AVZ 4.30 <http://z-oleg.com/secur/avz/>
List of processes
File name PID Description Copyright MD5 Information
c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe
Script: Quarantine, Delete, BC delete, Terminate 844 Kaspersky Anti-Virus Copyright © Kaspersky Lab 1996-2008. ?? 201.26 kb, rsAh,
created: 11/11/2008 20:59:16,
modified: 04/02/2009 19:24:40
Command line:
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r
c:\program files\intel\wifi\bin\evteng.exe
Script: Quarantine, Delete, BC delete, Terminate 900 Intel® PROSet/Wireless Event Log Service Copyright © Intel Corporation 1999-2008 ?? 840.00 kb, rsAh,
created: 02/10/2008 12:26:42,
modified: 02/10/2008 12:26:42
Command line:
"C:\Program Files\Intel\WiFi\bin\EvtEng.exe"
c:\windows\explorer.exe
Script: Quarantine, Delete, BC delete, Terminate 3344 Windows Explorer © Microsoft Corporation. All rights reserved. ?? 1009.50 kb, rsAh,
created: 16/03/2006 03:54:27,
modified: 14/04/2008 01:12:19
Command line:
C:\WINDOWS\Explorer.EXE
c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate 2056 Internet Explorer © Microsoft Corporation. All rights reserved. ?? 623.84 kb, rsAh,
created: 16/03/2006 13:11:34,
modified: 08/03/2009 15:09:26
Command line:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3724 CREDAT:79873
c:\program files\common files\intel\wirelesscommon\ifrmewrk.exe
Script: Quarantine, Delete, BC delete, Terminate 3944 Intel® PROSet/Wireless Framework Copyright © Intel Corporation 1999-2008 ?? 1164.00 kb, rsAh,
created: 02/10/2008 11:57:52,
modified: 02/10/2008 11:57:52
Command line:
"C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete, Terminate 1124 Java Quick Starter Service Copyright © 2004 ?? 149.40 kb, rsAh,
created: 14/03/2009 09:30:53,
modified: 21/05/2009 11:34:05
Command line:
"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
c:\program files\common files\intel\wirelesscommon\regsrvc.exe
Script: Quarantine, Delete, BC delete, Terminate 1212 Intel® PROSet/Wireless Registry Service Copyright © Intel Corporation 1999-2008 ?? 456.00 kb, rsAh,
created: 02/10/2008 11:56:44,
modified: 02/10/2008 11:56:44
Command line:
"C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe"
c:\program files\intel\wifi\bin\s24evmon.exe
Script: Quarantine, Delete, BC delete, Terminate 1960 Intel® Wireless Management Service Copyright © Intel Corporation 1999-2008 ?? 884.00 kb, rsAh,
created: 02/10/2008 12:06:56,
modified: 02/10/2008 12:06:56
Command line:
"C:\Program Files\Intel\WiFi\bin\S24EvMon.exe"
c:\program files\sony\vaio power management\spmgr.exe
Script: Quarantine, Delete, BC delete, Terminate 3604 SPM Module Copyright 2003-2006 Sony Corporation ?? 212.00 kb, rsAh,
created: 16/03/2006 18:44:23,
modified: 13/12/2005 23:43:40
Command line:
"C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
c:\program files\sony\wireless switch setting utility\switcher.exe
Script: Quarantine, Delete, BC delete, Terminate 3828 Wireless Switch Setting Utility Copyright 2004-2006 Sony Corp. ?? 172.00 kb, rsAh,
created: 16/03/2006 18:44:39,
modified: 14/02/2006 13:11:46
Command line:
"C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
c:\windows\system32\wbem\wmiprvse.exe
Script: Quarantine, Delete, BC delete, Terminate 3412 WMI © Microsoft Corporation. All rights reserved. ?? 222.50 kb, rsAh,
created: 16/03/2006 13:08:23,
modified: 06/02/2009 11:10:02
Command line:
C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
c:\program files\intel\wifi\bin\zcfgsvc.exe
Script: Quarantine, Delete, BC delete, Terminate 3920 Intel® PROSet/Wireless Zero Config Service Copyright © Intel Corporation 1999-2008 ?? 1336.00 kb, rsAh,
created: 02/10/2008 12:16:00,
modified: 02/10/2008 12:16:00
Command line:
"C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
Detected:53, recognized as trusted 46
Module name Handle Description Copyright MD5 Used by processes
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP8\Bases\kjim.kdl
Script: Quarantine, Delete, BC delete 947912704 Script Heuristics Engine Copyright © Kaspersky Lab 1997-2009. -- 844
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP8\Bases\klavemu.kdl
Script: Quarantine, Delete, BC delete 943718400 Heuristics engine Copyright © Kaspersky Lab 1997-2009. -- 844
C:\Program Files\Common Files\Intel\WirelessCommon\FrameworkPlugins\ConnMgr.dll
Script: Quarantine, Delete, BC delete 14942208 Intel® PROSet/Wireless WiFi Module Copyright © Intel Corporation 1999-2008 -- 3944
C:\Program Files\Common Files\Intel\WirelessCommon\FrameworkPlugins\WiWiTray.dll
Script: Quarantine, Delete, BC delete 14286848 Intel® PROSet/Wireless Combined Task Tray Module Copyright © Intel Corporation 1999-2008 -- 3944
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
Script: Quarantine, Delete, BC delete 4194304 Intel® PROSet/Wireless Framework Copyright © Intel Corporation 1999-2008 ?? 3944
C:\Program Files\Common Files\Intel\WirelessCommon\PsRegApi.dll
Script: Quarantine, Delete, BC delete 11730944 Intel® PROSet/Wireless Registry API Module Copyright © Intel Corporation 1999-2008 -- 900, 3944, 1960, 3828, 3412, 3920
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
Script: Quarantine, Delete, BC delete 4194304 Intel® PROSet/Wireless Registry Service Copyright © Intel Corporation 1999-2008 ?? 1212
C:\Program Files\Common Files\Intel\WirelessCommon\TraceApi.dll
Script: Quarantine, Delete, BC delete 12451840 Intel® PROSet/Wireless Trace API Module Copyright © Intel Corporation 1999-2008 -- 900, 3944, 1960, 3828, 3412, 3920
C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_6BC68FE03E7B66EC.dll
Script: Quarantine, Delete, BC delete 40828928 Google Toolbar for Internet Explorer Copyright © 2000-2009 -- 2056
C:\Program Files\Intel\WiFi\bin\DbEngine.dll
Script: Quarantine, Delete, BC delete 115015680 Intel® PROSet/Wireless Secure DB Engine Copyright © Intel Corporation 1999-2008 -- 3944, 3920
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
Script: Quarantine, Delete, BC delete 4194304 Intel® PROSet/Wireless Event Log Service Copyright © Intel Corporation 1999-2008 ?? 900
C:\Program Files\Intel\WiFi\bin\IntStngs.dll
Script: Quarantine, Delete, BC delete 3538944 Intel® PROSet/Wireless Application Settings Module Copyright © Intel Corporation 1999-2008 -- 900, 3944, 1960, 3920
C:\Program Files\Intel\WiFi\bin\IWMSPROV.DLL
Script: Quarantine, Delete, BC delete 3473408 -- 1960, 3412
C:\Program Files\Intel\WiFi\bin\KmmdlPlugins\SupplicantPlugin.dll
Script: Quarantine, Delete, BC delete 21823488 Intel® PROSet/Wireless Supplicant Plugin Copyright © Intel Corporation 2007-2008 -- 1960
C:\Program Files\Intel\WiFi\bin\KmmdlPlugins\WSCPlugin.dll
Script: Quarantine, Delete, BC delete 119144448 Intel® PROSet/Wireless WSC Plugin Module Copyright © Intel Corporation 2007-2008 -- 1960
C:\Program Files\Intel\WiFi\bin\MurocApi.dll
Script: Quarantine, Delete, BC delete 5111808 Intel® PROSet/Wireless Muroc API Module Copyright © Intel Corporation 1999-2008 -- 900, 3944, 3920
C:\Program Files\Intel\WiFi\bin\PfMgrApi.dll
Script: Quarantine, Delete, BC delete 268435456 Intel® PROSet/Wireless Profile Manager API Module Copyright © Intel Corporation 1999-2008 -- 900, 3944, 3920
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
Script: Quarantine, Delete, BC delete 4194304 Intel® Wireless Management Service Copyright © Intel Corporation 1999-2008 ?? 1960
C:\Program Files\Intel\WiFi\bin\S24MUDLL.dll
Script: Quarantine, Delete, BC delete 118947840 Intel® PROSet/Wireless S24EvMon Module Copyright © Intel Corporation 1999-2008 -- 900, 3944, 3920
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
Script: Quarantine, Delete, BC delete 4194304 Intel® PROSet/Wireless Zero Config Service Copyright © Intel Corporation 1999-2008 ?? 3920
C:\Program Files\Java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete 4194304 Java Quick Starter Service Copyright © 2004 ?? 1124
C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Script: Quarantine, Delete, BC delete 1840119808 Java Quick Starter binary Copyright © 2004 -- 2056
C:\Program Files\Sony\VAIO Power Management\SPMDrv.dll
Script: Quarantine, Delete, BC delete 11534336 SPM driver Copyright 2003-2006 Sony Corporation -- 3604
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
Script: Quarantine, Delete, BC delete 4194304 SPM Module Copyright 2003-2006 Sony Corporation ?? 3604
C:\PROGRA~1\GOOGLE~1\GoogleAFE.dll
Script: Quarantine, Delete, BC delete 59703296 GoogleAFE.dll © Google. All rights reserved. -- 2056
C:\WINDOWS\system32\netprovcredman.dll
Script: Quarantine, Delete, BC delete 268435456 Intel® Network Provider Credential Manager Copyright © Intel Corporation 2007-2008 -- 3344, 2056
Modules detected:544, recognized as trusted 518
Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\WINDOWS\system32\DRIVERS\s24trans.sys
Script: Quarantine, Delete, BC delete BACC8000 003000 (12288) Intel WLAN Packet Driver Copyright © Intel Corporation, Inc. 2002-2007 Copyright © Symbol Technologies, Inc. 1995-1998
Modules detected - 136, recognized as trusted - 135
Services
Service Description Status File Group Dependencies
EvtEng
Service: Stop, Delete, Disable Intel® PROSet/Wireless Event Log Running C:\Program Files\Intel\WiFi\bin\EvtEng.exe
Script: Quarantine, Delete, BC delete RPCSS
JavaQuickStarterService
Service: Stop, Delete, Disable Java Quick Starter Running C:\Program Files\Java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete
RegSrvc
Service: Stop, Delete, Disable Intel® PROSet/Wireless Registry Service Running C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
Script: Quarantine, Delete, BC delete RPCSS
S24EventMonitor
Service: Stop, Delete, Disable Intel® PROSet/Wireless WiFi Service Running C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
Script: Quarantine, Delete, BC delete NDIS s24trans
getPlus® Helper
Service: Stop, Delete, Disable getPlus® Helper Not started C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
Script: Quarantine, Delete, BC delete RPCSS
GoogleDesktopManager-110408-113106
Service: Stop, Delete, Disable Google Desktop Manager 5.8.811.4345 Not started C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
Script: Quarantine, Delete, BC delete RPCSS
Image Converter video recording monitor for VAIO Entertainment
Service: Stop, Delete, Disable Image Converter video recording monitor for VAIO Entertainment Not started C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
Script: Quarantine, Delete, BC delete VAIO Entertainment Aggregation and Control Service
MSCSPTISRV
Service: Stop, Delete, Disable MSCSPTISRV Not started C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
Script: Quarantine, Delete, BC delete RPCSS
PACSPTISVR
Service: Stop, Delete, Disable PACSPTISVR Not started C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
Script: Quarantine, Delete, BC delete RPCSS
SonicStage Back-End Service
Service: Stop, Delete, Disable SonicStage Back-End Service Not started C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
Script: Quarantine, Delete, BC delete RPCSS
SPTISRV
Service: Stop, Delete, Disable Sony SPTI Service Not started C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
Script: Quarantine, Delete, BC delete RPCSS
SSScsiSV
Service: Stop, Delete, Disable SonicStage SCSI Service Not started C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
Script: Quarantine, Delete, BC delete RPCSS
VAIO Entertainment TV Device Arbitration Service
Service: Stop, Delete, Disable VAIO Entertainment TV Device Arbitration Service Not started C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
Script: Quarantine, Delete, BC delete RPCSS
VAIOMediaPlatform-IntegratedServer-AppServer
Service: Stop, Delete, Disable VAIO Media Integrated Server Not started C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
Script: Quarantine, Delete, BC delete
VAIOMediaPlatform-IntegratedServer-HTTP
Service: Stop, Delete, Disable VAIO Media Integrated Server (HTTP) Not started C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
Script: Quarantine, Delete, BC delete VAIOMediaPlatform-IntegratedServer-AppServer
VAIOMediaPlatform-IntegratedServer-UPnP
Service: Stop, Delete, Disable VAIO Media Integrated Server (UPnP) Not started C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
Script: Quarantine, Delete, BC delete VAIOMediaPlatform-IntegratedServer-HTTP
VAIOMediaPlatform-Mobile-Gateway
Service: Stop, Delete, Disable VAIO Media Gateway Server Not started VAIOMediaPlatform-Mobile-Gateway.sys
Script: Quarantine, Delete, BC delete
VCI
Service: Stop, Delete, Disable VAIO Cooporated Initialisation Not started C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
Script: Quarantine, Delete, BC delete
VzCdbSvc
Service: Stop, Delete, Disable VAIO Entertainment Database Service Not started C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
Script: Quarantine, Delete, BC delete RPCSS
VzFw
Service: Stop, Delete, Disable VAIO Entertainment File Import Service Not started C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
Script: Quarantine, Delete, BC delete RPCSS
WSearch
Service: Stop, Delete, Disable Windows Search Not started C:\WINDOWS\system32\SearchIndexer.exe
Script: Quarantine, Delete, BC delete TermService
Detected - 123, recognized as trusted - 102
Drivers
Service Description Status File Group Dependencies
s24trans
Driver: Unload, Delete, Disable WLAN Transport Running C:\WINDOWS\system32\DRIVERS\s24trans.sys
Script: Quarantine, Delete, BC delete NDIS
Abiosdsk
Driver: Unload, Delete, Disable Abiosdsk Not started Abiosdsk.sys
Script: Quarantine, Delete, BC delete Primary disk
abp480n5
Driver: Unload, Delete, Disable abp480n5 Not started abp480n5.sys
Script: Quarantine, Delete, BC delete SCSI miniport
adpu160m
Driver: Unload, Delete, Disable adpu160m Not started adpu160m.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Aha154x
Driver: Unload, Delete, Disable Aha154x Not started Aha154x.sys
Script: Quarantine, Delete, BC delete SCSI miniport
aic78u2
Driver: Unload, Delete, Disable aic78u2 Not started aic78u2.sys
Script: Quarantine, Delete, BC delete SCSI miniport
aic78xx
Driver: Unload, Delete, Disable aic78xx Not started aic78xx.sys
Script: Quarantine, Delete, BC delete SCSI miniport
AliIde
Driver: Unload, Delete, Disable AliIde Not started AliIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
amsint
Driver: Unload, Delete, Disable amsint Not started amsint.sys
Script: Quarantine, Delete, BC delete SCSI miniport
asc
Driver: Unload, Delete, Disable asc Not started asc.sys
Script: Quarantine, Delete, BC delete SCSI miniport
asc3350p
Driver: Unload, Delete, Disable asc3350p Not started asc3350p.sys
Script: Quarantine, Delete, BC delete SCSI miniport
asc3550
Driver: Unload, Delete, Disable asc3550 Not started asc3550.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Atdisk
Driver: Unload, Delete, Disable Atdisk Not started Atdisk.sys
Script: Quarantine, Delete, BC delete Primary disk
cd20xrnt
Driver: Unload, Delete, Disable cd20xrnt Not started cd20xrnt.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Changer
Driver: Unload, Delete, Disable Changer Not started Changer.sys
Script: Quarantine, Delete, BC delete Filter
CmdIde
Driver: Unload, Delete, Disable CmdIde Not started CmdIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
Cpqarray
Driver: Unload, Delete, Disable Cpqarray Not started Cpqarray.sys
Script: Quarantine, Delete, BC delete SCSI miniport
dac960nt
Driver: Unload, Delete, Disable dac960nt Not started dac960nt.sys
Script: Quarantine, Delete, BC delete SCSI miniport
dpti2o
Driver: Unload, Delete, Disable dpti2o Not started dpti2o.sys
Script: Quarantine, Delete, BC delete SCSI miniport
hpn
Driver: Unload, Delete, Disable hpn Not started hpn.sys
Script: Quarantine, Delete, BC delete SCSI miniport
i2omgmt
Driver: Unload, Delete, Disable i2omgmt Not started i2omgmt.sys
Script: Quarantine, Delete, BC delete SCSI Class
i2omp
Driver: Unload, Delete, Disable i2omp Not started i2omp.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ini910u
Driver: Unload, Delete, Disable ini910u Not started ini910u.sys
Script: Quarantine, Delete, BC delete SCSI miniport
IntelIde
Driver: Unload, Delete, Disable IntelIde Not started IntelIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
lbrtfdc
Driver: Unload, Delete, Disable lbrtfdc Not started lbrtfdc.sys
Script: Quarantine, Delete, BC delete System Bus Extender
MEMSWEEP2
Driver: Unload, Delete, Disable MEMSWEEP2 Not started C:\WINDOWS\system32\17E.tmp
Script: Quarantine, Delete, BC delete
mraid35x
Driver: Unload, Delete, Disable mraid35x Not started mraid35x.sys
Script: Quarantine, Delete, BC delete SCSI miniport
PCIDump
Driver: Unload, Delete, Disable PCIDump Not started PCIDump.sys
Script: Quarantine, Delete, BC delete PCI Configuration
PDCOMP
Driver: Unload, Delete, Disable PDCOMP Not started PDCOMP.sys
Script: Quarantine, Delete, BC delete
PDFRAME
Driver: Unload, Delete, Disable PDFRAME Not started PDFRAME.sys
Script: Quarantine, Delete, BC delete
PDRELI
Driver: Unload, Delete, Disable PDRELI Not started PDRELI.sys
Script: Quarantine, Delete, BC delete
PDRFRAME
Driver: Unload, Delete, Disable PDRFRAME Not started PDRFRAME.sys
Script: Quarantine, Delete, BC delete
perc2
Driver: Unload, Delete, Disable perc2 Not started perc2.sys
Script: Quarantine, Delete, BC delete SCSI miniport
perc2hib
Driver: Unload, Delete, Disable perc2hib Not started perc2hib.sys
Script: Quarantine, Delete, BC delete Filter
ql1080
Driver: Unload, Delete, Disable ql1080 Not started ql1080.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Ql10wnt
Driver: Unload, Delete, Disable Ql10wnt Not started Ql10wnt.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ql12160
Driver: Unload, Delete, Disable ql12160 Not started ql12160.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ql1240
Driver: Unload, Delete, Disable ql1240 Not started ql1240.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ql1280
Driver: Unload, Delete, Disable ql1280 Not started ql1280.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Simbad
Driver: Unload, Delete, Disable Simbad Not started Simbad.sys
Script: Quarantine, Delete, BC delete Filter
Sparrow
Driver: Unload, Delete, Disable Sparrow Not started Sparrow.sys
Script: Quarantine, Delete, BC delete SCSI miniport
sym_hi
Driver: Unload, Delete, Disable sym_hi Not started sym_hi.sys
Script: Quarantine, Delete, BC delete SCSI miniport
sym_u3
Driver: Unload, Delete, Disable sym_u3 Not started sym_u3.sys
Script: Quarantine, Delete, BC delete SCSI miniport
symc810
Driver: Unload, Delete, Disable symc810 Not started symc810.sys
Script: Quarantine, Delete, BC delete SCSI miniport
symc8xx
Driver: Unload, Delete, Disable symc8xx Not started symc8xx.sys
Script: Quarantine, Delete, BC delete SCSI miniport
TosIde
Driver: Unload, Delete, Disable TosIde Not started TosIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
TosRfSnd
Driver: Unload, Delete, Disable Bluetooth Audio Device (WDM) from TOSHIBA Not started C:\WINDOWS\system32\drivers\TosRfSnd.sys
Script: Quarantine, Delete, BC delete
ultra
Driver: Unload, Delete, Disable ultra Not started ultra.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ViaIde
Driver: Unload, Delete, Disable ViaIde Not started ViaIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
WDICA
Driver: Unload, Delete, Disable WDICA Not started WDICA.sys
Script: Quarantine, Delete, BC delete
Detected - 218, recognized as trusted - 168
Autoruns
File name Status Startup method Description
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IntelWireless
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TkBellExe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Google Desktop Search
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IntelZeroConfig
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SonyPowerCfg
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {56F9679E-7826-4C84-81F3-532071A8BCC5}
C:\WINDOWS\System32\srchadmin.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}, DLLName
C:\WINDOWS\System32\vaiomov.scr
Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, .DEFAULT\Control Panel\Desktop, scrnsave.exe
Autoruns items detected - 85, recognized as trusted - 77
Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
Script: Quarantine, Delete, BC delete BHO {3049C3E9-B461-4BC5-8870-4C09146192CA}
C:\PROGRA~1\GOOGLE~1\GoogleAFE.dll
Script: Quarantine, Delete, BC delete BHO GoogleAFE.dll © Google. All rights reserved. {CA6319C0-31B7-401E-A518-A07C3DB8F777}
C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Script: Quarantine, Delete, BC delete BHO Java Quick Starter binary Copyright © 2004 {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
Elements detected - 13, recognized as trusted - 10
Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
deskpan.dll
Script: Quarantine, Delete, BC delete Display Panning CPL Extension {42071714-76d4-11d1-8b24-00a0c9068ff3}
Shell extensions for file compression {764BF0E1-F219-11ce-972D-00AA00A14F56}
Encryption Context Menu {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
Script: Quarantine, Delete, BC delete Autoplay for SlideShow {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
C:\Program Files\Sony\VAIO Power Management\SPMPanel.dll
Script: Quarantine, Delete, BC delete Sony Power Management Extensiond SPM Module Copyright 2003-2006 Sony Corporation {ED58A35B-B554-42AF-A26C-6F3D424200D3}
C:\Program Files\Real\RealPlayer\rpshell.dll
Script: Quarantine, Delete, BC delete Shell Extensions for RealOne Player {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
Windows Search Shell Service {da67b8ad-e81b-4c70-9b91-b417b5e33527}
C:\WINDOWS\system32\propsys.dll
Script: Quarantine, Delete, BC delete Office Document Property Handler {97e467b4-98c6-4f19-9588-161b7773d6f6}
C:\Program Files\Windows Desktop Search\deskbar.dll
Script: Quarantine, Delete, BC delete Windows Search Deskbar {97090E2F-3062-4459-855B-014F0D3CDBB1}
C:\Program Files\Windows Desktop Search\msnlExt.dll
Script: Quarantine, Delete, BC delete Windows Desktop Search {13E7F612-F261-4391-BEA2-39DF4F3FA311}
Elements detected - 217, recognized as trusted - 205
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 10, recognized as trusted - 10
Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 2, recognized as trusted - 2
SPI/LSP settings
Namespace providers (NSP) Manufacturer Status EXE file Description GUID
Detected - 4, recognized as trusted - 4
Transport protocol providers (TSP, LSP) Manufacturer EXE file Description
Detected - 39, recognized as trusted - 39
Results of automatic SPI settings check LSP settings checked. No errors detected
TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 28711 [1768] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 2240 [4] System
Script: Quarantine, Delete, BC delete, Terminate
1110 LISTENING 0.0.0.0 22628 [844] c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe
Script: Quarantine, Delete, BC delete, Terminate
5152 LISTENING 0.0.0.0 2144 [1124] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete, Terminate
5152 CLOSE_WAIT 127.0.0.1 1056 [1124] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete, Terminate
19780 LISTENING 0.0.0.0 16551 [844] c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123 LISTENING -- -- [1808] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [1512] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1050 LISTENING -- -- [2056] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1328] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3776 LISTENING -- -- [376] c:\windows\ehome\mcrdsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [1512] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll
Script: Quarantine, Delete, BC delete Microsoft Update Catalog Web Control © Microsoft Corporation. All rights reserved. {5AE58FCF-6F6A-49B2-B064-02492C66E3F4}
http://catalog.update.microsoft.com/v7/sit...b?1229234525718
C:\WINDOWS\Downloaded Program Files\wlscBase.dll
Script: Quarantine, Delete, BC delete Windows Live OneCare Safety Scanner Base Module © Microsoft Corporation. All rights reserved {5ED80217-570B-4DA9-BF44-BE107C0EC166}
http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
C:\Program Files\DivX\DivX Web Player\npdivx32.dll
Script: Quarantine, Delete, BC delete {67DABFBF-D0AB-41FA-9C46-CC0F21721616}
http://download.divx.com/player/DivXBrowserPlugin.cab
C:\WINDOWS\Downloaded Program Files\gp.ocx
Script: Quarantine, Delete, BC delete {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
C:\WINDOWS\Downloaded Program Files\clearadjust.dll
Script: Quarantine, Delete, BC delete ClearAdjust Module Copyright 2001 - 2003, Microsoft Corp. {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
http://download.microsoft.com/download/7/E...04/clearadj.cab
C:\WINDOWS\DOWNLO~1\ACTIVE~1.OCX
Script: Quarantine, Delete, BC delete {E001C731-5E37-4538-A5CB-8168736A2360}
http://91.199.104.31/cab/ActiveQscan.cab
Elements detected - 11, recognized as trusted - 5
Control Panel Applets (CPL)
File name Description Manufacturer
C:\WINDOWS\system32\nvcpl.cpl
Script: Quarantine, Delete, BC delete NVIDIA nvCpl Control Panel Applet 1.0.7.3 © NVIDIA Corporation. All rights reserved.
C:\WINDOWS\system32\stac97.cpl
Script: Quarantine, Delete, BC delete STacGUI Module Copyright © 2004-2005, SigmaTel, Inc.
Elements detected - 30, recognized as trusted - 28
Active Setup
File name Description Manufacturer CLSID
Elements detected - 16, recognized as trusted - 16
HOSTS file
Hosts file record
127.0.0.1 localhost
Protocols and handlers
File name Type Description Manufacturer CLSID
Elements detected - 33, recognized as trusted - 33
Suspicious objects
File Description Type
C:\WINDOWS\system32\DRIVERS\klif.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
--------------------------------------------------------------------------------
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 20/06/2009 11:52:21
Database loaded: signatures - 228068, NN profile(s) - 2, microprograms of healing - 56, signature database released 18.06.2009 19:50
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 123500
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: Disabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504460 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (805EBB3E->F315F1DA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (19) intercepted (805BC4F8->F315F7AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (1F) intercepted (805A45B4->F31611EA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (25) intercepted (80579084->F3160B9C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (29) intercepted (806237B0->F315E950), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSymbolicLinkObject (34) intercepted (805C39C2->F3162B7C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (35) intercepted (805D0FE0->F315F5AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteKey (3F) intercepted (80623C40->F315ED92), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteValueKey (41) intercepted (80623E10->F315EF92), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (42) intercepted (8057924A->F3160EAC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (44) intercepted (805BDFD0->F3163084), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateKey (47) intercepted (80623FF0->F315F0A8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateValueKey (49) intercepted (8062425A->F315F110), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (54) intercepted (8057927E->F3160D5E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (61) intercepted (8058413A->F3162620), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (74) intercepted (8057A182->F31609F8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (77) intercepted (80624B82->F315EAB2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (805CB408->F315F3B2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (7D) intercepted (805AA3D2->F3162BA6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) intercepted (805CB694->F315F2FE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryKey (A0) intercepted (80624EA8->F315F178), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryMultipleValueKey (A1) intercepted (806228FE->F315EE7C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryValueKey (B1) intercepted (806219E8->F315EC5A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (B4) intercepted (805D123E->F3162888), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (C1) intercepted (8062585C->F315E5D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (C8) intercepted (805A2D5A->F3161A74), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (CC) intercepted (80625168->F315E734), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (CE) intercepted (805D4982->F3162F56), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (CF) intercepted (80625264->F315E3D0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (D2) intercepted (805A3D48->F316108C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (D5) intercepted (805D1702->F315F6AC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (ED) intercepted (805C05F6->F316271A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (F0) intercepted (8060F3E4->F3162BD0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetValueKey (F7) intercepted (80621D36->F315EB08), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (FD) intercepted (805D4A4A->F3162CB4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (FE) intercepted (805D48BC->F3162DE0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (FF) intercepted (80617798->F316254C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (805D29AA->F315F47E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (115) intercepted (805B4394->F315F4F0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function FsRtlCheckLockForReadAccess (804EAF84) - machine code modification Method of JmpTo. jmp F3176626 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
Function IoIsOperationSynchronous (804EF912) - machine code modification Method of JmpTo. jmp F31769E0 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
Functions checked: 284, intercepted: 39, restored: 41
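Every hook in the list above resolves to klif.sys, Kaspersky's own filter driver, which is why AVZ tags each one "driver recognized as trusted"; as the log shows, it restores the original pointers anyway, which is what the reboot warning at the end of the scan refers to. Two things are worth checking in a log like this: that every hook belongs to a driver you expect, and that the counts add up (39 SSDT replacements plus 2 inline "JmpTo" patches equal the 41 restores reported). The parser below is an added example, not part of AVZ or of this log. It reads the two hook line formats and the summary line, groups hooks by driver image, flags hooks AVZ did not vouch for or whose image sits outside system32\drivers, and cross-checks the summary. The sample input is constructed: five lines copied from the log, one invented untrusted hook (NtQuerySystemInformation from C:\WINDOWS\Temp\example.sys, a hypothetical path) and a summary line adjusted to match that sample rather than the real scan.

```python
import re
from collections import Counter

# Added example, not AVZ's own code: parses the "Searching for SDT/KiST hooks"
# lines of an AVZ 4.x log. Two hook kinds appear: SSDT entry replacement
# ("intercepted (orig->hook)") and inline patching ("Method of JmpTo").
SSDT_RE = re.compile(
    r"^Function (?P<name>\w+) \((?P<index>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<hook>[0-9A-Fa-f]+)\), hook (?P<driver>.+?)"
    r"(?P<trusted>, driver recognized as trusted)?$"
)
INLINE_RE = re.compile(
    r"^Function (?P<name>\w+) \((?P<addr>[0-9A-Fa-f]+)\) - machine code modification "
    r"Method of JmpTo\. jmp (?P<hook>[0-9A-Fa-f]+) (?P<driver>.+?)"
    r"(?P<trusted>, driver recognized as trusted)?$"
)
SUMMARY_RE = re.compile(r"^Functions checked: (\d+), intercepted: (\d+), restored: (\d+)$")
RESTORED_LINE = ">>> Function restored successfully !"


def parse_antirootkit(lines):
    """Collect SSDT hooks, inline patches, AVZ's restore lines and its summary line."""
    out = {"ssdt": [], "inline": [], "restored_lines": 0, "summary": None}
    for raw in lines:
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            out["ssdt"].append({"name": m["name"], "index": int(m["index"], 16),
                                "orig": int(m["orig"], 16), "hook": int(m["hook"], 16),
                                "driver": m["driver"], "trusted": m["trusted"] is not None})
            continue
        m = INLINE_RE.match(line)
        if m:
            out["inline"].append({"name": m["name"], "addr": int(m["addr"], 16),
                                  "hook": int(m["hook"], 16), "driver": m["driver"],
                                  "trusted": m["trusted"] is not None})
            continue
        if line == RESTORED_LINE:
            out["restored_lines"] += 1
            continue
        m = SUMMARY_RE.match(line)
        if m:
            out["summary"] = {"checked": int(m[1]), "intercepted": int(m[2]), "restored": int(m[3])}
    return out


def hooks_by_driver(parsed):
    """How many kernel entry points each driver image owns; a rootkit rarely hooks just one."""
    return Counter(h["driver"] for kind in ("ssdt", "inline") for h in parsed[kind])


def triage(parsed, driver_dir="\\system32\\drivers\\"):
    """Flag hooks AVZ did not vouch for, or whose image lives outside the driver directory."""
    findings = []
    for kind in ("ssdt", "inline"):
        for h in parsed[kind]:
            reasons = []
            if not h["trusted"]:
                reasons.append("driver not in AVZ's trusted database")
            if driver_dir not in h["driver"].lower():
                reasons.append("image outside system32\\drivers")
            if reasons:
                findings.append((kind, h["name"], h["driver"], reasons))
    return findings


def check_summary(parsed):
    """'intercepted' should equal the SSDT hook count; 'restored' the SSDT + inline count."""
    s = parsed["summary"]
    want_intercepted = len(parsed["ssdt"])
    want_restored = len(parsed["ssdt"]) + len(parsed["inline"])
    return {
        "intercepted_ok": s is not None and s["intercepted"] == want_intercepted,
        "restored_ok": s is not None and s["restored"] == want_restored == parsed["restored_lines"],
        "expected_restored": want_restored,
    }


# Constructed sample: lines copied from the log plus one invented untrusted hook
# (example.sys under C:\WINDOWS\Temp) and a summary line adjusted to this sample.
SAMPLE_LOG = r"""
Function NtCreateFile (25) intercepted (80579084->F3160B9C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (805CB408->F315F3B2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (115) intercepted (805B4394->F315F4F0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySystemInformation (AD) intercepted (8057D9A6->F9C2A1B0), hook C:\WINDOWS\Temp\example.sys
>>> Function restored successfully !
>>> Hook code blocked
Function FsRtlCheckLockForReadAccess (804EAF84) - machine code modification Method of JmpTo. jmp F3176626 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
Function IoIsOperationSynchronous (804EF912) - machine code modification Method of JmpTo. jmp F31769E0 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
>>> Function restored successfully !
Functions checked: 284, intercepted: 4, restored: 6
""".strip().splitlines()

if __name__ == "__main__":
    parsed = parse_antirootkit(SAMPLE_LOG)
    print(hooks_by_driver(parsed))
    print(check_summary(parsed))
    for kind, name, driver, reasons in triage(parsed):
        print(f"{kind}: {name} -> {driver}: {'; '.join(reasons)}")
```

Run against the full section above, the same code groups all 41 entries under klif.sys, reports no findings, and confirms that 39 + 2 equals the 41 restores AVZ claims. A hook whose driver is not in AVZ's trusted list, or that lands on a mismatched count, is where the investigation starts.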
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 52
Number of modules loaded: 501
Scanning memory - complete
3. Scanning disks
Direct reading C:\Documents and Settings\DAVID THOMAS\Local Settings\Temp\~DF49C3.tmp
Direct reading C:\Documents and Settings\DAVID THOMAS\Local Settings\Temp\~DF5350.tmp
Direct reading C:\Documents and Settings\DAVID THOMAS\Local Settings\Temp\~DFE870.tmp
Direct reading C:\Documents and Settings\DAVID THOMAS\Local Settings\Temp\~DFE9FA.tmp
Direct reading C:\Documents and Settings\DAVID THOMAS\Local Settings\Temp\~DFEC20.tmp
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1\MZVKBD.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\MZVKBD3.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\ADIALHK.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\KLOEHK.DLL"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Alerter (Alerter)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 118505, extracted from archives: 93713, malicious software found 0, suspicions - 0
Scanning finished at 20/06/2009 12:37:37
!!! Attention !!! Recovered 41 KiST functions during Anti-Rootkit operation
This may affect execution of several programs, so it is strongly recommended to reboot
Time of scanning: 00:45:22
If you suspect that viruses are present, or have questions about the suspected objects,
you can ask on the http://virusinfo.info forum
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
Script commands
Add commands to script:
  Blocking hooks using Anti-Rootkit
  Enable AVZGuard
  BootCleaner - import list of deleted files
  Registry cleanup after deleting files
  BootCleaner - activate
  Reboot
  Insert template for QuarantineFile() - quarantining file
  Insert template for BC_QrFile() - quarantining file via BootCleaner
  Insert template for DeleteFile() - deleting file
  Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
  Performance tweaking: disable service TermService (Terminal Services)
  Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
  Performance tweaking: disable service Alerter (Alerter)
  Performance tweaking: disable service Schedule (Task Scheduler)
  Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
  Security tweaking: disable CD autorun
  Security tweaking: disable administrative shares
  Security tweaking: disable anonymous user access
File list
File name | PID | Description | Copyright | MD5 | Size, attributes | Created | Modified | Command line
avp.exe | 840 | | | ?? | error getting file info | | |
avp.exe | 2328 | | | ?? | error getting file info | | |
c:\program files\intel\wifi\bin\evteng.exe | 936 | Intel® PROSet/Wireless Event Log Service | Copyright © Intel Corporation 1999-2008 | ?? | 840.00 kb, rsAh | 02/10/2008 12:26:42 | 02/10/2008 12:26:42 | "C:\Program Files\Intel\WiFi\bin\EvtEng.exe"
c:\windows\explorer.exe | 1868 | Windows Explorer | © Microsoft Corporation. All rights reserved. | ?? | 1009.50 kb, rsAh | 16/03/2006 03:54:27 | 14/04/2008 01:12:19 | C:\WINDOWS\Explorer.EXE
c:\program files\internet explorer\iexplore.exe | 3980 | Internet Explorer | © Microsoft Corporation. All rights reserved. | ?? | 623.84 kb, rsAh | 16/03/2006 13:11:34 | 08/03/2009 15:09:26 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3452 CREDAT:79873
c:\program files\common files\intel\wirelesscommon\ifrmewrk.exe | 2280 | Intel® PROSet/Wireless Framework | Copyright © Intel Corporation 1999-2008 | ?? | 1164.00 kb, rsAh | 02/10/2008 11:57:52 | 02/10/2008 11:57:52 | "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
c:\program files\java\jre6\bin\jqs.exe | 1192 | Java Quick Starter Service | Copyright © 2004 | ?? | 149.40 kb, rsAh | 14/03/2009 09:30:53 | 21/05/2009 11:34:05 | "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
c:\program files\common files\intel\wirelesscommon\regsrvc.exe | 156 | Intel® PROSet/Wireless Registry Service | Copyright © Intel Corporation 1999-2008 | ?? | 456.00 kb, rsAh | 02/10/2008 11:56:44 | 02/10/2008 11:56:44 | "C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe"
c:\program files\intel\wifi\bin\s24evmon.exe | 1924 | Intel® Wireless Management Service | Copyright © Intel Corporation 1999-2008 | ?? | 884.00 kb, rsAh | 02/10/2008 12:06:56 | 02/10/2008 12:06:56 | "C:\Program Files\Intel\WiFi\bin\S24EvMon.exe"
c:\program files\sony\vaio power management\spmgr.exe | 2232 | SPM Module | Copyright 2003-2006 Sony Corporation | ?? | 212.00 kb, rsAh | 16/03/2006 18:44:23 | 13/12/2005 23:43:40 | "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
c:\program files\sony\wireless switch setting utility\switcher.exe | 2260 | Wireless Switch Setting Utility | Copyright 2004-2006 Sony Corp. | ?? | 172.00 kb, rsAh | 16/03/2006 18:44:39 | 14/02/2006 13:11:46 | "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
c:\windows\system32\wbem\wmiprvse.exe | 2948 | WMI | © Microsoft Corporation. All rights reserved. | ?? | 222.50 kb, rsAh | 16/03/2006 13:08:23 | 06/02/2009 11:10:02 | C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
c:\program files\intel\wifi\bin\zcfgsvc.exe | 2268 | Intel® PROSet/Wireless Zero Config Service | Copyright © Intel Corporation 1999-2008 | ?? | 1336.00 kb, rsAh | 02/10/2008 12:16:00 | 02/10/2008 12:16:00 | "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
Detected:53, recognized as trusted 44
Module name | Handle | Description | Copyright | MD5 | Used by processes
C:\Program Files\Common Files\Intel\WirelessCommon\FrameworkPlugins\ConnMgr.dll | 14942208 | Intel® PROSet/Wireless WiFi Module | Copyright © Intel Corporation 1999-2008 | -- | 2280
C:\Program Files\Common Files\Intel\WirelessCommon\FrameworkPlugins\WiWiTray.dll | 14286848 | Intel® PROSet/Wireless Combined Task Tray Module | Copyright © Intel Corporation 1999-2008 | -- | 2280
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe | 4194304 | Intel® PROSet/Wireless Framework | Copyright © Intel Corporation 1999-2008 | ?? | 2280
C:\Program Files\Common Files\Intel\WirelessCommon\PsRegApi.dll | 11730944 | Intel® PROSet/Wireless Registry API Module | Copyright © Intel Corporation 1999-2008 | -- | 936, 2280, 1924, 2260, 2948, 2268
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe | 4194304 | Intel® PROSet/Wireless Registry Service | Copyright © Intel Corporation 1999-2008 | ?? | 156
C:\Program Files\Common Files\Intel\WirelessCommon\TraceApi.dll | 12451840 | Intel® PROSet/Wireless Trace API Module | Copyright © Intel Corporation 1999-2008 | -- | 936, 2280, 1924, 2260, 2948, 2268
C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_6BC68FE03E7B66EC.dll | 40828928 | Google Toolbar for Internet Explorer | Copyright © 2000-2009 | -- | 3980
C:\Program Files\Intel\WiFi\bin\DbEngine.dll | 115015680 | Intel® PROSet/Wireless Secure DB Engine | Copyright © Intel Corporation 1999-2008 | -- | 2280, 2268
C:\Program Files\Intel\WiFi\bin\EvtEng.exe | 4194304 | Intel® PROSet/Wireless Event Log Service | Copyright © Intel Corporation 1999-2008 | ?? | 936
C:\Program Files\Intel\WiFi\bin\IntStngs.dll | 3538944 | Intel® PROSet/Wireless Application Settings Module | Copyright © Intel Corporation 1999-2008 | -- | 936, 2280, 1924, 2268
C:\Program Files\Intel\WiFi\bin\IWMSPROV.DLL | 3473408 | | | -- | 1924, 2948
C:\Program Files\Intel\WiFi\bin\KmmdlPlugins\SupplicantPlugin.dll | 21823488 | Intel® PROSet/Wireless Supplicant Plugin | Copyright © Intel Corporation 2007-2008 | -- | 1924
C:\Program Files\Intel\WiFi\bin\KmmdlPlugins\WSCPlugin.dll | 119144448 | Intel® PROSet/Wireless WSC Plugin Module | Copyright © Intel Corporation 2007-2008 | -- | 1924
C:\Program Files\Intel\WiFi\bin\MurocApi.dll | 5111808 | Intel® PROSet/Wireless Muroc API Module | Copyright © Intel Corporation 1999-2008 | -- | 936, 2280, 2268
C:\Program Files\Intel\WiFi\bin\PfMgrApi.dll | 268435456 | Intel® PROSet/Wireless Profile Manager API Module | Copyright © Intel Corporation 1999-2008 | -- | 936, 2280, 2268
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe | 4194304 | Intel® Wireless Management Service | Copyright © Intel Corporation 1999-2008 | ?? | 1924
C:\Program Files\Intel\WiFi\bin\S24MUDLL.dll | 119996416 | Intel® PROSet/Wireless S24EvMon Module | Copyright © Intel Corporation 1999-2008 | -- | 936, 2280, 2268
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe | 4194304 | Intel® PROSet/Wireless Zero Config Service | Copyright © Intel Corporation 1999-2008 | ?? | 2268
C:\Program Files\Java\jre6\bin\jqs.exe | 4194304 | Java Quick Starter Service | Copyright © 2004 | ?? | 1192
C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll | 1840119808 | Java Quick Starter binary | Copyright © 2004 | -- | 3980
C:\Program Files\Sony\VAIO Power Management\SPMDrv.dll | 11534336 | SPM driver | Copyright 2003-2006 Sony Corporation | -- | 2232
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe | 4194304 | SPM Module | Copyright 2003-2006 Sony Corporation | ?? | 2232
C:\PROGRA~1\GOOGLE~1\GoogleAFE.dll | 58916864 | GoogleAFE.dll | © Google. All rights reserved. | -- | 3980
C:\WINDOWS\system32\netprovcredman.dll | 268435456 | Intel® Network Provider Credential Manager | Copyright © Intel Corporation 2007-2008 | -- | 1868, 3980
Modules detected:449, recognized as trusted 425
Kernel Space Modules Viewer
Module | Base address | Size in memory | Description | Manufacturer
C:\WINDOWS\system32\DRIVERS\s24trans.sys | BACFC000 | 003000 (12288) | Intel WLAN Packet Driver | Copyright © Intel Corporation, Inc. 2002-2007 Copyright © Symbol Technologies, Inc. 1995-1998
Modules detected - 136, recognized as trusted - 135
Services
Service | Description | Status | File | Group | Dependencies
EvtEng | Intel® PROSet/Wireless Event Log | Running | C:\Program Files\Intel\WiFi\bin\EvtEng.exe | | RPCSS
JavaQuickStarterService | Java Quick Starter | Running | C:\Program Files\Java\jre6\bin\jqs.exe | |
RegSrvc | Intel® PROSet/Wireless Registry Service | Running | C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe | | RPCSS
S24EventMonitor | Intel® PROSet/Wireless WiFi Service | Running | C:\Program Files\Intel\WiFi\bin\S24EvMon.exe | NDIS | s24trans
getPlus® Helper | getPlus® Helper | Not started | C:\Program Files\NOS\bin\getPlus_HelperSvc.exe | | RPCSS
GoogleDesktopManager-110408-113106 | Google Desktop Manager 5.8.811.4345 | Not started | C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe | | RPCSS
Image Converter video recording monitor for VAIO Entertainment | Image Converter video recording monitor for VAIO Entertainment | Not started | C:\Program Files\Sony\Image Converter 2\IcVzMon.exe | | VAIO Entertainment Aggregation and Control Service
MSCSPTISRV | MSCSPTISRV | Not started | C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe | | RPCSS
PACSPTISVR | PACSPTISVR | Not started | C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe | | RPCSS
SonicStage Back-End Service | SonicStage Back-End Service | Not started | C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe | | RPCSS
SPTISRV | Sony SPTI Service | Not started | C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe | | RPCSS
SSScsiSV | SonicStage SCSI Service | Not started | C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe | | RPCSS
VAIO Entertainment TV Device Arbitration Service | VAIO Entertainment TV Device Arbitration Service | Not started | C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe | | RPCSS
VAIOMediaPlatform-IntegratedServer-AppServer | VAIO Media Integrated Server | Not started | C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe | |
VAIOMediaPlatform-IntegratedServer-HTTP | VAIO Media Integrated Server (HTTP) | Not started | C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe | | VAIOMediaPlatform-IntegratedServer-AppServer
VAIOMediaPlatform-IntegratedServer-UPnP | VAIO Media Integrated Server (UPnP) | Not started | C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe | | VAIOMediaPlatform-IntegratedServer-HTTP
VAIOMediaPlatform-Mobile-Gateway | VAIO Media Gateway Server | Not started | VAIOMediaPlatform-Mobile-Gateway.sys | |
VCI | VAIO Cooporated Initialisation | Not started | C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe | |
VzCdbSvc | VAIO Entertainment Database Service | Not started | C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe | | RPCSS
VzFw | VAIO Entertainment File Import Service | Not started | C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe | | RPCSS
WSearch | Windows Search | Not started | C:\WINDOWS\system32\SearchIndexer.exe | | TermService
Detected - 123, recognized as trusted - 102
Drivers
Driver | Description | Status | File | Group | Dependencies
s24trans | WLAN Transport | Running | C:\WINDOWS\system32\DRIVERS\s24trans.sys | NDIS |
Abiosdsk | Abiosdsk | Not started | Abiosdsk.sys | Primary disk |
abp480n5 | abp480n5 | Not started | abp480n5.sys | SCSI miniport |
adpu160m | adpu160m | Not started | adpu160m.sys | SCSI miniport |
Aha154x | Aha154x | Not started | Aha154x.sys | SCSI miniport |
aic78u2 | aic78u2 | Not started | aic78u2.sys | SCSI miniport |
aic78xx | aic78xx | Not started | aic78xx.sys | SCSI miniport |
AliIde | AliIde | Not started | AliIde.sys | System Bus Extender |
amsint | amsint | Not started | amsint.sys | SCSI miniport |
asc | asc | Not started | asc.sys | SCSI miniport |
asc3350p | asc3350p | Not started | asc3350p.sys | SCSI miniport |
asc3550 | asc3550 | Not started | asc3550.sys | SCSI miniport |
Atdisk | Atdisk | Not started | Atdisk.sys | Primary disk |
cd20xrnt | cd20xrnt | Not started | cd20xrnt.sys | SCSI miniport |
Changer | Changer | Not started | Changer.sys | Filter |
CmdIde | CmdIde | Not started | CmdIde.sys | System Bus Extender |
Cpqarray | Cpqarray | Not started | Cpqarray.sys | SCSI miniport |
dac960nt | dac960nt | Not started | dac960nt.sys | SCSI miniport |
dpti2o | dpti2o | Not started | dpti2o.sys | SCSI miniport |
hpn | hpn | Not started | hpn.sys | SCSI miniport |
i2omgmt | i2omgmt | Not started | i2omgmt.sys | SCSI Class |
i2omp | i2omp | Not started | i2omp.sys | SCSI miniport |
ini910u | ini910u | Not started | ini910u.sys | SCSI miniport |
IntelIde | IntelIde | Not started | IntelIde.sys | System Bus Extender |
lbrtfdc | lbrtfdc | Not started | lbrtfdc.sys | System Bus Extender |
MEMSWEEP2 | MEMSWEEP2 | Not started | C:\WINDOWS\system32\17E.tmp | |
mraid35x | mraid35x | Not started | mraid35x.sys | SCSI miniport |
PCIDump | PCIDump | Not started | PCIDump.sys | PCI Configuration |
PDCOMP | PDCOMP | Not started | PDCOMP.sys | |
PDFRAME | PDFRAME | Not started | PDFRAME.sys | |
PDRELI | PDRELI | Not started | PDRELI.sys | |
PDRFRAME | PDRFRAME | Not started | PDRFRAME.sys | |
perc2 | perc2 | Not started | perc2.sys | SCSI miniport |
perc2hib | perc2hib | Not started | perc2hib.sys | Filter |
ql1080 | ql1080 | Not started | ql1080.sys | SCSI miniport |
Ql10wnt | Ql10wnt | Not started | Ql10wnt.sys | SCSI miniport |
ql12160 | ql12160 | Not started | ql12160.sys | SCSI miniport |
ql1240 | ql1240 | Not started | ql1240.sys | SCSI miniport |
ql1280 | ql1280 | Not started | ql1280.sys | SCSI miniport |
Simbad | Simbad | Not started | Simbad.sys | Filter |
Sparrow | Sparrow | Not started | Sparrow.sys | SCSI miniport |
sym_hi | sym_hi | Not started | sym_hi.sys | SCSI miniport |
sym_u3 | sym_u3 | Not started | sym_u3.sys | SCSI miniport |
symc810 | symc810 | Not started | symc810.sys | SCSI miniport |
symc8xx | symc8xx | Not started | symc8xx.sys | SCSI miniport |
TosIde | TosIde | Not started | TosIde.sys | System Bus Extender |
TosRfSnd | Bluetooth Audio Device (WDM) from TOSHIBA | Not started | C:\WINDOWS\system32\drivers\TosRfSnd.sys | |
ultra | ultra | Not started | ultra.sys | SCSI miniport |
ViaIde | ViaIde | Not started | ViaIde.sys | System Bus Extender |
WDICA | WDICA | Not started | WDICA.sys | |
Detected - 216, recognized as trusted - 166
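One row in the drivers table stands out on shape alone: MEMSWEEP2, whose image is C:\WINDOWS\system32\17E.tmp. A kernel driver image with a .tmp extension and a bare hex name is worth a second look in any driver listing. It is how some on-demand anti-rootkit scanners stage a transient driver (the MEMSWEEP2 name is usually attributed to Sophos Anti-Rootkit), and it is also how droppers stage kernel components, so the hit is a prompt to examine the file, not a verdict. The following is an added example, not AVZ's own code, that applies that kind of path heuristic to driver rows. The sample rows are taken from the table above, plus one constructed entry (a hypothetical exampledrv under a Temp directory); stock XP miniports that AVZ lists by bare file name are left alone, since they resolve from system32\drivers at load time.

```python
import ntpath

# Added example, not AVZ's own code: path heuristics over a driver table such as
# AVZ's "Drivers" section. Each input row is (service name, image path).

# Directories a legitimate kernel driver image should not normally be loaded from.
WRITABLE_DIR_FRAGMENTS = ("\\temp\\", "\\tmp\\", "\\documents and settings\\",
                          "\\users\\", "\\programdata\\", "\\recycler\\")
HEX_DIGITS = set("0123456789abcdef")


def classify_driver(image):
    """Return the reasons a driver image path deserves a second look (empty = nothing odd)."""
    low = image.lower().replace("/", "\\")
    if "\\" not in low:
        # Bare file name: AVZ lists the stock XP SCSI/IDE miniports (Abiosdsk.sys,
        # aic78xx.sys, ...) this way; they resolve from system32\drivers at load time.
        return []
    stem, ext = ntpath.splitext(ntpath.basename(low))
    reasons = []
    if ext != ".sys":
        reasons.append(f"driver image has extension {ext!r}, not .sys")
    if any(frag in low for frag in WRITABLE_DIR_FRAGMENTS):
        reasons.append("image in a temporary or user-writable directory")
    elif "\\system32\\" not in low:
        reasons.append("image outside system32")
    if stem and set(stem) <= HEX_DIGITS:
        reasons.append("file name is a bare hex string (typical of dropped or temp-created images)")
    return reasons


def triage_drivers(rows):
    """Keep only the rows with at least one reason, in table order, for the report."""
    findings = []
    for name, image in rows:
        reasons = classify_driver(image)
        if reasons:
            findings.append((name, image, reasons))
    return findings


# Constructed sample: four rows from the log plus one invented Temp-directory driver.
SAMPLE_ROWS = [
    ("s24trans", r"C:\WINDOWS\system32\DRIVERS\s24trans.sys"),
    ("Abiosdsk", "Abiosdsk.sys"),
    ("MEMSWEEP2", r"C:\WINDOWS\system32\17E.tmp"),
    ("TosRfSnd", r"C:\WINDOWS\system32\drivers\TosRfSnd.sys"),
    ("exampledrv", r"C:\DOCUME~1\user\LOCALS~1\Temp\example.sys"),  # constructed
]

if __name__ == "__main__":
    for name, image, reasons in triage_drivers(SAMPLE_ROWS):
        print(f"{name}: {image}")
        for reason in reasons:
            print(f"    - {reason}")
```

The hex-name rule is deliberately strict (the whole stem must be hex digits), which keeps the false-positive rate low on real driver names; the next step for any hit is to pull the file, check its signature and hashes, and compare the service's registry key against what the installed security tools are known to create.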
Autoruns
File name | Status | Startup method | Description
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IntelWireless |
C:\Program Files\Common Files\Real\Update_OB\realsched.exe | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TkBellExe |
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Google Desktop Search |
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IntelZeroConfig |
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SonyPowerCfg |
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {56F9679E-7826-4C84-81F3-532071A8BCC5} |
C:\WINDOWS\System32\srchadmin.dll | Active | Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}, DLLName |
C:\WINDOWS\System32\vaiomov.scr | Active | Registry key HKEY_USERS, .DEFAULT\Control Panel\Desktop, scrnsave.exe |
Autoruns items detected - 85, recognized as trusted - 77
Internet Explorer extension modules (BHOs, Toolbars ...)
File name | Type | Description | Manufacturer | CLSID
C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll | BHO | | | {3049C3E9-B461-4BC5-8870-4C09146192CA}
C:\PROGRA~1\GOOGLE~1\GoogleAFE.dll | BHO | GoogleAFE.dll | © Google. All rights reserved. | {CA6319C0-31B7-401E-A518-A07C3DB8F777}
C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll | BHO | Java Quick Starter binary | Copyright © 2004 | {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
Elements detected - 13, recognized as trusted - 10
Windows Explorer extension modules
File name | Destination | Description | Manufacturer | CLSID
deskpan.dll | Display Panning CPL Extension | | | {42071714-76d4-11d1-8b24-00a0c9068ff3}
| Shell extensions for file compression | | | {764BF0E1-F219-11ce-972D-00AA00A14F56}
| Encryption Context Menu | | | {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
| Taskbar and Start Menu | | | {0DF44EAA-FF21-4412-828E-260A8728E7F1}
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer | Autoplay for SlideShow | | | {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
| User Accounts | | | {7A9D77BD-5403-11d2-8785-2E0420524153}
C:\Program Files\Sony\VAIO Power Management\SPMPanel.dll | Sony Power Management Extensiond | SPM Module | Copyright 2003-2006 Sony Corporation | {ED58A35B-B554-42AF-A26C-6F3D424200D3}
C:\Program Files\Real\RealPlayer\rpshell.dll | Shell Extensions for RealOne Player | | | {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
| Windows Search Shell Service | | | {da67b8ad-e81b-4c70-9b91-b417b5e33527}
C:\WINDOWS\system32\propsys.dll | Office Document Property Handler | | | {97e467b4-98c6-4f19-9588-161b7773d6f6}
C:\Program Files\Windows Desktop Search\deskbar.dll | Windows Search Deskbar | | | {97090E2F-3062-4459-855B-014F0D3CDBB1}
C:\Program Files\Windows Desktop Search\msnlExt.dll | Windows Desktop Search | | | {13E7F612-F261-4391-BEA2-39DF4F3FA311}
Elements detected - 217, recognized as trusted - 205
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 10, recognized as trusted - 10
Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 2, recognized as trusted - 2
SPI/LSP settings
Namespace providers (NSP) Manufacturer Status EXE file Description GUID
Detected - 4, recognized as trusted - 4
Transport protocol providers (TSP, LSP) Manufacturer EXE file Description
Detected - 39, recognized as trusted - 39
Results of automatic SPI settings check
LSP settings checked. No errors detected
TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 2208 [1768] c:\windows\system32\svchost.exe
139 LISTENING 0.0.0.0 14391 [4] System
445 LISTENING 0.0.0.0 2272 [4] System
1037 LISTENING 0.0.0.0 51266 [2884] c:\windows\system32\alg.exe
1110 LISTENING 0.0.0.0 55323 [840] avp.exe
5152 CLOSE_WAIT 127.0.0.1 1059 [1192] c:\program files\java\jre6\bin\jqs.exe
5152 LISTENING 0.0.0.0 2212 [1192] c:\program files\java\jre6\bin\jqs.exe
19780 LISTENING 0.0.0.0 28889 [840] avp.exe
UDP ports
123 LISTENING -- -- [1808] c:\windows\system32\svchost.exe
123 LISTENING -- -- [1808] c:\windows\system32\svchost.exe
137 LISTENING -- -- [4] System
138 LISTENING -- -- [4] System
445 LISTENING -- -- [4] System
500 LISTENING -- -- [1512] c:\windows\system32\lsass.exe
1053 LISTENING -- -- [3980] c:\program files\internet explorer\iexplore.exe
1900 LISTENING -- -- [1936] c:\windows\system32\svchost.exe
1900 LISTENING -- -- [1936] c:\windows\system32\svchost.exe
3776 LISTENING -- -- [1328] c:\windows\ehome\mcrdsvc.exe
4500 LISTENING -- -- [1512] c:\windows\system32\lsass.exe
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll
Microsoft Update Catalog Web Control  © Microsoft Corporation. All rights reserved.  {5AE58FCF-6F6A-49B2-B064-02492C66E3F4}
http://catalog.update.microsoft.com/v7/sit...b?1229234525718
C:\WINDOWS\Downloaded Program Files\wlscBase.dll
Windows Live OneCare Safety Scanner Base Module  © Microsoft Corporation. All rights reserved  {5ED80217-570B-4DA9-BF44-BE107C0EC166}
http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
C:\Program Files\DivX\DivX Web Player\npdivx32.dll
{67DABFBF-D0AB-41FA-9C46-CC0F21721616}
http://download.divx.com/player/DivXBrowserPlugin.cab
C:\WINDOWS\Downloaded Program Files\gp.ocx
{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
C:\WINDOWS\Downloaded Program Files\clearadjust.dll
ClearAdjust Module  Copyright 2001 - 2003, Microsoft Corp.  {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
http://download.microsoft.com/download/7/E...04/clearadj.cab
C:\WINDOWS\DOWNLO~1\ACTIVE~1.OCX
{E001C731-5E37-4538-A5CB-8168736A2360}
http://91.199.104.31/cab/ActiveQscan.cab
Elements detected - 11, recognized as trusted - 5
Control Panel Applets (CPL)
File name Description Manufacturer
C:\WINDOWS\system32\nvcpl.cpl
NVIDIA nvCpl Control Panel Applet 1.0.7.3  © NVIDIA Corporation. All rights reserved.
C:\WINDOWS\system32\stac97.cpl
STacGUI Module  Copyright © 2004-2005, SigmaTel, Inc.
Elements detected - 30, recognized as trusted - 28
Active Setup
File name Description Manufacturer CLSID
Elements detected - 16, recognized as trusted - 16
HOSTS file
Hosts file record
127.0.0.1 localhost
Protocols and handlers
File name Type Description Manufacturer CLSID
Elements detected - 33, recognized as trusted - 33
Suspicious objects
File Description Type
C:\WINDOWS\system32\DRIVERS\klif.sys
Suspicion for Rootkit  Kernel-mode hook
--------------------------------------------------------------------------------
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 20/06/2009 13:01:57
Database loaded: signatures - 228068, NN profile(s) - 2, microprograms of healing - 56, signature database released 18.06.2009 19:50
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 123500
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: Disabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504460 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (805EBB3E->F39461DA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtClose (19) intercepted (805BC4F8->F39467AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805A45B4->F39481EA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateFile (25) intercepted (80579084->F3947B9C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (806237B0->F3945950), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (805C39C2->F3949B7C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (805D0FE0->F39465AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (80623C40->F3945D92), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80623E10->F3945F92), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeviceIoControlFile (42) intercepted (8057924A->F3947EAC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BDFD0->F394A084), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80623FF0->F39460A8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (8062425A->F3946110), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtFsControlFile (54) intercepted (8057927E->F3947D5E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (8058413A->F3949620), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8057A182->F39479F8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80624B82->F3945AB2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805CB408->F39463B2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (805AA3D2->F3949BA6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenThread (80) intercepted (805CB694->F39462FE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80624EA8->F3946178), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (806228FE->F3945E7C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (806219E8->F3945C5A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueueApcThread (B4) intercepted (805D123E->F3949888), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (8062585C->F39455D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (805A2D5A->F3948A74), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (80625168->F3945734), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (805D4982->F3949F56), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (80625264->F39453D0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSecureConnectPort (D2) intercepted (805A3D48->F394808C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (805D1702->F39466AC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (805C05F6->F394971A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSystemInformation (F0) intercepted (8060F3E4->F3949BD0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80621D36->F3945B08), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendProcess (FD) intercepted (805D4A4A->F3949CB4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805D48BC->F3949DE0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSystemDebugControl (FF) intercepted (80617798->F394954C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805D29AA->F394647E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (805B4394->F39464F0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (804EAF84) - machine code modification Method of JmpTo. jmp F395D626 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804EF912) - machine code modification Method of JmpTo. jmp F395D9E0 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 39, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 50
Analyzer: process under analysis is 1924 C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 936 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1192 C:\Program Files\Java\jre6\bin\jqs.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
Analyzer: process under analysis is 156 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 2232 C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Number of modules loaded: 411
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1\MZVKBD.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\MZVKBD3.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\ADIALHK.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\KLOEHK.DLL"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Alerter (Alerter)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 461, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 20/06/2009 13:03:01
Time of scanning: 00:01:10
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
File list
================
DDS Log
DDS (Ver_09-05-14.01) - NTFSx86
Run by DAVID THOMAS at 0:42:26.35 on 21/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.206 [GMT 1:00]
AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Apoint\Apvfb.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\DAVID THOMAS\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.orange.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\progra~1\google~1\GoogleAFE.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1229234525718
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229137697812
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229234772109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\KLOEHK.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau
============= SERVICES / DRIVERS ===============
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-12-21 226832]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-16 29184]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-16 808448]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-2-15 13224]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-15 30192]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17e.tmp --> c:\windows\system32\17E.tmp [?]
S4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
S4 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
=============== Created Last 30 ================
2009-06-21 00:02 <DIR> --d----- c:\docume~1\davidt~1\applic~1\Uniblue
2009-06-21 00:01 <DIR> --d----- c:\program files\Uniblue
2009-06-21 00:01 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-06-20 13:06 <DIR> --d----- c:\program files\Trend Micro
2009-06-19 21:31 11,264 a------- c:\windows\system32\drivers\uzi3ndyy.sys
2009-06-13 20:05 <DIR> --d----- c:\program files\Toshiba
2009-06-12 17:50 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-06-10 00:43 <DIR> --d----- C:\PerfLogs
2009-06-09 20:09 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 20:09 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-08 08:00 <DIR> --d----- c:\program files\Wanadoo
2009-06-08 07:49 17,134 a------- c:\windows\system32\PCANDIS5.sys
2009-06-08 07:49 81,920 a------- c:\windows\system32\W32N50.dll
2009-06-06 20:10 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-06-06 20:10 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-06-06 20:08 11,648 ac------ c:\windows\system32\dllcache\scsiprnt.sys
2009-06-06 20:07 62,496 ac------ c:\windows\system32\dllcache\s3mtrio.dll
2009-06-06 20:06 86,097 ac------ c:\windows\system32\dllcache\reslog32.dll
2009-06-06 20:05 112,574 ac------ c:\windows\system32\dllcache\ptserlp.sys
2009-06-06 20:04 105,984 ac------ c:\windows\system32\dllcache\phdsext.ax
2009-06-06 20:03 39,424 ac------ c:\windows\system32\dllcache\ovcoms.exe
2009-06-06 20:02 51,552 ac------ c:\windows\system32\dllcache\ntgrip.sys
2009-06-06 20:02 38,912 ac------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-06-06 20:02 9,344 ac------ c:\windows\system32\dllcache\ntapm.sys
2009-06-06 20:02 7,552 ac------ c:\windows\system32\dllcache\nsmmc.sys
2009-06-06 20:02 28,672 ac------ c:\windows\system32\dllcache\nscirda.sys
2009-06-06 19:57 35,392 ac------ c:\windows\system32\dllcache\n9i128.dll
2009-06-06 19:56 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-06-06 19:55 7,424 ac------ c:\windows\system32\dllcache\mammoth.sys
2009-06-06 19:54 26,442 ac------ c:\windows\system32\dllcache\lanepic5.sys
2009-06-06 19:53 45,632 ac------ c:\windows\system32\dllcache\ip5515.sys
2009-06-06 19:52 26,624 ac------ c:\windows\system32\dllcache\icam3ext.dll
2009-06-06 19:51 391,199 ac------ c:\windows\system32\dllcache\hsf_k56k.sys
2009-06-06 19:50 48,128 ac------ c:\windows\system32\dllcache\hpgt33tk.dll
2009-06-06 19:49 92,160 ac------ c:\windows\system32\dllcache\fuusd.dll
2009-06-06 19:48 45,568 ac------ c:\windows\system32\dllcache\esuni.dll
2009-06-06 19:47 171,520 ac------ c:\windows\system32\dllcache\el99xn51.sys
2009-06-06 19:46 952,007 ac------ c:\windows\system32\dllcache\diwan.sys
2009-06-06 19:45 63,208 ac------ c:\windows\system32\dllcache\dc21x4.sys
2009-06-06 19:44 39,936 ac------ c:\windows\system32\dllcache\cnxt1803.sys
2009-06-06 19:43 66,082 ac------ c:\windows\system32\dllcache\c_20269.nls
2009-06-06 19:42 17,152 ac------ c:\windows\system32\dllcache\atitunep.sys
2009-06-06 19:41 148,352 ac------ c:\windows\system32\dllcache\3dfxvsm.sys
2009-06-06 19:41 689,216 ac------ c:\windows\system32\dllcache\3dfxvs.dll
2009-06-06 19:41 762,780 ac------ c:\windows\system32\dllcache\3cwmcru.sys
2009-06-06 19:41 11,264 ac------ c:\windows\system32\dllcache\1394vdbg.sys
2009-06-06 19:40 7,168 ac------ c:\windows\system32\dllcache\wamregps.dll
2009-06-06 19:40 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2009-06-06 19:40 19,968 ac------ c:\windows\system32\dllcache\inetsloc.dll
2009-06-06 19:40 169,984 ac------ c:\windows\system32\dllcache\iisui.dll
2009-06-06 19:40 7,680 ac------ c:\windows\system32\dllcache\inetmgr.exe
2009-06-06 19:40 14,336 ac------ c:\windows\system32\dllcache\iisreset.exe
2009-06-06 19:40 5,632 ac------ c:\windows\system32\dllcache\iisrstap.dll
2009-06-06 19:40 6,144 ac------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-06-06 19:40 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2009-06-06 18:03 15,872 ac------ c:\windows\system32\dllcache\smierrsm.dll
2009-06-06 18:03 10,240 ac------ c:\windows\system32\dllcache\snmpstup.dll
2009-06-06 18:03 5,632 ac------ c:\windows\system32\dllcache\smimsgif.dll
2009-06-06 18:03 5,632 ac------ c:\windows\system32\dllcache\smierrsy.dll
2009-05-30 02:56 <DIR> --d----- c:\docume~1\davidt~1\applic~1\Windows Search
2009-05-29 22:58 <DIR> --d----- c:\program files\Windows Desktop Search
2009-05-27 21:56 44 a------- c:\windows\system32\mhncache.dat
2009-05-27 02:33 <DIR> --d----- c:\program files\MetaGeek
2009-05-25 14:12 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-25 13:42 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-25 13:40 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-25 13:40 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-25 13:40 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-25 13:40 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-25 13:40 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-25 13:40 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-25 13:40 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-25 12:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Epitiro
2009-05-25 12:22 <DIR> --d----- c:\program files\isposure
2009-05-25 12:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-25 12:21 <DIR> --d----- c:\program files\thinkbroadband.com
2009-05-24 01:27 2,945 a------- c:\windows\imsins.BAK
==================== Find3M ====================
2009-06-20 13:15 2,974,752 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-20 13:15 786,464 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-20 13:15 25,368 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-20 13:15 4,816 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-20 07:54 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-06-20 07:54 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-06-20 07:54 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-26 18:45 87,370 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-16 22:56 203,776 a------- c:\windows\system32\clrviddc.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-01-11 23:58 75 ---shr-- c:\windows\3DXCT.BIN
2006-05-03 11:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2008-12-13 09:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121320081214\index.dat
============= FINISH: 0:43:56.72 ===============
Attached File(s):
- DDS.txt (17.24K), downloads: 0
- Attach.txt (10.57K), downloads: 3
This post has been edited by Orange Blossom: 20 June 2009 - 08:04 PM
Reason for edit: Deactivate link and set DDS log apart for easier reading. ~ OB
This topic is locked
button.
to download the ESET Smart Installer. Save it to your desktop.
button.

, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
button.