Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I think I have the Legmir Worm and the Trojan.Agent?


  • This topic is locked This topic is locked
39 replies to this topic

#1 Tamy

Tamy

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:08:53 PM

Posted 13 June 2009 - 02:05 PM

:thumbup2: Hi Everyone,

I did a scan with Max Spyware detector and it said I had the legmir worm and Trojan.Agent? Also there is a Veiwpoint program that keeps appearing in my installed programs. I keep removing it but it comes back - not always though? I also deleted a couple weird looking Active X controls that had no name for them. IN march my Avast virus software caught JS:Fake Trojan
and an infected Mavinst.exe file? I have tried different scanners and can't find the Legmir Worm or Trojan.Agent. Any help would truly be appreciated!
Thank you
Tammy
:)

DDS (Ver_09-05-14.01) - NTFSx86
Run by Tammy at 12:35:16.67 on Sat 06/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.550 [GMT -6:00]

AV: avast! antivirus 4.8.1335 [VPS 090613-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Tammy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AOL Fast Start] "c:\program files\america online 9.0\AOL.EXE" -b
mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
mRun: [DellMCM] "c:\program files\dell photo aio printer 942\memcard.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\tammy\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232590663530
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -

hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232682664984
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop

search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-7 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-7 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-7 138680]
S1 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [2009-1-20 281856]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-7 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-7 352920]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]

=============== Created Last 30 ================

2009-06-13 11:18 50,910 a------- C:\VETlog.dmp
2009-06-13 11:01 <DIR> --dsh--- c:\documents and settings\tammy\UserData
2009-06-13 09:59 63 a------- c:\windows\system\SysSD.dll
2009-06-13 09:47 <DIR> a-dshr-- C:\autorun.inf
2009-06-13 09:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-06-13 09:07 <DIR> --d----- c:\program files\MetaStream
2009-06-12 17:12 <DIR> --d----- c:\program files\Secunia
2009-06-12 16:21 <DIR> --d----- c:\program files\ESET

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-02 13:12 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-04-28 22:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 22:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 06:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 08:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-01-24 09:12 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLbx.DAT
2009-01-23 22:41 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLck.DAT
2009-01-22 21:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local

settings\history\history.ie5\mshist012009012220090123\index.dat

============= FINISH: 12:36:01.70 ===============

BC AdBot (Login to Remove)

 


#2 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:08:53 PM

Posted 13 June 2009 - 10:33 PM

I seem to have another problem as well! When I tried to run the online scanners - it will not let me? I think I may have a problem with Java - but not sure - it seems to work for everthing else. I tried the Kapersky online scanner and a couple others and they won't work? Just wondering if I do have a problem for sure? Right now I'm running Dr web cureit - will let you know what it finds!


Thank you!
Tammy

Hello Tamy,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman

Edited by The weatherman, 14 June 2009 - 01:23 AM.


#3 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:53 PM

Posted 22 June 2009 - 01:39 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here
.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay
.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#4 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:08:53 PM

Posted 22 June 2009 - 09:05 AM

Hi Net_Surfer - here is the DDS info


DDS (Ver_09-05-14.01) - NTFSx86
Run by TAMMY HENDERSON at 7:55:00.93 on Mon 06/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.319 [GMT -6:00]

AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RegCure\RegCure.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Atwin\Atwin2k.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TAMMY HENDERSON\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.8.0\ViewBarBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
TCP: {0924ECE7-E96C-4E38-8110-3D00E454B514} = 205.171.3.65,205.171.3.62
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: ?????SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-15 28544]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-5-28 213520]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 206088]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

=============== Created Last 30 ================


==================== Find3M ====================

2009-06-19 16:54 2,895,904 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-19 16:54 23,704 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-28 12:59 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-12 23:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-12 23:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 23:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 09:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 15:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 15:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 15:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 15:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 15:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 05:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 06:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 06:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 14:45 24,520 a------- c:\docume~1\tammyh~1\applic~1\wklnhst.dat
2009-04-15 08:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 08:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-19 15:59 80,432 ac------ c:\docume~1\tammyh~1\applic~1\GDIPFONTCACHEV1.DAT
2008-12-24 14:36 346 a---h--- c:\documents and settings\tammy henderson\hpothb07.dat
2008-08-19 08:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 7:56:44.64 ===============

#5 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:08:53 PM

Posted 22 June 2009 - 09:08 AM

I don't know how to zip and attach the other note pad file that it gave me (sorry)

Tammy

#6 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:08:53 PM

Posted 22 June 2009 - 09:11 AM

Did I do this right?



