Computer seems to be infected with virus or malware causing pop-ups and browser issues

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Computer seems to be infected with virus or malware causing pop-ups and browser issues, Not sure what this virus/malware is, or how to remove it.

Options

maloy View Member Profile	Nov 7 2009, 02:13 PM Post #1
New Member Group: Members Posts: 13 Joined: 20-January 08 Member No.: 184,896	My computer has a virus or some type of malware, but I am unsure what it is. Virus scanner doesn't seem to locate it, and Ad-Aware lists several 'unknown' items. My browser runs very slowly, and I have a hard time accessing certain websites associated with virus/malware scanners, such as Malwarebytes, so it is very difficult to get any anti-virus software. It also takes me very many tries to get into this forum. I occasionally get pop-ups as well. Please advise on what I can do, any help would be appreciated. DDS log: DDS (Ver_09-10-26.01) - NTFSx86 Run by Nick at 13:53:15.57 on Sat 11/07/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1189 [GMT -5:00] AV: avast! antivirus 4.8.1351 [VPS 091107-0] On-access scanning enabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\Ati2evxx.exe svchost.exe svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe c:\progra~1\common~1\instal~1\update~1\isuspm.exe C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Nick\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz mWinlogon: Shell=Explorer.exe logon.exe BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File uRun: [<NO NAME>] uRun: [ATI Launchpad] uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe mRun: [SigmatelSysTrayApp] stsystra.exe mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [ATI DeviceDetect] "c:\program files\ati multimedia\\program files\ati multimedia\main\ATIDtct.EXE" mRun: [<NO NAME>] mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88" mRun: [fujabahij] Rundll32.exe "c:\windows\system32\wiparugo.dll",a mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000 IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253384945781 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: AtiExtEvent - Ati2evxx.dll AppInit_DLLs: jowuhese.dll c:\windows\system32\wiparugo.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SSODL: fafahasev - {67cd69b9-d0e0-421f-9ec2-c7fbd893b7ed} - c:\windows\system32\wiparugo.dll STS: tokatiluy: {67cd69b9-d0e0-421f-9ec2-c7fbd893b7ed} - c:\windows\system32\wiparugo.dll LSA: Notification Packages = scecli waseyibe.dll ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-19 64160] R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-19 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-19 20560] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-19 133104] =============== Created Last 30 ================ 2009-11-07 18:02:13 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-11-07 17:42:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-07 17:42:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-07 17:42:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-07 17:27:12 31748 ----a-w- c:\windows\system32\logon.exe ==================== Find3M ==================== 2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll 2009-09-19 21:22:13 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-09-19 21:22:02 189672 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-09-19 20:35:59 75064 ----a-w- c:\windows\system32\PnkBstrA.exe 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll 2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe 2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll 2009-08-20 19:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL 2009-08-07 17:32:01 39424 --sha-w- c:\windows\system32\bakivige.dll 2009-08-07 17:27:00 52224 --sha-w- c:\windows\system32\jowuhese.dll 2009-08-07 17:27:00 52224 --sha-w- c:\windows\system32\kokemabo.dll 2009-08-07 17:27:00 52224 --sha-w- c:\windows\system32\waseyibe.dll 2009-08-07 17:32:01 91648 --sha-w- c:\windows\system32\wiparugo.dll ============= FINISH: 13:53:41.14 =============== This post has been edited by maloy: Nov 7 2009, 02:15 PM Attached File(s) Attach.txt ( 11.09k ) Number of downloads: 5 ark.txt ( 2.76k ) Number of downloads: 4

2 Pages

1 2 >

Replies (1 - 14)

jpshortstuff View Member Profile	Nov 7 2009, 02:20 PM Post #2
WhatTheTech Teacher Group: HJT Team Posts: 482 Joined: 15-June 07 From: UK Member No.: 136,795	Hi there, Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop. Link 1 Link 2 Link 3 IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here Double click on Combo-Fix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Notes: 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall. 2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions. 3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser. 4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise. 5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. -------------------- Trained at the What The Tech Classroom where you too could learn to help others. My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

maloy View Member Profile	Nov 7 2009, 03:53 PM Post #3
New Member Group: Members Posts: 13 Joined: 20-January 08 Member No.: 184,896	Ok, I ran ComboFix and attached is the log. Prior to that I was able to run Kaspersky and it seems that it elimited at least some of the viruses/malware. However on startup I still get the following message, which mentions one of the disinfected viruses: error loading wiparugo. Can you please advise how to get rid of that, and if I need a new hijack this log. Thank you. Attached File(s) ComboFix.txt ( 14.49k ) Number of downloads: 5

