uninstall Combofix.


Please PM me if I fail to respond within 24hrs.



Re: win32.zafi.b

Post by Doctor Inferno on Mon Mar 02, 2009 9:59 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.



Doctor Inferno
Administrator
Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104594
# Likes : 0
