windows xp all internet browsers hang after certain amount of time


17 replies to this topic

#1 djo26

Posted 24 January 2010 - 09:32 PM

I was asked to post to this forum so here I am. I was given a friend's computer and have been trying to fix it all week, and have been unsuccessful. It's a Dell Inspiron 600m on Windows XP, Service Pack 3 with all the latest windows updates. It had AVG 8 free on it, then my friend installed Paretologic virus scanner on top of AVG 8. He also installed Malwarebytes. Then he gave it to me. I ran the virus scanner at security.symantec.com and that found nothing. I uninstalled the paretologic software. I tried to upgrade AVG free 8 to AVG free 9 and the install process froze, so I uninstalled both. (not sure if the uninstall for any of the virus software actually worked successfully, even though I did not get any errors.) I then installed the latest Kaspersky and it found Rootkit.Win32.TDSS.d so in my haste and not reading enough before running, I downloaded and ran ComboFix. It got to stage 32 and then froze. I eventually canceled it, reset the computer, and uninstalled it using combofix /uninstall. It looks like it did quarantine one file though, but I forget the name, it was a .sys file. I then ran a full scan with Kaspersky and that did not show any viruses. I also then ran a full scan of Malwarebytes and that found some cookies that I deleted. I thought I was in the clear, but the following issues still occur:

When I open any web browser (IE, Firefox, and Chrome are installed on the machine), it will work fine for about a minute and then no browser can download anything and just waits when I click on any link or try to go to any page. If I restart the computer, the same thing happens. The network itself seems to work fine still, as I can ping and use tracert to places like www.yahoo.com just fine. I uninstalled Chrome completely and uninstalled and re-installed Firefox. I have also run the command lines to reset the winsock and IP stack as found on other forums, all to no avail.

Since having this problem, I have also run super anti-spyware in safe mode and xdelbox, both of which have not seemed to find anything.

As instructed in another forum on this site, I have run DDS and RootRepeal, pasted the DDS log below, and will attach the zipped "attach" log, ark log, and kaspersky report. From looking at the ark log, I believe that the file that kaspersky originally had an issue with above is the 7n91f7.sys file. I have not done anything to the system since running DDS and RootRepeal and am awaiting instructions.


Any help is appreciated.
thanks, dan



DDS (Ver_09-12-01.01) - NTFSx86
Run by ADMIN at 20:49:52.02 on Sun 01/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.439 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net1.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\ADMIN\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://media.fastclick.net/w/safepop.cgi?cid=76010&mid=192467&sid=29791&c=45
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://channels.aimtoday.com/search/aimtoolbar.jsp
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\ypager.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125169728815
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\u1qamcfa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-1-21 315408]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-19 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S1 7n91f7;7n91f7;c:\windows\system32\drivers\7n91f7.sys [2010-1-16 72192]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2006-8-8 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2006-8-8 69680]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]

=============== Created Last 30 ================

2010-01-21 20:53:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-21 20:53:34 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-21 20:53:34 0 d-----w- c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
2010-01-21 20:52:56 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-21 15:59:44 0 d-sha-r- C:\cmdcons
2010-01-21 05:59:45 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-21 05:59:45 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-21 05:57:32 0 d-----w- c:\program files\Kaspersky Lab
2010-01-21 05:57:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-01-21 00:58:19 0 d-----w- c:\program files\common files\Symantec Shared
2010-01-21 00:15:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-01-21 00:15:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-01-21 00:15:00 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-01-20 22:40:42 0 ----a-w- c:\windows\system32\commonpriv.log.lock
2010-01-20 20:18:27 0 d-----w- c:\program files\GnuWin32
2010-01-20 18:50:35 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-20 18:50:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-20 17:43:01 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-20 15:38:47 0 d-sh--w- c:\documents and settings\admin\IECompatCache
2010-01-20 06:13:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-01-19 21:53:18 67291088 ------w- C:\kav2010_9.0.0.736en.exe
2010-01-18 06:56:30 66836 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-18 06:56:30 5180 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-18 06:56:30 4910112 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-18 06:56:30 44064 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-17 23:14:56 1365 ----a-w- C:\rollback.ini
2010-01-17 22:17:57 0 d-----w- c:\program files\common files\ParetoLogic
2010-01-17 22:17:57 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Virus PLUS
2010-01-17 22:17:57 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-01-17 01:47:19 0 d-sh--w- c:\documents and settings\admin\PrivacIE
2010-01-17 01:19:16 0 d-sh--w- c:\documents and settings\admin\IETldCache
2010-01-17 01:13:16 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-17 01:13:13 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-17 01:13:06 0 d-----w- c:\windows\ie8updates
2010-01-17 01:12:34 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-17 01:07:28 0 dc-h--w- c:\windows\ie8
2010-01-16 23:17:57 0 d-----w- c:\docume~1\alluse~1\applic~1\392AB
2010-01-16 05:54:17 72192 ----a-w- c:\windows\system32\drivers\7n91f7.sys
2010-01-15 04:36:25 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-01-15 04:36:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 04:36:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-15 04:36:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 04:36:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 22:40:14 0 d--h--w- C:\$AVG8.VAULT$
2010-01-13 21:24:27 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:05 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:03 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-21 19:14:03 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-21 19:14:03 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:03 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-21 19:14:03 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-21 19:14:01 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-13 22:57:16 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57:16 922112 ------w- c:\windows\system32\dllcache\imapi2fs.dll
2009-11-13 22:57:16 62592 ------w- c:\windows\system32\dllcache\cdrom.sys
2009-11-13 22:57:16 426496 ------w- c:\windows\system32\imapi2.dll
2009-11-13 22:57:16 426496 ------w- c:\windows\system32\dllcache\imapi2.dll
2009-10-29 07:46:51 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2006-05-05 00:42:00 774144 ----a-w- c:\program files\RngInterstitial.dll

============= FINISH: 20:50:57.27 ===============

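As an added example (my own code, not from the thread, from DDS or from any of the tools discussed), here is a small parser for the DDS log format posted above that cross-references the SERVICES / DRIVERS section with the Created Last 30 list and scores each driver on the signals a responder looks for when reading such a log: no descriptive display name, a random-looking alphanumeric name, and a file created recently. The embedded SAMPLE_DDS is an excerpt of the log in this post trimmed to a few lines per section; the three signals and the flagging threshold are my assumptions, not part of DDS.

```python
import re
from collections import defaultdict

# Excerpt of the DDS log posted above, trimmed to a few lines per section.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
S1 7n91f7;7n91f7;c:\windows\system32\drivers\7n91f7.sys [2010-1-16 72192]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2006-8-8 17616]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]

=============== Created Last 30 ================

2010-01-21 05:59:45 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-16 05:54:17 72192 ----a-w- c:\windows\system32\drivers\7n91f7.sys
2010-01-15 04:36:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

============= FINISH: 20:50:57.27 ===============
"""

# DDS section banners look like "===== NAME =====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Driver lines: "<start> <service>;<display name>;<path> [<date> <size>]" or "[?]".
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
# Created Last 30 lines: "<date> <time> <size> <attrs> <path>".
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")


def split_sections(text):
    """Group the non-blank lines of a DDS log under their (lowercased) section name."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).lower()
            continue
        if current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_driver(line):
    """Parse one SERVICES / DRIVERS line; returns None for anything else."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    start, name, display, path, stamp = m.groups()
    # DDS writes "<path> --> <path>" for services whose binary is missing; keep the first.
    path = path.split(" --> ")[0].strip().lower()
    return {"start": start, "name": name, "display": display, "path": path, "stamp": stamp}


def created_paths(lines):
    """Set of lowercased paths listed in the Created Last 30 section."""
    return {m.group(2).strip().lower() for m in map(CREATED_RE.match, lines) if m}


def class_transitions(name):
    """Count digit<->letter switches; generated names like 7n91f7 alternate often."""
    classes = ["d" if c.isdigit() else "a" for c in name if c.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def score_driver(drv, created):
    """Return the list of suspicion signals (assumed heuristics) that apply to a driver."""
    reasons = []
    if drv["display"].lower() == drv["name"].lower():
        reasons.append("display name is just the service name")
    if class_transitions(drv["name"]) >= 3:
        reasons.append("random-looking alphanumeric name")
    if drv["path"] in created:
        reasons.append("file appears in Created Last 30")
    return reasons


def suspicious_drivers(text, threshold=2):
    """Drivers with at least `threshold` signals, in log order."""
    sections = split_sections(text)
    created = created_paths(sections.get("created last 30", []))
    hits = []
    for line in sections.get("services / drivers", []):
        drv = parse_driver(line)
        if drv is None:
            continue
        reasons = score_driver(drv, created)
        if len(reasons) >= threshold:
            hits.append({"name": drv["name"], "start": drv["start"],
                         "path": drv["path"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_drivers(SAMPLE_DDS):
        print(f"{hit['start']} {hit['name']} {hit['path']}: {', '.join(hit['reasons'])}")
```

On the excerpt only the 7n91f7 entry reaches the threshold; the legitimate Kaspersky, SUPERAntiSpyware and Terayon drivers each trip at most one signal, which is why no single heuristic is used on its own.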


#2 m0le


Posted 31 January 2010 - 03:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 djo26

Posted 04 February 2010 - 10:41 PM

I was away for the week for work, but I'm back now and have the machine with me. I haven't touched it since my posting here. I'm also thinking about just telling my friend tough luck and re-imaging/installing from scratch.

#4 m0le


Posted 05 February 2010 - 01:05 PM

Yes, TDSS still can stall Combofix so let's see if we can remove it.

First let's rule out a rootkit, which can make our search much harder.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

#5 djo26

Posted 05 February 2010 - 01:35 PM

Running from: C:\Documents and Settings\ADMIN\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\ADMIN\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...


Finished!

#6 m0le


Posted 05 February 2010 - 01:39 PM

Okay, no sign of that.

Please run MBAM in safe mode

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Now please run TDSSKiller
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here (or attach it).

Thanks

#7 djo26


Posted 05 February 2010 - 03:28 PM

Malware Bytes Log:
Malwarebytes' Anti-Malware 1.44
Database version: 3694
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/5/2010 3:14:43 PM
mbam-log-2010-02-05 (15-14-43).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 204131
Time elapsed: 43 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\BearShare Applications\BearShare\Skins\PS.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0005403.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0005483.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\7n91f7.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


TDSSKiller log:
15:20:59:635 3516 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
15:20:59:635 3516 ================================================================================
15:20:59:635 3516 SystemInfo:

15:20:59:635 3516 OS Version: 5.1.2600 ServicePack: 3.0
15:20:59:635 3516 Product type: Workstation
15:20:59:635 3516 ComputerName: RYAN
15:20:59:635 3516 UserName: ADMIN
15:20:59:635 3516 Windows directory: C:\WINDOWS
15:20:59:635 3516 Processor architecture: Intel x86
15:20:59:635 3516 Number of processors: 1
15:20:59:635 3516 Page size: 0x1000
15:20:59:635 3516 Boot type: Normal boot
15:20:59:635 3516 ================================================================================
15:20:59:635 3516 UnloadDriverW: NtUnloadDriver error 2
15:20:59:635 3516 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:20:59:685 3516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
15:21:00:416 3516 UtilityInit: KLMD drop and load success
15:21:00:416 3516 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
15:21:00:416 3516 UtilityInit: KLMD open success
15:21:00:416 3516 UtilityInit: Initialize success
15:21:00:416 3516
15:21:00:416 3516 Scanning Services ...
15:21:00:416 3516 CreateRegParser: Registry parser init started
15:21:00:416 3516 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
15:21:00:416 3516 CreateRegParser: DisableWow64Redirection error
15:21:00:416 3516 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:21:00:416 3516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
15:21:00:416 3516 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:21:00:416 3516 wfopen_ex: Trying to KLMD file open
15:21:00:416 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
15:21:00:416 3516 wfopen_ex: File opened ok (Flags 2)
15:21:00:416 3516 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3A4AF8
15:21:00:416 3516 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:21:00:416 3516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
15:21:00:416 3516 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:21:00:416 3516 wfopen_ex: Trying to KLMD file open
15:21:00:416 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
15:21:00:416 3516 wfopen_ex: File opened ok (Flags 2)
15:21:00:416 3516 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3A49E8
15:21:00:416 3516 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
15:21:00:416 3516 CreateRegParser: EnableWow64Redirection error
15:21:00:416 3516 CreateRegParser: RegParser init completed
15:21:01:768 3516 GetAdvancedServicesInfo: Raw services enum returned 401 services
15:21:01:768 3516 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:21:01:768 3516 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:21:01:768 3516
15:21:01:768 3516 Scanning Kernel memory ...
15:21:01:768 3516 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
15:21:01:768 3516 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 873CA6F8
15:21:01:768 3516 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
15:21:01:768 3516
15:21:01:768 3516 DetectCureTDL3: DEVICE_OBJECT: 8738B030
15:21:01:768 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8738B030
15:21:01:778 3516 KLMD_ReadMem: Trying to ReadMemory 0x8738B030[0x38]
15:21:01:778 3516 DetectCureTDL3: DRIVER_OBJECT: 873CA6F8
15:21:01:778 3516 KLMD_ReadMem: Trying to ReadMemory 0x873CA6F8[0xA8]
15:21:01:778 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1B0BFB0[0x18]
15:21:01:778 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:21:01:778 3516 DetectCureTDL3: IrpHandler (0) addr: F76C5BB0
15:21:01:778 3516 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (2) addr: F76C5BB0
15:21:01:778 3516 DetectCureTDL3: IrpHandler (3) addr: F76BFD1F
15:21:01:778 3516 DetectCureTDL3: IrpHandler (4) addr: F76BFD1F
15:21:01:778 3516 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (9) addr: F76C02E2
15:21:01:778 3516 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (14) addr: F76C03BB
15:21:01:778 3516 DetectCureTDL3: IrpHandler (15) addr: F76C3F28
15:21:01:778 3516 DetectCureTDL3: IrpHandler (16) addr: F76C02E2
15:21:01:778 3516 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (22) addr: F76C1C82
15:21:01:778 3516 DetectCureTDL3: IrpHandler (23) addr: F76C699E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
15:21:01:778 3516 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
15:21:01:778 3516 TDL3_FileDetect: Processing driver: Disk
15:21:01:778 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:01:778 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:01:788 3516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:21:01:788 3516
15:21:01:788 3516 DetectCureTDL3: DEVICE_OBJECT: 873D0670
15:21:01:788 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873D0670
15:21:01:788 3516 KLMD_ReadMem: Trying to ReadMemory 0x873D0670[0x38]
15:21:01:788 3516 DetectCureTDL3: DRIVER_OBJECT: 873CA6F8
15:21:01:808 3516 KLMD_ReadMem: Trying to ReadMemory 0x873CA6F8[0xA8]
15:21:01:808 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1B0BFB0[0x18]
15:21:01:808 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:21:01:808 3516 DetectCureTDL3: IrpHandler (0) addr: F76C5BB0
15:21:01:808 3516 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
15:21:01:808 3516 DetectCureTDL3: IrpHandler (2) addr: F76C5BB0
15:21:01:808 3516 DetectCureTDL3: IrpHandler (3) addr: F76BFD1F
15:21:01:808 3516 DetectCureTDL3: IrpHandler (4) addr: F76BFD1F
15:21:01:808 3516 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
15:21:01:808 3516 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
15:21:01:808 3516 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
15:21:01:808 3516 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
15:21:01:808 3516 DetectCureTDL3: IrpHandler (9) addr: F76C02E2
15:21:01:808 3516 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
15:21:01:808 3516 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
15:21:01:808 3516 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
15:21:01:808 3516 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
15:21:01:808 3516 DetectCureTDL3: IrpHandler (14) addr: F76C03BB
15:21:01:828 3516 DetectCureTDL3: IrpHandler (15) addr: F76C3F28
15:21:01:828 3516 DetectCureTDL3: IrpHandler (16) addr: F76C02E2
15:21:01:828 3516 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
15:21:01:828 3516 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
15:21:01:828 3516 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
15:21:01:828 3516 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
15:21:01:828 3516 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
15:21:01:828 3516 DetectCureTDL3: IrpHandler (22) addr: F76C1C82
15:21:01:828 3516 DetectCureTDL3: IrpHandler (23) addr: F76C699E
15:21:01:828 3516 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
15:21:01:828 3516 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
15:21:01:828 3516 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
15:21:01:828 3516 TDL3_FileDetect: Processing driver: Disk
15:21:01:828 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:01:828 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:01:868 3516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:21:01:868 3516
15:21:01:868 3516 DetectCureTDL3: DEVICE_OBJECT: 873D0030
15:21:01:868 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873D0030
15:21:01:868 3516 KLMD_ReadMem: Trying to ReadMemory 0x873D0030[0x38]
15:21:01:868 3516 DetectCureTDL3: DRIVER_OBJECT: 873CA6F8
15:21:01:868 3516 KLMD_ReadMem: Trying to ReadMemory 0x873CA6F8[0xA8]
15:21:01:868 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1B0BFB0[0x18]
15:21:01:868 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:21:01:868 3516 DetectCureTDL3: IrpHandler (0) addr: F76C5BB0
15:21:01:868 3516 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (2) addr: F76C5BB0
15:21:01:888 3516 DetectCureTDL3: IrpHandler (3) addr: F76BFD1F
15:21:01:888 3516 DetectCureTDL3: IrpHandler (4) addr: F76BFD1F
15:21:01:888 3516 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (9) addr: F76C02E2
15:21:01:888 3516 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (14) addr: F76C03BB
15:21:01:888 3516 DetectCureTDL3: IrpHandler (15) addr: F76C3F28
15:21:01:888 3516 DetectCureTDL3: IrpHandler (16) addr: F76C02E2
15:21:01:888 3516 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
15:21:01:888 3516 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
15:21:01:909 3516 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
15:21:01:909 3516 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
15:21:01:909 3516 DetectCureTDL3: IrpHandler (22) addr: F76C1C82
15:21:01:909 3516 DetectCureTDL3: IrpHandler (23) addr: F76C699E
15:21:01:909 3516 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
15:21:01:909 3516 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
15:21:01:909 3516 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
15:21:01:909 3516 TDL3_FileDetect: Processing driver: Disk
15:21:01:909 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:01:909 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:01:949 3516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:21:01:949 3516
15:21:01:949 3516 DetectCureTDL3: DEVICE_OBJECT: 87388030
15:21:01:949 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87388030
15:21:01:949 3516 DetectCureTDL3: DEVICE_OBJECT: 873CAB00
15:21:01:949 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873CAB00
15:21:01:949 3516 KLMD_ReadMem: Trying to ReadMemory 0x873CAB00[0x38]
15:21:01:949 3516 DetectCureTDL3: DRIVER_OBJECT: 8730DE40
15:21:01:949 3516 KLMD_ReadMem: Trying to ReadMemory 0x8730DE40[0xA8]
15:21:01:949 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1A9E058[0x1A]
15:21:01:949 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
15:21:01:949 3516 DetectCureTDL3: IrpHandler (0) addr: F752C6F2
15:21:01:949 3516 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (2) addr: F752C6F2
15:21:01:949 3516 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (14) addr: F752C712
15:21:01:949 3516 DetectCureTDL3: IrpHandler (15) addr: F7528852
15:21:01:949 3516 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
15:21:01:969 3516 DetectCureTDL3: IrpHandler (22) addr: F752C73C
15:21:01:969 3516 DetectCureTDL3: IrpHandler (23) addr: F7533336
15:21:01:969 3516 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
15:21:01:969 3516 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
15:21:01:969 3516 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
15:21:01:969 3516 KLMD_ReadMem: Trying to ReadMemory 0xF7529864[0x400]
15:21:01:969 3516 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
15:21:01:969 3516 TDL3_FileDetect: Processing driver: atapi
15:21:01:969 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:21:01:969 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
15:21:02:019 3516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
15:21:02:019 3516
15:21:02:019 3516 Completed
15:21:02:019 3516
15:21:02:019 3516 Results:
15:21:02:019 3516 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
15:21:02:019 3516 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:21:02:019 3516 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:21:02:019 3516
15:21:02:029 3516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
15:21:02:029 3516 UtilityDeinit: KLMD(ARK) unloaded successfully
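Added example, not part of the post above and not a tool from Malwarebytes or Kaspersky: a small Python triage helper for the two logs djo26 posted. It does two things a responder would otherwise do by eye. For the MBAM log it separates the one hit that was live on the box (the randomly named driver in system32\drivers) from the copies inside System Restore points, which are inert unless a restore is performed. For the verbose TDSSKiller log it parses each DetectCureTDL3 block into its 27 IRP dispatch addresses and applies a hook heuristic that is an assumption of this example, not TDSSKiller's real logic: the most frequent address is taken to be the kernel's shared default handler (804FA87E in the posted log), and any remaining entry more than MAX_SPAN bytes from the median of the others is flagged, because a TDL3-style hook redirects a dispatch entry of atapi.sys out of the driver's own image. The sample input is excerpted from the posted logs; the "hooked" variant with entry 15 pointing at a pool address is constructed.

```python
"""Triage the MBAM and TDSSKiller (-v) logs above.  Example code for this
thread, not a Malwarebytes or Kaspersky tool; the hook heuristic is an
assumption of this example, not TDSSKiller's real detection logic."""
import re
from collections import Counter
from statistics import median

MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
TDSS_DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (?P<name>\S+)")
TDSS_IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]{8})")
TDSS_VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<file>\S+) - Verdict: (?P<verdict>\w+)")

# Assumed upper bound on the distance between one driver's own dispatch
# routines; a hook into pool memory or another image lands far outside it.
MAX_SPAN = 0x100000


def parse_mbam_files(text):
    """Return (path, detection, action, location) per 'Files Infected:' entry."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":       # section header, not the 'Files Infected: N' count
            in_section = True
            continue
        if not in_section:
            continue
        m = MBAM_FILE_RE.match(line)
        if m is None:
            if line == "" or line.startswith("("):   # '(No malicious items detected)'
                continue
            break                                   # next log section reached
        low = m["path"].lower()
        if "\\system volume information\\_restore" in low:
            location = "restore_point"   # inert copy unless System Restore is used
        elif "\\windows\\system32\\drivers\\" in low:
            location = "live_driver"     # loadable on every boot: the real infection
        else:
            location = "other"
        entries.append((m["path"], m["name"], m["action"], location))
    return entries


def parse_tdss_blocks(text):
    """Return one dict per DetectCureTDL3 driver-object block of a verbose log."""
    blocks, cur = [], None
    for line in text.splitlines():
        if m := TDSS_DRIVER_RE.search(line):
            cur = {"driver": m["name"], "handlers": {}, "file": None, "verdict": None}
            blocks.append(cur)
        elif cur is not None and (m := TDSS_IRP_RE.search(line)):
            cur["handlers"][int(m["idx"])] = int(m["addr"], 16)
        elif cur is not None and (m := TDSS_VERDICT_RE.search(line)):
            cur["file"], cur["verdict"] = m["file"], m["verdict"]
    return blocks


def suspicious_handlers(block):
    """IRP_MJ indices whose dispatch pointer lies far from the driver's own code.

    Heuristic: the most frequent address is the kernel's shared default handler;
    every other entry should sit within MAX_SPAN of the median of the rest.
    """
    addrs = block["handlers"]
    if len(addrs) < 2:
        return []
    default = Counter(addrs.values()).most_common(1)[0][0]
    own = [a for a in addrs.values() if a != default]
    if not own:
        return []
    centre = median(own)
    return sorted(i for i, a in addrs.items() if a != default and abs(a - centre) > MAX_SPAN)


def triage(mbam_text, tdss_text):
    """Summarise both logs: live vs restore-point hits, file verdicts, hooked drivers."""
    files = parse_mbam_files(mbam_text)
    blocks = parse_tdss_blocks(tdss_text)
    hooked = {b["driver"]: suspicious_handlers(b) for b in blocks}
    return {
        "live_files": [p for p, _, _, loc in files if loc == "live_driver"],
        "restore_point_files": [p for p, _, _, loc in files if loc == "restore_point"],
        "drivers": {b["driver"]: b["verdict"] for b in blocks},
        "hooked": {d: idx for d, idx in hooked.items() if idx},
    }


# Sample input: excerpts of the logs posted in this thread.
MBAM_LOG = r"""Files Infected: 4

Files Infected:
C:\Program Files\BearShare Applications\BearShare\Skins\PS.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0005403.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0005483.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\7n91f7.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""
TDSS_LOG_CLEAN = r"""15:21:01:949 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
15:21:01:949 3516 DetectCureTDL3: IrpHandler (0) addr: F752C6F2
15:21:01:949 3516 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (2) addr: F752C6F2
15:21:01:949 3516 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
15:21:01:949 3516 DetectCureTDL3: IrpHandler (14) addr: F752C712
15:21:01:949 3516 DetectCureTDL3: IrpHandler (15) addr: F7528852
15:21:01:969 3516 DetectCureTDL3: IrpHandler (22) addr: F752C73C
15:21:01:969 3516 DetectCureTDL3: IrpHandler (23) addr: F7533336
15:21:01:969 3516 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
15:21:02:019 3516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
"""
# Constructed variant (not from the thread): entry 15 (IRP_MJ_INTERNAL_DEVICE_CONTROL)
# redirected to a pool address, the kind of hook TDL3 planted in atapi.sys.
TDSS_LOG_HOOKED = TDSS_LOG_CLEAN.replace("(15) addr: F7528852", "(15) addr: 8730D000")
```

On the posted logs `triage(MBAM_LOG, TDSS_LOG_CLEAN)` reports one live driver, two restore-point copies, atapi.sys clean and no hooked entries, which matches m0le's reading ("nothing there"). The constructed `TDSS_LOG_HOOKED` flags entry 15 of atapi. The heuristic deliberately does not trust the file verdict alone: TDL3 kept the on-disk atapi.sys clean-looking while only the in-memory dispatch table was altered, which is why the verbose log dumps every IrpHandler address.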

#8 m0le (Can U Dig It?, Malware Response Team, 34,527 posts, Gender: Male, Location: London, UK)

Posted 05 February 2010 - 03:49 PM

Okay nothing there.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.


Finally try Combofix again, using the instructions below.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Delete the copy of Combofix that you have.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#9 djo26 (Topic Starter, Members, 10 posts)

Posted 05 February 2010 - 04:45 PM

exeHelper by Raktor
Build 20091220
Run at 16:16:02 on 02/05/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
**************************************************************************************

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as ADMIN on 02/05/2010 at 16:17:38.


Processes terminated by Rkill or while it was running:


C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Documents and Settings\ADMIN\Desktop\rkill.scr


Rkill completed on 02/05/2010 at 16:17:42.

******************************************************************************************

ComboFix 10-02-05.02 - ADMIN 02/05/2010 16:23:21.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.423 [GMT -5:00]
Running from: c:\documents and settings\ADMIN\Desktop\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\SETC5.tmp
c:\windows\EventSystem.log
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-05 18:54 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 18:54 . 2010-02-05 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 18:54 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 21:02 . 2010-01-21 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-21 20:53 . 2010-01-21 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-21 20:53 . 2010-01-21 20:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-21 20:53 . 2010-01-21 20:53 -------- d-----w- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com
2010-01-21 20:52 . 2010-01-21 20:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-21 05:59 . 2010-01-21 05:59 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-21 05:59 . 2010-01-21 05:59 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-21 05:57 . 2010-02-05 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-21 05:57 . 2010-01-21 05:57 -------- d-----w- c:\program files\Kaspersky Lab
2010-01-21 00:58 . 2010-01-21 01:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-21 00:15 . 2010-01-21 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-21 00:15 . 2010-01-21 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-21 00:15 . 2010-01-21 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-20 20:18 . 2010-01-20 20:18 -------- d-----w- c:\program files\GnuWin32
2010-01-20 18:50 . 2010-01-20 18:50 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-20 18:50 . 2010-01-20 18:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-20 17:50 . 2010-01-20 17:50 -------- d-----w- c:\documents and settings\ADMIN\Application Data\vlc
2010-01-20 17:43 . 2010-01-20 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-20 15:38 . 2010-01-20 15:38 -------- d-sh--w- c:\documents and settings\ADMIN\IECompatCache
2010-01-20 06:13 . 2010-01-20 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-01-20 03:00 . 2010-01-20 03:00 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-20 02:57 . 2005-02-07 17:12 18328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 21:53 . 2010-01-19 21:31 67291088 ------w- C:\kav2010_9.0.0.736en.exe
2010-01-18 06:56 . 2010-01-20 18:24 44064 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-18 06:56 . 2010-01-20 18:24 4910112 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-17 22:17 . 2010-01-20 18:14 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-17 22:17 . 2010-01-20 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-17 22:17 . 2010-01-17 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-01-17 22:17 . 2010-01-17 22:17 -------- d-----w- c:\documents and settings\ADMIN\Local Settings\Application Data\Downloaded Installations
2010-01-17 01:55 . 2010-01-21 05:53 -------- d-----w- c:\documents and settings\ADMIN\Local Settings\Application Data\Temp
2010-01-17 01:47 . 2010-01-17 01:47 -------- d-sh--w- c:\documents and settings\ADMIN\PrivacIE
2010-01-17 01:23 . 2010-01-17 01:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-17 01:19 . 2010-01-17 01:19 -------- d-sh--w- c:\documents and settings\ADMIN\IETldCache
2010-01-17 01:13 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-17 01:13 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-17 01:13 . 2010-01-18 08:04 -------- d-----w- c:\windows\ie8updates
2010-01-17 01:12 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-17 01:07 . 2010-01-17 01:12 -------- dc-h--w- c:\windows\ie8
2010-01-16 23:17 . 2010-01-16 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\392AB
2010-01-15 04:36 . 2010-01-15 04:36 -------- d-----w- c:\documents and settings\ADMIN\Application Data\Malwarebytes
2010-01-15 04:36 . 2010-01-15 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-13 22:40 . 2010-01-15 20:59 -------- d-----w- C:\$AVG8.VAULT$
2010-01-13 21:24 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 03:00 . 2005-03-05 22:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 02:43 . 2005-02-07 16:53 -------- d-----w- c:\program files\Java
2010-01-21 21:02 . 2010-01-21 21:02 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-21 21:02 . 2010-01-21 21:02 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-21 20:54 . 2010-01-21 20:54 52224 ----a-w- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-21 20:54 . 2010-01-21 20:54 117760 ----a-w- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-21 06:08 . 2010-01-21 06:08 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-01-21 06:08 . 2010-01-21 06:08 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-01-21 06:08 . 2010-01-21 06:08 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-01-21 06:08 . 2010-01-21 06:08 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-01-21 06:08 . 2010-01-21 06:08 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-01-21 06:08 . 2010-01-21 06:08 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-01-21 02:22 . 2009-01-10 23:41 -------- d-----w- c:\program files\AVG
2010-01-20 22:38 . 2009-01-10 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-20 18:24 . 2010-01-18 06:56 5180 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-20 18:24 . 2010-01-18 06:56 66836 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-18 23:07 . 2007-05-14 04:31 -------- d-----w- c:\program files\CrossLoop
2009-12-31 06:24 . 2009-12-31 06:24 152576 ----a-w- c:\documents and settings\ADMIN\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-31 06:24 . 2009-12-31 06:24 79488 ----a-w- c:\documents and settings\ADMIN\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-21 19:14 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 22:18 . 2009-11-18 22:15 7803744 ------w- c:\documents and settings\All Users\Application Data\Sprint\Sprint SmartView\firmware\1\36\1250705635310\FlashCDMA_T598_01.12.02_00_sprint_015.003_000.exe
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
2006-05-05 00:42 . 2006-05-05 00:42 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-20 3084288]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2004-10-08 610304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-7 24576]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-11 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-11 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-12-05 04:43 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPLAYSVR.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [10/14/2009 9:18 PM 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/19/2007 3:41 PM 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\SYSTEM32\DRIVERS\klmouflt.sys [10/2/2009 7:39 PM 19472]
S1 7n91f7;7n91f7;\??\c:\windows\system32\drivers\7n91f7.sys --> c:\windows\system32\drivers\7n91f7.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\SYSTEM32\DRIVERS\tj2knd5.sys [8/8/2006 4:23 PM 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\SYSTEM32\DRIVERS\tj2kunic.sys [8/8/2006 4:23 PM 69680]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2005-04-26 c:\windows\Tasks\FRU Task 2002-06-11 17:56ewlett-Packard2002-06-11 17:56p psc 2100 series0873DBB30DAF953F7DCEA1BDCC4F78BFDB130745111789788.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-11 16:56]

2005-02-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2005-04-26 c:\windows\Tasks\WebReg 20050426163307.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2002-04-18 08:06]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://media.fastclick.net/w/safepop.cgi?cid=76010&mid=192467&sid=29791&c=45
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\u1qamcfa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SafeBoot-7n91f7
AddRemove-WeatherBug - c:\progra~1\AWS\WEATHE~1\REMOVE.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 16:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1852)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-02-05 16:42:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-05 21:42

Pre-Run: 17,351,110,656 bytes free
Post-Run: 18,707,345,408 bytes free

- - End Of File - - 9E8568B86D2911E21F5B6E2CACD95ECF



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:24 AM

Posted 05 February 2010 - 05:58 PM

Not sure what the 7n91f7.sys service is. It certainly looks malicious but I want to take a look.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please click here

Copy/paste the topic URL and then browse to this file:

CODE
c:\windows\system32\drivers\7n91f7.sys


Then click Send File.

Thanks

m0le is a proud member of UNITE
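The reason an entry such as `7n91f7` stands out in the Drivers/Services section above is a combination of traits rather than any single one: ComboFix could not read the file's details (the `[?]` marker), the driver was registered with a raw `\??\` object path, the name looks machine-generated, the display name is just the service name, and the start type is 1 (system start, i.e. it loads before most defences). The script below is an added example, not part of this thread and not ComboFix's or BleepingComputer's own code, that parses service lines in the format shown in the log and scores them on those traits. The sample lines are copied from the log above and embedded as constructed input; the reading of `[?]` as "file details could not be read, usually because the file is absent" and the `<R|S><start type> name;display;path` layout are assumptions about the format. It also shows why `[?]` alone is not conclusive: the stale `avg8emc` entry left behind by the uninstalled AVG gets the same marker but nothing else.

```python
from __future__ import annotations

import re

# Constructed sample input: Drivers/Services lines copied from the ComboFix log above.
# Assumed layout: <R|S><start type> <name>;<display name>;<image path> [date size | ?]
SAMPLE_SERVICE_LINES = r"""
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [10/14/2009 9:18 PM 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [9/14/2009 2:42 PM 32272]
S1 7n91f7;7n91f7;\??\c:\windows\system32\drivers\7n91f7.sys --> c:\windows\system32\drivers\7n91f7.sys [?]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\SYSTEM32\DRIVERS\tj2knd5.sys [8/8/2006 4:23 PM 17616]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$"
)

HARD, SOFT = "hard", "soft"  # hard = on its own a reason to look closer; soft = corroborating


def looks_random(name: str) -> bool:
    """Heuristic: half or more of the characters are digits (e.g. '7n91f7').
    Vendor names such as 'klim5' or 'tj2knd5' do not meet this bar."""
    digits = sum(ch.isdigit() for ch in name)
    return len(name) >= 5 and digits / len(name) >= 0.5


def parse_service_line(line: str) -> dict | None:
    """Split one service line into its fields, or None if it is not a service line."""
    m = SERVICE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_reasons(line: str) -> list[tuple[str, str]]:
    """Return (severity, reason) pairs describing the suspicious traits of one line."""
    entry = parse_service_line(line)
    if entry is None:
        return []
    path = entry["path"].rstrip()
    reasons: list[tuple[str, str]] = []
    if path.endswith("[?]"):  # assumption: '[?]' = file details unreadable, typically absent
        reasons.append((HARD, "image file details could not be read ('[?]')"))
    if path.startswith("\\??\\"):
        reasons.append((HARD, "registered with a raw NT object path (\\??\\...)"))
    if looks_random(entry["name"]):
        reasons.append((HARD, "service name looks machine-generated"))
    if entry["display"] == entry["name"]:
        reasons.append((SOFT, "display name is just the service name"))
    if entry["start"] in ("0", "1"):
        reasons.append((SOFT, "boot/system start type: loads before most defences"))
    return reasons


def suspicious_services(log_text: str) -> dict[str, list[str]]:
    """Map service name -> reasons for entries with at least one hard signal and
    two signals in total. A lone '[?]' (a stale entry from an uninstalled product,
    as with avg8emc above) is reported by triage_reasons() but not here."""
    flagged: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        reasons = triage_reasons(line)
        if any(sev == HARD for sev, _ in reasons) and len(reasons) >= 2:
            flagged[parse_service_line(line)["name"]] = [text for _, text in reasons]
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_SERVICE_LINES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only `7n91f7` is returned, with all five reasons; `avg8emc` carries a single hard signal and is left for manual review, and the legitimate boot-start Kaspersky and SUPERAntiSpyware drivers collect only soft signals. The thresholds are a starting point for reading a log, not a verdict: the thread resolves the question the right way, by uploading the file for analysis.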

#11 djo26

djo26
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 05 February 2010 - 08:07 PM

File submitted. I had to restore it from the Malwarebytes quarantine, though. It is still restored and I have not touched it besides the upload.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:24 AM

Posted 05 February 2010 - 09:31 PM

Yes, that's a trojan file which is still showing on the Combofix log. Let's make sure this has gone for good.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\drivers\7n91f7.sys

Driver::
7n91f7


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks
m0le is a proud member of UNITE

#13 djo26

djo26
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 06 February 2010 - 11:30 AM

Ran ComboFix again; it updated itself to the latest version. Here is the log:

ComboFix 10-02-05.04 - ADMIN 02/06/2010 10:52:51.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.448 [GMT -5:00]
Running from: c:\documents and settings\ADMIN\Desktop\comfix.exe
Command switches used :: c:\documents and settings\ADMIN\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\system32\drivers\7n91f7.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\7n91f7.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_7N91F7
-------\Service_7n91f7


((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-02-05 18:54 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 18:54 . 2010-02-05 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 18:54 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 21:02 . 2010-01-21 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-21 20:53 . 2010-01-21 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-21 20:53 . 2010-01-21 20:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-21 20:53 . 2010-01-21 20:53 -------- d-----w- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com
2010-01-21 20:52 . 2010-01-21 20:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-21 05:59 . 2010-01-21 05:59 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-21 05:59 . 2010-01-21 05:59 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-21 05:57 . 2010-02-06 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-21 05:57 . 2010-01-21 05:57 -------- d-----w- c:\program files\Kaspersky Lab
2010-01-21 00:58 . 2010-01-21 01:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-21 00:15 . 2010-01-21 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-21 00:15 . 2010-01-21 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-21 00:15 . 2010-01-21 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-20 20:18 . 2010-01-20 20:18 -------- d-----w- c:\program files\GnuWin32
2010-01-20 18:50 . 2010-01-20 18:50 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-20 18:50 . 2010-01-20 18:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-20 17:50 . 2010-01-20 17:50 -------- d-----w- c:\documents and settings\ADMIN\Application Data\vlc
2010-01-20 17:43 . 2010-01-20 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-20 15:38 . 2010-01-20 15:38 -------- d-sh--w- c:\documents and settings\ADMIN\IECompatCache
2010-01-20 06:13 . 2010-01-20 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-01-20 03:00 . 2010-01-20 03:00 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-20 02:57 . 2005-02-07 17:12 18328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 21:53 . 2010-01-19 21:31 67291088 ------w- C:\kav2010_9.0.0.736en.exe
2010-01-18 06:56 . 2010-01-20 18:24 44064 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-18 06:56 . 2010-01-20 18:24 4910112 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-17 22:17 . 2010-01-20 18:14 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-17 22:17 . 2010-01-20 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-17 22:17 . 2010-01-17 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-01-17 22:17 . 2010-01-17 22:17 -------- d-----w- c:\documents and settings\ADMIN\Local Settings\Application Data\Downloaded Installations
2010-01-17 01:55 . 2010-01-21 05:53 -------- d-----w- c:\documents and settings\ADMIN\Local Settings\Application Data\Temp
2010-01-17 01:47 . 2010-01-17 01:47 -------- d-sh--w- c:\documents and settings\ADMIN\PrivacIE
2010-01-17 01:23 . 2010-01-17 01:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-17 01:19 . 2010-01-17 01:19 -------- d-sh--w- c:\documents and settings\ADMIN\IETldCache
2010-01-17 01:13 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-17 01:13 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-17 01:13 . 2010-01-18 08:04 -------- d-----w- c:\windows\ie8updates
2010-01-17 01:12 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-17 01:07 . 2010-01-17 01:12 -------- dc-h--w- c:\windows\ie8
2010-01-16 23:17 . 2010-01-16 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\392AB
2010-01-15 04:36 . 2010-01-15 04:36 -------- d-----w- c:\documents and settings\ADMIN\Application Data\Malwarebytes
2010-01-15 04:36 . 2010-01-15 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-13 22:40 . 2010-01-15 20:59 -------- d-----w- C:\$AVG8.VAULT$
2010-01-13 21:24 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 03:00 . 2005-03-05 22:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 02:43 . 2005-02-07 16:53 -------- d-----w- c:\program files\Java
2010-01-21 21:02 . 2010-01-21 21:02 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-21 21:02 . 2010-01-21 21:02 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-21 20:54 . 2010-01-21 20:54 52224 ----a-w- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-21 20:54 . 2010-01-21 20:54 117760 ----a-w- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-21 06:08 . 2010-01-21 06:08 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-01-21 06:08 . 2010-01-21 06:08 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-01-21 06:08 . 2010-01-21 06:08 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-01-21 06:08 . 2010-01-21 06:08 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-01-21 06:08 . 2010-01-21 06:08 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-01-21 06:08 . 2010-01-21 06:08 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-01-21 02:22 . 2009-01-10 23:41 -------- d-----w- c:\program files\AVG
2010-01-20 22:38 . 2009-01-10 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-20 18:24 . 2010-01-18 06:56 5180 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-20 18:24 . 2010-01-18 06:56 66836 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-18 23:07 . 2007-05-14 04:31 -------- d-----w- c:\program files\CrossLoop
2009-12-31 06:24 . 2009-12-31 06:24 152576 ----a-w- c:\documents and settings\ADMIN\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-31 06:24 . 2009-12-31 06:24 79488 ----a-w- c:\documents and settings\ADMIN\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-21 19:14 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 22:18 . 2009-11-18 22:15 7803744 ------w- c:\documents and settings\All Users\Application Data\Sprint\Sprint SmartView\firmware\1\36\1250705635310\FlashCDMA_T598_01.12.02_00_sprint_015.003_000.exe
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
2006-05-05 00:42 . 2006-05-05 00:42 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-20 3084288]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2004-10-08 610304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-7 24576]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-11 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-11 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-12-05 04:43 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPLAYSVR.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [10/14/2009 9:18 PM 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/19/2007 3:41 PM 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\SYSTEM32\DRIVERS\klmouflt.sys [10/2/2009 7:39 PM 19472]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\SYSTEM32\DRIVERS\tj2knd5.sys [8/8/2006 4:23 PM 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\SYSTEM32\DRIVERS\tj2kunic.sys [8/8/2006 4:23 PM 69680]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2005-04-26 c:\windows\Tasks\FRU Task 2002-06-11 17:56ewlett-Packard2002-06-11 17:56p psc 2100 series0873DBB30DAF953F7DCEA1BDCC4F78BFDB130745111789788.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-11 16:56]

2005-02-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2005-04-26 c:\windows\Tasks\WebReg 20050426163307.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2002-04-18 08:06]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://media.fastclick.net/w/safepop.cgi?cid=76010&mid=192467&sid=29791&c=45
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\u1qamcfa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 11:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-02-06 11:11:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 16:11
ComboFix2.txt 2010-02-05 21:42

Pre-Run: 18,656,083,968 bytes free
Post-Run: 18,638,811,136 bytes free

- - End Of File - - E3EB2F0BB6D3F1E15EC024492247F4B8
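
The "DLLs Loaded Under Running Processes" section of the log above is where a malicious Winlogon notification package would appear next to the legitimate ones (SASWINLO.dll, G2AWinLogon.dll and LgNotify.dll here). The script below is an added example, not part of the original post and not code from ComboFix or any tool in this thread: it parses that section and flags every module loaded into winlogon.exe from outside the Windows directory. The sample input is copied from the log above; the regular expression for the process header line is an assumption based on that log's layout.

```python
"""Triage helper for the 'DLLs Loaded Under Running Processes' section of a
ComboFix log.

Added example; this is not code from the original post, from ComboFix or from
any tool mentioned in the thread. It parses the section into
{(process, pid): [module paths]} and flags modules loaded into winlogon.exe
from outside %SystemRoot%. Third-party Winlogon notification packages
(registered under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify)
run as SYSTEM at every logon, so an unfamiliar entry there deserves a look.
A flag is a prompt to check the file's vendor and signature, not proof of
infection: the three flagged modules in this thread's log belong to
SUPERAntiSpyware, GoToAssist and the Intel wireless client.
"""
import re
from collections import OrderedDict

# Sample input copied from the ComboFix log earlier in this thread (trimmed).
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
"""

SECTION_START = "DLLs Loaded Under Running Processes"
# Process header lines look like:  - - - - - - - > 'winlogon.exe'(580)
# (assumed from the log layout in this thread)
HEADER_RE = re.compile(r"^-[- ]*>\s*'(?P<proc>[^']+)'\((?P<pid>\d+)\)$")


def parse_dll_section(text):
    """Return {(process_name_lower, pid): [module path, ...]} in log order."""
    result = OrderedDict()
    in_section = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = SECTION_START in line
            continue
        # ComboFix ends the section with a lone '.' or the next dashed header.
        if line == "." or line.startswith("----"):
            break
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("proc").lower(), int(m.group("pid")))
            result[current] = []
        elif line and current is not None:
            result[current].append(line)
    return result


def non_system_modules(modules, system_root=r"c:\windows"):
    """Modules whose path is not under system_root (case-insensitive)."""
    root = system_root.lower().rstrip("\\") + "\\"
    return [m for m in modules if not m.lower().startswith(root)]


def winlogon_findings(text):
    """(pid, path) for every non-%SystemRoot% module loaded into winlogon.exe."""
    findings = []
    for (proc, pid), modules in parse_dll_section(text).items():
        if proc == "winlogon.exe":
            findings.extend((pid, m) for m in non_system_modules(modules))
    return findings


if __name__ == "__main__":
    for pid, path in winlogon_findings(SAMPLE_LOG):
        print("winlogon.exe(%d) loads non-system module: %s" % (pid, path))
```

Run as-is it lists the three third-party modules from this log, all legitimate on this machine; the point is that an unrecognised file in the same position is the one to check (vendor, digital signature, the Winlogon\Notify registry key) rather than assuming the rootkit scan's "hidden files: 0" settles it.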


#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 February 2010 - 09:12 PM

Nearly done with the cleaning. How is the PC acting now?


This below is an ESET online scan, it shouldn't find too much to worry about.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks
m0le is a proud member of UNITE

#15 djo26

  • Topic Starter
  • Members
  • 10 posts

Posted 06 February 2010 - 11:30 PM

The computer seems to be functioning normally. The browsers that were locking up seem to be working now. I have not tried to install or uninstall any programs since the start of this to verify if it worked. Below is the ESET log:


C:\Documents and Settings\ADMIN\Desktop\Rock Star\Desktop\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application deleted - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0007671.exe Win32/Adware.WBug.A application deleted - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\A0007672.EXE Win32/Adware.WBug.A application deleted - quarantined