jpshortstuff View Member Profile	Nov 7 2009, 04:46 PM Post #4
WhatTheTech Teacher Group: HJT Team Posts: 482 Joined: 15-June 07 From: UK Member No.: 136,795	Hi, OK, first let's get your Java updated. Open the Control Panel and click Add/Remove Programs. Find this on the list and click Remove: Java 2 Runtime Environment, SE v1.4.2_03 You can get the latest version from here: http://www.java.com/en/download/index.jsp Next, let's run a general AntiVirus scan to get a second opinion. Go here to run an online scanner from ESET. Note: You will need to use Internet explorer for this scan Turn off the real time scanner of any existing antivirus program while performing the online scan Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activeX control to install Click Start Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked. Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked. Click Scan Wait for the scan to finish Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt Copy and paste that log as a reply to this topic and also let me know how things are now. Please post a new DDS log as well, and let me know whether you are still getting that error message on startup, as well as how your computer is generally behaving. -------------------- Trained at the What The Tech Classroom where you too could learn to help others. My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

maloy View Member Profile	Nov 7 2009, 08:58 PM Post #5
New Member Group: Members Posts: 13 Joined: 20-January 08 Member No.: 184,896	Hi, and thanks for your help. The browser still seems to be experiencing some issues, but not as bad as before. There are no more pop-ups but it runs and opens slow. Also everytime I run Kaspersky it seems to find new infected files. The online anti-virus program you suggested did not find anything however. And there is still a problem on start-up, but this time it says 'cannot find logon.exe'. Here is the new DDS Log DDS (Ver_09-10-26.01) - NTFSx86 Run by Nick at 20:52:16.81 on Sat 11/07/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1484 [GMT -5:00] AV: Kaspersky Internet Security On-access scanning enabled (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} FW: Kaspersky Internet Security enabled {2C4D4BC6-0793-4956-A9F9-E252435469C0} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe C:\WINDOWS\system32\Ati2evxx.exe svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe svchost.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe C:\Documents and Settings\Nick\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ mWinlogon: Shell=Explorer.exe logon.exe BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe mRun: [SigmatelSysTrayApp] stsystra.exe mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88" mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe" mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000 IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253384945781 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: AtiExtEvent - Ati2evxx.dll Notify: klogon - c:\windows\system32\klogon.dll AppInit_DLLs: moyofilu.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll LSA: Notification Packages = scecli yujukaku.dll ============= SERVICES / DRIVERS =============== R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272] R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-19 133104] =============== Created Last 30 ================ 2009-11-07 21:57:54 0 d-----w- c:\program files\ESET 2009-11-07 21:56:18 73728 ----a-w- c:\windows\system32\javacpl.cpl 2009-11-07 21:56:18 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-07 20:57:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-07 20:31:28 0 d-sha-r- C:\cmdcons 2009-11-07 20:30:52 98816 ----a-w- c:\windows\sed.exe 2009-11-07 20:30:52 77312 ----a-w- c:\windows\MBR.exe 2009-11-07 20:30:52 267264 ----a-w- c:\windows\PEV.exe 2009-11-07 20:30:52 161792 ----a-w- c:\windows\SWREG.exe 2009-11-07 19:33:08 108059 ----a-w- c:\windows\system32\drivers\klin.dat 2009-11-07 19:33:07 95259 ----a-w- c:\windows\system32\drivers\klick.dat 2009-11-07 19:32:14 0 d-----w- c:\program files\Kaspersky Lab 2009-11-07 19:32:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab 2009-11-07 19:21:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files 2009-10-21 01:34:56 219664 ----a-w- c:\windows\system32\klogon.dll 2009-10-15 02:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys ==================== Find3M ==================== 2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll 2009-10-03 00:39:44 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys 2009-09-19 21:22:13 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-09-19 21:22:02 189672 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-09-19 20:35:59 75064 ----a-w- c:\windows\system32\PnkBstrA.exe 2009-09-14 19:42:46 32272 ----a-w- c:\windows\system32\drivers\klim5.sys 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll 2009-09-10 00:01:40 27675 ----a-w- c:\windows\system32\drivers\klopp.dat 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll 2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe 2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll 2009-08-20 19:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL 2009-08-08 00:50:12 51200 --sha-w- c:\windows\system32\fudoneze.dll 2009-08-08 00:50:12 51200 --sha-w- c:\windows\system32\moyofilu.dll 2009-08-08 00:50:12 51200 --sha-w- c:\windows\system32\yujukaku.dll ============= FINISH: 20:52:51.56 ===============

jpshortstuff View Member Profile	Nov 8 2009, 03:57 AM Post #6
WhatTheTech Teacher Group: HJT Team Posts: 482 Joined: 15-June 07 From: UK Member No.: 136,795	Hi, OK, let's clean the rest up. 1. Please open Notepad Click Start , then Run Type notepad.exe in the Run Box. 2. Now copy/paste the entire content of the codebox below into the Notepad window: CODE File:: c:\windows\system32\fudoneze.dll c:\windows\system32\moyofilu.dll c:\windows\system32\yujukaku.dll Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Shell"="Explorer.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"="" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 DDS:: TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} 3. Save the above as CFScript.txt 4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again. 5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt. After this, let me know how things are running. Please also provide a fresh DDS log, as well as a fresh RootRepeal log. Thanks. -------------------- Trained at the What The Tech Classroom where you too could learn to help others. My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

