Hi,
I had an infection before:
http://www.techsupportforum.com/f100/win32-zafi-never-seen-my-computer-so-bad-341213.html
All was well; I installed McAfee and used Malwarebytes to scan regularly. Then all of a sudden I left the PC for the day, came back, and had IE popups everywhere and a random exe crashing in the background.
It's strange because I never use IE.
============================================================
DDS (Ver_09-03-16.01) - NTFSx86
Run by Damaja at 17:52:25.32 on 01/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1531 [GMT 1:00]
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Damaja\Desktop\Fix\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: {D7BF4552-94F1-42BD-F434-3604812C856D} - No File
BHO: {E2BA40A2-74F3-42BD-F434-2604812C8953} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-FKI4E.exe" /REG
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
dRun: [<NO NAME>] c:\windows\system32\config\system~1\locals~1\temp\vbxbt2.exe
dRun: [Windows Resurections] c:\windows\system32\config\system~1\locals~1\temp\vbxbt2.exe
dRun: [Diagnostic Manager] c:\windows\system32\config\system~1\locals~1\temp\1651903332.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {6DE95BA9-742F-4EA8-A1FE-6FC041DC236D} = 192.168.0.1
TCP: {93A6E486-59E2-411F-A8B8-5C356C97775F} = 87.194.0.51,87.194.0.52
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\zenonabi.dll ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Notification Packages = scecli c:\windows\system32\zenonabi.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\damaja\applic~1\mozilla\firefox\profiles\v71zzt3r.default\
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
============= SERVICES / DRIVERS ===============
P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-1-24 144704]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-1 73728]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-3-7 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-1-24 54608]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-3-7 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-3-7 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-3-7 171400]
=============== Created Last 30 ================
2009-05-01 17:46 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-04-18 16:42 155 a------- c:\windows\system32\SelfDel.bat
2009-04-18 16:27 57,856 a------- c:\windows\system32\ak1.exe
2009-04-18 16:12 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-18 16:12 102,766 a------- c:\windows\system32\drivers\6323d0b2.sys
2009-04-18 16:11 <DIR> --d----- c:\docume~1\damaja\applic~1\pidle
2009-04-11 17:49 <DIR> --d----- c:\program files\Audacity
2009-04-11 17:32 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
==================== Find3M ====================
2009-05-01 17:46 823,296 a------- c:\windows\is-FKI4E.exe
2009-04-18 16:12 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-18 16:11 79,360 a--sh--- c:\windows\system32\famuheno.dll
2009-04-18 16:11 75,776 a--sh--- c:\windows\system32\vonatahi.exe
2009-04-02 14:21 84,480 a------- c:\windows\system32\ff_vfw.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 00:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-06 00:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-28 16:36 55,808 a------- c:\windows\system32\68WLmLpD.exe
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2008-07-26 18:14 47,360 a------- c:\docume~1\damaja\applic~1\pcouffin.sys
2008-10-04 13:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100420081005\index.dat
============= FINISH: 17:52:49.51 ===============