
My computer keeps "working" when I am connected to the net


  • This topic is locked
32 replies to this topic

#1 Erik_S

Erik_S

  • Members
  • 17 posts
  • OFFLINE

Posted 19 September 2009 - 12:44 PM

Hi

two weeks ago or so I noticed that when I am connected to the web (wirelessly) my machine - a PC laptop - keeps "doing" something. Lately, I have also had a couple of 'serious errors' (as evidenced also in one of the logs I am posting).

I have thrown all I could at it (Spybot, aSquared Free, and deep scans with Kaspersky, and... ahem, also SuperAntiSpyware), as I usually do, and nothing has come up. I have also checked running processes with Process Explorer and I can't see anything particularly suspicious. I also use Process Guard, as an additional line of defense. In despair, I also tried to run Combofix (I know, I shouldn't do that without good reasons), but I stopped on the way because it told me I had Norton IS 2006 and Threatfire installed. I was pretty sure I had removed those two a long time ago, but I tried to remove them again and while Norton went away thanks to the Norton Removal Tool (which I am sure I had already used in the past), I didn't manage to remove Threatfire, neither with the dedicated removal tool nor by eliminating files - so I abandoned the idea of running Combofix. I also tried to run SDfix but for some reason all I got was the terminal-like window and then nothing happened (it looked like it was progressing, but it stayed like that for hours). Since then, when I start up I get a Windows notification telling me that Kaspersky is disabled, but then Kaspersky starts all fine and the notification goes away.

In other words, the machine is becoming a little bit erratic, and I am starting to worry because I do a lot of important work on it. I have stopped doing online banking and stuff like that just to be sure, because I suspect the system has become somewhat vulnerable.

Before I go crazy (the periodic whirring of the hard disk and the connected flashing of the hard disk light indicator, plus the evidence of online activity seen through BitMeter, are driving me mad now), I thought I'd drop by and ask you guys for some help, as this time I am really at a loss as to what may be happening (in the past, I have followed some of the tips and tricks on this forum and it worked very well every time - but this time it looks like I need some dedicated help).

I have also been looking carefully at what goes in and out with Port Explorer, but nothing suspicious seems to be popping up.

I paste/attach the dds and rr logs as requested. I have made backups etc.

I would be grateful if somebody could have a look and let me know what they think.

Andy

PS: the only significant change I have applied to the machine relatively recently is that I started using an iPod, and therefore installed the software designed to run it with the machine. I have also tried to system restore but for some reason it won't let me restore back to the earliest point.

PPS: another thing I noticed a few weeks ago is that documents would take quite a long time to open, and that the passing of URLs from - say - email software such as Eudora or Thunderbird to Firefox or Opera for opening would also take a rather long time (during which the email app would freeze, as they normally do until the URL has been passed). For the docs, I switched off DDE in the Open procedure and things improved dramatically. I think I did the same for URLs in Firefox.

PPPS: it's not Google Desktop, as it does it also when the GD is switched off.

PPPPS (sorry): another thing I noticed is that sometimes the notification window for the wireless connection will pop up, saying it has connected to my network (even though I was connected before), and at times it says that the connection is unsecured (but if I check in Network Connections, it says it's protected with WPA)

--- DDS log ---

DDS (Ver_09-07-30.01) - NTFSx86
Run by Andy at 16:19:30.60 on Sat 19.09.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1281 [GMT 2:00]

AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\opera.exe
C:\Program Files\Mozilla Firefox 3\firefox.exe
C:\Documents and Settings\Andy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = about:blank
uStart Page = about:blank
uSearch Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page = about:blank
mStart Page = about:blank
mDefault_Page_URL = about:blank
mDefault_Search_URL = about:blank
mSearch Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = about:blank
mCustomizeSearch = about:blank
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [!1_ProcessGuard_Startup] "c:\program files\processguard\procguard.exe" -minimize
mRun: [SkyTel] SkyTel.EXE
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [ThpSrv] thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [!1_pgaccount] "c:\program files\processguard\pgaccount.exe"
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [NetTimer] c:\program files\nettimer v1.2\NTLaunch.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\flashget.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\dcsws2.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\JetCarIEClickCatcher - {FB5DA722-162B-11D3-8B9B-AA70B4B0B524} - c:\program files\flashget\Jccatch.dll
Name-Space Handler: http\JetCarIEClickCatcher - {FB5DA722-162B-11D3-8B9B-AA70B4B0B524} - c:\program files\flashget\Jccatch.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\5dzukqaz.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\mozilla firefox 3\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\andy\local settings\application data\google\update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-4-28 112144]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-28 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-6-6 6144]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-6-27 194320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-3-17 1864824]
R2 AVP;Kaspersky Anti-Virus 7.0;c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2007-6-28 218376]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;c:\program files\processguard\DCSUserProt.exe [2007-12-26 69632]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2009-7-12 10240]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [2007-12-26 24911]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-5-20 33792]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-6-6 35968]
S3 MSRSService;MSRS Recording System;c:\program files\nch swift sound\msrs\msrs.exe [2009-4-27 733188]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 USB22LDR;M-Audio USB MIDISPORT 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [2008-4-19 20936]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver;c:\windows\system32\drivers\usbmm2x2.sys [2008-4-19 14596]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-09-19 16:10 <DIR> --d----- c:\program files\Trend Micro
2009-09-16 19:08 <DIR> --d----- c:\program files\VS Revo Group
2009-09-16 18:57 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-09-16 18:11 388,608 a------- c:\windows\system32\cmd.execf
2009-09-14 17:35 206 a------- c:\windows\system32\fbcb_g.dll
2009-09-14 17:35 206 a------- c:\windows\system32\facefb7_g.ocx
2009-09-12 14:39 1,463,516,674 a------- C:\WORK.zip
2009-09-12 08:21 116,840 -------- c:\windows\hpqins00.dat.temp
2009-09-12 08:14 <DIR> --d----- c:\docume~1\andy\applic~1\HpUpdate
2009-09-12 08:13 <DIR> --d----- c:\windows\Hewlett-Packard
2009-09-10 19:16 <DIR> --d----- C:\Traktor

==================== Find3M ====================

2009-09-19 16:20 216,212 a------- c:\windows\system32\pghash.dat
2009-09-19 16:19 5,021,216 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-09-19 15:13 475,700 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-09-19 11:41 164,906 a------- c:\windows\hpoins21.dat
2009-09-16 19:29 380,004 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-09-16 19:23 107,492 a------- c:\windows\system32\pguard.dat
2009-09-12 08:29 116,841 a------- c:\windows\hpqins00.dat
2009-09-11 09:36 107,547 a------- c:\windows\system32\drivers\klin.dat
2009-09-11 09:36 95,259 a------- c:\windows\system32\drivers\klick.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-12 19:06 70,671 a------- c:\windows\Huawei ModemsUninstall.exe
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2007-12-26 15:58 542 a------- c:\program files\Shortcut to procfreeze.lnk
2007-12-26 15:58 532 a------- c:\program files\Shortcut to fstrings.lnk
2007-12-26 15:58 532 a------- c:\program files\Shortcut to ffunlock.lnk
2008-03-18 10:02 2 a--shrot c:\windows\winstart.bat
2009-09-19 16:20 0 a--sh--- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 16:22:09.12 ===============


#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country

Posted 06 October 2009 - 07:44 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 Erik_S

Erik_S
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE

Posted 07 October 2009 - 11:42 AM

Hi

many thanks for picking this up - I confirm I still have the problems and I am going to run the DDS scan now and post the results once it's done.

Thanks

#4 Erik_S

Erik_S
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE

Posted 07 October 2009 - 11:55 AM

Here is the DDS log. I did not attach the 2nd file because you did not ask me to do so, but I saved it so I can attach it if you need it. NB: it shows Threatfire as on - I tried to uninstall it several times but it keeps showing.

--- DDS log ---


DDS (Ver_09-07-30.01) - NTFSx86
Run by Andy at 17:49:41.53 on Wed 07.10.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1564 [GMT 2:00]

AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Andy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = about:blank
uStart Page = about:blank
uSearch Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page = about:blank
mStart Page = about:blank
mDefault_Page_URL = about:blank
mDefault_Search_URL = about:blank
mSearch Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = about:blank
mCustomizeSearch = about:blank
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [!1_ProcessGuard_Startup] "c:\program files\processguard\procguard.exe" -minimize
mRun: [SkyTel] SkyTel.EXE
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [ThpSrv] thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [!1_pgaccount] "c:\program files\processguard\pgaccount.exe"
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [NetTimer] c:\program files\nettimer v1.2\NTLaunch.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\flashget.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\dcsws2.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\JetCarIEClickCatcher - {FB5DA722-162B-11D3-8B9B-AA70B4B0B524} - c:\program files\flashget\Jccatch.dll
Name-Space Handler: http\JetCarIEClickCatcher - {FB5DA722-162B-11D3-8B9B-AA70B4B0B524} - c:\program files\flashget\Jccatch.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\5dzukqaz.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\mozilla firefox 3\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\andy\local settings\application data\google\update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-4-28 112144]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-28 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-6-6 6144]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-6-27 194320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-3-17 1864824]
R2 AVP;Kaspersky Anti-Virus 7.0;c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2007-6-28 218376]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;c:\program files\processguard\DCSUserProt.exe [2007-12-26 69632]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2009-7-12 10240]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [2007-12-26 24911]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-5-20 33792]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-6-6 35968]
S3 MSRSService;MSRS Recording System;c:\program files\nch swift sound\msrs\msrs.exe [2009-4-27 733188]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 USB22LDR;M-Audio USB MIDISPORT 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [2008-4-19 20936]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver;c:\windows\system32\drivers\usbmm2x2.sys [2008-4-19 14596]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-09-19 16:23 15 a------- c:\documents and settings\andy\settings.dat
2009-09-19 16:10 <DIR> --d----- c:\program files\Trend Micro
2009-09-16 19:08 <DIR> --d----- c:\program files\VS Revo Group
2009-09-16 18:57 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-09-16 18:11 388,608 a------- c:\windows\system32\cmd.execf
2009-09-14 17:35 206 a------- c:\windows\system32\fbcb_g.dll
2009-09-14 17:35 206 a------- c:\windows\system32\facefb7_g.ocx
2009-09-12 14:39 1,463,516,674 a------- C:\WORK.zip
2009-09-12 08:21 116,840 -------- c:\windows\hpqins00.dat.temp
2009-09-12 08:14 <DIR> --d----- c:\docume~1\andy\applic~1\HpUpdate
2009-09-12 08:13 <DIR> --d----- c:\windows\Hewlett-Packard
2009-09-10 19:16 <DIR> --d----- C:\Traktor

==================== Find3M ====================

2009-10-07 17:49 107,492 a------- c:\windows\system32\pguard.dat
2009-10-07 17:49 26,912 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-07 17:49 217,740 a------- c:\windows\system32\pghash.dat
2009-10-07 17:49 5,234,208 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-10-07 17:48 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-10-07 07:52 495,812 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-09-22 16:53 107,547 a------- c:\windows\system32\drivers\klin.dat
2009-09-22 16:53 95,259 a------- c:\windows\system32\drivers\klick.dat
2009-09-19 11:41 164,906 a------- c:\windows\hpoins21.dat
2009-09-16 19:29 380,004 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-09-12 08:29 116,841 a------- c:\windows\hpqins00.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-12 19:06 70,671 a------- c:\windows\Huawei ModemsUninstall.exe
2007-12-26 15:58 542 a------- c:\program files\Shortcut to procfreeze.lnk
2007-12-26 15:58 532 a------- c:\program files\Shortcut to fstrings.lnk
2007-12-26 15:58 532 a------- c:\program files\Shortcut to ffunlock.lnk
2008-03-18 10:02 2 a--shrot c:\windows\winstart.bat

============= FINISH: 17:50:36.64 ===============

#5 thewall
Malware Response Team

Posted 12 October 2009 - 04:36 PM

Hello Erik S :( Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.

I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Although I see Threatfire in the Header I am not seeing it in the uninstall log. You say you have tried to uninstall it more than once. What happens when you try it?

I want to run a different rootkit scan:

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER file you downloaded (or extracted) on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a pop-up window at this point. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save ... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Please do not post any logs as an attachment unless asked to do so.

Thanks,

thewall

Edited by thewall, 12 October 2009 - 04:48 PM.
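Reading the SSDT section of a GMER log like the one requested above comes down to asking which driver owns each hook and whether that driver identifies itself. As an added example (not part of the thread and not GMER's own tooling), this Python script parses SSDT lines in GMER's format, groups the hooked native calls by driver, and flags hooks whose driver carries no vendor string or no resolved on-disk path; the sample lines and the vendor allow-list are constructed for the demo.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the format GMER uses for its "System" section.
# The line shapes mirror a real log; this is not an actual scan result.
SAMPLE_LOG = r"""GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-13 08:31:46

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xA8B041E0]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwCreateFile [0xBAC0BC90]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xBA773A20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenProcess [0xA8B03D00]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwTerminateProcess [0xBAC0B0A6]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xBA77F0B0]

---- Kernel code sections - GMER 1.0.15 ----
"""

# SSDT <module> (<description>/<vendor>) <NativeFunction> [0x<handler address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<meta>.*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"
)


@dataclass(frozen=True)
class SsdtHook:
    module: str       # driver path, or a bare name when GMER could not resolve one
    description: str  # FileDescription from the driver's version resource
    vendor: str       # CompanyName from the version resource; "" when absent
    function: str     # hooked native call, e.g. ZwOpenProcess
    address: int      # address the SSDT slot now points to


def parse_ssdt_hooks(text: str) -> list[SsdtHook]:
    """Extract every SSDT line from a GMER log; other sections are ignored."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if not m:
            continue
        # GMER prints "description/vendor"; split on the last slash so a
        # slash inside the description does not confuse the parse.
        desc, _, vendor = m.group("meta").rpartition("/")
        hooks.append(SsdtHook(m.group("module"), desc.strip(), vendor.strip(),
                              m.group("func"), int(m.group("addr"), 16)))
    return hooks


def module_name(module: str) -> str:
    # Strip any path and keep just the file name, lower-cased for grouping.
    return module.rsplit("\\", 1)[-1].lower()


def group_by_module(hooks: list[SsdtHook]) -> dict[str, list[str]]:
    """Which native calls each driver has taken over, in log order."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for h in hooks:
        grouped[module_name(h.module)].append(h.function)
    return dict(grouped)


def triage(hooks: list[SsdtHook], known_vendors: set[str]) -> list[tuple[SsdtHook, list[str]]]:
    """Hooks that need a closer look, each with the reasons.

    A hit here is a prompt to verify the file on disk (hash, signature,
    install source), not a verdict: legitimate but unsigned drivers also
    ship without version info.
    """
    findings = []
    for h in hooks:
        reasons = []
        if not h.vendor:
            reasons.append("no vendor in version info")
        elif h.vendor not in known_vendors:
            reasons.append(f"vendor {h.vendor!r} not on the allow-list")
        if "\\" not in h.module:
            reasons.append("reported by bare name, GMER found no on-disk path")
        if reasons:
            findings.append((h, reasons))
    return findings


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE_LOG)
    for name, funcs in group_by_module(hooks).items():
        print(f"{name}: {', '.join(funcs)}")
    # Allow-list is constructed for the demo: the two security products seen hooking above.
    for h, reasons in triage(hooks, {"Kaspersky Lab", "DiamondCS"}):
        print(f"CHECK {h.module} hooks {h.function} at {h.address:#010x}: {'; '.join(reasons)}")
```

Feed it a saved GMER log instead of SAMPLE_LOG and the same three functions apply; the Code and IAT sections use different line shapes and would need their own patterns.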

#6 Erik_S
Topic Starter

Posted 13 October 2009 - 02:40 AM

Dear thewall

many thanks for picking this up.

Answers:

1) Threatfire

I run the app to remove it (removethreatfire3.0) and it tells me that Threatfire is not on the system. I ran it just now and it did the same. However, as you can see from the DDS log, it says that Threatfire is still on, and the same happens when I go to the Windows Security Center: if I disable Kaspersky, Security Centre still tells me Threatfire is on (and when Kaspersky is on, it says 'one or more' av programs are on).

2) GMER log

Here it goes:

-----

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-13 08:31:46
Windows 5.1.2600 Service Pack 2
Running: r23ve94d.exe; Driver: C:\DOCUME~1\Andy\LOCALS~1\Temp\uxtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xA8B041E0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwConnectPort [0xA8B022F0]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwCreateFile [0xBAC0BC90]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwCreateKey [0xBAC0A72C]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xBA773A20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xA8B03F10]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xA8B04080]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xA8B04D00]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwCreateSymbolicLinkObject [0xBAC0B356]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwCreateThread [0xBAC0B6C6]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteKey [0xA8AF5860]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteValueKey [0xA8AF58E0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDuplicateObject [0xA8B04380]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateKey [0xA8AF5990]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateValueKey [0xA8AF5A40]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwFlushKey [0xA8AF5AF0]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwFsControlFile [0xBAC0BDDA]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwInitializeRegistry [0xA8AF5B70]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xA8B01E50]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey [0xA8AF6590]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey2 [0xA8AF5B90]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwNotifyChangeKey [0xA8AF5C70]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwOpenFile [0xBAC0BAD8]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwOpenKey [0xBAC0A682]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenProcess [0xA8B03D00]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwOpenSection [0xBAC0B190]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwProtectVirtualMemory [0xBAC0B104]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryKey [0xA8AF5E30]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryMultipleValueKey [0xA8AF5EE0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xA8B052B0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryValueKey [0xA8AF5F90]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwReadVirtualMemory [0xBAC0B0D0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwReplaceKey [0xA8AF6070]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwRequestWaitReplyPort [0xBAC08CE2]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwRestoreKey [0xA8AF6100]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xA8B055B0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSaveKey [0xA8AF6300]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwSetContextThread [0xBAC0B9DE]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xA8B05F60]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationKey [0xA8AF6390]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xA8B00A10]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwSetSystemInformation [0xBAC0C550]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xBA77F0B0]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwSetValueKey [0xBAC0AABE]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwSuspendProcess [0xBAC0B13C]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwSuspendThread [0xBAC0BA32]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xA8B021B0]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwTerminateProcess [0xBAC0B0A6]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwTerminateThread [0xBAC0BA08]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwUnloadKey [0xA8AF6550]
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys (ProcessGuard Driver/DiamondCS) ZwWriteVirtualMemory [0xBAC0AFCA]

Code \SystemRoot\System32\DRIVERS\gmer.sys (GMER Driver http://www.gmer.net/GMER) ZwCreateProcess [0xA8D77878]
Code \SystemRoot\System32\DRIVERS\gmer.sys (GMER Driver http://www.gmer.net/GMER) ZwCreateProcessEx [0xA8D779BC]
Code \SystemRoot\System32\DRIVERS\gmer.sys (GMER Driver http://www.gmer.net/GMER) ZwCreateSection [0xA8D77556]
Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous
Code \SystemRoot\System32\DRIVERS\gmer.sys (GMER Driver http://www.gmer.net/GMER) NtCreateSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A34 12 Bytes [50, 1E, B0, A8, 90, 65, AF, ...]
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CA4 12 Bytes [3C, B1, C0, BA, 32, BA, C0, ...]
.text ntoskrnl.exe!IoIsOperationSynchronous 804EAF8E 5 Bytes JMP A8B06880 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804F9AF4 5 Bytes JMP A8B06380 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
PAGE ntoskrnl.exe!NtCreateSection 8056CE25 7 Bytes JMP A8D7755A \SystemRoot\System32\DRIVERS\gmer.sys (GMER Driver http://www.gmer.net/GMER)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B3BC 7 Bytes JMP A8D779C0 \SystemRoot\System32\DRIVERS\gmer.sys (GMER Driver http://www.gmer.net/GMER)
PAGE ntoskrnl.exe!ZwCreateProcess 805C0020 5 Bytes JMP A8D7787C \SystemRoot\System32\DRIVERS\gmer.sys (GMER Driver http://www.gmer.net/GMER)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B959F62C 5 Bytes JMP 84110960

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] USER32.dll!VRipOutput + FFFA4DE7 7E412A78 4 Bytes [70, 11, 88, 00] {JO 0x13; MOV [EAX], AL}
.text C:\Program Files\a-squared Free\a2service.exe[1880] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes CALL 0045494D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] USER32.dll!VRipOutput + FFFA4DE7 7E412A78 4 Bytes [70, 11, A2, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [BA7C5580] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [BA7C552C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [BA7DFAB8] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA7C4B9A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 82E327B0
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] 82E327B0
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\USBSTOR.SYS[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] 82E32660
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] 82E32660

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetModuleFileNameA] 00AC04A8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] 00AC04D2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] 00AC04FC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] 00AC0526
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] 00AC0550
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC057A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetErrorMode] 00AC05A4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 00AC05CE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleFileNameW] 00AC05F8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0622
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] 00AC064C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!FreeLibrary] 00AC0676
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] 00AC06A0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] 00AC06CA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC06F4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] 00AC071E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] 00AC0748
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] 00AC0772
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] 00AC079C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 00AC07C6
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] 00AC07F0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameA] 00AC081A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] 00AC0844
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC086E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] 00AC0898
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] 00AC08C2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!FreeLibrary] 00AC08EC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameW] 00AC0916
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0940
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 00AC096A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] 00AC0994
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!FreeLibrary] 00AC09BE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] 00AC09E8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] 00AC0A12
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetErrorMode] 00AC0C0A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0C34
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] 00AC0C5E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] 00AC0C88
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] 00AC0CB2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] 00AC0CDC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] 00AC0D06
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameA] 00AC0D30
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameW] 00AC0D5A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0E56
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] 00AC0E80
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] 00AC0EAA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleFileNameW] 00AC0ED4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetErrorMode] 00AC0EFE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] 00AC0F28
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] 00AC0F52
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 00AC0F7C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] 00AC0FA6
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] 00AC0FD0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B20010
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetErrorMode] 00B2003A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameW] 00B20064
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] 00B2008E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 00B200B8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] 00B200E2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] 00B2010C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] 00B20136
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibrary] 00B20160
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] 00B2018A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] 00B201B4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameA] 00B201DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 00B20208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 00B20232
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 00B2025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 00B20286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetModuleFileNameW] 00B202B0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 00B202DA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 00B20304
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] 00B2032E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B20358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] 00B20898
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!FreeLibrary] 00B208C2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] 00B208EC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter] 00B20916
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetErrorMode] 00B20AE4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] 00B20B0E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] 00B20B38
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateProcessW] 00B20B62
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetModuleFileNameW] 00B20B8C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetProcAddress] 00B20BB6
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!FreeLibrary] 00B20BE0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] 00B20C0A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B20C34
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!FreeLibrary] 00AC01DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] 00AC025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] 00AC0286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] 00AC025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetModuleFileNameA] 00AC0208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] 00AC0286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!FreeLibrary] 00AC01DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!FreeLibrary] 00AC01DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] 00AC0286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleFileNameA] 00AC0208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] 00AC025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!SetErrorMode] 00AC032E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!GetModuleFileNameA] 00AC0208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!LoadLibraryW] 00AC0304
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!GetModuleFileNameW] 00AC0232
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!LoadLibraryExW] 00AC02DA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!GetProcAddress] 00AC025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!LoadLibraryA] 00AC0286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!FreeLibrary] 00AC01DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] 00AC01DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] 00AC025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] 00AC0286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] 00AC02B0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 00AC02DA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleFileNameW] 00AC0232
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleFileNameA] 00AC0208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] 00AC0304
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] 00AC0286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!FreeLibrary] 00AC01DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] 00AC025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetModuleFileNameA] 00AC0208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[396] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00AC0358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetModuleFileNameA] 00C604A8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] 00C604D2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] 00C604FC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] 00C60526
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] 00C60550
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C6057A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetErrorMode] 00C605A4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 00C605CE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleFileNameW] 00C605F8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C60622
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] 00C6064C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!FreeLibrary] 00C60676
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] 00C606A0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] 00C606CA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C606F4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] 00C6071E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] 00C60748
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] 00C60772
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] 00C6079C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 00C607C6
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] 00C607F0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameA] 00C6081A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] 00C60844
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C6086E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] 00C60898
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] 00C608C2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!FreeLibrary] 00C608EC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameW] 00C60916
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C60940
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 00C6096A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] 00C60994
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!FreeLibrary] 00C609BE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] 00C609E8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] 00C60A12
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetErrorMode] 00C60C0A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C60C34
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] 00C60C5E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] 00C60C88
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] 00C60CB2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] 00C60CDC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] 00C60D06
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameA] 00C60D30
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameW] 00C60D5A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C60E56
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] 00C60E80
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] 00C60EAA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleFileNameW] 00C60ED4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetErrorMode] 00C60EFE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] 00C60F28
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] 00C60F52
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 00C60F7C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] 00C60FA6
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] 00C60FD0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00CC0010
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetErrorMode] 00CC003A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameW] 00CC0064
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] 00CC008E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 00CC00B8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] 00CC00E2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] 00CC010C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] 00CC0136
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibrary] 00CC0160
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] 00CC018A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] 00CC01B4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameA] 00CC01DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 00CC0208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 00CC0232
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 00CC025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 00CC0286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetModuleFileNameW] 00CC02B0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 00CC02DA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 00CC0304
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] 00CC032E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00CC0358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] 00CC09BE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!FreeLibrary] 00CC09E8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] 00CC0A12
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter] 00CC0A3C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetErrorMode] 00CC0C0A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] 00CC0C34
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] 00CC0C5E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateProcessW] 00CC0C88
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetModuleFileNameW] 00CC0CB2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetProcAddress] 00CC0CDC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!FreeLibrary] 00CC0D06
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] 00CC0D30
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00CC0D5A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetErrorMode] 00C6032E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleFileNameA] 00C60208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] 00C60304
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleFileNameW] 00C60232
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 00C602DA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C60358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] 00C6025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] 00C60286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!FreeLibrary] 00C601DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] 00C6025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetModuleFileNameA] 00C60208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] 00C60286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!FreeLibrary] 00C601DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C60358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!FreeLibrary] 00C601DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C60358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] 00C60286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleFileNameA] 00C60208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] 00C6025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] 00C60304
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00C60358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] 00C60286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!FreeLibrary] 00C601DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] 00C6025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[3320] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetModuleFileNameA] 00C60208

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 843C51D8

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBPDO-0 840F9980
Device \Driver\dmio \Device\DmControl\DmIoDaemon 843C71D8
Device \Driver\dmio \Device\DmControl\DmConfig 843C71D8
Device \Driver\dmio \Device\DmControl\DmPnP 843C71D8
Device \Driver\dmio \Device\DmControl\DmInfo 843C71D8
Device \Driver\usbehci \Device\USBPDO-1 840F8980
Device \Driver\usbuhci \Device\USBPDO-2 840F9980
Device \Driver\usbuhci \Device\USBPDO-3 840F9980
Device \Driver\usbuhci \Device\USBPDO-4 840F9980

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 843541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 843541D8
Device \Driver\Cdrom \Device\CdRom0 83C1E068
Device \Driver\USBSTOR \Device\000000a4 8388A980
Device \FileSystem\Rdbss \Device\FsWrap 837E1DF0
Device \Driver\Ftdisk \Device\HarddiskVolume3 843541D8
Device \Driver\Cdrom \Device\CdRom1 83C1E068
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 83BF33A8
Device \Driver\atapi \Device\Ide\IdePort0 83BF33A8
Device \Driver\atapi \Device\Ide\IdePort1 83BF33A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 83BF33A8
Device \Driver\USBSTOR \Device\000000a5 8388A980
Device \Driver\Cdrom \Device\CdRom2 83C1E068
Device \Driver\NetBT \Device\NetBt_Wins_Export 838546F0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3C27009C-F452-4EEE-9362-B734E39D6092} 838546F0
Device \Driver\NetBT \Device\NetbiosSmb 838546F0
Device \FileSystem\Srv \Device\LanmanServer 839BB468

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

Device \Driver\usbuhci \Device\USBFDO-0 840F9980
Device \Driver\usbuhci \Device\USBFDO-1 840F9980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8397F510
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8387AC78
Device \Driver\usbuhci \Device\USBFDO-2 840F9980
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8397F510
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8387AC78
Device \Driver\usbuhci \Device\USBFDO-3 840F9980
Device \FileSystem\Npfs \Device\NamedPipe 84133FB0
Device \Driver\usbehci \Device\USBFDO-4 840F8980
Device \Driver\Ftdisk \Device\FtControl 843541D8
Device \FileSystem\Msfs \Device\Mailslot 83A154D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{72049106-7EC0-43AD-B55C-21F1DFE55A57} 838546F0
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 83B211F0
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target1Lun0 83B211F0
Device \Driver\d347prt \Device\Scsi\d347prt1 83B211F0
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 843D3588
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 843D3588
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 843D3588
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 843D3588
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 843D3588
Device \FileSystem\Cdfs \Cdfs 83974510
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module _________ BA6B8000-BA6D0000 (98304 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:1088] 82E73000
Thread System [4:1092] 82E73000
Thread System [4:1096] 82E40620
Thread System [4:1100] 82E40620
Thread System [4:1108] 82E42610
Thread System [4:1112] 82E42610
Thread System [4:1116] 82E42610
Thread System [4:1120] 82E40620

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x35 0x24 0x00 0xC8 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x73 0x4A 0x15 0xE3 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x18 0x74 0xD8 0x2D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xD1 0x29 0x34 0xAF ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x41 0x53 0x49 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x45 0x00 0x02 0x35 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@hj34z0 0x45 0x00 0x02 0x35 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@hj34z0 0x1F 0x44 0x8E 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@hj34z1 0xAD 0x44 0x8E 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@hj34z2 0xAD 0x44 0x8E 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@hj34z3 0xAD 0x44 0x8E 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@hj34z4 0xAD 0x44 0x8E 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 593935603
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 2019833738
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAC 0x10 0x1D 0x0F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAC 0x10 0x1D 0x0F ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

#7 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:13 AM

Posted 13 October 2009 - 10:23 AM

You're welcome. :(

We can take care of the ThreatFire warnings. That is WMI still reporting it as being there when it is gone. Happens every once in a while.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
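
The WMI registration thewall mentions can be inspected directly rather than taken on trust. What follows is an added example written for this thread (it is not code from ComboFix, Kaspersky, PC Tools or anyone else in the discussion). Windows Security Center keeps one WMI instance per registered antivirus or firewall product, and on Windows XP that is the root\SecurityCenter namespace; ComboFix reads those instances for the "AV:" and "FW:" header lines of its log, which is why a ThreatFire entry can still be printed after the program itself is gone. The function names, the cross-check against Add/Remove Programs and the XP-only namespace and property names are my assumptions; Vista and later use root\SecurityCenter2 with a different schema. The GUID in the commented-out removal call is the ThreatFire instance GUID that ComboFix prints in the log posted later in this thread.

```powershell
# Added example for this thread, not code from ComboFix, Kaspersky or PC Tools.
# Windows Security Center stores each AV / firewall registration as a WMI instance;
# that is what ComboFix reads for its "AV:" and "FW:" header lines, so a product whose
# uninstaller never cleaned up keeps being reported after it is gone.
# Assumptions: Windows XP SP2/SP3 (namespace root\SecurityCenter; Vista and later use
# root\SecurityCenter2 with a different schema), PowerShell 1.0 or later, run as Administrator.

$namespace = 'root\SecurityCenter'

# Every registration Security Center currently knows about.
function Get-SecurityCenterProducts {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace $namespace -Class $class -ErrorAction SilentlyContinue |
            Select-Object @{ Name = 'Class'; Expression = { $class } },
                          displayName, companyName, versionNumber, instanceGuid,
                          @{ Name = 'Enabled'; Expression = {
                              if ($class -eq 'AntiVirusProduct') { $_.onAccessScanningEnabled } else { $_.enabled } } }
    }
}

# Program names from Add/Remove Programs, used as the "is it really installed?" reference.
function Get-InstalledProgramNames {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
        ForEach-Object { $_.GetValue('DisplayName') } |
        Where-Object { $_ }
}

# Registrations whose displayName matches no installed program. This is a heuristic:
# a product can register under a different name than its uninstall entry, so confirm
# by hand (install folder, service, driver) before deleting anything.
function Find-StaleSecurityCenterProducts {
    $installed = @(Get-InstalledProgramNames)
    Get-SecurityCenterProducts | Where-Object {
        $name = $_.displayName
        -not ($installed | Where-Object { $_ -like "*$name*" })
    }
}

# Delete one registration by its instanceGuid once you are sure the product is gone.
function Remove-SecurityCenterProduct([string] $InstanceGuid) {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace $namespace -Class $class -Filter "instanceGuid='$InstanceGuid'" |
            ForEach-Object {
                Write-Host ("Removing {0} registration '{1}'" -f $class, $_.displayName)
                $_.Delete()
            }
    }
}

Get-SecurityCenterProducts | Format-Table -AutoSize
Find-StaleSecurityCenterProducts | Format-Table Class, displayName, instanceGuid -AutoSize
# After confirming by hand, e.g. for the ThreatFire entry shown in the ComboFix log:
# Remove-SecurityCenterProduct '{67B2B9A1-25C8-4057-962D-807958FFC9E3}'
# Restart-Service wscsvc   # make Security Center re-read its registrations
```

Run the listing first and compare it with what is actually installed; only delete a registration once the product's folder, service and driver are confirmed gone, since a live product whose entry is removed will simply re-register on its next start, while a stale entry is what keeps Security Center, and tools such as ComboFix, reporting a product that no longer exists.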

#8 Erik_S

Erik_S
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:09:13 AM

Posted 13 October 2009 - 02:38 PM

Hi there

Many thanks.

This is exactly where I stopped when I was self-diagnosing before, because I wasn't sure if the fact that Combofix reported Threatfire to be running was a real danger or not. You have given me the confidence to go ahead, for which I thank you, and all went fine.

I am not sure if you meant I should post the Combofix log or attach it, but anyway here it is, below. If you want it as an attachment please let me know.

Thanks

Andy

---

ComboFix 09-10-13.01 - Andy 13.10.2009 20:12.6.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1556 [GMT 2:00]
Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\102f8a.msi
c:\windows\system32\dumphive.exe
c:\windows\system32\fbcb_g.dll
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-07 18:51 . 2009-10-07 18:51 -------- d-----w- c:\program files\Panda Security
2009-09-24 18:53 . 2009-09-24 18:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-19 14:23 . 2009-09-19 14:24 15 ----a-w- c:\documents and settings\Andy\settings.dat
2009-09-19 14:10 . 2009-09-19 14:10 -------- d-----w- c:\program files\Trend Micro
2009-09-16 17:08 . 2009-09-16 17:08 -------- d-----w- c:\program files\VS Revo Group
2009-09-16 16:57 . 2009-09-16 16:57 -------- d-----w- c:\program files\Windows Installer Clean Up

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-13 18:24 . 2008-03-27 09:40 0 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-13 18:24 . 2008-03-27 09:40 0 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-13 18:23 . 2008-03-27 09:40 5332256 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-13 18:21 . 2008-03-27 09:40 505100 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-13 18:06 . 2008-07-04 11:59 -------- d-----w- c:\program files\Mozilla Firefox 3
2009-10-13 17:57 . 2008-03-17 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-13 16:31 . 2007-05-28 15:10 -------- d-----w- c:\documents and settings\Andy\Application Data\MailWasherPro
2009-10-13 16:24 . 2007-05-29 16:32 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-13 07:25 . 2008-05-25 07:40 -------- d-----w- c:\program files\FlashGet
2009-10-13 05:55 . 2007-12-27 03:46 107492 ----a-w- c:\windows\system32\pguard.dat
2009-10-13 05:55 . 2007-12-27 03:46 217740 ----a-w- c:\windows\system32\pghash.dat
2009-09-28 06:25 . 2008-04-28 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-09-28 06:25 . 2008-04-28 13:01 59 ----a-w- c:\windows\wpd99.drv
2009-09-22 14:53 . 2008-03-27 09:41 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-22 14:53 . 2008-03-27 09:41 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-19 09:41 . 2009-08-14 07:15 164906 ----a-w- c:\windows\hpoins21.dat
2009-09-19 08:51 . 2009-01-08 09:06 -------- d-----w- c:\documents and settings\Andy\Application Data\Skype
2009-09-19 06:49 . 2009-01-08 09:08 -------- d-----w- c:\documents and settings\Andy\Application Data\skypePM
2009-09-19 06:36 . 2009-09-12 06:14 -------- d-----w- c:\documents and settings\Andy\Application Data\HpUpdate
2009-09-16 17:00 . 2008-09-22 11:43 -------- d-----w- c:\program files\MSECache
2009-09-16 16:53 . 2007-06-26 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-16 16:38 . 2006-06-06 14:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 15:41 . 2007-06-26 07:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-14 15:29 . 2008-03-17 09:11 -------- d-----w- c:\program files\a-squared Free
2009-09-14 15:28 . 2008-03-19 13:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-12 12:26 . 2009-09-12 12:39 1463516674 ----a-w- C:\WORK.zip
2009-09-12 08:06 . 2008-06-10 10:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 06:29 . 2009-07-29 13:44 116841 ----a-w- c:\windows\hpqins00.dat
2009-08-26 05:43 . 2006-06-06 11:34 -------- d-----w- c:\program files\Java
2009-08-23 19:09 . 2007-12-26 13:54 -------- d-----w- c:\program files\console_tools
2009-08-19 06:09 . 2009-08-17 14:49 -------- d-----w- c:\documents and settings\Andy\Application Data\HPAppData
2009-07-25 03:23 . 2009-04-15 05:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-12-26 13:58 . 2007-12-26 13:58 542 ----a-w- c:\program files\Shortcut to procfreeze.lnk
2007-12-26 13:58 . 2007-12-26 13:58 532 ----a-w- c:\program files\Shortcut to fstrings.lnk
2007-12-26 13:58 . 2007-12-26 13:58 532 ----a-w- c:\program files\Shortcut to ffunlock.lnk
2009-04-29 11:48 . 2009-04-29 11:48 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-04-22 05:10 . 2007-04-03 04:13 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-22 05:10 . 2007-04-03 04:13 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-22 05:10 . 2007-04-03 04:13 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-22 05:10 . 2007-04-03 04:13 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-22 05:10 . 2007-04-03 04:13 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-03-18 08:02 . 2008-03-18 08:02 2 --shatr- c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"!1_ProcessGuard_Startup"="c:\program files\ProcessGuard\procguard.exe" [2005-01-20 280064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2005-07-23 188416]
"!1_pgaccount"="c:\program files\ProcessGuard\pgaccount.exe" [2005-01-20 184320]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 385024]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-04-29 1831936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2009-01-09 1448960]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-04 88204]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-05-19 299008]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2006-05-19 102400]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-11 622592]
"TOSDCR"="TOSDCR.EXE" - c:\windows\system32\TOSDCR.exe [2005-12-12 57344]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-09 16207360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2007-9-30 1392640]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 08:39 282624 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=ma_cmidn.dll
"midi2"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ ??O ?????????????????ehoP????????????????
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"a2free"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"InternetPal"=c:\program files\BySoft InternetPal\InternetPal.exe
"DialupMon.exe Startup"=c:\program files\Skynergy\DialupMon\DialupMon.exe Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Iusage"=c:\progra~1\INTERN~2\netdet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\StationRipper\\StationRipperConsole.exe"=
"c:\\Program Files\\WinHTTrack\\WinHTTrack.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Xenu\\Xenu.exe"=
"c:\\kav\\kav7.0\\english\\setup.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.com"=
"c:\\Program Files\\EndNote 9\\EndNote.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\xampp\\xampplite\\apache\\bin\\apache.exe"=
"c:\\xampp\\xampplite\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Call Graph\\CallGraph.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2100:TCP"= 2100:TCP:*:Disabled:endnote
"2945:TCP"= 2945:TCP:*:Disabled:endnote_uom
"20:TCP"= 20:TCP:ftp

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [28.12.2004 00:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [6.06.2006 15:27 6144]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10.10.2006 11:53 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27.02.2007 10:39 32256]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;c:\program files\ProcessGuard\DCSUserProt.exe [26.12.2007 15:51 69632]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [12.07.2009 19:06 10240]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24.11.2008 22:31 29263712]
R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [26.12.2007 15:51 24911]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [20.05.2008 12:50 33792]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4.04.2007 13:58 24344]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6.06.2006 15:49 35968]
S3 MSRSService;MSRS Recording System;c:\program files\NCH Swift Sound\MSRS\msrs.exe [27.04.2009 11:59 733188]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16.02.2006 15:51 4096]
S3 USB22LDR;M-Audio USB MIDISPORT 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [19.04.2008 18:44 20936]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver;c:\windows\system32\drivers\usbmm2x2.sys [19.04.2008 18:48 14596]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Supplementary Scan -------
.
uLocal Page = about:blank
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel
LSP: c:\windows\system32\dcsws2.dll
Name-Space Handler: ftp\JetCarIEClickCatcher - {FB5DA722-162B-11D3-8B9B-AA70B4B0B524} - c:\program files\FlashGet\Jccatch.dll
Name-Space Handler: http\JetCarIEClickCatcher - {FB5DA722-162B-11D3-8B9B-AA70B4B0B524} - c:\program files\FlashGet\Jccatch.dll
FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\5dzukqaz.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\Mozilla Firefox 3\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NetTimer - c:\program files\NetTimer v1.2\NTLaunch.exe
AddRemove-HijackThis - c:\documents and settings\Andy\Desktop\HijackThis.exe
AddRemove-Midi2Mtx - c:\music\Midi2Mtx\uninstall.exe
AddRemove-MidiDsm - c:\music\UMidDsm.exe
AddRemove-Mtx2Midi - c:\music\Mtx2Midi\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 20:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1916)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1972)
c:\windows\system32\dcsws2.dll

- - - - - - - > 'explorer.exe'(3724)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\Crypserv.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\ApntEx.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
c:\program files\Hp\Digital Imaging\bin\hpqbam08.exe
c:\program files\Hp\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-10-13 20:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 18:31
ComboFix2.txt 2008-07-20 08:53
ComboFix3.txt 2008-03-20 15:06
ComboFix4.txt 2008-03-19 08:12
ComboFix5.txt 2009-10-13 18:09

Pre-Run: 4,216,614,912 bytes free
Post-Run: 4,093,804,544 bytes free

301 --- E O F --- 2008-07-09 05:59

Edited by thewall, 13 October 2009 - 02:56 PM.


#9 Erik_S (Topic Starter, Members, 17 posts)

Posted 13 October 2009 - 02:40 PM

PS: I forgot to mention that I disconnected from the web before I ran Combofix. I just noticed you didn't ask me to do so - hope it's not a problem. I can rescan when connected if you want.

#10 thewall (Malware Response Team, 6,425 posts, Location: Florida)

Posted 13 October 2009 - 07:08 PM

You don't have to disconnect from the Internet; CF will take care of that if it needs to.

We're going to remove the ThreatFire entry.

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

SecCenter::
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Please uninstall the older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double click on Add/Remove Programs
* Locate the older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.


You need to go to Add/Remove and uninstall the following leftover version of Java. These older versions can be exploited by malware.

Java™ 6 Update 7
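As an added illustration of the point made in posts #7 and #10 (this is editorial example code, not part of the thread and not ComboFix's or ThreatFire's own code): the "AV:" and "FW:" lines at the top of a ComboFix log are read from the Windows Security Center WMI namespace, so a product that was uninstalled without unregistering itself keeps appearing there until its WMI instance is deleted, which is what the "SecCenter::" directive in the CFScript above does. The Kaspersky line reads "On-access scanning disabled" simply because the user was told to disable it before the run. The PowerShell below does the same inspection and cleanup by hand. Everything it assumes is mine rather than the thread's: Windows XP with PowerShell 2.0 run from an administrator prompt, the "root\SecurityCenter" namespace with its "AntiVirusProduct" and "FirewallProduct" classes, the mapping of ComboFix's "(Updated)" and "*On-access scanning ...*" text onto the "productUptoDate" and "onAccessScanningEnabled" properties, and "ThreatFire" as the stale display name.

```powershell
# Added example, not from the thread, ComboFix or ThreatFire: list the products registered
# with Windows Security Center (the source of ComboFix's "AV:" / "FW:" header lines) and
# delete the registration of one that is no longer installed.
# Assumptions (mine, not the thread's): Windows XP SP2/SP3, PowerShell 2.0, run as an
# administrator. Vista and later use root\SecurityCenter2, where the state is packed into
# a 'productState' value instead of the boolean properties read here.

$Namespace = 'root\SecurityCenter'

# One summary object per registered AV/firewall product; the live WMI instance is kept
# so a stale one can be deleted later.
function Get-SecurityCenterProducts {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace $Namespace -Class $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Class    = $class
                    Name     = $_.displayName
                    Guid     = ($_.instanceGuid -replace '[{}]', '')
                    # AntiVirusProduct has onAccessScanningEnabled/productUptoDate,
                    # FirewallProduct has 'enabled'; a missing property reads as $null.
                    OnAccess = $_.onAccessScanningEnabled
                    Enabled  = $_.enabled
                    UpToDate = $_.productUptoDate
                    Instance = $_
                }
            }
    }
}

# Print each product in the one-line form ComboFix uses, so the WMI view can be checked
# against the posted log (assumed mapping: Updated <- productUptoDate,
# On-access scanning <- onAccessScanningEnabled).
function Format-LikeComboFix {
    param([Parameter(ValueFromPipeline = $true)] $Product)
    process {
        if ($Product.Class -eq 'AntiVirusProduct') {
            $scan = if ($Product.OnAccess) { 'enabled' } else { 'disabled' }
            $upd  = if ($Product.UpToDate) { 'Updated' } else { 'Outdated' }
            "AV: $($Product.Name) *On-access scanning $scan* ($upd) {$($Product.Guid)}"
        } else {
            $state = if ($Product.Enabled) { 'enabled' } else { 'disabled' }
            "FW: $($Product.Name) *$state* {$($Product.Guid)}"
        }
    }
}

# Delete the registration(s) matching a display name. Dry run unless -Delete is given:
# confirm in Add/Remove Programs and under Program Files that the product is really gone,
# because deleting the entry of an installed product only silences Security Center.
function Remove-StaleSecurityCenterProduct {
    param([string] $DisplayName, [switch] $Delete)
    $stale = @(Get-SecurityCenterProducts | Where-Object { $_.Name -eq $DisplayName })
    if ($stale.Count -eq 0) {
        Write-Host "No Security Center registration named '$DisplayName'."
        return
    }
    foreach ($p in $stale) {
        $line = $p | Format-LikeComboFix
        if ($Delete) {
            Remove-WmiObject -InputObject $p.Instance
            Write-Host "Removed: $line"
        } else {
            Write-Host "Would remove (re-run with -Delete): $line"
        }
    }
}

Get-SecurityCenterProducts | Format-LikeComboFix
Remove-StaleSecurityCenterProduct -DisplayName 'ThreatFire'            # dry run
# Remove-StaleSecurityCenterProduct -DisplayName 'ThreatFire' -Delete  # actually delete
```

Run it once as written and compare the printed lines with the header of the ComboFix log; only add -Delete after Add/Remove Programs and the Program Files folder confirm the product really is gone, since removing the WMI entry of a product that is still installed just stops Security Center from reporting on it. The same deletion call works against root\SecurityCenter2 on Vista and later, but the enabled/updated text would have to be decoded from productState.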

#11 Erik_S (Topic Starter, Members, 17 posts)

Posted 14 October 2009 - 01:10 PM

Hi there!

I removed the old Adobe Reader and Java, and ran the script.

The log is below.

One thing I should add is that of late (but not since we started working on this - shortly before then if I remember well), when I start up, Windows Explorer doesn't work. It's stuck, basically: I see the tray, the Start menu button etc., but nothing responds to clicks. I always have to bring up Task Manager, crudely kill the explorer.exe process, and start it again with a Run command. Then everything works fine.

Thought that may be of interest.

Below is the combofix log after running the anti-Threatfire script.

Many thanks again for your help,

Andy

---

ComboFix 09-10-13.04 - Andy 14.10.2009 18:58.7.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1599 [GMT 2:00]
Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andy\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-07 18:51 . 2009-10-07 18:51 -------- d-----w- c:\program files\Panda Security
2009-09-24 18:53 . 2009-09-24 18:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-19 14:23 . 2009-09-19 14:24 15 ----a-w- c:\documents and settings\Andy\settings.dat
2009-09-19 14:10 . 2009-09-19 14:10 -------- d-----w- c:\program files\Trend Micro
2009-09-16 17:08 . 2009-09-16 17:08 -------- d-----w- c:\program files\VS Revo Group
2009-09-16 16:57 . 2009-09-16 16:57 -------- d-----w- c:\program files\Windows Installer Clean Up

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 17:04 . 2008-03-27 09:40 5354272 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-14 17:04 . 2008-03-27 09:40 204320 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-14 16:55 . 2007-06-26 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-14 16:55 . 2007-12-27 03:46 107492 ----a-w- c:\windows\system32\pguard.dat
2009-10-14 16:55 . 2008-03-27 09:40 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-14 16:52 . 2007-12-27 03:46 217740 ----a-w- c:\windows\system32\pghash.dat
2009-10-14 16:51 . 2008-07-04 11:59 -------- d-----w- c:\program files\Mozilla Firefox 3
2009-10-14 16:48 . 2008-03-17 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-14 16:47 . 2008-03-27 09:41 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-14 16:47 . 2008-03-27 09:41 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-14 06:05 . 2008-03-27 09:40 506804 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-14 05:34 . 2007-05-28 15:10 -------- d-----w- c:\documents and settings\Andy\Application Data\MailWasherPro
2009-10-14 05:32 . 2007-05-29 16:32 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-13 07:25 . 2008-05-25 07:40 -------- d-----w- c:\program files\FlashGet
2009-09-28 06:25 . 2008-04-28 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-09-28 06:25 . 2008-04-28 13:01 59 ----a-w- c:\windows\wpd99.drv
2009-09-19 09:41 . 2009-08-14 07:15 164906 ----a-w- c:\windows\hpoins21.dat
2009-09-19 08:51 . 2009-01-08 09:06 -------- d-----w- c:\documents and settings\Andy\Application Data\Skype
2009-09-19 06:49 . 2009-01-08 09:08 -------- d-----w- c:\documents and settings\Andy\Application Data\skypePM
2009-09-19 06:36 . 2009-09-12 06:14 -------- d-----w- c:\documents and settings\Andy\Application Data\HpUpdate
2009-09-16 17:00 . 2008-09-22 11:43 -------- d-----w- c:\program files\MSECache
2009-09-16 16:38 . 2006-06-06 14:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 15:41 . 2007-06-26 07:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-14 15:29 . 2008-03-17 09:11 -------- d-----w- c:\program files\a-squared Free
2009-09-14 15:28 . 2008-03-19 13:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-12 12:26 . 2009-09-12 12:39 1463516674 ----a-w- C:\WORK.zip
2009-09-12 08:06 . 2008-06-10 10:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 06:29 . 2009-07-29 13:44 116841 ----a-w- c:\windows\hpqins00.dat
2009-08-26 05:43 . 2006-06-06 11:34 -------- d-----w- c:\program files\Java
2009-08-23 19:09 . 2007-12-26 13:54 -------- d-----w- c:\program files\console_tools
2009-08-19 06:09 . 2009-08-17 14:49 -------- d-----w- c:\documents and settings\Andy\Application Data\HPAppData
2009-07-25 03:23 . 2009-04-15 05:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-12-26 13:58 . 2007-12-26 13:58 542 ----a-w- c:\program files\Shortcut to procfreeze.lnk
2007-12-26 13:58 . 2007-12-26 13:58 532 ----a-w- c:\program files\Shortcut to fstrings.lnk
2007-12-26 13:58 . 2007-12-26 13:58 532 ----a-w- c:\program files\Shortcut to ffunlock.lnk
2009-04-29 11:48 . 2009-04-29 11:48 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-04-22 05:10 . 2007-04-03 04:13 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-22 05:10 . 2007-04-03 04:13 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-22 05:10 . 2007-04-03 04:13 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-22 05:10 . 2007-04-03 04:13 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-22 05:10 . 2007-04-03 04:13 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-03-18 08:02 . 2008-03-18 08:02 2 --shatr- c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( SnapShot@2009-10-13_18.23.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-06-09 09:14 . 2009-10-14 16:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-06-09 09:14 . 2009-10-13 16:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-14 05:07 . 2009-10-14 16:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-06-09 09:14 . 2009-10-13 16:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"!1_ProcessGuard_Startup"="c:\program files\ProcessGuard\procguard.exe" [2005-01-20 280064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2005-07-23 188416]
"!1_pgaccount"="c:\program files\ProcessGuard\pgaccount.exe" [2005-01-20 184320]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 385024]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-04-29 1831936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2009-01-09 1448960]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-04 88204]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-05-19 299008]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2006-05-19 102400]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-11 622592]
"TOSDCR"="TOSDCR.EXE" - c:\windows\system32\TOSDCR.exe [2005-12-12 57344]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-09 16207360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2007-9-30 1392640]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 08:39 282624 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=ma_cmidn.dll
"midi2"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ ??O ?????????????????ehoP??????????????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"a2free"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"InternetPal"=c:\program files\BySoft InternetPal\InternetPal.exe
"DialupMon.exe Startup"=c:\program files\Skynergy\DialupMon\DialupMon.exe Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Iusage"=c:\progra~1\INTERN~2\netdet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\StationRipper\\StationRipperConsole.exe"=
"c:\\Program Files\\WinHTTrack\\WinHTTrack.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Xenu\\Xenu.exe"=
"c:\\kav\\kav7.0\\english\\setup.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.com"=
"c:\\Program Files\\EndNote 9\\EndNote.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\xampp\\xampplite\\apache\\bin\\apache.exe"=
"c:\\xampp\\xampplite\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Call Graph\\CallGraph.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2100:TCP"= 2100:TCP:*:Disabled:endnote
"2945:TCP"= 2945:TCP:*:Disabled:endnote_uom
"20:TCP"= 20:TCP:ftp

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [28.12.2004 00:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [6.06.2006 15:27 6144]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10.10.2006 11:53 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27.02.2007 10:39 32256]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;c:\program files\ProcessGuard\DCSUserProt.exe [26.12.2007 15:51 69632]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [12.07.2009 19:06 10240]
R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [26.12.2007 15:51 24911]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [20.05.2008 12:50 33792]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4.04.2007 13:58 24344]
S2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24.11.2008 22:31 29263712]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6.06.2006 15:49 35968]
S3 MSRSService;MSRS Recording System;c:\program files\NCH Swift Sound\MSRS\msrs.exe [27.04.2009 11:59 733188]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16.02.2006 15:51 4096]
S3 USB22LDR;M-Audio USB MIDISPORT 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [19.04.2008 18:44 20936]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver;c:\windows\system32\drivers\usbmm2x2.sys [19.04.2008 18:48 14596]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Supplementary Scan -------
.
uLocal Page = about:blank
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel
LSP: c:\windows\system32\dcsws2.dll
Name-Space Handler: ftp\JetCarIEClickCatcher - {FB5DA722-162B-11D3-8B9B-AA70B4B0B524} - c:\program files\FlashGet\Jccatch.dll
Name-Space Handler: http\JetCarIEClickCatcher - {FB5DA722-162B-11D3-8B9B-AA70B4B0B524} - c:\program files\FlashGet\Jccatch.dll
FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\5dzukqaz.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\Mozilla Firefox 3\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 19:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1916)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1972)
c:\windows\system32\dcsws2.dll

- - - - - - - > 'explorer.exe'(2480)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2009-10-14 19:07
ComboFix-quarantined-files.txt 2009-10-14 17:07
ComboFix2.txt 2009-10-13 18:31
ComboFix3.txt 2008-07-20 08:53
ComboFix4.txt 2008-03-20 15:06
ComboFix5.txt 2009-10-14 16:57

Pre-Run: 4,214,030,336 bytes free
Post-Run: 4,172,759,040 bytes free

259 --- E O F --- 2008-07-09 05:59

Edited by thewall, 14 October 2009 - 02:11 PM.


#12 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 14 October 2009 - 02:26 PM

I need to make sure I understand correctly. Once you go through the process with Task Manager, then the Start button and Explore work OK... is that correct?
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 Erik_S
  • Topic Starter
  • Members
  • 17 posts

Posted 14 October 2009 - 03:37 PM

Hi, yes, you are correct: once I do that it works fine. And please note it doesn't always happen; sometimes (e.g. now, after I started up) it works fine.

#14 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 14 October 2009 - 04:13 PM

That's a strange one, and the fact that it is intermittent makes it even harder to figure out. This is a tool that will often fix Windows problems. You can give it a try:

We need to repair some of Windows' internal registration settings.
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box (Looks like this: Posted Image)
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
    Posted Image
  • When the window looks like this, press the GO button in the bottom of the window.
    Posted Image
  • Exit/Close Dial-A-Fix


#15 Erik_S
  • Topic Starter
  • Members
  • 17 posts

Posted 14 October 2009 - 05:40 PM

Hi, OK, I've done that.

I can't give you any meaningful feedback about performance right now as I'd have to restart etc. and work a bit to get a feeling regarding any changes, but it's late now in this part of the world and I am working tomorrow... :(

But I'll give it a try tomorrow morning and let you know.

In the meantime, I would appreciate some feedback on your findings (if any) from the combofix logs etc., just to get an idea of how we are doing in general.

Many thanks again for your help - speak soon,

Andy