maloy View Member Profile	Nov 8 2009, 10:15 AM Post #7
New Member Group: Members Posts: 13 Joined: 20-January 08 Member No.: 184,896	Hi. I ran Combofix as you suggested, however after it was done it went to Windows blue screen, and I had to manually restart the computer. So it looks like there was no log generated. I wasn't sure if I need to run it again. Anyway, the online browser seems to be working much better, but is still a little slow on start-up. There is a new error message on start-up too: error loadinhg jopisado.dll. Here is the new DDS log, and attached is the RootRepeal log. Let me know if I should run ComboFix again. DDS (Ver_09-10-26.01) - NTFSx86 Run by Nick at 9:58:01.31 on Sun 11/08/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1645 [GMT -5:00] AV: Kaspersky Internet Security On-access scanning enabled (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} FW: Kaspersky Internet Security enabled {2C4D4BC6-0793-4956-A9F9-E252435469C0} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\Ati2evxx.exe svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe svchost.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Nick\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll BHO: {2f32e627-cbb0-4ad3-adc0-bc96803fc30f} - tusavila.dll BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe mRun: [SigmatelSysTrayApp] stsystra.exe mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88" mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe" mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [himizufego] Rundll32.exe "jopisado.dll",s mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000 IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253384945781 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: AtiExtEvent - Ati2evxx.dll Notify: klogon - c:\windows\system32\klogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ============= SERVICES / DRIVERS =============== R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272] R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-19 133104] =============== Created Last 30 ================ 2009-11-08 14:38:05 0 d-s---w- C:\Combo-Fix 2009-11-07 21:57:54 0 d-----w- c:\program files\ESET 2009-11-07 21:56:18 73728 ----a-w- c:\windows\system32\javacpl.cpl 2009-11-07 21:56:18 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-07 20:31:28 0 d-sha-r- C:\cmdcons 2009-11-07 20:30:52 98816 ----a-w- c:\windows\sed.exe 2009-11-07 20:30:52 77312 ----a-w- c:\windows\MBR.exe 2009-11-07 20:30:52 267264 ----a-w- c:\windows\PEV.exe 2009-11-07 20:30:52 161792 ----a-w- c:\windows\SWREG.exe 2009-11-07 19:33:08 108059 ----a-w- c:\windows\system32\drivers\klin.dat 2009-11-07 19:33:07 95259 ----a-w- c:\windows\system32\drivers\klick.dat 2009-11-07 19:32:14 0 d-----w- c:\program files\Kaspersky Lab 2009-11-07 19:32:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab 2009-11-07 19:21:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files 2009-10-21 01:34:56 219664 ----a-w- c:\windows\system32\klogon.dll 2009-10-15 02:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys ==================== Find3M ==================== 2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll 2009-10-03 00:39:44 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys 2009-09-19 21:22:13 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-09-19 21:22:02 189672 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-09-19 20:35:59 75064 ----a-w- c:\windows\system32\PnkBstrA.exe 2009-09-14 19:42:46 32272 ----a-w- c:\windows\system32\drivers\klim5.sys 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll 2009-09-10 00:01:40 27675 ----a-w- c:\windows\system32\drivers\klopp.dat 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll 2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe 2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll 2009-08-20 19:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL ============= FINISH: 9:58:28.54 =============== Attached File(s) RootRepeal_report_11_08_09__10_04_12_.txt ( 20.3k ) Number of downloads: 3

jpshortstuff View Member Profile	Nov 8 2009, 11:55 AM Post #8
WhatTheTech Teacher Group: HJT Team Posts: 482 Joined: 15-June 07 From: UK Member No.: 136,795	Hi, Is there a log at C:\ComboFix.txt? If so, please post it. If not, we'll carry on without it. -------------------- Trained at the What The Tech Classroom where you too could learn to help others. My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

maloy View Member Profile	Nov 8 2009, 02:10 PM Post #9
New Member Group: Members Posts: 13 Joined: 20-January 08 Member No.: 184,896	No there wasn't a new log produced, because application shut down early and windows went to blue screen. So the only log I have is the previous one, which is already posted here.

