
Thread: Two yahoo ids hacked


    Hello Victorio,

    I have analyzed your log as best as I could and input my thoughts/findings in the attached analyzed version of your log.

    There are still suspicious files, programs, processes and malware remnants present as far as I could see.

    09/27/2005 10:57 AM 19,528 c:\windows\000001_.tmp
    >>> BADDIE, must remove!

    ~ More in SYSTEM32 folder:
    W32i - - - - 53,299 03-02-2002 c:\windows\system32\pthreadvc.dll
    >>> You Should check out the info on the following link to see if it applies to you (since you also have WinPcap installed recently): http://www.symantec.com/smb/security...038-99&tabid=2
    12/17/2006 03:28 PM 4,212 zllictbl.dat
    >>> You have ZoneAlarm, so make sure Windows Firewall is disabled.
    09/05/2006 11:01 PM 2,451,824 ieapfltr.dat
    >>> I guess you are using IE7 because this is used by IE7's Phishing Site filtering function.
    07/30/2006 04:22 PM 21,508 mlfcache.dat
    >>> BADDIE, must remove!

    ~ The following should be safe, but examine file properties to make sure; if not sure, remove this one, as it would eventually get downloaded again if it is required by a web site or an installed program:
    W32i DLL ENU 1.0.0.11 shp 356,352 02-04-2000 c:\windows\downloaded program files\tdserver.ocx
    W32i DLL ENU 2.0.0.17 shp 937,200 05-03-2006 c:\windows\downloaded program files\uploader.ocx
    =====] Directory Analysis - PROGRAM FILES:
    12/14/2006 01:58 PM <DIR> WinPcap
    >>> Suspicious, see above comment on pthreadvc.dll!

    02/07/2006 01:27 AM <DIR> RegistryFix
    >>> Suspicious, did you install this?
    Note: Programs with vague, general names such as RegistryFix or SpywareCleaner, with NO version numbers given, and whose download page suggests that you click on OPEN instead of SAVE at the download prompt, are VERY VERY suspicious and generally a characteristic of Spyware programs....at the least, a rogue program.

    =====] Directory Analysis - WINDOWS folder:
    12/17/2006 03:27 PM <DIR> Internet Logs
    >>> ZoneAlarm related log files, could be valuable to investigate; when done, delete the contents as it could consume quite a bit of HD space.
    10/05/2005 10:07 PM <DIR> Downloaded Installations
    >>> Examine the contents of this folder as well.
    10/04/2005 09:14 PM <DIR> tiinst
    >>> Not much info on this but should be safe.

    =====] Process Analysis - User-based processes with their Services:
    Image Name PID Services
    ========================= ====== =============================================
    DesktopWeather.exe
    >>> This program is not necessarily a malicious program itself however often causes/contributes to actual adware installations once it is installed.
    Look up the properties of this program to find its 'CREATE DATE', then use the same date in MM-DD-YYYY format to enter in the Filter By Date Search that comes up at the end of AnalyzerXP, which I can see you did not use.

    alg.exe 2244 ALG
    >>> You have ZoneAlarm, but this is a service/process that is used by Windows Firewall; it is highly recommended that you disable Windows Firewall and disable the Startup of its related services in the Service Control panel as well: Application Layer Gateway Service and Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS).

    Did you have IE running when you ran the scan? I forgot to tell you that you should NOT have IE running during the scan so it could spot the orphan iexplore.exe processes:
    iexplore.exe 4044 N/A
    iexplore.exe 4052 N/A
    iexplore.exe 4060 N/A
    iexplore.exe 2168 N/A
    iexplore.exe 2908 N/A
    ~ This way the module-based process scan in the next section would be much easier to analyze; at this point it is way too crowded!
    ~ I suggest that until the system starts running normally, you disable (uncheck the boxes next to) all startup entries using StartupControlPanel (EXCEPT those that belong to ZoneAlarm and Virus/Spyware scanners such as Panda and Windows Defender).
    ~ Then close all other programs, especially Internet Explorer instances, and run another scan; please also use the Filter by Date using the instructions I gave.
    ~ If Weather is no longer available to look up its create date, then use TODAY's date for the Filter By Date scan at the end, ok?

    Please review my notes and wait for follow up of Jholland and/or PP as well.

    ~TL
    Last edited by TurcoLoco; 01-10-2007 at 01:27 PM.
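The two triage checks TL walks through above (filter the directory listing by a file's create date given in MM-DD-YYYY form, and spot multiple iexplore.exe entries that host no service) as an added example that is not part of the original thread or of AnalyzerXP; the listing lines are constructed from the entries quoted in the post, and the line layout is assumed to match what the post shows:

```python
import re
from datetime import datetime

# Constructed sample in the same layout as the directory listings quoted
# in the post: date, time, size-or-<DIR>, path.
DIR_LISTING = """\
09/27/2005 10:57 AM 19,528 c:\\windows\\000001_.tmp
12/17/2006 03:28 PM 4,212 zllictbl.dat
09/05/2006 11:01 PM 2,451,824 ieapfltr.dat
07/30/2006 04:22 PM 21,508 mlfcache.dat
12/14/2006 01:58 PM <DIR> WinPcap
12/17/2006 03:27 PM <DIR> Internet Logs
"""

# Constructed sample in the tasklist-style "Image Name PID Services" layout.
PROCESS_LISTING = """\
alg.exe 2244 ALG
iexplore.exe 4044 N/A
iexplore.exe 4052 N/A
iexplore.exe 4060 N/A
"""

LISTING_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2} [AP]M) (<DIR>|[\d,]+) (.+)$")


def parse_listing(text):
    """Return (timestamp, is_dir, size_bytes, name) for each listing entry."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue  # skip headers and analyst comments such as ">>> ..."
        stamp = datetime.strptime(f"{m[1]} {m[2]}", "%m/%d/%Y %I:%M %p")
        is_dir = m[3] == "<DIR>"
        size = 0 if is_dir else int(m[3].replace(",", ""))
        entries.append((stamp, is_dir, size, m[4]))
    return entries


def filter_by_date(text, mmddyyyy):
    """Names of entries created on the given day (MM-DD-YYYY, as in the post)."""
    day = datetime.strptime(mmddyyyy, "%m-%d-%Y").date()
    return [name for stamp, _, _, name in parse_listing(text) if stamp.date() == day]


def instances_without_service(text, image):
    """PIDs of processes named `image` whose Services column is N/A."""
    pids = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == image.lower() and parts[2] == "N/A":
            pids.append(int(parts[1]))
    return pids
```

With IE closed before the scan, any PIDs returned for iexplore.exe are the orphan instances the post asks to look for.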
