Infected with Virus/Malware which Totally disables FireWall


  • This topic is locked
23 replies to this topic

#1 MiranSMS

  • Members
  • 12 posts
  • Gender:Male
  • Location:Slovenia

Posted 10 July 2009 - 10:35 AM

Hello!

I am infected with some Virus/Malware which has totally disabled my Firewall.
Recently I was using Sygate Personal Firewall and AVG Free Edition antivirus.

One day I noticed in my Firewall a strange process named "CSRCS.EXE".
I manually tried to kill it within Sygate Firewall. I rebooted my computer and (AVG Free Edition) detected:
"TROJAN HORSE ROOTKIT-AGENT.DI" but was unable to remove it.
I also noticed that my Sygate firewall didn't start anymore. Reinstalling didn't help.
I tried System Restore to a previous checkpoint but it did not help either.
Another problem was that some autorun virus spread to every USB flash drive I had connected recently (the autorun.inf file was infected on all drives). And when I used those USB flash drives on other computers it spread along. I manually disabled the autorun function on WinXP on all computers and deleted all infected files (autorun.inf) on my USB flash drives.

I used the ESET Online Scanner, which removed csrcs.exe, rootkit-agent.di and the autorun virus.
I also checked the computer with "Malwarebytes' Anti-Malware" and "Ad-Aware".

Now I am using only Kaspersky Internet Security, but the firewall and Network Attack Blocker are still disabled by the virus. Kaspersky has found "korn.exe" and some other threats on my computer and successfully removed them. But it cannot remove the firewall-blocking virus. Kaspersky doesn't even detect the virus/malware. The virus obviously starts when WinXP is booted and disables the Firewall. My computer also takes very, very long to boot, sometimes even more than 5 minutes. That never happened before I got infected.
I tried to install Windows Service Pack 3 to improve protection, but the following error occurs every time I try to run it:
"The file c:\windows\system32\drivers\ndis.sys is open or use by another application".
I will put the Kaspersky report after the DDS log.

Thank you for all your help.
----------------------------------------------------------------------------------


DDS (Ver_09-05-14.01) - NTFSx86
Run by Miran at 16:01:16,90 on pet 10.07.2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1250.386.1033.18.2015.1213 [GMT 2:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Miran\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Miran\Desktop\dds.bat

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: xplorer2 Toolbar: {db35fda8-77e3-4784-92c2-ee7345e91af4} - c:\program files\xplorer2\tbxpl0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet101\tools\BitCometBHO_1.2.2.28.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: xplorer2 Toolbar: {db35fda8-77e3-4784-92c2-ee7345e91af4} - c:\program files\xplorer2\tbxpl0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: xplorer2 Toolbar: {db35fda8-77e3-4784-92c2-ee7345e91af4} - c:\program files\xplorer2\tbxpl0.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\miran\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &D&ownload &with BitComet - c:\program files\bitcomet101\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet101\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet101\BitComet.exe/AddAllLink.htm
IE: + Offline &Explorer: Download the link - file://c:\program files\offline explorer enterprise\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\offline explorer enterprise\Add_AllO.htm
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: I&zvoz v Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet101\tools\BitCometBHO_1.2.2.28.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi5b88~1\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244832446187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Notify: DeviceNP - DeviceNP.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll,c:\progra~1\kasper~1\kasper~2\mzvkbd.dll,c:\progra~1\kasper~1\kasper~2\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~2\adialhk.dll,c:\progra~1\kasper~1\kasper~2\kloehk.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = SbHpNp scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\miran\applic~1\mozilla\firefox\profiles\ouhamohr.default\
FF - plugin: c:\documents and settings\miran\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-8-14 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-6-14 13184]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-6-12 226832]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-7-24 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-8-14 5840]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-12-2 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-12-2 14336]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-9-6 221184]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-12-5 1489688]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-5-9 193840]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-5-9 47616]
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-5-9 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-7-24 41216]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-07-10 15:39 <DIR> --d----- C:\6e0d7500491f9e807d3f9982dadb4b
2009-07-06 03:25 5,002 a------- C:\miranbanner.pkl
2009-07-06 02:36 5,002 a------- C:\banner.p
2009-06-27 13:56 <DIR> --d----- C:\ExportOffline
2009-06-27 13:32 <DIR> --d----- C:\download
2009-06-27 13:05 <DIR> --d----- c:\docume~1\miran\applic~1\Offline Explorer
2009-06-27 13:04 <DIR> --d----- c:\program files\Offline Explorer Enterprise
2009-06-24 13:12 <DIR> --d----- C:\osseminarska
2009-06-15 19:34 54 a------- c:\windows\Musician.INI
2009-06-15 19:34 <DIR> --d----- c:\program files\Notation
2009-06-14 20:58 268,648 a------- c:\windows\system32\mucltui.dll
2009-06-14 20:58 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-13 01:10 <DIR> --d-h--- c:\windows\PIF
2009-06-12 20:04 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-06-12 20:04 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-06-12 20:04 4,218,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-12 20:04 679,968 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-12 20:04 35,084 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-12 20:04 4,452 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-12 20:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-06-12 19:03 <DIR> --d----- c:\program files\Kaspersky Lab
2009-06-12 18:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-06-12 18:18 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 18:18 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-12 18:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-07-08 17:17 204,275 a------- c:\windows\system32\nvModes.dat
2009-06-12 20:26 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-06-08 00:54 256 a------- c:\documents and settings\miran\pool.bin
2009-06-06 12:38 96,702 a------- c:\windows\system32\drivers\40540e1d.sys
2009-06-06 12:09 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-03 17:32 81,920 a------- c:\docume~1\miran\applic~1\ezpinst.exe
2008-10-03 17:32 47,360 a------- c:\docume~1\miran\applic~1\pcouffin.sys
2008-05-27 00:19 8 ---shr-- c:\windows\system32\277969C8C1.sys
2008-05-27 00:18 88 ---shr-- c:\windows\system32\3AECC525D0.sys
2009-04-03 23:20 88 ---shr-- c:\windows\system32\F81C34AD20.sys
2009-04-03 23:20 3,610 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:01:39,67 ===============
--------------------------------------------------------------------------------------------------
---KASPERSKY REPORT---
--------------------------------------------------------------------------------------------------
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
12.6.2009 20:14:37 Task completed
12.6.2009 20:13:12 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
12.6.2009 20:30:27 Task completed
12.6.2009 20:30:06 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
12.6.2009 22:35:27 Task started
12.6.2009 22:35:36 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
12.6.2009 22:35:54 Detected: http://www.viruslist.com/en/advisories/29320 C:\Program Files\microsoft office2003 slo\office11\outlook.exe
12.6.2009 22:36:05 Detected: http://www.viruslist.com/en/advisories/35364 C:\Program Files\microsoft office2003 slo\office11\excel.exe
12.6.2009 22:36:07 Detected: http://www.viruslist.com/en/advisories/34572 C:\Program Files\microsoft office2003 slo\office11\powerpnt.exe
12.6.2009 22:36:07 Detected: http://www.viruslist.com/en/advisories/33981 C:\Program Files\winamp5531\winamp.exe
12.6.2009 22:36:11 Detected: http://www.viruslist.com/en/advisories/35201 C:\Program Files\wireshark\wireshark.exe
12.6.2009 22:36:13 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
12.6.2009 22:36:19 Detected: http://www.viruslist.com/en/advisories/35377 C:\Program Files\microsoft office2003 slo\office11\winword.exe
12.6.2009 22:36:38 Detected: http://www.viruslist.com/en/advisories/30150 C:\Program Files\microsoft office2003 slo\office11\mspub.exe
12.6.2009 22:36:44 Detected: http://www.viruslist.com/en/advisories/35091 C:\Program Files\quicktime\quicktimeplayer.exe
12.6.2009 22:50:09 Task stopped
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
12.6.2009 22:53:12 Task stopped
12.6.2009 22:53:04 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
12.6.2009 22:54:12 Task started
12.6.2009 22:54:18 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
12.6.2009 22:54:26 Detected: http://www.viruslist.com/en/advisories/35364 C:\Program Files\microsoft office2003 slo\office11\excel.exe
12.6.2009 22:54:27 Detected: http://www.viruslist.com/en/advisories/29320 C:\Program Files\microsoft office2003 slo\office11\outlook.exe
12.6.2009 22:54:28 Detected: http://www.viruslist.com/en/advisories/34572 C:\Program Files\microsoft office2003 slo\office11\powerpnt.exe
12.6.2009 22:54:29 Detected: http://www.viruslist.com/en/advisories/33981 C:\Program Files\winamp5531\winamp.exe
12.6.2009 22:54:29 Detected: http://www.viruslist.com/en/advisories/35201 C:\Program Files\wireshark\wireshark.exe
12.6.2009 22:54:29 Detected: http://www.viruslist.com/en/advisories/35377 C:\Program Files\microsoft office2003 slo\office11\winword.exe
12.6.2009 22:54:30 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
12.6.2009 22:54:41 Detected: http://www.viruslist.com/en/advisories/30150 C:\Program Files\microsoft office2003 slo\office11\mspub.exe
12.6.2009 22:54:41 Detected: http://www.viruslist.com/en/advisories/35091 C:\Program Files\quicktime\quicktimeplayer.exe
12.6.2009 23:04:06 Detected: http://www.viruslist.com/en/advisories/26027 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\flash.ocx
12.6.2009 23:04:32 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msxml6.dll
12.6.2009 23:05:50 Detected: http://www.viruslist.com/en/advisories/34451 C:\WINDOWS\system32\java.exe
12.6.2009 23:05:52 Detected: Trojan.Win32.Midgare.yda C:\WINDOWS\system32\korn.exe
12.6.2009 23:05:54 Untreated: Trojan.Win32.Midgare.yda C:\WINDOWS\system32\korn.exe Postponed
12.6.2009 23:06:19 Detected: http://www.viruslist.com/en/advisories/35091 C:\WINDOWS\system32\QuickTime.qts
12.6.2009 23:08:54 Detected: http://www.viruslist.com/en/advisories/34012 C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
12.6.2009 23:08:55 Detected: http://www.viruslist.com/en/advisories/34012 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
12.6.2009 23:09:53 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
12.6.2009 23:09:53 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
12.6.2009 23:09:59 Detected: Trojan.Win32.Midgare.yda C:\WINDOWS\system32\korn.exe
12.6.2009 23:15:18 Deleted: Trojan.Win32.Midgare.yda C:\WINDOWS\system32\korn.exe
12.6.2009 23:15:18 Task completed
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
13.6.2009 1:06:34 Task completed
13.6.2009 1:06:33 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
13.6.2009 15:21:24 Task completed
13.6.2009 15:21:13 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
13.6.2009 15:21:13 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
13.6.2009 15:19:55 Detected: http://www.viruslist.com/en/advisories/34012 C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
13.6.2009 15:19:55 Detected: http://www.viruslist.com/en/advisories/34012 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
13.6.2009 15:18:01 Detected: http://www.viruslist.com/en/advisories/35091 C:\WINDOWS\system32\QuickTime.qts
13.6.2009 15:17:08 Detected: http://www.viruslist.com/en/advisories/34451 C:\WINDOWS\system32\java.exe
13.6.2009 15:14:43 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msxml6.dll
13.6.2009 15:13:58 Detected: http://www.viruslist.com/en/advisories/26027 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\flash.ocx
13.6.2009 14:55:13 Detected: http://www.viruslist.com/en/advisories/35091 C:\Program Files\quicktime\quicktimeplayer.exe
13.6.2009 14:55:11 Detected: http://www.viruslist.com/en/advisories/30150 C:\Program Files\microsoft office2003 slo\office11\mspub.exe
13.6.2009 14:54:58 Detected: http://www.viruslist.com/en/advisories/35377 C:\Program Files\microsoft office2003 slo\office11\winword.exe
13.6.2009 14:54:42 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
13.6.2009 14:54:40 Detected: http://www.viruslist.com/en/advisories/35201 C:\Program Files\wireshark\wireshark.exe
13.6.2009 14:54:36 Detected: http://www.viruslist.com/en/advisories/33981 C:\Program Files\winamp5531\winamp.exe
13.6.2009 14:54:33 Detected: http://www.viruslist.com/en/advisories/34572 C:\Program Files\microsoft office2003 slo\office11\powerpnt.exe
13.6.2009 14:54:27 Detected: http://www.viruslist.com/en/advisories/35364 C:\Program Files\microsoft office2003 slo\office11\excel.exe
13.6.2009 14:54:20 Detected: http://www.viruslist.com/en/advisories/29320 C:\Program Files\microsoft office2003 slo\office11\outlook.exe
13.6.2009 14:53:06 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
14.6.2009 16:34:56 Task stopped
14.6.2009 16:34:14 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
14.6.2009 16:35:04 Task started
14.6.2009 16:35:55 Detected: http://www.viruslist.com/en/advisories/29320 c:\program files\microsoft office2003 slo\office11\outlook.exe
14.6.2009 16:36:07 Detected: http://www.viruslist.com/en/advisories/33981 c:\program files\winamp5531\winamp.exe
14.6.2009 16:36:14 Detected: http://www.viruslist.com/en/advisories/34572 c:\program files\microsoft office2003 slo\office11\powerpnt.exe
14.6.2009 16:36:15 Detected: http://www.viruslist.com/en/advisories/35364 c:\program files\microsoft office2003 slo\office11\excel.exe
14.6.2009 16:36:21 Detected: http://www.viruslist.com/en/advisories/35201 c:\program files\wireshark\wireshark.exe
14.6.2009 16:36:30 Detected: http://www.viruslist.com/en/advisories/31822 c:\program files\bonjour\mdnsresponder.exe
14.6.2009 16:36:37 Detected: http://www.viruslist.com/en/advisories/35377 c:\program files\microsoft office2003 slo\office11\winword.exe
14.6.2009 16:37:19 Detected: http://www.viruslist.com/en/advisories/30150 c:\program files\microsoft office2003 slo\office11\mspub.exe
14.6.2009 17:15:41 Detected: http://www.viruslist.com/en/advisories/33062 c:\Documents and Settings\Miran\Local Settings\Application Data\Google\Chrome\Application\1.0.154.65\gears.dll
14.6.2009 19:37:32 Detected: http://www.viruslist.com/en/advisories/34012 c:\program files\Adobe\Adobe Bridge CS3\browser\plugins\NPSWF32.dll
14.6.2009 19:42:05 Task stopped
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
19.6.2009 0:38:04 Task completed
19.6.2009 0:38:04 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
19.6.2009 0:38:11 Task completed
19.6.2009 0:38:11 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
24.6.2009 14:31:49 Task completed
24.6.2009 14:31:49 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
24.6.2009 18:29:20 Task started
24.6.2009 18:29:23 Detected: Worm.Win32.AutoIt.oa G:\akkdwf.exe/jghdyvbgfxdfgu.au3.tbl.decoded
24.6.2009 18:29:48 Deleted: Worm.Win32.AutoIt.oa G:\akkdwf.exe
24.6.2009 18:29:57 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
24.6.2009 18:30:16 Detected: http://www.viruslist.com/en/advisories/29320 C:\Program Files\microsoft office2003 slo\office11\outlook.exe
24.6.2009 18:30:16 Detected: http://www.viruslist.com/en/advisories/35364 C:\Program Files\microsoft office2003 slo\office11\excel.exe
24.6.2009 18:30:20 Detected: http://www.viruslist.com/en/advisories/33981 C:\Program Files\winamp5531\winamp.exe
24.6.2009 18:30:21 Detected: http://www.viruslist.com/en/advisories/35201 C:\Program Files\wireshark\wireshark.exe
24.6.2009 18:30:21 Detected: http://www.viruslist.com/en/advisories/34572 C:\Program Files\microsoft office2003 slo\office11\powerpnt.exe
24.6.2009 18:30:22 Detected: http://www.viruslist.com/en/advisories/35377 C:\Program Files\microsoft office2003 slo\office11\winword.exe
24.6.2009 18:30:26 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
24.6.2009 18:30:55 Detected: http://www.viruslist.com/en/advisories/30150 C:\Program Files\microsoft office2003 slo\office11\mspub.exe
24.6.2009 18:30:57 Detected: http://www.viruslist.com/en/advisories/35091 C:\Program Files\quicktime\quicktimeplayer.exe
24.6.2009 18:31:06 Task completed
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
24.6.2009 22:20:36 Task started
24.6.2009 22:20:48 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
24.6.2009 22:21:03 Detected: http://www.viruslist.com/en/advisories/29320 C:\Program Files\microsoft office2003 slo\office11\outlook.exe
24.6.2009 22:21:10 Detected: http://www.viruslist.com/en/advisories/35364 C:\Program Files\microsoft office2003 slo\office11\excel.exe
24.6.2009 22:21:17 Detected: http://www.viruslist.com/en/advisories/34572 C:\Program Files\microsoft office2003 slo\office11\powerpnt.exe
24.6.2009 22:21:19 Detected: http://www.viruslist.com/en/advisories/33981 C:\Program Files\winamp5531\winamp.exe
24.6.2009 22:21:19 Detected: http://www.viruslist.com/en/advisories/35377 C:\Program Files\microsoft office2003 slo\office11\winword.exe
24.6.2009 22:21:20 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
24.6.2009 22:21:20 Detected: http://www.viruslist.com/en/advisories/35201 C:\Program Files\wireshark\wireshark.exe
24.6.2009 22:21:24 Detected: http://www.viruslist.com/en/advisories/30150 C:\Program Files\microsoft office2003 slo\office11\mspub.exe
24.6.2009 22:21:27 Detected: http://www.viruslist.com/en/advisories/35091 C:\Program Files\quicktime\quicktimeplayer.exe
24.6.2009 22:30:26 Detected: http://www.viruslist.com/en/advisories/26027 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\flash.ocx
24.6.2009 22:30:50 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msxml6.dll
24.6.2009 22:32:01 Detected: http://www.viruslist.com/en/advisories/34451 C:\WINDOWS\system32\java.exe
24.6.2009 22:32:32 Detected: http://www.viruslist.com/en/advisories/35091 C:\WINDOWS\system32\QuickTime.qts
24.6.2009 22:34:53 Detected: http://www.viruslist.com/en/advisories/34012 C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
24.6.2009 22:34:53 Detected: http://www.viruslist.com/en/advisories/34012 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
24.6.2009 22:35:48 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
24.6.2009 22:35:48 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
24.6.2009 22:35:53 Task completed
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
24.6.2009 22:43:41 Task started
24.6.2009 22:43:45 Detected: http://www.viruslist.com/en/advisories/34580 C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.api
24.6.2009 22:43:46 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
24.6.2009 22:43:50 Detected: http://www.viruslist.com/en/advisories/35364 C:\Program Files\microsoft office2003 slo\office11\excel.exe
24.6.2009 22:43:50 Detected: http://www.viruslist.com/en/advisories/29320 C:\Program Files\microsoft office2003 slo\office11\outlook.exe
24.6.2009 22:43:50 Detected: http://www.viruslist.com/en/advisories/34572 C:\Program Files\microsoft office2003 slo\office11\powerpnt.exe
24.6.2009 22:43:51 Detected: http://www.viruslist.com/en/advisories/33981 C:\Program Files\winamp5531\winamp.exe
24.6.2009 22:43:51 Detected: http://www.viruslist.com/en/advisories/35201 C:\Program Files\wireshark\wireshark.exe
24.6.2009 22:43:51 Detected: http://www.viruslist.com/en/advisories/35377 C:\Program Files\microsoft office2003 slo\office11\winword.exe
24.6.2009 22:43:53 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
24.6.2009 22:44:01 Detected: http://www.viruslist.com/en/advisories/30150 C:\Program Files\microsoft office2003 slo\office11\mspub.exe
24.6.2009 22:44:01 Detected: http://www.viruslist.com/en/advisories/35091 C:\Program Files\quicktime\quicktimeplayer.exe
24.6.2009 23:04:09 Detected: http://www.viruslist.com/en/advisories/33062 C:\Documents and Settings\Miran\Local Settings\Application Data\Google\Chrome\Application\2.0.172.33\gears.dll
24.6.2009 23:36:02 Task stopped
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
26.6.2009 20:53:55 Task completed
26.6.2009 20:53:51 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
9.7.2009 21:02:11 Task completed
9.7.2009 21:02:11 Task started
Quick Scan: completed 10.7.2009 16:20:11 (events: 20, objects: 50807, time: 00:16:08)
10.7.2009 16:04:03 Task started
10.7.2009 16:04:13 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
10.7.2009 16:04:24 Detected: http://www.viruslist.com/en/advisories/29320 C:\Program Files\microsoft office2003 slo\office11\outlook.exe
10.7.2009 16:04:25 Detected: http://www.viruslist.com/en/advisories/35364 C:\Program Files\microsoft office2003 slo\office11\excel.exe
10.7.2009 16:04:29 Detected: http://www.viruslist.com/en/advisories/35126 C:\Program Files\winamp5531\winamp.exe
10.7.2009 16:04:29 Detected: http://www.viruslist.com/en/advisories/35201 C:\Program Files\wireshark\wireshark.exe
10.7.2009 16:04:29 Detected: http://www.viruslist.com/en/advisories/34572 C:\Program Files\microsoft office2003 slo\office11\powerpnt.exe
10.7.2009 16:04:32 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
10.7.2009 16:04:34 Detected: http://www.viruslist.com/en/advisories/35377 C:\Program Files\microsoft office2003 slo\office11\winword.exe
10.7.2009 16:04:46 Detected: http://www.viruslist.com/en/advisories/30150 C:\Program Files\microsoft office2003 slo\office11\mspub.exe
10.7.2009 16:14:25 Detected: http://www.viruslist.com/en/advisories/26027 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\flash.ocx
10.7.2009 16:14:49 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msxml6.dll
10.7.2009 16:18:24 Detected: Backdoor.Win32.NewRest.ao C:\WINDOWS\system32\drivers\40540e1d.sys
10.7.2009 16:18:24 Untreated: Backdoor.Win32.NewRest.ao C:\WINDOWS\system32\drivers\40540e1d.sys Postponed
10.7.2009 16:18:48 Detected: http://www.viruslist.com/en/advisories/34012 C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
10.7.2009 16:19:42 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
10.7.2009 16:19:42 Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
10.7.2009 16:19:47 Detected: Backdoor.Win32.NewRest.ao C:\WINDOWS\system32\drivers\40540e1d.sys
10.7.2009 16:20:11 Deleted: Backdoor.Win32.NewRest.ao C:\WINDOWS\system32\drivers\40540e1d.sys
10.7.2009 16:20:11 Task completed
-------------------------------------------------------------------------------------------------

Edited by MiranSMS, 10 July 2009 - 10:42 AM.
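
The Kaspersky report above mixes two very different kinds of "Detected" line: hits from the vulnerability scanner, where the "name" is a viruslist.com advisory URL and the file is an outdated but legitimate program (Office 2003, Winamp, Wireshark, Bonjour, QuickTime, Flash, MSXML), and one real malware verdict, Backdoor.Win32.NewRest.ao on a driver in system32\drivers, which is first recorded as Untreated/Postponed and only later as Deleted. The Python below is an added example for this thread, not part of the post and not Kaspersky's tooling: it parses lines in that format, lists the vulnerable programs separately from the malware verdicts, and reports the last action recorded for each file with a verdict so a reviewer can see whether anything was left untreated. The sample lines are a constructed excerpt of the log in the post; the regular expression and the set of action words are assumptions based on the lines shown.

```python
"""Triage of a Kaspersky Internet Security 2009 report export.

Added example for the thread, not Kaspersky code. It separates
vulnerability-scanner hits (name is an advisory URL: an outdated but
legitimate program) from malware verdicts, and tracks the last action
recorded for each file that got a malware verdict.
"""
import re

# Line format as seen in the posted log; the set of action words is an assumption.
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}\.\d{1,2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>Detected|Untreated|Deleted|Disinfected|Quarantined): "
    r"(?P<name>\S+) (?P<path>.+?)(?: (?P<status>Postponed))?$"
)
ADVISORY_PREFIX = "http://www.viruslist.com/en/advisories/"
RESOLVED_ACTIONS = {"Deleted", "Disinfected", "Quarantined"}

# Constructed excerpt of the report in the thread (same line format, fewer lines).
SAMPLE_LOG = r"""
10.7.2009 16:04:03 Task started
10.7.2009 16:04:13 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
10.7.2009 16:04:29 Detected: http://www.viruslist.com/en/advisories/35201 C:\Program Files\wireshark\wireshark.exe
10.7.2009 16:04:32 Detected: http://www.viruslist.com/en/advisories/31822 C:\Program Files\Bonjour\mDNSResponder.exe
10.7.2009 16:18:24 Detected: Backdoor.Win32.NewRest.ao C:\WINDOWS\system32\drivers\40540e1d.sys
10.7.2009 16:18:24 Untreated: Backdoor.Win32.NewRest.ao C:\WINDOWS\system32\drivers\40540e1d.sys Postponed
10.7.2009 16:19:47 Detected: Backdoor.Win32.NewRest.ao C:\WINDOWS\system32\drivers\40540e1d.sys
10.7.2009 16:20:11 Deleted: Backdoor.Win32.NewRest.ao C:\WINDOWS\system32\drivers\40540e1d.sys
10.7.2009 16:20:11 Task completed
"""


def parse_events(text):
    """Return one dict per event line; task start/stop lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(text):
    """Split the report into (vulnerable_programs, malware).

    vulnerable_programs: {path: sorted advisory ids}    - patch or remove these
    malware:             {path: (verdict, last action)} - in log order
    """
    vulnerable, malware = {}, {}
    for ev in parse_events(text):
        if ev["name"].startswith(ADVISORY_PREFIX):
            vulnerable.setdefault(ev["path"], set()).add(ev["name"][len(ADVISORY_PREFIX):])
        else:
            # The last action recorded for a file wins:
            # Detected -> Untreated/Postponed -> Deleted is the sequence in the thread.
            malware[ev["path"]] = (ev["name"], ev["action"])
    return {p: sorted(ids) for p, ids in vulnerable.items()}, malware


def unresolved(malware):
    """Files with a malware verdict whose final recorded action was not a removal."""
    return [p for p, (_, action) in malware.items() if action not in RESOLVED_ACTIONS]


if __name__ == "__main__":
    vuln, mal = triage(SAMPLE_LOG)
    for path, ids in vuln.items():
        print("VULNERABLE", path, "advisories:", ", ".join(ids))
    for path, (verdict, action) in mal.items():
        print("MALWARE   ", path, verdict, "->", action)
    print("unresolved:", unresolved(mal) or "none")
```

Run against the full report from the post, the vulnerable-program list is the patching to-do list for after the cleanup, and an empty `unresolved()` result is the first thing to confirm before trusting the "Task completed" line.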


#2 Elise (Malware Study Hall Admin)

Posted 19 July 2009 - 02:35 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 MiranSMS (Topic Starter)

Posted 20 July 2009 - 10:56 AM

Hello.

I did not try to change anything.
Here is my fresh dds.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Miran at 17:50:55,13 on pon 20.07.2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1250.386.1033.18.2015.992 [GMT 2:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Miran\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\eclipse\eclipse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PyScripter19\PyScripter.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Documents and Settings\Miran\Desktop\dds.bat
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Miran\Desktop\dds.bat

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: xplorer2 Toolbar: {db35fda8-77e3-4784-92c2-ee7345e91af4} - c:\program files\xplorer2\tbxpl0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet101\tools\BitCometBHO_1.2.2.28.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: xplorer2 Toolbar: {db35fda8-77e3-4784-92c2-ee7345e91af4} - c:\program files\xplorer2\tbxpl0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: xplorer2 Toolbar: {db35fda8-77e3-4784-92c2-ee7345e91af4} - c:\program files\xplorer2\tbxpl0.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\miran\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &D&ownload &with BitComet - c:\program files\bitcomet101\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet101\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet101\BitComet.exe/AddAllLink.htm
IE: + Offline &Explorer: Download the link - file://c:\program files\offline explorer enterprise\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\offline explorer enterprise\Add_AllO.htm
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: I&zvoz v Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet101\tools\BitCometBHO_1.2.2.28.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi5b88~1\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244832446187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Notify: DeviceNP - DeviceNP.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll,c:\progra~1\kasper~1\kasper~2\mzvkbd.dll,c:\progra~1\kasper~1\kasper~2\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~2\adialhk.dll,c:\progra~1\kasper~1\kasper~2\kloehk.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = SbHpNp scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\miran\applic~1\mozilla\firefox\profiles\ouhamohr.default\
FF - plugin: c:\documents and settings\miran\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-8-14 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-6-14 13184]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-6-12 226832]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-7-24 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-8-14 5840]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-12-2 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-12-2 14336]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-9-6 221184]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-12-5 1489688]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-5-9 193840]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-5-9 47616]
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-5-9 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-7-24 41216]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-07-10 19:10 <DIR> --d----- c:\windows\system32\NtmsData
2009-07-06 03:25 5,002 a------- C:\miranbanner.pkl
2009-07-06 02:36 5,002 a------- C:\banner.p
2009-06-27 13:56 <DIR> --d----- C:\ExportOffline
2009-06-27 13:32 <DIR> --d----- C:\download
2009-06-27 13:05 <DIR> --d----- c:\docume~1\miran\applic~1\Offline Explorer
2009-06-27 13:04 <DIR> --d----- c:\program files\Offline Explorer Enterprise
2009-06-24 13:12 <DIR> --d----- C:\osseminarska

==================== Find3M ====================

2009-07-19 02:27 4,497,952 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-19 02:27 737,312 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-07-19 02:27 37,268 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-19 02:27 4,648 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-07-17 16:12 204,275 a------- c:\windows\system32\nvModes.dat
2009-06-12 20:26 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-06-12 20:26 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-06-12 20:26 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-06-08 00:54 256 a------- c:\documents and settings\miran\pool.bin
2009-06-06 12:09 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-03 17:32 81,920 a------- c:\docume~1\miran\applic~1\ezpinst.exe
2008-10-03 17:32 47,360 a------- c:\docume~1\miran\applic~1\pcouffin.sys
2008-05-27 00:19 8 ---shr-- c:\windows\system32\277969C8C1.sys
2008-05-27 00:18 88 ---shr-- c:\windows\system32\3AECC525D0.sys
2009-04-03 23:20 88 ---shr-- c:\windows\system32\F81C34AD20.sys
2009-04-03 23:20 3,610 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:51:20,30 ===============
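
A DDS log is mostly a list of load points, and the part worth reading slowly is the "Pseudo HJT Report" section together with the hidden files in Find3M. AppInit_DLLs (DLLs injected into every process that loads user32.dll), Notify (winlogon notification packages, which run inside winlogon.exe as SYSTEM) and LSA Notification Packages (DLLs that are handed every password change in the clear) are exactly where a rootkit or password stealer would register itself, right next to legitimate Kaspersky and HP ProtectTools components. The Python below is an added example for this thread, not part of the post and not part of DDS: it applies a few review heuristics to a constructed excerpt in the layout of the log above (bare file names with no path, LSA and security-provider packages that are not Windows XP defaults, hidden+system .sys files sitting directly in system32) and lists what a human should verify on disk. A flagged item means "check this", not "malicious"; the default-package sets are the Windows XP defaults as assumed here, and the section and line formats are inferred from the log shown.

```python
"""Review heuristics for the load-point sections of a DDS log.

Added example for the thread, not part of DDS. A flagged entry means
"verify this on disk", not "malicious": HP ProtectTools and Kaspersky
legitimately register packages in the same places a rootkit would.
"""
import re

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# Find3M line: date time size attribute-flags path (format inferred from the log)
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ([\d,]+) ([a-z-]{8}) (.+)$")

# Windows XP defaults, assumed here; anything else receives password changes / SSP traffic.
XP_DEFAULT_LSA_NOTIFY = {"scecli"}
XP_DEFAULT_SEC_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed excerpt in the layout of the DDS log above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
Notify: DeviceNP - DeviceNP.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: APSHook.dll,c:\progra~1\kasper~1\kasper~2\mzvkbd.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = SbHpNp scecli ASWLNPkg
==================== Find3M ====================
2009-07-19 02:27 4,497,952 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-05-27 00:19 8 ---shr-- c:\windows\system32\277969C8C1.sys
2009-04-03 23:20 3,610 a--sh--- c:\windows\system32\KGyGaAvL.sys
"""


def split_sections(text):
    """Map each '==== Name ====' header to the non-empty lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections


def review_load_points(text):
    """Return (category, item, reason) triples a reviewer should check by hand."""
    findings = []
    sections = split_sections(text)
    for line in sections.get("Pseudo HJT Report", []):
        key, _, value = line.partition(": ")
        if key == "AppInit_DLLs":
            # Loaded into every process that links user32.dll; a bare name is
            # resolved via the DLL search path, so find out which file it really is.
            for dll in filter(None, value.split(",")):
                if "\\" not in dll:
                    findings.append(("AppInit_DLLs", dll, "bare file name, injected into every GUI process"))
        elif key == "Notify":
            # Winlogon notification packages run inside winlogon.exe as SYSTEM.
            _, _, path = value.partition(" - ")
            if "\\" not in path:
                findings.append(("Notify", path, "winlogon notification package without a full path"))
        elif key == "LSA" and value.startswith("Notification Packages = "):
            # These DLLs are handed every password change in the clear.
            for pkg in value.split("= ", 1)[1].split():
                if pkg.lower() not in XP_DEFAULT_LSA_NOTIFY:
                    findings.append(("LSA Notification Packages", pkg, "not a Windows XP default"))
        elif key == "SecurityProviders":
            for prov in (p.strip() for p in value.split(",")):
                if prov and prov.lower() not in XP_DEFAULT_SEC_PROVIDERS:
                    findings.append(("SecurityProviders", prov, "not a Windows XP default SSP"))
    for line in sections.get("Find3M", []):
        m = FIND3M_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4)
        folder, _, name = path.lower().rpartition("\\")
        # Drivers normally live in system32\drivers; a hidden+system .sys sitting
        # directly in system32 is unusual enough to look at (copy-protection schemes
        # drop such files too, so expect benign hits).
        if "s" in attrs and "h" in attrs and folder.endswith("\\system32") and name.endswith(".sys"):
            findings.append(("Find3M", path, "hidden+system .sys directly in system32"))
    return findings


if __name__ == "__main__":
    for category, item, reason in review_load_points(SAMPLE_DDS):
        print(f"{category:26} {item:45} {reason}")
```

On the excerpt this yields six items: the bare AppInit DLL, the bare Notify DLL, the two non-default LSA notification packages and the two hidden .sys files; the security-provider list matches the XP defaults and is not flagged. Each item is resolved by locating the file, checking its signature and matching it to the product that owns it, which is the work the helpers in this thread do by hand.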


#4 thewall (Malware Response Team)

Posted 22 July 2009 - 10:11 PM

Hello MiranSMS, welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.


    [screenshot of the GMER settings listed below]


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries





Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 MiranSMS (Topic Starter)

Posted 23 July 2009 - 12:14 PM

Hello thewall.

Is it O.K. to still use Kaspersky or should I disable it while we are performing the clean-up?

Here is my Gmer log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-23 19:04:18
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB82A31DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xB82A37AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xB82A51EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xB82A4B9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xB82A2950]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB82A6B7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xB82A35AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xB82A2D92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xB82A2F92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xB82A4EAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xB82A7084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xB82A30A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xB82A3110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xB82A4D5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xB82A6620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xB82A49F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xB82A2AB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xB82A33B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xB82A6BA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xB82A32FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xB82A3178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xB82A2E7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xB82A2C5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xB82A6888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xB82A25D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xB82A5A74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xB82A2734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xB82A6F56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xB82A23D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xB82A508C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xB82A36AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xB82A671A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xB82A6BD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xB82A2B08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xB82A6CB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xB82A6DE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xB82A654C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xB82A347E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xB82A34F0]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
Code 8A505500 pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A6551E8
Device \Driver\NDIS \Device\Ndis [8A472982] NDIS.sys[.reloc]

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A446980
Device \Driver\NetBT \Device\NetBT_Tcpip_{59068BF4-02ED-4AB3-925B-2D142D145DAC} 86B9B1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5E21E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5E21E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5E21E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5E21E8
Device \Driver\usbuhci \Device\USBPDO-1 8A446980
Device \Driver\usbehci \Device\USBPDO-2 8A43F7D8
Device \Driver\usbuhci \Device\USBPDO-3 8A446980
Device \Driver\usbuhci \Device\USBPDO-4 8A446980
Device \Driver\usbuhci \Device\USBPDO-5 8A446980
Device \Driver\usbehci \Device\USBPDO-6 8A43F7D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6571E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6571E8
Device \Driver\Cdrom \Device\CdRom0 8A441980
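
Every SSDT hook in the GMER log above is attributed to klif.sys with a "Kaspersky Lab" vendor string, which is the picture a correctly installed security product produces and the reason the instructions warn not to act on rootkit entries blindly. The entries that deserve attention are the ones GMER cannot tie to a module, such as the "Code 8A505500 pIofCallDriver" line, which shows only an address. The Python below is an added example for this thread, not part of the post and not part of GMER: it groups hook entries from a constructed excerpt in GMER's line format (as inferred from the log) by owning module and vendor, and lists the hooks with no attributed module so they can be looked at first.

```python
"""Group GMER hook entries by the module GMER attributes them to.

Added example for the thread, not part of GMER. The line formats are
inferred from the log above; the goal is to see at a glance whether all
hooks belong to one named security product (the usual benign picture)
and to isolate hooks GMER could not attribute to any module.
"""
import re

SSDT_RE = re.compile(
    r"^SSDT (?P<module>\S+) \((?P<desc>[^)]*)\) (?P<func>\w+) \[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
CODE_RE = re.compile(
    r"^Code (?:(?P<module>\S+) \((?P<desc>[^)]*)\)|(?P<addr>[0-9A-Fa-f]{8})) (?P<func>\w+)$"
)
UNATTRIBUTED = "<no module>"

# Constructed excerpt in the format of the GMER log above.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xB82A4B9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xB82A6620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xB82A347E]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
Code 8A505500 pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [8A472982] NDIS.sys[.reloc]
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
"""


def summarize_hooks(text):
    """{module: {"vendor": str|None, "ssdt": [funcs], "code": [funcs]}} in log order."""
    owners = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line) or CODE_RE.match(line)
        if not m:
            continue  # device entries and headers are not hooks
        d = m.groupdict()
        module = d.get("module") or UNATTRIBUTED
        # GMER prints "Product/Vendor" in parentheses; keep the vendor part.
        vendor = d["desc"].rsplit("/", 1)[-1] if d.get("desc") else None
        entry = owners.setdefault(module, {"vendor": vendor, "ssdt": [], "code": []})
        entry["ssdt" if line.startswith("SSDT") else "code"].append(d["func"])
    return owners


def needs_review(owners):
    """Modules to look at first: hooks with no module, or a module with no vendor string.

    A hook set that all points at one named security product is the common
    false-positive case the thread warns about; still confirm the file on disk
    is the vendor's before dismissing it.
    """
    return [m for m, e in owners.items() if m == UNATTRIBUTED or not e["vendor"]]


if __name__ == "__main__":
    owners = summarize_hooks(SAMPLE_GMER)
    for module, e in owners.items():
        print(f"{module} ({e['vendor'] or 'no vendor'}): "
              f"{len(e['ssdt'])} SSDT, {len(e['code'])} inline code hooks")
    print("review first:", needs_review(owners))
```

Applied to the full log in the post, all 38 SSDT entries and two of the three Code entries collapse into a single Kaspersky Lab owner, leaving the address-only pIofCallDriver hook as the one item without a named module.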

#6 thewall (Malware Response Team)

Posted 23 July 2009 - 02:03 PM

You can keep it active unless we are doing something that specifically calls for it to be disabled. I'll let you know if that is the case. I'll be back a little later.

#7 thewall (Malware Response Team)

Posted 23 July 2009 - 04:26 PM

Make sure you don't try installing Service Pack 3 until your computer is clean. Doing so can cause problems on an infected machine.

Let's try SAS first and see what it does:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#8 MiranSMS (Topic Starter)

Posted 25 July 2009 - 10:48 AM

I have checked all 3 things mentioned above and unchecked all others.
Here is SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/25/2009 at 04:14 PM

Application Version : 4.26.1006

Core Rules Database Version : 4019
Trace Rules Database Version: 1959

Scan type : Complete Scan
Total Scan Time : 01:52:37

Memory items scanned : 598
Memory threats detected : 0
Registry items scanned : 9498
Registry threats detected : 2
File items scanned : 223508
File threats detected : 16

Adware.Tracking Cookie
C:\Documents and Settings\Miran\Cookies\miran@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Miran\Cookies\miran@ad.httpool[1].txt
C:\Documents and Settings\Miran\Cookies\miran@atdmt[2].txt
C:\Documents and Settings\Miran\Cookies\miran@atwola[1].txt
C:\Documents and Settings\Miran\Cookies\miran@doubleclick[1].txt
C:\Documents and Settings\Miran\Cookies\miran@banners.salomon[1].txt
C:\Documents and Settings\Miran\Cookies\miran@2o7[1].txt
C:\Documents and Settings\Miran\Cookies\miran@ads2.dnevnik[2].txt
C:\Documents and Settings\Miran\Cookies\miran@tacoda[1].txt
C:\Documents and Settings\Miran\Cookies\miran@ad.yieldmanager[1].txt
C:\Documents and Settings\Miran\Cookies\miran@adbrite[1].txt
C:\Documents and Settings\Miran\Cookies\miran@zedo[1].txt
C:\Documents and Settings\Miran\Cookies\miran@advertising[1].txt
C:\Documents and Settings\Miran\Cookies\miran@perf.overture[1].txt
C:\Documents and Settings\Miran\Cookies\miran@accounts[1].txt
C:\Documents and Settings\Miran\Cookies\miran@banners[1].txt

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg

#9 thewall (Malware Response Team)

Posted 25 July 2009 - 11:55 AM

Let's run this next:

Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#10 MiranSMS (Topic Starter, Members, 12 posts, Male, Slovenia)

Posted 26 July 2009 - 07:07 AM

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 2
[32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 6.0.2900.2180
Mozilla Firefox 3.0.11 (sl)
.
C:\ [Fixed-NTFS] .. ( Total:97 Go - Free:23 Go )
D:\ [Fixed-NTFS] .. ( Total:135 Go - Free:3 Go )
E:\ [CD_Rom]
F:\ [CD_Rom]
.
Scan : 12:01.19
Path : C:\Documents and Settings\Miran\Desktop\Rooter.exe
User : Miran ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (628)
______ \??\C:\WINDOWS\system32\csrss.exe (692)
______ \??\C:\WINDOWS\system32\winlogon.exe (724)
______ C:\WINDOWS\system32\services.exe (772)
______ C:\WINDOWS\system32\lsass.exe (788)
______ C:\WINDOWS\System32\svchost.exe (936)
______ C:\WINDOWS\system32\svchost.exe (1000)
______ c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (1060)
______ C:\WINDOWS\system32\svchost.exe (1104)
______ C:\WINDOWS\System32\svchost.exe (1148)
______ C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (1200)
______ C:\WINDOWS\system32\svchost.exe (1328)
______ C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (1488)
______ C:\WINDOWS\Explorer.EXE (1728)
______ c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe (1864)
______ C:\WINDOWS\system32\RUNDLL32.EXE (2008)
______ C:\Program Files\Analog Devices\Core\smax4pnp.exe (256)
______ C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe (292)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (408)
______ C:\WINDOWS\system32\AccelerometerSt.exe (400)
______ C:\WINDOWS\system32\rundll32.exe (424)
______ C:\Program Files\Intel\AMT\atchk.exe (520)
______ C:\WINDOWS\system32\spoolsv.exe (532)
______ C:\WINDOWS\System32\SCardSvr.exe (672)
______ C:\Program Files\Java\jre6\bin\jusched.exe (780)
______ C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe (1372)
______ C:\WINDOWS\system32\ctfmon.exe (1352)
______ C:\Program Files\Intel\AMT\atchksrv.exe (1552)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1716)
______ C:\WINDOWS\system32\ifxspmgt.exe (1180)
______ C:\WINDOWS\system32\IFXTCS.exe (1896)
______ C:\Documents and Settings\Miran\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe (2064)
______ C:\Program Files\Java\jre6\bin\jqs.exe (2068)
______ C:\Program Files\Intel\AMT\LMS.exe (2216)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (2252)
______ C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe (2376)
______ C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe (2452)
______ C:\WINDOWS\system32\nvsvc32.exe (2660)
______ C:\WINDOWS\system32\IfxPsdSv.exe (2688)
______ C:\WINDOWS\system32\PSIService.exe (2736)
______ C:\WINDOWS\system32\wdfmgr.exe (3760)
______ C:\Program Files\Intel\AMT\UNS.exe (1336)
______ C:\WINDOWS\system32\wuauclt.exe (3224)
______ C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (3904)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2036)
______ C:\WINDOWS\System32\alg.exe (1580)
______ C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe (1924)
______ C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe (2572)
______ C:\WINDOWS\System32\svchost.exe (404)
______ C:\WINDOWS\System32\svchost.exe (2976)
______ C:\WINDOWS\system32\wscntfy.exe (5004)
______ C:\Documents and Settings\Miran\Desktop\Rooter.exe (4348)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:104855837184)
\Device\Harddisk0\Partition0 (Start_Offset:104855869440 | Length:145192642560)
\Device\Harddisk0\Partition2 (Start_Offset:104855901696 | Length:145192610304)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-606747145-682003330-1003Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-606747145-682003330-1003UA.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 12:01.38
.
C:\Rooter$\Rooter_1.txt - (26/07/2009 | 12:01.38)

#11 thewall (Malware Response Team, 6,425 posts, Male, Florida)

Posted 26 July 2009 - 08:42 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#12 MiranSMS (Topic Starter, Members, 12 posts, Male, Slovenia)

Posted 26 July 2009 - 11:37 AM

I have installed ComboFix but it did not ask me to install Microsoft Windows Recovery Console.
ComboFix has started without Microsoft Windows Recovery Console installation.
Should I install it manually?

Here is ComboFix log:

ComboFix 09-07-25.06 - Miran 26.07.2009 18:08.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.386.1033.18.2015.1339 [GMT 2:00]
Running from: c:\documents and settings\Miran\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Miran\Application Data\wiaserva.log
c:\documents and settings\Miran\Application Data\wiaservg.log
c:\windows\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-26 10:01 . 2009-07-26 10:01 -------- d-----w- C:\Rooter$
2009-07-25 12:10 . 2009-07-26 16:21 117760 ----a-w- c:\documents and settings\Miran\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-25 12:09 . 2009-07-25 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-25 12:09 . 2009-07-25 12:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-25 12:09 . 2009-07-25 12:09 -------- d-----w- c:\documents and settings\Miran\Application Data\SUPERAntiSpyware.com
2009-07-22 19:39 . 2009-07-22 19:42 -------- d-----w- c:\program files\Subtitle Workshop
2009-07-22 15:58 . 2009-07-22 15:58 -------- d-----w- c:\documents and settings\Miran\.nbprofiler
2009-07-22 12:56 . 2009-07-22 12:56 -------- d-----w- c:\documents and settings\Miran\.netbeans-derby
2009-07-22 12:53 . 2009-07-22 12:53 -------- d-----w- c:\documents and settings\Miran\.netbeans
2009-07-22 12:52 . 2009-07-22 12:52 -------- d-----w- c:\documents and settings\Miran\.netbeans-registration
2009-07-22 12:52 . 2009-07-22 12:52 -------- d-----w- c:\program files\sges-v3-prelude
2009-07-22 12:50 . 2009-07-22 12:50 -------- d-----w- C:\Sun
2009-07-22 12:44 . 2009-07-22 12:49 -------- d-----w- c:\program files\NetBeans 6.7
2009-07-22 12:43 . 2009-07-22 12:53 -------- d-----w- c:\documents and settings\Miran\.nbi
2009-07-20 17:14 . 2009-07-20 17:14 56320 ----a-w- c:\windows\system32\ghost.dll
2009-07-17 18:18 . 2009-07-17 18:21 -------- d-----w- c:\documents and settings\Miran\Local Settings\Application Data\Temp
2009-07-10 17:10 . 2009-07-12 15:18 -------- d-----w- c:\windows\system32\NtmsData
2009-07-07 15:42 . 2009-07-07 15:42 152576 ----a-w- c:\documents and settings\Miran\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-27 11:56 . 2009-06-27 11:57 -------- d-----w- C:\ExportOffline
2009-06-27 11:32 . 2009-07-10 16:30 -------- d-----w- C:\download
2009-06-27 11:05 . 2009-07-10 16:31 -------- d-----w- c:\documents and settings\Miran\Application Data\Offline Explorer
2009-06-27 11:04 . 2009-06-27 11:32 -------- d-----w- c:\program files\Offline Explorer Enterprise

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 16:18 . 2009-01-25 17:17 -------- d-----w- c:\program files\Taskbar Shuffle
2009-07-26 16:17 . 2009-06-12 18:04 794656 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-26 16:17 . 2009-06-12 18:04 7573024 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-26 16:17 . 2009-06-12 18:04 61292 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-26 16:17 . 2009-06-12 18:04 4844 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-26 15:57 . 2009-06-12 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-07-26 01:04 . 2008-05-09 19:55 204275 ----a-w- c:\windows\system32\nvModes.dat
2009-07-25 12:09 . 2008-05-09 22:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-24 16:51 . 2008-08-01 18:33 -------- d-----w- c:\program files\eMule
2009-07-24 16:16 . 2008-05-09 22:39 131752 ----a-w- c:\documents and settings\Miran\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-24 16:06 . 2009-03-28 12:50 -------- d-----w- c:\documents and settings\Miran\Application Data\Audacity
2009-07-23 17:47 . 2008-05-15 10:35 -------- d-----w- c:\program files\eclipse
2009-07-23 17:30 . 2009-06-12 18:09 208616 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-07-12 14:40 . 2009-05-21 16:50 1 ----a-w- c:\documents and settings\Miran\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-07 15:43 . 2008-05-09 22:15 -------- d-----w- c:\program files\Java
2009-07-02 09:22 . 2009-05-30 23:58 256 ----a-w- c:\windows\system32\pool.bin
2009-06-26 17:41 . 2009-06-10 18:58 1878984 ----a-w- c:\documents and settings\Miran\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-15 17:34 . 2009-06-15 17:34 -------- d-----w- c:\program files\Notation
2009-06-14 19:10 . 2009-03-24 12:16 -------- d-----w- c:\documents and settings\Miran\Application Data\Wireshark
2009-06-12 18:26 . 2008-01-29 15:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-06-12 18:26 . 2009-06-12 18:04 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-12 18:26 . 2009-06-12 18:04 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-12 18:26 . 2009-06-12 18:09 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-06-12 18:26 . 2009-06-12 18:09 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
2009-06-12 18:04 . 2009-06-12 17:03 -------- d-----w- c:\program files\Kaspersky Lab
2009-06-12 17:15 . 2009-06-12 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-12 16:18 . 2009-06-12 16:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 23:04 . 2008-05-09 22:52 -------- d-----w- c:\program files\WinRAR361
2009-06-09 22:16 . 2008-05-09 22:35 -------- d-----w- c:\program files\ESET
2009-06-07 22:54 . 2009-06-01 16:11 256 ----a-w- c:\documents and settings\Miran\pool.bin
2009-06-07 22:46 . 2009-06-07 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-07 22:44 . 2009-05-30 23:49 -------- d-----w- c:\program files\Roxio
2009-06-07 22:37 . 2009-05-30 23:44 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-06-07 22:37 . 2009-06-07 22:37 -------- d-----w- c:\program files\Research In Motion
2009-06-06 22:01 . 2009-05-25 12:25 -------- d-----w- c:\program files\FirefoxPreloader
2009-06-06 21:59 . 2009-05-30 23:44 -------- d-----w- c:\program files\BlackBerry
2009-06-06 21:58 . 2009-05-30 23:49 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-06-06 21:55 . 2009-06-01 14:07 -------- d-----w- c:\program files\Eufony Free WAV MP3 Converter
2009-06-06 10:09 . 2004-12-02 09:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-01 14:33 . 2008-08-16 11:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-01 14:20 . 2009-03-18 18:15 -------- d-----w- c:\program files\Advanced PDF Password Recovery
2009-05-31 00:00 . 2009-05-31 00:00 -------- d-----w- c:\documents and settings\Miran\Application Data\Roxio
2009-05-30 23:58 . 2009-05-30 23:58 -------- d-----w- c:\documents and settings\Miran\Application Data\Research In Motion
2009-05-30 23:51 . 2009-05-30 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-05-30 23:50 . 2009-05-30 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-05-30 23:49 . 2009-05-30 23:49 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-05-30 23:49 . 2008-05-09 19:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-28 11:35 . 2009-02-21 12:05 -------- d-----w- c:\program files\PyScripter19
2009-05-26 11:20 . 2009-06-12 16:18 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 11:19 . 2009-06-12 16:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 09:33 . 2009-02-04 14:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-21 17:06 . 2008-08-01 18:19 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-05-26 22:19 . 2008-05-26 22:19 8 --sh--r- c:\windows\system32\277969C8C1.sys
2008-05-26 22:18 . 2008-05-26 22:15 88 --sh--r- c:\windows\system32\3AECC525D0.sys
2009-04-03 21:20 . 2009-02-06 15:03 88 --sh--r- c:\windows\system32\F81C34AD20.sys
2009-04-03 21:20 . 2008-05-26 22:15 3610 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-13 19:20 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[-] 2009-06-06 10:09 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys
[-] 2009-06-06 10:09 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{db35fda8-77e3-4784-92c2-ee7345e91af4}"= "c:\program files\xplorer2\tbxpl1.dll" [2009-07-22 2215960]

[HKEY_CLASSES_ROOT\clsid\{db35fda8-77e3-4784-92c2-ee7345e91af4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db35fda8-77e3-4784-92c2-ee7345e91af4}]
2009-07-22 16:25 2215960 ----a-w- c:\program files\xplorer2\tbxpl1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{db35fda8-77e3-4784-92c2-ee7345e91af4}"= "c:\program files\xplorer2\tbxpl1.dll" [2009-07-22 2215960]

[HKEY_CLASSES_ROOT\clsid\{db35fda8-77e3-4784-92c2-ee7345e91af4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DB35FDA8-77E3-4784-92C2-EE7345E91AF4}"= "c:\program files\xplorer2\tbxpl1.dll" [2009-07-22 2215960]

[HKEY_CLASSES_ROOT\clsid\{db35fda8-77e3-4784-92c2-ee7345e91af4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-12-02 15360]
"Google Update"="c:\documents and settings\Miran\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-17 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-19 13524992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-19 86016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-02-26 177456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2008-01-25 677144]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-05-01 404248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-03-19 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-12-02 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-03-14 04:03 74752 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 07:04 49152 ----a-r- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Miran^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Miran\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Miran^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Miran\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_06\\bin\\java.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21399:TCP"= 21399:TCP:BitComet 21399 TCP
"21399:UDP"= 21399:UDP:BitComet 21399 UDP
"3306:TCP"= 3306:TCP:MySQL Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29.1.2008 17:29 33808]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [14.8.2007 17:59 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [9.10.2006 13:31 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [14.6.2007 16:22 13184]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [24.7.2007 8:21 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [14.8.2007 17:59 5840]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23.6.2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23.6.2009 11:01 72944]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2.12.2004 11:00 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2.12.2004 11:00 14336]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [6.9.2007 13:26 221184]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5.12.2008 2:47 1489688]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [9.5.2008 22:10 193840]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13.3.2008 18:02 26640]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [9.5.2008 22:58 47616]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23.6.2009 11:01 7408]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [9.5.2008 23:30 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [8.6.2007 9:06 172131]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [24.7.2007 8:21 41216]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 22:22 34064]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23.9.2005 7:01 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-606747145-682003330-1003Core.job
- c:\documents and settings\Miran\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-17 12:55]

2009-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-606747145-682003330-1003UA.job
- c:\documents and settings\Miran\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-17 12:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &D&ownload &with BitComet - c:\program files\BitComet101\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet101\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet101\BitComet.exe/AddAllLink.htm
IE: + Offline &Explorer: Download the link - file://c:\program files\Offline Explorer Enterprise\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\Offline Explorer Enterprise\Add_AllO.htm
IE: I&zvoz v Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {C451A5A0-67CE-4AA8-9658-E2A1D50F3979} = 193.189.160.23 193.189.160.13
FF - ProfilePath - c:\documents and settings\Miran\Application Data\Mozilla\Firefox\Profiles\ouhamohr.default\
FF - plugin: c:\documents and settings\Miran\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 18:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
c:\windows\system32\rundll32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\documents and settings\Miran\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
.
**************************************************************************
.
Completion time: 2009-07-26 18:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 16:28

Pre-Run: 28.712.222.720 bytes free
Post-Run: 28.583.383.040 bytes free

265 --- E O F --- 2009-02-27 21:48
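Triage of the two logs posted above (the Rooter report in #10 and the ComboFix log in #12), as an added example that is not part of this thread and is not a ComboFix or Rooter tool: a Python script that reads the text those tools print. From a ComboFix-style log it pulls the firewall policy entries (the AuthorizedApplications exceptions and the GloballyOpenPorts list) and the Find3M file lines whose attribute letters carry both s (system) and h (hidden) under system32; from a Rooter-style report it reads the SharedAccess service and "Windows Firewall ->" lines. The sample log text embedded in the script is constructed to mirror the format of the logs in the thread, and the set of expected ports is the analyst's own input. A flagged file is a prompt to verify it, not a verdict; the same attribute combination occurs on legitimate DRM and security-product files.

```python
"""Added example: triage helper for ComboFix-style and Rooter-style logs.
Not a ComboFix/Rooter tool; it only parses the text they produce.
The sample log text is constructed to mirror the thread's log format."""
import re
from dataclasses import dataclass, field

# Constructed sample in ComboFix's Find3M / registry-dump layout.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 16:17 . 2009-06-12 18:04 794656 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-06 10:09 . 2004-12-02 09:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2008-05-26 22:19 . 2008-05-26 22:19 8 --sh--r- c:\windows\system32\277969C8C1.sys
2009-04-03 21:20 . 2008-05-26 22:15 3610 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-26 10:01 . 2009-07-26 10:01 -------- d-----w- C:\Rooter$
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21399:TCP"= 21399:TCP:BitComet 21399 TCP
"21399:UDP"= 21399:UDP:BitComet 21399 UDP
"3306:TCP"= 3306:TCP:MySQL Server
"""

# Constructed sample of the service lines a Rooter report prints.
SAMPLE_ROOTER = """\
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
"""

FIND3M_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
APP_RE = re.compile(r'^"(?P<path>.+)"=\s*$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$')
SYSTEM32 = "\\windows\\system32\\"


@dataclass
class Triage:
    authorized_apps: list = field(default_factory=list)      # firewall exceptions by path
    open_ports: list = field(default_factory=list)           # (port, proto, label)
    hidden_system_files: list = field(default_factory=list)  # system32 files flagged s+h


def triage_log(text: str) -> Triage:
    """Walk a ComboFix-style log once; collect firewall policy entries and the
    system32 files whose attribute letters include both s (system) and h (hidden)."""
    result = Triage()
    section = None  # registry key whose values are currently being listed
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            section = None  # a blank or "." line ends a key's value list
            continue
        m = KEY_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = FIND3M_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if "s" in attrs and "h" in attrs and SYSTEM32 in path.lower():
                result.hidden_system_files.append(path)
            continue
        if section and section.endswith("authorizedapplications\\list"):
            m = APP_RE.match(line)
            if m:  # the registry export doubles backslashes; undo that
                result.authorized_apps.append(m.group("path").replace("\\\\", "\\"))
        elif section and section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                result.open_ports.append((int(m.group("port")), m.group("proto"), m.group("name").strip()))
    return result


def unexpected_open_ports(triage: Triage, expected: frozenset) -> list:
    """Globally opened ports that are not on the analyst's expected (port, proto) set."""
    return [p for p in triage.open_ports if (p[0], p[1]) not in expected]


def rooter_firewall_state(text: str) -> dict:
    """Read the SharedAccess service line (the service hosting the XP firewall)
    and Rooter's own 'Windows Firewall ->' verdict from a Rooter-style report."""
    state = {"sharedaccess_running": False, "firewall_enabled": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[SharedAccess]"):
            state["sharedaccess_running"] = "RUNNING" in line
        elif line.startswith("Windows Firewall ->"):
            state["firewall_enabled"] = line.split("->", 1)[1].strip().lower() == "enabled"
    return state


if __name__ == "__main__":
    t = triage_log(SAMPLE_LOG)
    print("Firewall-authorized applications:", *t.authorized_apps, sep="\n  ")
    print("Globally open ports:", *t.open_ports, sep="\n  ")
    print("Ports not on the expected list:", *unexpected_open_ports(t, frozenset({(3306, "TCP")})), sep="\n  ")
    print("system32 files with system+hidden attributes (verify each):", *t.hidden_system_files, sep="\n  ")
    print("Rooter firewall state:", rooter_firewall_state(SAMPLE_ROOTER))
```

For a real case, read C:\ComboFix.txt (or the Rooter_#.txt report) into a string and pass it to `triage_log` or `rooter_firewall_state` instead of the constructed samples; the expected-port set is where the analyst records which listeners the machine is supposed to expose, so anything else in the GloballyOpenPorts output stands out immediately.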

#13 thewall (Malware Response Team, 6,425 posts, Male, Florida)

Posted 26 July 2009 - 11:53 AM

I may want you to install it manually but let's hold up for right now. I'll be back a little later.

#14 thewall (Malware Response Team, 6,425 posts, Male, Florida)

Posted 26 July 2009 - 06:28 PM

I'm checking on something. As soon as I get a reply on it I will have some more things we need to do.

#15 thewall (Malware Response Team, 6,425 posts, Male, Florida)

Posted 27 July 2009 - 04:38 PM

I do want you to do a manual install of the RC and then let CF run again. Microsoft has changed some of the info we were using around and I had to make sure I was giving you the right link and redo the instructions some. If something doesn't seem right let me know.


The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website HERE and download the file on this site. Save it as it's originally named to your Desktop




Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.