jpshortstuff View Member Profile	Nov 9 2009, 01:58 AM Post #10
WhatTheTech Teacher Group: HJT Team Posts: 482 Joined: 15-June 07 From: UK Member No.: 136,795	OK. We need to run another CFScript then, slightly different one this time. Please do the same as before, with this script: QUOTE KillAll:: File:: C:\WINDOWS\system32\tusavila.dll DDS:: BHO: {2f32e627-cbb0-4ad3-adc0-bc96803fc30f} TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} mRun: [himizufego] IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} If it succeeds, please post the log it produces. Please post a new DDS log regardless of whether or not it works, and let me know how things are. Thanks. -------------------- Trained at the What The Tech Classroom where you too could learn to help others. My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

maloy View Member Profile	Nov 10 2009, 08:03 PM Post #11
New Member Group: Members Posts: 13 Joined: 20-January 08 Member No.: 184,896	I ran the new ComboFix, and it did fix the start up error message issue. Also all of the malware seems to be gone. There is a small problem though, which is that whenever I open the Internet browser it takes about 5 seconds to open. But that is a very minor issue, so thanks for helping me to get rid of the malware. Please let me know in case that browser problem can be fixed as well. Anyway here are the logs: ComboFix: ComboFix 09-11-07.02 - Nick 11/09/2009 22:17.3.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1609 [GMT -5:00] Running from: c:\documents and settings\Nick\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Nick\Desktop\CFScript.txt AV: Kaspersky Internet Security On-access scanning disabled (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} FW: Kaspersky Internet Security disabled {2C4D4BC6-0793-4956-A9F9-E252435469C0} FILE :: "c:\windows\system32\tusavila.dll" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\windows\system32\femizaji.dll c:\windows\system32\fihasine.dll c:\windows\system32\jopisado.dll c:\windows\system32\kisafigu.dll c:\windows\system32\retufuri.dll c:\windows\system32\toyoyavi.dll c:\windows\system32\tusavila.dll c:\windows\Tasks\jbqlhjqo.job . ((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 ))))))))))))))))))))))))))))))) . 2009-11-07 21:57 . 2009-11-07 21:57 -------- d-----w- c:\program files\ESET 2009-11-07 21:56 . 2009-11-07 21:56 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-07 21:52 . 2009-11-07 21:55 152576 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2009-11-07 19:37 . 2009-11-07 19:37 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll 2009-11-07 19:37 . 2009-11-07 19:37 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll 2009-11-07 19:37 . 2009-11-07 19:37 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll 2009-11-07 19:37 . 2009-11-07 19:37 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll 2009-11-07 19:37 . 2009-11-07 19:37 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll 2009-11-07 19:33 . 2009-11-07 19:33 108059 ----a-w- c:\windows\system32\drivers\klin.dat 2009-11-07 19:33 . 2009-11-07 19:33 95259 ----a-w- c:\windows\system32\drivers\klick.dat 2009-11-07 19:32 . 2009-11-10 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab 2009-11-07 19:32 . 2009-11-07 19:32 -------- d-----w- c:\program files\Kaspersky Lab 2009-11-07 19:21 . 2009-11-07 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files 2009-10-21 01:34 . 2009-10-21 01:34 219664 ----a-w- c:\windows\system32\klogon.dll 2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe 2009-10-15 02:18 . 2009-10-15 02:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-07 21:56 . 2005-10-11 16:52 -------- d-----w- c:\program files\Java 2009-11-07 19:23 . 2009-09-19 18:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0 2009-10-27 23:25 . 2009-09-19 17:40 -------- d-----w- c:\documents and settings\Nick\Application Data\AdobeUM 2009-10-06 00:05 . 2009-10-06 00:05 -------- d-----w- c:\documents and settings\Nick\Application Data\Apple Computer 2009-10-03 00:39 . 2009-10-03 00:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys 2009-10-02 11:42 . 2009-10-02 11:42 -------- d-----w- c:\documents and settings\Nick\Application Data\ICAClient 2009-10-02 11:42 . 2009-10-02 11:42 -------- d-----w- c:\program files\Citrix 2009-09-21 00:47 . 2009-09-21 00:46 -------- d-----w- c:\program files\QuickTime 2009-09-21 00:46 . 2009-09-21 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer 2009-09-21 00:46 . 2009-09-21 00:46 -------- d-----w- c:\program files\Common Files\Apple 2009-09-21 00:46 . 2009-09-21 00:46 -------- d-----w- c:\program files\Apple Software Update 2009-09-21 00:46 . 2009-09-21 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple 2009-09-20 02:19 . 2009-09-20 02:19 -------- d-----w- c:\program files\Google 2009-09-19 21:22 . 2009-09-19 20:37 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-09-19 21:22 . 2009-09-19 20:36 189672 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-09-19 20:35 . 2009-09-19 20:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe 2009-09-19 20:05 . 2009-09-19 19:35 -------- d-----w- c:\program files\EA GAMES 2009-09-19 19:51 . 