Attached File  Attach.txt   6.13KB   18 downloads

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,112 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:53 PM

Posted 22 June 2009 - 04:55 PM

Yep, you did. Hang on, an HJT team member will be with you soon. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:53 AM

Posted 22 June 2009 - 08:05 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
I can see that you have the registry cleaner program RegCure installed
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to an "optional fix" and is
up to the user, so just take this as a recommendation from my side.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • Gmer log
  • log.txt
  • info.txt (Attach this one)
Thanks

unite.jpg


#9 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:08:53 PM

Posted 23 June 2009 - 12:10 PM

Hi Syler,
So nice to meet you!
There was a problem with the download Rsit - will copy and paste what it said. Here are the other logs first

Malwarebytes:

Malwarebytes' Anti-Malware 1.38
Database version: 2325
Windows 5.1.2600 Service Pack 3

6/23/2009 9:14:07 AM
mbam-log-2009-06-23 (09-14-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138780
Time elapsed: 51 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Gmer Report:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-23 10:30:13
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF3D8BA72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xF3D8C01E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xF3D8DA82]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF3D8D438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xF3D8B1E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF3D8F3E4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xF3D8BE1A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xF3D8B62A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xF3D8B82A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xF3D8D744]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xF3D8F8F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xF3D8B940]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xF3D8B9A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xF3D8D5FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xF3D8EEA8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xF3D8D294]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xF3D8B34A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xF3D8BC40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xF3D8F40E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xF3D8BB96]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xF3D8BA10]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xF3D8B714]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xF3D8B4F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xF3D8F110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xF3D8AE6A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xF3D8E30C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xF3D8AFCC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xF3D8F7C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xF3D8AC68]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xF3D8D924]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xF3D8BF18]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xF3D8EFA2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xF3D8F438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xF3D8B3A0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xF3D8F51C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xF3D8F648]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xF3D8EDD4]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3964DF0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xF3D8BD5C]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 4 Bytes CALL E9420002
.text ntoskrnl.exe!_abnormal_termination + 311 804E296D 3 Bytes [B4, D8, F3]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [1C, F5, D8, F3, 48, F6, D8, ...]
.text ntoskrnl.exe!IoIsOperationSynchronous 804E875A 3 Bytes JMP F3DA25A2 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntoskrnl.exe!IoIsOperationSynchronous + 4 804E875E 1 Byte [73]
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512919 5 Bytes JMP F3DA21E8 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F6F755A0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6F75190] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F6F74FC0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6F88670] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6F88670] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\usbccgp.sys[NTOSKRNL.EXE!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\usbscan.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\usbprint.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F6F75770] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F6F74FC0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F6F75190] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F6F755A0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F6F74FC0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F6F75770] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F6F755A0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F6F75190] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ipfltdrv.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] [F6F88520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \FileSystem\Fastfat \Fat B9523D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----



And this is what come up in a new window for the rsit:

High security alert!!!
You are not permitted to download the file "RSIT.exe" because it is infected with the virus "PossibleThreat".

URL = http://images.malwareremoval.com/random/RSIT.exe

File quarantined as: .

http://www.fortinet.com/VirusEncyclopedia/...=PossibleThreat

Now what do I do? (sad smile)

I do appreciate you trying to help me Syler!

Best Regards,
Tammy

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:53 AM

Posted 23 June 2009 - 06:07 PM

Hi Tammy,

Rsit should not be detected as bad, I can assure you that it is not a malware. Sometimes AV's do detect some of the tool we use
for malware removal as malware, this is not the case.

You will need to add Rsit to your AV's exception list if you no how to do that, if not just temporarily disable your AV, download and
run Rsit, then enable your AV again and post back with the logs. Can you also let me no what problems you are having which you
think are malware related, as your logs so far don't show anything.

Thanks

unite.jpg


#11 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:08:53 PM

Posted 23 June 2009 - 11:15 PM

Dear Syler,

I'm sorry I have no control over this - this is my work computer and the company we have is doing this, Is there something else we can try?

So Sorry,
Tammy

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:53 AM

Posted 23 June 2009 - 11:22 PM

If this is a works computer why aren't your IT people dealing with it and why does that mean you can't run Rsit?

Edited by syler, 23 June 2009 - 11:23 PM.

unite.jpg


#13 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:08:53 PM

Posted 23 June 2009 - 11:41 PM

Sorry Syler,
It is my so called personel computer - It is actually something to do with the phone software - or something and the dip shi*t that thinks he knows something - doesn't - I know more than he does and I know diddlie - ha!
I think? Hey - no problem - ok? Thanks for trying though!

Warm regards,
Tammy

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:53 AM

Posted 23 June 2009 - 11:46 PM

Tamy, are you saying that your issue is resolved then?

unite.jpg


#15 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:08:53 PM

Posted 24 June 2009 - 09:04 AM

Hi Syler,
No my problem is not resolved - I do think I have a virus - I think it is the iexplore virus - after checking around a bit. My problem is that I have mutiple iexplore.exe's in my task manager and sometimes it will go crazy opening window after window and it's hard to stop it. I was trying to learn how to read the hijack this logs to see itf I could find it my self. Oh and the registry cleaner that is on my computer - my co-worker that a spoke of previously is the one that put it on here - and ran it but I wouldn't let him fix the 1168 problems it found - because I knew they are not a good Idea - I had read horror stories on these things - Anyway - I just have not unistalled it is all!

Tammy




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users