2009-09-19 17:15 17856 ----a-w- c:\documents and settings\Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-09-19 19:51 . 2009-09-19 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-09-19 19:42 . 2009-09-19 19:42 -------- d-----w- c:\program files\Common Files\EasyInfo 2009-09-19 19:35 . 2005-10-11 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-09-19 19:25 . 2009-09-19 19:24 -------- d-----w- c:\program files\EPSON 2009-09-19 19:16 . 2009-09-19 19:16 -------- d-----w- c:\program files\Microsoft ActiveSync 2009-09-19 19:08 . 2009-09-19 15:37 -------- d-----w- c:\documents and settings\Nick\Application Data\Jasc Software Inc 2009-09-19 19:08 . 2005-10-11 16:58 -------- d-----w- c:\program files\Jasc Software Inc 2009-09-19 19:04 . 2009-09-19 19:01 -------- d-----w- c:\program files\Rhapsody 2009-09-19 19:04 . 2005-10-11 17:00 -------- d-----w- c:\program files\Common Files\Real 2009-09-19 18:57 . 2009-09-19 18:57 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe 2009-09-19 18:33 . 2009-09-19 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-09-19 18:33 . 2009-09-19 18:33 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2 2009-09-19 18:26 . 2009-09-19 18:26 -------- d-----w- c:\documents and settings\Nick\Application Data\Malwarebytes 2009-09-19 18:26 . 2009-09-19 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-19 18:17 . 2009-09-19 18:17 -------- d-----w- c:\program files\Alwil Software 2009-09-19 18:13 . 2005-10-11 17:03 -------- d-----w- c:\program files\Symantec 2009-09-19 18:13 . 2005-10-11 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec 2009-09-19 18:12 . 2005-10-11 17:01 -------- d-----w- c:\program files\Common Files\Intuit 2009-09-19 18:11 . 2009-09-19 18:11 -------- d-----w- c:\documents and settings\Nick\Application Data\Sonic 2009-09-19 18:09 . 2009-09-19 18:09 -------- d-----w- c:\documents and settings\Nick\Application Data\Leadertech 2009-09-19 17:57 . 2009-09-19 15:37 -------- d--h--w- c:\documents and settings\Nick\Application Data\Gtek 2009-09-19 17:57 . 2005-10-11 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek 2009-09-19 17:51 . 2005-10-11 16:59 -------- d-----w- c:\program files\Common Files\AOL 2009-09-19 17:51 . 2005-10-11 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL 2009-09-19 17:47 . 2009-09-19 15:41 -------- d-----w- c:\program files\Common Files\ATI 2009-09-19 17:45 . 2009-09-19 17:45 9158 ----a-r- c:\documents and settings\Nick\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe 2009-09-19 17:45 . 2009-09-19 17:45 -------- d-----w- c:\program files\Common Files\ATI Technologies 2009-09-19 17:44 . 2009-09-19 17:44 -------- d-----w- c:\program files\DIFX 2009-09-19 17:44 . 2009-09-19 17:44 -------- d-----w- c:\program files\USB TV 2009-09-19 17:44 . 2009-09-19 17:44 -------- d-----w- c:\documents and settings\Nick\Application Data\InstallShield 2009-09-19 17:40 . 2009-09-19 17:40 -------- d-----w- c:\program files\Common Files\Adobe 2009-09-19 17:39 . 2009-09-19 17:39 -------- d-----w- c:\documents and settings\Nick\Application Data\ATI 2009-09-19 17:39 . 2009-09-19 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI 2009-09-19 17:38 . 2009-09-19 17:38 0 ----a-w- c:\windows\ativpsrm.bin 2009-09-19 17:37 . 2005-10-11 16:56 -------- d-----w- c:\program files\ATI Technologies 2009-09-19 17:30 . 2009-09-19 17:30 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-09-19 17:03 . 2009-09-19 17:03 -------- d-----w- c:\program files\Windows Media Connect 2 2009-09-19 16:31 . 2009-09-19 16:31 -------- d-----w- c:\program files\MSXML 4.0 2009-09-19 16:22 . 2009-09-19 16:22 -------- d-----w- c:\program files\MSBuild 2009-09-19 16:22 . 2009-09-19 16:22 -------- d-----w- c:\program files\Reference Assemblies 2009-09-19 16:18 . 2009-09-19 16:18 -------- d-----w- c:\program files\Common Files\SWF Studio 2009-09-19 16:13 . 2004-08-10 18:03 77859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-09-19 15:43 . 2009-09-19 15:42 -------- d-----w- c:\program files\ATI Multimedia 2009-09-19 15:41 . 2009-09-19 15:41 -------- d-----w- c:\program files\Windows Media Components 2009-09-19 15:41 . 2009-09-19 15:41 -------- d-----w- c:\program files\Common Files\CyberLink 2009-09-19 15:40 . 2005-10-11 16:53 -------- d-----w- c:\program files\Common Files\InstallShield 2009-09-14 19:42 . 2009-09-14 19:42 32272 ----a-w- c:\windows\system32\drivers\klim5.sys 2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-10 00:01 . 2009-09-10 00:01 27675 ----a-w- c:\windows\system32\drivers\klopp.dat 2009-09-04 21:03 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-01 20:29 . 2009-09-01 20:29 128016 ----a-w- c:\windows\system32\drivers\kl1.sys 2009-08-29 08:08 . 2004-08-10 17:51 916480 ------w- c:\windows\system32\wininet.dll 2009-08-26 08:00 . 2004-08-10 17:51 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-20 19:09 . 2009-08-20 19:09 1193832 ----a-w- c:\windows\system32\FM20.DLL . ((((((((((((((((((((((((((((( SnapShot@2009-11-07_20.38.22 ))))))))))))))))))))))))))))))))))))))))) . + 2009-11-10 03:23 . 2009-11-10 03:23 16384 c:\windows\temp\Perflib_Perfdata_5d8.dat - 2009-09-19 15:35 . 2009-11-07 19:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2009-09-19 15:35 . 2009-11-08 00:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2009-09-19 15:35 . 2009-11-08 00:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2009-09-19 15:35 . 2009-11-07 19:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-11-08 00:50 . 2009-11-08 00:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat - 2009-09-19 15:35 . 2009-11-07 19:29 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-11-07 21:56 . 2009-11-07 21:56 149280 c:\windows\system32\javaws.exe + 2009-11-07 21:56 . 2009-11-07 21:56 145184 c:\windows\system32\javaw.exe + 2009-11-07 21:56 . 2009-11-07 21:56 145184 c:\windows\system32\java.exe + 2009-11-07 21:56 . 2009-11-07 21:56 537600 c:\windows\Installer\43f303.msi . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2f32e627-cbb0-4ad3-adc0-bc96803fc30f}] tusavila.dll [BU] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440] "EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304] "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"= "c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"= "c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2010\\avp.exe"= R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272] R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/19/2009 9:19 PM 133104] . Contents of the 'Scheduled Tasks' folder 2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2009-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 02:19] 2009-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 02:19] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000 . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-09 22:24 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(984) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(720) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\PnkBstrA.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe . ************************************************************************ . Completion time: 2009-11-10 22:30 - machine was rebooted ComboFix-quarantined-files.txt 2009-11-10 03:30 ComboFix2.txt 2009-11-07 20:44 Pre-Run: 134,969,847,808 bytes free Post-Run: 134,970,171,392 bytes free - - End Of File - - 1187DD6EE478E22CD0D9B70575140C3B DDS: DDS (Ver_09-10-26.01) - NTFSx86 Run by Nick at 23:45:47.51 on Mon 11/09/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1537 [GMT -5:00] AV: Kaspersky Internet Security On-access scanning enabled (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} FW: Kaspersky Internet Security enabled {2C4D4BC6-0793-4956-A9F9-E252435469C0} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\Ati2evxx.exe svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Nick\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll BHO: {2f32e627-cbb0-4ad3-adc0-bc96803fc30f} - tusavila.dll BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe mRun: [SigmatelSysTrayApp] stsystra.exe mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88" mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe" mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000 IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253384945781 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: AtiExtEvent - Ati2evxx.dll Notify: klogon - c:\windows\system32\klogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ============= SERVICES / DRIVERS =============== R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272] R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-19 133104] =============== Created Last 30 ================ 2009-11-07 21:57:54 0 d-----w- c:\program files\ESET 2009-11-07 21:56:18 73728 ----a-w- c:\windows\system32\javacpl.cpl 2009-11-07 21:56:18 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-07 20:31:28 0 d-sha-r- C:\cmdcons 2009-11-07 20:30:52 98816 ----a-w- c:\windows\sed.exe 2009-11-07 20:30:52 77312 ----a-w- c:\windows\MBR.exe 2009-11-07 20:30:52 267264 ----a-w- c:\windows\PEV.exe 2009-11-07 20:30:52 161792 ----a-w- c:\windows\SWREG.exe 2009-11-07 19:33:08 108059 ----a-w- c:\windows\system32\drivers\klin.dat 2009-11-07 19:33:07 95259 ----a-w- c:\windows\system32\drivers\klick.dat 2009-11-07 19:32:14 0 d-----w- c:\program files\Kaspersky Lab 2009-11-07 19:32:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab 2009-11-07 19:21:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files 2009-10-21 01:34:56 219664 ----a-w- c:\windows\system32\klogon.dll 2009-10-15 02:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys ==================== Find3M ==================== 2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll 2009-10-03 00:39:44 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys 2009-09-19 21:22:13 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-09-19 21:22:02 189672 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-09-19 20:35:59 75064 ----a-w- c:\windows\system32\PnkBstrA.exe 2009-09-14 19:42:46 32272 ----a-w- c:\windows\system32\drivers\klim5.sys 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll 2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe 2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll 2009-08-20 19:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL ============= FINISH: 23:46:18.12 ===============

jpshortstuff View Member Profile	Nov 11 2009, 02:18 AM Post #12
WhatTheTech Teacher Group: HJT Team Posts: 482 Joined: 15-June 07 From: UK Member No.: 136,795	Hi, OK, looks like the main infection is gone, let's try and clean up a little more and see if we can find out what's hindering your browser. I take it this is Internet Explorer? First, open notepad, then copy/paste the following text into the notepad Window. Save it as "fix.reg", be sure to include the quotes. QUOTE REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2f32e627-cbb0-4ad3-adc0-bc96803fc30f}] [-HKEY_CLASSES_ROOT\CLSID\{2f32e627-cbb0-4ad3-adc0-bc96803fc30f}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"=- [-HKEY_CLASSES_ROOT\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=- [-HKEY_CLASSES_ROOT\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}] Once saved, please right-click on fix.reg and select Merge, and click Yes at the prompt. Next, please try and run MalwareBytes' AntiMalware. Be sure to update it, then run a Quick Scan. If it finds anything, please post the log it provides. Post another DDS log, and let me know if things are any better. -------------------- Trained at the What The Tech Classroom where you too could learn to help others. My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

maloy View Member Profile	Nov 13 2009, 08:30 PM Post #13
New Member Group: Members Posts: 13 Joined: 20-January 08 Member No.: 184,896	Hi. I ran Malwarebytes and the log is below, followed by new DDS log. Internet Explorer is still loading up very slow when I launch a new window. When the window is open however and I just open another website it is functioning fine. Malwarebytes log: Malwarebytes' Anti-Malware 1.41 Database version: 3151 Windows 5.1.2600 Service Pack 3 11/11/2009 8:08:45 PM mbam-log-2009-11-11 (20-08-45).txt Scan type: Full Scan (C:\\|) Objects scanned: 155604 Time elapsed: 23 minute(s), 16 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP70\A0009158.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP74\A0012430.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP74\A0012598.sys (Rootkit.Agent) -> Quarantined and deleted successfully. DDS log: DDS (Ver_09-10-26.01) - NTFSx86 Run by Nick at 16:40:35.64 on Fri 11/13/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1528 [GMT -5:00] AV: Kaspersky Internet Security On-access scanning enabled (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} FW: Kaspersky Internet Security enabled {2C4D4BC6-0793-4956-A9F9-E252435469C0} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\Ati2evxx.exe svchost.exe C:\WINDOWS\Explorer.EXE svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe svchost.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Documents and Settings\Nick\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe mRun: [SigmatelSysTrayApp] stsystra.exe mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88" mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe" mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000 IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253384945781 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: AtiExtEvent - Ati2evxx.dll Notify: klogon - c:\windows\system32\klogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ============= SERVICES / DRIVERS =============== R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272] R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-19 133104] =============== Created Last 30 ================ 2009-11-12 00:41:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-12 00:41:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-12 00:41:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-07 21:57:54 0 d-----w- c:\program files\ESET 2009-11-07 21:56:18 73728 ----a-w- c:\windows\system32\javacpl.cpl 2009-11-07 21:56:18 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-07 20:31:28 0 d-sha-r- C:\cmdcons 2009-11-07 20:30:52 98816 ----a-w- c:\windows\sed.exe 2009-11-07 20:30:52 77312 ----a-w- c:\windows\MBR.exe 2009-11-07 20:30:52 267264 ----a-w- c:\windows\PEV.exe 2009-11-07 20:30:52 161792 ----a-w- c:\windows\SWREG.exe 2009-11-07 19:33:08 108059 ----a-w- c:\windows\system32\drivers\klin.dat 2009-11-07 19:33:07 95259 ----a-w- c:\windows\system32\drivers\klick.dat 2009-11-07 19:32:14 0 d-----w- c:\program files\Kaspersky Lab 2009-11-07 19:32:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab 2009-11-07 19:21:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files 2009-10-21 01:34:56 219664 ----a-w- c:\windows\system32\klogon.dll 2009-10-15 02:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys ==================== Find3M ==================== 2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll 2009-10-03 00:39:44 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys 2009-09-19 21:22:13 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-09-19 21:22:02 189672 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-09-19 20:35:59 75064 ----a-w- c:\windows\system32\PnkBstrA.exe 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll 2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe 2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll 2009-08-20 19:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL ============= FINISH: 16:41:17.32 ===============

jpshortstuff View Member Profile	Nov 15 2009, 05:45 AM Post #14
WhatTheTech Teacher Group: HJT Team Posts: 482 Joined: 15-June 07 From: UK Member No.: 136,795	Hi, Sorry about the delay in responding, busy weekend. OK, is it just this Internet Explorer problem that remains? Anything else? Please run RootRepeal again (same as before) and post a log, just so we can rule out any last Rootkit interference. -------------------- Trained at the What The Tech Classroom where you too could learn to help others. My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

maloy View Member Profile	Nov 17 2009, 05:44 PM Post #15
New Member Group: Members Posts: 13 Joined: 20-January 08 Member No.: 184,896	Yes, just the explorer issue. Here is the Root Repeal log you requested: ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/11/16 18:49 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: dump_iastor.sys Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys Address: 0xA3DBB000 Size: 872448 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0x9F6C5000 Size: 49152 File Visible: No Signed: - Status: - Hidden/Locked Files ------------------- Path: C:\hiberfil.sys Status: Locked to the Windows API! Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\av11.tmp Status: Allocation size mismatch (API: 19865600, Raw: 0) SSDT ------------------- #: 011 Function Name: NtAdjustPrivilegesToken Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef35ee #: 025 Function Name: NtClose Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef3e6e #: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef4984 #: 035 Function Name: NtCreateEvent Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef4ef6 #: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef4150 #: 041 Function Name: NtCreateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2498 #: 043 Function Name: NtCreateMutant Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef4dce #: 044 Function Name: NtCreateNamedPipeFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef31f4 #: 046 Function Name: NtCreatePort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef4c8a #: 050 Function Name: NtCreateSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef33b0 #: 051 Function Name: NtCreateSemaphore Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef5028 #: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef6c6a #: 053 Function Name: NtCreateThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef3b0c #: 056 Function Name: NtCreateWaitablePort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef4d2c #: 057 Function Name: NtDebugActiveProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef665c #: 063 Function Name: NtDeleteKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2a5c #: 065 Function Name: NtDeleteValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2dea #: 066 Function Name: NtDeviceIoControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef45d8 #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef762c #: 071 Function Name: NtEnumerateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2f2c #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2fd6 #: 084 Function Name: NtFsControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef43e4 #: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef66ee #: 098 Function Name: NtLoadKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2474 #: 099 Function Name: NtLoadKey2 Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2486 #: 108 Function Name: NtMapViewOfSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef6d1e #: 111 Function Name: NtNotifyChangeKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef3122 #: 114 Function Name: NtOpenEvent Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef4f98 #: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef3ef0 #: 119 Function Name: NtOpenKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef263e #: 120 Function Name: NtOpenMutant Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef4e66 #: 122 Function Name: NtOpenProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef37f4 #: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef6c94 #: 126 Function Name: NtOpenSemaphore Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef50ca #: 128 Function Name: NtOpenThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef3718 #: 160 Function Name: NtQueryKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef3080 #: 161 Function Name: NtQueryMultipleValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2ca8 #: 167 Function Name: NtQuerySection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef7036 #: 177 Function Name: NtQueryValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef28f8 #: 180 Function Name: NtQueueApcThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef6984 #: 192 Function Name: NtRenameKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2b70 #: 193 Function Name: NtReplaceKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2312 #: 194 Function Name: NtReplyPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef5454 #: 195 Function Name: NtReplyWaitReceivePort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef531a #: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef63fc #: 204 Function Name: NtRestoreKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef9e8e #: 206 Function Name: NtResumeThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef750e #: 207 Function Name: NtSaveKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef22aa #: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef46be #: 213 Function Name: NtSetContextThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef3d2a #: 230 Function Name: NtSetInformationToken Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef5cac #: 237 Function Name: NtSetSecurityObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef67e8 #: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef7176 #: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef2780 #: 253 Function Name: NtSuspendProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef725a #: 254 Function Name: NtSuspendThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef7382 #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef6588 #: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef396c #: 258 Function Name: NtTerminateThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef38c2 #: 267 Function Name: NtUnmapViewOfSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef6eec #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9ef3a4c Shadow SSDT ------------------- #: 013 Function Name: NtGdiBitBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04c76 #: 227 Function Name: NtGdiMaskBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04d40 #: 237 Function Name: NtGdiPlgBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04daa #: 292 Function Name: NtGdiStretchBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04cda #: 307 Function Name: NtUserAttachThreadInput Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f0488a #: 312 Function Name: NtUserBuildHwndList Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04e0c #: 323 Function Name: NtUserCallOneParam Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04c42 #: 378 Function Name: NtUserFindWindowEx Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04a78 #: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f047f2 #: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04b7a #: 416 Function Name: NtUserGetKeyState Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f0483e #: 460 Function Name: NtUserMessageCall Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f049ca #: 475 Function Name: NtUserPostMessage Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04920 #: 476 Function Name: NtUserPostThreadMessage Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04974 #: 491 Function Name: NtUserRegisterRawInputDevices Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04b0a #: 502 Function Name: NtUserSendInput Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04a2a #: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04742 #: 552 Function Name: NtUserSetWinEventHook Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9f04798 ==EOF==

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Switch to: Standard · Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 22nd November 2009 - 12:21 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides