
Koobface/Virtumonde.sdn


This topic is locked
13 replies to this topic

#1 emjsky

  • Members
  • 7 posts

Posted 06 March 2010 - 06:34 PM

Hi, I'm new on here and am very glad to have found this site. My computer was infected a few days ago while on Facebook. I stupidly opened a link in an email sent from a friend. I suspected Koobface so I ran my antivirus Eset (latest updates) but it did not detect anything. I rebooted the machine but then could not get on the internet at all. I ran Spyware Doctor overnight but the computer was accidentally shut down so the only thing I could find was that it quarantined Virtumonde.sdn. I tried to get on the internet but Firefox and IE were being redirected to some bogus sites so basically hijacked. I ran TrendMicro stinger and got nothing. I loaded Kaspersky AV 2010 but didn't realize it was useless if I couldn't get on the internet but ran it anyway and got nothing. Installed Mbam w/updates and it did not detect Virtumonde.sdn or Koobface. I was tempted to run TDSS but wasn't sure if I should. So here are the DDS and GMER logs. Any assistance would be greatly appreciated. I'm at my wits' end with this one! many thx, Emie

DDS (Ver_09-12-01.01) - NTFSx86
Run by Emie at 10:32:54.71 on Sat 03/06/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.729 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\LeapFrog Connect\CommandService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k netsvc6
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\LeapFrog Connect\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Emie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/ig
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Monitor] "e:\program files\leapfrog connect\Monitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\docume~1\emie\startm~1\programs\startup\onenot~1.lnk - e:\program files\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238166102312
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\emie\applic~1\mozilla\firefox\profiles\v7fvxol1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\emie\application data\mozilla\firefox\profiles\v7fvxol1.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\emie\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\emie\application data\mozilla\firefox\profiles\v7fvxol1.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\emie\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\emie\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: e:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-3-29 40496]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-3-4 315408]
R1 o6ko;ML Display Class Docfile Intel;c:\windows\system32\drivers\o6ko.sys [2008-3-19 32768]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 srvoko6;Security List Class Service Secondary OpcEnum Fonts Control;c:\windows\system32\svchost.exe -k netsvc6 [2004-8-10 14336]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-3-15 34064]

=============== Created Last 30 ================

2010-03-05 18:57:44 0 d-----w- c:\program files\Runtime Software
2010-03-05 16:06:12 0 d-----w- c:\docume~1\emie\applic~1\Malwarebytes
2010-03-05 16:06:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:05:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-05 16:05:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 16:05:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 01:28:22 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-05 01:28:21 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-05 01:27:03 0 d-----w- c:\program files\Kaspersky Lab
2010-03-05 01:27:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-03-05 01:23:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-03-03 21:11:17 1 ----a-w- c:\windows\ligh
2010-02-27 19:03:33 0 d-----w- c:\program files\iPod
2010-02-27 19:03:24 0 d-----w- c:\program files\iTunes
2010-02-25 19:10:57 0 d-----w- c:\docume~1\emie\applic~1\LG Electronics
2010-02-25 19:09:32 0 d-----w- c:\program files\LG Outlook Sync
2010-02-16 19:50:47 0 d-----w- C:\epson

==================== Find3M ====================

2010-01-18 01:24:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-01-18 01:24:40 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-03-28 19:43:35 110116 ----a-w- c:\program files\adobe_gamma.zip
2009-03-27 17:10:24 1878888 ----a-w- c:\program files\install_flash_player.exe
2006-02-18 22:06:56 693528 ----a-w- c:\program files\DScaler5008.exe

============= FINISH: 10:33:37.65 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/27/2009 11:06:43 AM
System Uptime: 3/6/2010 8:59:25 AM (2 hours ago)

Motherboard: Dell Inc. | | 0WF351
Processor: Intel® Pentium® M processor 1.70GHz | Microprocessor | 1696/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 29 GiB total, 6.057 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 82 GiB total, 7.044 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\34B40D21384FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\34B40D21384FC000
Service: NIC1394

==== System Restore Points ===================

RP1: 3/4/2010 4:18:47 PM - System Checkpoint
RP2: 3/4/2010 5:41:19 PM - Removed ESET Smart Security
RP3: 3/4/2010 6:09:16 PM - Installed Kaspersky Anti-Virus 2010.
RP4: 3/4/2010 8:18:06 PM - Removed Kaspersky Anti-Virus 2010.
RP5: 3/4/2010 8:26:48 PM - Installed Kaspersky Anti-Virus 2010.
RP6: 3/5/2010 8:46:58 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Acrobat 8.1.6 - CPSID_49167
Adobe Acrobat 8.1.6 Professional
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Setup
Adobe Shockwave Player 11.5
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AiO_Scan
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom 440x 10/100 Integrated Controller
C-Major Audio
Conexant D110 MDC V.92 Modem
ConvertXtoDVD 3.8.0.193f
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell Resource CD
DriveImage XML (Private Edition)
DScaler 5 Mpeg Decoders
EASUS Partition Manager™ 2009 Express
EasyBCD 1.7.1
EPSON TWAIN 5
Garmin USB Drivers
GemMaster Mystic
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
iOpus Secure Email Attachments (SEA)
iPhone Configuration Utility
iPodRip
iTunes
Java Auto Updater
Java™ 6 Update 18
Junk Mail filter update
Kaspersky Anti-Virus 2010
LeapFrog Connect
LeapFrog My Pals Plugin
LG Outlook Sync
LG USB Modem driver
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows XP Video Decoder Checkup Utility
mIWA
mLogView
mMHouse
MobileMe Control Panel
Modem Helper
Move Media Player
Mozilla Firefox (3.6)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSVCRT
MSXML 6.0 Parser
mToolkit
mWlsSafe
mWMI
MyBudgetPlanner
mZConfig
Nero 6
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
Otto
PDF Settings
Picasa 3
QFolder
QuickTime
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Sonic Encoders
Spybot - Search & Destroy
System Requirements Lab
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wmdiper
TurboTax 2008 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
WebFldrs XP
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
winpcap-nmap 4.02
WinRAR archiver
Yahoo! BrowserPlus
Yahoo! Software Update

==== Event Viewer Messages From Past Week ========

3/5/2010 1:49:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
3/5/2010 1:48:19 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/4/2010 6:01:04 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/4/2010 4:35:43 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
3/4/2010 2:40:08 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
3/4/2010 10:52:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/4/2010 10:52:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec kl1 KLIF MRxSmb NetBIOS NetBT o6ko RasAcd Rdbss Tcpip
3/4/2010 10:52:40 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:52:40 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:52:40 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:52:40 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:52:40 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:52:40 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:52:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/4/2010 10:52:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/3/2010 9:40:00 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
3/3/2010 8:59:03 PM, error: Service Control Manager [7000] - The FLEXnet Licensing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/3/2010 8:59:01 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the FLEXnet Licensing Service service to connect.
3/3/2010 8:59:00 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/3/2010 8:59:00 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
3/3/2010 8:58:59 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
3/3/2010 8:57:47 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/3/2010 8:57:46 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
3/3/2010 7:10:14 PM, error: Service Control Manager [7031] - The Security List Class Service Secondary OpcEnum Fonts Control service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/3/2010 10:09:04 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-06 17:31:35
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Emie\LOCALS~1\Temp\uxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xA9CC85EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xA9CC8E6E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xA9CC9984]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xA9CC9EF6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xA9CC9150]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xA9CC7498]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xA9CC9DCE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xA9CC81F4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xA9CC9C8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xA9CC83B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xA9CCA028]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xA9CCBC6A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xA9CC8B0C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xA9CC9D2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xA9CCB65C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xA9CC7A5C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xA9CC7DEA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xA9CC95D8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xA9CCC62C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xA9CC7F2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xA9CC7FD6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xA9CC93E4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xA9CCB6EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xA9CC7474]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xA9CC7486]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xA9CCBD1E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xA9CC8122]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xA9CC9F98]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xA9CC8EF0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xA9CC763E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xA9CC9E66]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xA9CC87F4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xA9CCBC94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xA9CCA0CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xA9CC8718]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xA9CC8080]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xA9CC7CA8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xA9CCC036]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xA9CC78F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xA9CCB984]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xA9CC7B70]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xA9CC7312]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xA9CCA454]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xA9CCA31A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xA9CCB3FC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xA9CCEE8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xA9CCC50E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xA9CC72AA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xA9CC96BE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xA9CC8D2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xA9CCACAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xA9CCB7E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xA9CCC176]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xA9CC7780]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xA9CCC25A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xA9CCC382]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xA9CCB588]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xA9CC896C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xA9CC88C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xA9CCBEEC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xA9CC8A4C]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9FA0 5 Bytes JMP A9CBD572 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE87E 5 Bytes JMP A9CBD94C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2434 80501C6C 16 Bytes [B0, 83, CC, A9, 28, A0, CC, ...] {MOV AL, 0x83; INT 3 ; TEST EAX, 0xa9cca028; PUSH -0x44; INT 3 ; TEST EAX, 0xa9cc8b0c}
.text ntkrnlpa.exe!ZwCallbackReturn + 2470 80501CA8 8 Bytes JMP D8A9CC7D
.text ntkrnlpa.exe!ZwCallbackReturn + 24F0 80501D28 12 Bytes [EE, B6, CC, A9, 74, 74, CC, ...] {OUT DX, AL ; MOV DH, 0xcc; TEST EAX, 0xa9cc7474; XCHG [ESP+ECX*8-0x57], DH}
.text ntkrnlpa.exe!ZwCallbackReturn + 266C 80501EA4 16 Bytes [70, 7B, CC, A9, 12, 73, CC, ...] {JO 0x7d; INT 3 ; TEST EAX, 0xa9cc7312; PUSH ESP; MOVSB ; INT 3 ; TEST EAX, 0xa9cca31a}
.text ntkrnlpa.exe!ZwCallbackReturn + 2720 80501F58 4 Bytes CALL 20F9EC14
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1124] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [A97A3820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [A97A3820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip o6ko.sys (Updater Armor/Returnil SIA)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp o6ko.sys (Updater Armor/Returnil SIA)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp o6ko.sys (Updater Armor/Returnil SIA)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp o6ko.sys (Updater Armor/Returnil SIA)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


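Added example (not part of the original post, and not a GMER or BleepingComputer tool): a small triage script for the two log formats pasted above. It parses GMER "SSDT" and "AttachedDevice" lines, groups SSDT hooks by hooking module, flags any hooking or device-stack module whose vendor string is not on an allowlist, and cross-references the attached filters against the driver names in a Service Control Manager 7026 "failed to load" event. The allowlist `KNOWN_VENDORS` is an illustrative assumption, and the embedded `SAMPLE_GMER` / `SAMPLE_EVENT` strings are constructed excerpts in the same shape as the logs in the post, not a full scan.

```python
"""Triage helper for GMER / Event Viewer text as pasted in malware-removal
threads. Added example; not part of the original post or of GMER itself.
Assumption: KNOWN_VENDORS is an illustration; build the real allowlist from
what is legitimately installed on the machine under review."""
import re
from collections import defaultdict

# Constructed sample: a short excerpt in the same shape as a GMER log and a
# Service Control Manager 7026 event (not a full scan).
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xA9CC9150]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xA9CC87F4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xA9CC896C]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip o6ko.sys (Updater Armor/Returnil SIA)
AttachedDevice \Driver\Tcpip \Device\Tcp o6ko.sys (Updater Armor/Returnil SIA)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
"""

SAMPLE_EVENT = ("3/4/2010 10:52:40 PM, error: Service Control Manager [7026] - "
                "The following boot-start or system-start driver(s) failed to load: "
                "AFD Fips intelppm IPSec kl1 KLIF MRxSmb NetBIOS NetBT o6ko RasAcd Rdbss Tcpip")

# Illustrative allowlist (assumption) of vendors whose kernel hooks/filters are expected.
KNOWN_VENDORS = {"Kaspersky Lab", "Microsoft Corporation"}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>.*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$")
DEV_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)\s+\((?P<desc>.*)\)\s*$")
EVT_RE = re.compile(r"failed to load:\s*(?P<drivers>.+?)\s*$")


def _split_vendor(desc):
    """GMER prints '(description/vendor)'; the vendor is whatever follows the last slash."""
    text, _, vendor = desc.rpartition("/")
    return (text, vendor) if vendor else (desc, "")


def parse_gmer(text):
    """Return (SSDT hook records, AttachedDevice records) from GMER text output."""
    ssdt, attached = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            _, vendor = _split_vendor(m["desc"])
            ssdt.append({"module": m["module"], "func": m["func"],
                         "addr": int(m["addr"], 16), "vendor": vendor})
            continue
        m = DEV_RE.match(line)
        if m:
            _, vendor = _split_vendor(m["desc"])
            attached.append({"driver": m["driver"], "device": m["device"],
                             "module": m["module"], "vendor": vendor})
    return ssdt, attached


def hooks_by_module(ssdt):
    """Map each hooking module to the sorted list of Zw* services it hooks."""
    out = defaultdict(set)
    for rec in ssdt:
        out[rec["module"]].add(rec["func"])
    return {mod: sorted(funcs) for mod, funcs in out.items()}


def modules_to_review(ssdt, attached, known=KNOWN_VENDORS):
    """Modules hooking the SSDT or sitting on a device stack whose vendor string is
    not allowlisted. The vendor string is only a claim the file makes about itself,
    so a hit here means 'verify the signature and origin', not 'malicious'."""
    found = {}
    for rec in ssdt:
        if rec["vendor"] not in known:
            found.setdefault(rec["module"], set()).add("SSDT")
    for rec in attached:
        if rec["vendor"] not in known:
            found.setdefault(rec["module"], set()).add(rec["device"])
    return {mod: sorted(where) for mod, where in found.items()}


def failed_boot_drivers(event_line):
    """Driver names listed in a Service Control Manager 7026 event."""
    m = EVT_RE.search(event_line)
    return m["drivers"].split() if m else []


def filters_that_failed(attached, failed):
    """Attached-device filters that also failed to load at boot. The whole TCP/IP
    stack failing together with a third-party filter on it is consistent with
    'no network at all' after reboot."""
    failed_lc = {name.lower() for name in failed}
    return sorted({rec["module"] for rec in attached
                   if rec["module"].lower().rsplit(".", 1)[0] in failed_lc})


if __name__ == "__main__":
    ssdt, attached = parse_gmer(SAMPLE_GMER)
    for mod, funcs in hooks_by_module(ssdt).items():
        print(f"{mod}: {len(funcs)} SSDT hooks")
    print("review:", modules_to_review(ssdt, attached))
    print("filters that failed at boot:",
          filters_that_failed(attached, failed_boot_drivers(SAMPLE_EVENT)))
```

Paste a full GMER log into `parse_gmer` and the 7026 line into `failed_boot_drivers` to get the same summary for a real scan; the output is a review list, and each flagged driver still needs its on-disk file checked (Authenticode signature, path, creation time) before anything is removed.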
#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:33 PM

Posted 06 March 2010 - 06:41 PM

Hello and welcome to BleepingComputer.

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I
would appreciate it if you would let me know so I can close this topic.


Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.





  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.



#3 emjsky

emjsky
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:33 PM

Posted 07 March 2010 - 10:39 AM

Thank you for the quick response. Here is the Combofix report:

ComboFix 10-03-04.05 - Emie 03/07/2010 10:15:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.734 [GMT -5:00]
Running from: c:\documents and settings\Emie\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Emie\Application Data\inst.exe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\ligh
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SRVOKO6
-------\Service_srvoko6


((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-05 19:54 . 2010-03-05 19:54 -------- d-----w- c:\documents and settings\Emie\Application Data\Ahead
2010-03-05 18:57 . 2010-03-05 18:57 -------- d-----w- c:\program files\Runtime Software
2010-03-05 16:06 . 2010-03-05 16:06 -------- d-----w- c:\documents and settings\Emie\Application Data\Malwarebytes
2010-03-05 16:06 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:05 . 2010-03-05 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-05 16:05 . 2010-03-05 16:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 16:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 01:28 . 2010-03-05 01:28 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-05 01:28 . 2010-03-05 01:28 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-05 01:27 . 2010-03-07 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-05 01:27 . 2010-03-05 01:27 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-05 01:23 . 2010-03-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-03-04 21:21 . 2010-03-04 21:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-03 23:32 . 2010-03-03 23:32 -------- d-----w- c:\documents and settings\Emie\Local Settings\Application Data\ESET
2010-02-27 19:03 . 2010-02-27 19:03 -------- d-----w- c:\program files\iPod
2010-02-27 19:03 . 2010-02-27 19:04 -------- d-----w- c:\program files\iTunes
2010-02-25 19:10 . 2010-02-25 19:10 -------- d-----w- c:\documents and settings\Emie\Application Data\LG Electronics
2010-02-25 19:09 . 2010-02-25 19:09 -------- d-----w- c:\program files\LG Outlook Sync
2010-02-16 19:57 . 2010-02-16 19:57 -------- d-----w- c:\documents and settings\Emie\Application Data\EPSON
2010-02-16 19:50 . 2010-02-16 19:50 -------- d-----w- C:\epson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 14:16 . 2009-05-08 20:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-04 04:44 . 2009-11-05 21:51 -------- d-----w- c:\documents and settings\Emie\Application Data\Vso
2010-03-04 03:23 . 2009-06-09 18:01 -------- d-----w- c:\documents and settings\Emie\Application Data\uTorrent
2010-03-03 22:45 . 2009-07-22 15:06 -------- d-----w- c:\program files\Yahoo!
2010-03-03 21:16 . 2009-06-09 18:01 -------- d-----w- c:\program files\uTorrent
2010-02-27 19:03 . 2009-05-02 13:14 -------- d-----w- c:\program files\Common Files\Apple
2010-02-27 18:39 . 2010-02-27 18:39 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-25 19:09 . 2010-02-25 19:09 766 ----a-r- c:\documents and settings\Emie\Application Data\Microsoft\Installer\{3E54A849-D29D-4105-9184-C07219055007}\NewShortcut3_ED5A8C011A3E4EAFA614157F455BF6BE.exe
2010-02-25 19:09 . 2010-02-25 19:09 68790 ----a-r- c:\documents and settings\Emie\Application Data\Microsoft\Installer\{3E54A849-D29D-4105-9184-C07219055007}\NewShortcut2_ED5A8C011A3E4EAFA614157F455BF6BE_1.exe
2010-02-25 19:09 . 2010-02-25 19:09 40960 ----a-r- c:\documents and settings\Emie\Application Data\Microsoft\Installer\{3E54A849-D29D-4105-9184-C07219055007}\ARPPRODUCTICON.exe
2010-02-25 19:00 . 2009-03-29 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-16 19:51 . 2009-03-27 14:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-28 13:51 . 2010-01-28 13:51 503808 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e35e35f-n\msvcp71.dll
2010-01-28 13:51 . 2010-01-28 13:51 499712 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e35e35f-n\jmc.dll
2010-01-28 13:51 . 2010-01-28 13:51 348160 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e35e35f-n\msvcr71.dll
2010-01-28 13:51 . 2010-01-28 13:51 -------- d-----w- c:\program files\Common Files\Java
2010-01-28 13:50 . 2010-01-28 13:50 61440 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4fc53a4f-n\decora-sse.dll
2010-01-28 13:50 . 2010-01-28 13:50 12800 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4fc53a4f-n\decora-d3d.dll
2010-01-28 13:50 . 2009-04-21 02:01 -------- d-----w- c:\program files\Java
2010-01-23 00:05 . 2009-03-28 20:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 01:24 . 2010-01-18 01:24 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-01-18 01:24 . 2010-01-18 01:24 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-01-06 17:08 . 2010-01-14 19:57 4726272 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-06 17:08 . 2010-01-14 19:57 103424 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-01-06 17:08 . 2010-01-14 19:57 57856 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-06 17:08 . 2010-01-14 19:57 545280 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-06 17:08 . 2010-01-14 19:57 4725760 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-06 17:08 . 2010-01-14 19:57 344064 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-06 17:08 . 2010-01-14 19:57 153600 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-05 10:00 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-10 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 17:56 . 2009-12-26 17:56 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-26 17:55 . 2009-12-26 17:55 3106632 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\MyPalsPlugin.exe
2009-12-17 22:14 . 2009-04-21 02:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2009-03-27 14:54 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2004-08-10 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2005-03-30 01:23 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-03-30 01:01 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-03-28 19:43 . 2009-03-28 19:43 110116 ----a-w- c:\program files\adobe_gamma.zip
2009-03-27 17:10 . 2009-03-27 17:10 1878888 ----a-w- c:\program files\install_flash_player.exe
2006-02-18 22:06 . 2009-05-10 01:44 693528 ----a-w- c:\program files\DScaler5008.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-26 1867776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Monitor"="e:\program files\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\Emie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"e:\\Program Files\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"8085:TCP"= 8085:TCP:GateOKO
"4:TCP"= 4:TCP:Verizon

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [3/29/2009 2:22 PM 40496]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R1 o6ko;ML Display Class Docfile Intel;c:\windows\system32\drivers\o6ko.sys [3/19/2008 9:40 PM 32768]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 3:13 PM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc6 REG_MULTI_SZ srvoko6
.
Contents of the 'Scheduled Tasks' folder

2010-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-07 c:\windows\Tasks\User_Feed_Synchronization-{66A1A1B5-AA2E-434E-B10F-F29F4792BF36}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\Office12\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Emie\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Emie\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Emie\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: e:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 10:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3936)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
e:\program files\LeapFrog Connect\CommandService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-07 10:34:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 15:34

Pre-Run: 5,420,163,072 bytes free
Post-Run: 9,281,323,008 bytes free

- - End Of File - - 4946317958EE17A9526B84658B0B129D


#4 syler (Malware Response Team)

Posted 07 March 2010 - 10:53 AM

Hi,

Can you tell me, did you have problems installing the recovery console, or did you just not bother? Also can you give me an update of what problems you are currently having?

Thanks



#5 emjsky (Topic Starter)

Posted 07 March 2010 - 12:50 PM

I couldn't load the Recovery Console via download, but I have my WinXP SP2 CD that came with my computer. The CD instructions just stated to boot the computer with the CD if I needed the Recovery Console.

I attempted to get on the internet and was able to download the Kaspersky update. Kaspersky detected C:/Windows/system32/drivers/06k0.sys as a trojan. Now both my Firefox browser and IE browser are not working. I get an error message saying "C:\Program Files\Internet Explorer\iexplore.exe is not a valid Win 32 application" (same with Firefox). Otherwise the computer seems to be working okay. Thanks

#6 syler (Malware Response Team)

Posted 07 March 2010 - 01:17 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"netsvc6"=-
Driver::
o6ko


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

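An added example, not ComboFix's code and not part of syler's post, that shows mechanically what the script above does: it parses the "Reg Loading Points" section of a ComboFix log in the format seen earlier in this thread, flags the non-default svchost group entry and the early-start driver with a generated-looking name, and drafts the same two-part CFScript. The only input format assumed is the one visible in the logs here; ComboFix itself notes that "legit default entries are not shown", so any svchost group it prints is already worth a look. The Windows XP svchost group allowlist and the "short name mixing letters and digits" driver heuristic are assumptions of this example, not a ComboFix rule, and the sample input is an excerpt of the first log posted above.

```python
import re

# Constructed excerpt of the first ComboFix log in this thread (same lines, trimmed).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:GateOKO
"4:TCP"= 4:TCP:Verizon

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [3/29/2009 2:22 PM 40496]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R1 o6ko;ML Display Class Docfile Intel;c:\windows\system32\drivers\o6ko.sys [3/19/2008 9:40 PM 32768]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 3:13 PM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc6 REG_MULTI_SZ srvoko6
.
Contents of the 'Scheduled Tasks' folder
"""

# One ComboFix service line: "<start> <name>;<display name>;<path> [<date> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
SVCHOST_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]"

# Assumption of this example: the svchost groups Windows XP ships with.  ComboFix
# hides "legit default entries" anyway, so on its logs anything printed is of interest.
DEFAULT_XP_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "imgsvc", "termsvcs", "httpfilter",
}


def parse_loading_points(log_text):
    """Return the service lines and svchost group entries found in a ComboFix log."""
    services, svchost_groups = [], []
    in_svchost = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # blank line or "." closes a registry block
            in_svchost = False
            continue
        if line.startswith("["):          # registry key header
            in_svchost = line.lower() == SVCHOST_KEY.lower()
            continue
        if in_svchost:                    # "<group> REG_MULTI_SZ <service ...>"
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[1] == "REG_MULTI_SZ":
                svchost_groups.append((parts[0], parts[2].split()))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
    return {"services": services, "svchost_groups": svchost_groups}


def _looks_generated(name):
    # Heuristic (an assumption of this example): short names mixing letters and
    # digits, like o6ko, are typical of generated service names; klbg and hotcore3 are not.
    return len(name) <= 5 and any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def find_suspicious(parsed):
    """Flag non-default svchost groups and early-start drivers with generated-looking names."""
    findings = []
    for group, members in parsed["svchost_groups"]:
        if group.lower() not in DEFAULT_XP_SVCHOST_GROUPS:
            findings.append({"kind": "svchost_group", "name": group, "members": members})
    for svc in parsed["services"]:
        if svc["start"] in ("R0", "R1") and _looks_generated(svc["name"]):
            findings.append({"kind": "driver", "name": svc["name"], "path": svc["path"]})
    return findings


def build_cfscript(findings):
    """Draft a CFScript in the two-part form used in this thread."""
    reg_lines = ['"%s"=-' % f["name"] for f in findings if f["kind"] == "svchost_group"]
    drivers = [f["name"] for f in findings if f["kind"] == "driver"]
    out = []
    if reg_lines:
        out.append(SVCHOST_KEY)           # REGEDIT4 syntax: "name"=- deletes the value
        out.extend(reg_lines)
    if drivers:
        out.append("Driver::")            # ComboFix directive, one service name per line
        out.extend(drivers)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_suspicious(parse_loading_points(SAMPLE_LOG))), end="")
```

Run on the excerpt, it prints the same four lines syler posted: the REGEDIT4 form "netsvc6"=- deletes the rogue svchost group value, and the Driver:: directive names the o6ko service that Kaspersky had already flagged. Treat the output as a draft for a helper to review rather than something to run unattended, since ComboFix removes whatever the script names.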


#7 emjsky (Topic Starter)

Posted 07 March 2010 - 02:34 PM

I got the Recovery Console loaded this time. Here is the log:

ComboFix 10-03-04.05 - Emie 03/07/2010 14:03:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.782 [GMT -5:00]
Running from: c:\documents and settings\Emie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Emie\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_O6KO
-------\Service_o6ko


((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-07 18:12 . 2010-03-07 18:12 -------- d-----w- c:\documents and settings\Administrator.LAPTOP
2010-03-07 17:17 . 2010-03-07 17:17 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-07 17:17 . 2010-03-07 17:17 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-03-07 17:17 . 2010-03-07 17:17 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-07 17:17 . 2010-03-07 17:17 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-07 17:17 . 2010-03-07 17:17 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-07 17:17 . 2010-03-07 17:17 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-03-05 19:54 . 2010-03-05 19:54 -------- d-----w- c:\documents and settings\Emie\Application Data\Ahead
2010-03-05 18:57 . 2010-03-05 18:57 -------- d-----w- c:\program files\Runtime Software
2010-03-05 16:06 . 2010-03-05 16:06 -------- d-----w- c:\documents and settings\Emie\Application Data\Malwarebytes
2010-03-05 16:06 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:05 . 2010-03-05 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-05 16:05 . 2010-03-05 16:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 16:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 01:28 . 2010-03-05 01:28 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-05 01:28 . 2010-03-05 01:28 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-05 01:27 . 2010-03-07 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-05 01:27 . 2010-03-05 01:27 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-05 01:23 . 2010-03-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-03-04 21:21 . 2010-03-04 21:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-03 23:32 . 2010-03-03 23:32 -------- d-----w- c:\documents and settings\Emie\Local Settings\Application Data\ESET
2010-02-27 19:03 . 2010-02-27 19:03 -------- d-----w- c:\program files\iPod
2010-02-27 19:03 . 2010-02-27 19:04 -------- d-----w- c:\program files\iTunes
2010-02-27 18:39 . 2010-02-27 18:39 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-25 19:10 . 2010-02-25 19:10 -------- d-----w- c:\documents and settings\Emie\Application Data\LG Electronics
2010-02-25 19:09 . 2010-02-25 19:09 766 ----a-r- c:\documents and settings\Emie\Application Data\Microsoft\Installer\{3E54A849-D29D-4105-9184-C07219055007}\NewShortcut3_ED5A8C011A3E4EAFA614157F455BF6BE.exe
2010-02-25 19:09 . 2010-02-25 19:09 68790 ----a-r- c:\documents and settings\Emie\Application Data\Microsoft\Installer\{3E54A849-D29D-4105-9184-C07219055007}\NewShortcut2_ED5A8C011A3E4EAFA614157F455BF6BE_1.exe
2010-02-25 19:09 . 2010-02-25 19:09 40960 ----a-r- c:\documents and settings\Emie\Application Data\Microsoft\Installer\{3E54A849-D29D-4105-9184-C07219055007}\ARPPRODUCTICON.exe
2010-02-25 19:09 . 2010-02-25 19:09 -------- d-----w- c:\program files\LG Outlook Sync
2010-02-16 19:57 . 2010-02-16 19:57 -------- d-----w- c:\documents and settings\Emie\Application Data\EPSON
2010-02-16 19:50 . 2010-02-16 19:50 -------- d-----w- C:\epson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 14:16 . 2009-05-08 20:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-04 04:44 . 2009-11-05 21:51 -------- d-----w- c:\documents and settings\Emie\Application Data\Vso
2010-03-04 03:23 . 2009-06-09 18:01 -------- d-----w- c:\documents and settings\Emie\Application Data\uTorrent
2010-03-03 22:45 . 2009-07-22 15:06 -------- d-----w- c:\program files\Yahoo!
2010-03-03 21:16 . 2009-06-09 18:01 -------- d-----w- c:\program files\uTorrent
2010-02-27 19:03 . 2009-05-02 13:14 -------- d-----w- c:\program files\Common Files\Apple
2010-02-25 19:00 . 2009-03-29 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-16 19:51 . 2009-03-27 14:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-28 13:51 . 2010-01-28 13:51 503808 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e35e35f-n\msvcp71.dll
2010-01-28 13:51 . 2010-01-28 13:51 499712 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e35e35f-n\jmc.dll
2010-01-28 13:51 . 2010-01-28 13:51 348160 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e35e35f-n\msvcr71.dll
2010-01-28 13:51 . 2010-01-28 13:51 -------- d-----w- c:\program files\Common Files\Java
2010-01-28 13:50 . 2010-01-28 13:50 61440 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4fc53a4f-n\decora-sse.dll
2010-01-28 13:50 . 2010-01-28 13:50 12800 ----a-w- c:\documents and settings\Emie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4fc53a4f-n\decora-d3d.dll
2010-01-28 13:50 . 2009-04-21 02:01 -------- d-----w- c:\program files\Java
2010-01-23 00:05 . 2009-03-28 20:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 01:24 . 2010-01-18 01:24 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-01-18 01:24 . 2010-01-18 01:24 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-01-06 17:08 . 2010-01-14 19:57 4726272 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-06 17:08 . 2010-01-14 19:57 103424 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-01-06 17:08 . 2010-01-14 19:57 57856 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-06 17:08 . 2010-01-14 19:57 545280 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-06 17:08 . 2010-01-14 19:57 4725760 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-06 17:08 . 2010-01-14 19:57 344064 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-06 17:08 . 2010-01-14 19:57 153600 ----a-w- c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-10 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 17:56 . 2009-12-26 17:56 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-26 17:55 . 2009-12-26 17:55 3106632 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\MyPalsPlugin.exe
2009-12-17 22:14 . 2009-04-21 02:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2009-03-27 14:54 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2004-08-10 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2005-03-30 01:23 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-03-30 01:01 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-03-28 19:43 . 2009-03-28 19:43 110116 ----a-w- c:\program files\adobe_gamma.zip
2009-03-27 17:10 . 2009-03-27 17:10 1878888 ----a-w- c:\program files\install_flash_player.exe
2006-02-18 22:06 . 2009-05-10 01:44 693528 ----a-w- c:\program files\DScaler5008.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-26 1867776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Monitor"="e:\program files\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\Emie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"e:\\Program Files\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"8085:TCP"= 8085:TCP:GateOKO
"4:TCP"= 4:TCP:Verizon

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [3/29/2009 2:22 PM 40496]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 3:13 PM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc6 REG_MULTI_SZ srvoko6
.
Contents of the 'Scheduled Tasks' folder

2010-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-07 c:\windows\Tasks\User_Feed_Synchronization-{66A1A1B5-AA2E-434E-B10F-F29F4792BF36}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\Office12\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Emie\Application Data\Mozilla\Firefox\Profiles\v7fvxol1.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 14:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3364)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
e:\program files\LeapFrog Connect\CommandService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-07 14:28:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 19:23
ComboFix2.txt 2010-03-07 15:34

Pre-Run: 9,050,365,952 bytes free
Post-Run: 9,012,670,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT

- - End Of File - - 430522390621FE17FC49B07986648343


#8 syler

  • Malware Response Team
  • Location:Warrington, UK

Posted 07 March 2010 - 03:03 PM

Seems to be a stubborn entry, let's see why it's not gone.
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /k reg export "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost" log.txt& start log.txt
  • A file log.txt should pop up; please post the contents in your reply.


Then run a quick MBAM scan and post both logs. Also please let me know if you are still getting the IE and FF error.



#9 emjsky
  • Topic Starter
  • Members

Posted 07 March 2010 - 05:44 PM

I did not get the IE or Firefox errors, although the internet seemed to be running a little slow. However, Mbam caught the malware in system restore files. Here are the logs. thx

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
00,00,00,00,00
"LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
"NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
00,00
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,\
00,76,00,63,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,4d,00,\
48,00,4e,00,00,00,42,00,49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,\
00,65,00,72,00,76,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,\
65,00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,68,00,65,00,6c,00,70,\
00,73,00,76,00,63,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,4e,00,\
00,00,6e,00,61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,68,00,6b,00,6d,\
00,73,00,76,00,63,00,00,00,00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
"termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
65,00,00,00,00,00
"eapsvcs"=hex(7):65,00,61,00,70,00,68,00,6f,00,73,00,74,00,00,00,00,00
"dot3svc"=hex(7):64,00,6f,00,74,00,33,00,73,00,76,00,63,00,00,00,00,00
"WudfServiceGroup"=hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,\
00
"netsvc6"=hex(7):73,00,72,00,76,00,6f,00,6b,00,6f,00,36,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00002000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00003020

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth]
"CoInitializeSecurityParam"=dword:00000002
"AuthenticationCapabilities"=dword:00000040

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008

------------------------END FILE--------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.44
Database version: 3740
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/7/2010 5:14:15 PM
mbam-log-2010-03-07 (17-14-06).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 327408
Time elapsed: 1 hour(s), 27 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\System Volume Information\_restore{953E6436-562D-47CD-90DA-D5DD589F5DBA}\RP5\A0004783.exe (Backdoor.Bot) -> No action taken.
E:\System Volume Information\_restore{953E6436-562D-47CD-90DA-D5DD589F5DBA}\RP5\A0004784.exe (Trojan.Downloader) -> No action taken.

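The export above is what `reg export` writes: each svchost group is a REG_MULTI_SZ stored as hex(7), a comma-separated run of UTF-16LE bytes with backslash line continuations, which is hard to read by eye. As an added example (not a tool from this thread or from BleepingComputer), the Python below decodes those values back into the service list behind each group and flags any group name outside a baseline; the baseline and the embedded sample are constructed from the export posted above, not from an official Microsoft list.

```python
"""Decode the svchost group list from a `reg export` (.reg) file and flag
groups that are not in a known baseline.

Added example for this thread, not a tool from the thread or BleepingComputer.
`reg export` writes REG_MULTI_SZ values as hex(7): comma-separated UTF-16LE
bytes, with a trailing backslash continuing the value on the next line.
"""
import re
import sys

SVCHOST_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]"

# Baseline: the group names present in this thread's export apart from the one
# the helper removed. Constructed from the posted log, not an official list.
BASELINE_GROUPS = {
    "HTTPFilter", "LocalService", "NetworkService", "netsvcs", "DcomLaunch",
    "rpcss", "imgsvc", "termsvcs", "eapsvcs", "dot3svc", "WudfServiceGroup",
}

# Constructed sample: a trimmed copy of the export posted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
  00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
  00,00,00,00
"netsvc6"=hex(7):73,00,72,00,76,00,6f,00,6b,00,6f,00,36,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001
'''


def _logical_lines(text):
    """Join backslash-continued lines into single logical lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def decode_multi_sz(hex_field):
    """Turn '52,00,70,00,...' into the list of strings it encodes."""
    raw = bytes(int(b, 16) for b in hex_field.split(",") if b.strip())
    # REG_MULTI_SZ: NUL-separated UTF-16LE strings, terminated by an empty one.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_svchost_groups(reg_text):
    """Return {group: [service, ...]} for the svchost key itself (not subkeys)."""
    groups, in_key = {}, False
    for line in _logical_lines(reg_text):
        if line.startswith("["):
            in_key = line.lower() == SVCHOST_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"=hex\(7\):(.*)$', line) if in_key else None
        if m:
            groups[m.group(1)] = decode_multi_sz(m.group(2))
    return groups


def suspicious_groups(groups, baseline=BASELINE_GROUPS):
    """Groups whose name is not in the baseline, e.g. a dropped-in group that
    exists only to host one unknown service under svchost.exe."""
    known = {g.lower() for g in baseline}
    return {g: svcs for g, svcs in groups.items() if g.lower() not in known}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # `reg export` writes UTF-16 with a BOM; the utf-16 codec handles it.
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG
    groups = parse_svchost_groups(text)
    for name, svcs in groups.items():
        print(f"{name}: {', '.join(svcs)}")
    for name, svcs in suspicious_groups(groups).items():
        print(f"NOT IN BASELINE: {name} -> {svcs}")
```

Run against the full export and the only group outside the baseline is netsvc6, which decodes to the single service srvoko6.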

#10 syler

  • Malware Response Team
  • Location:Warrington, UK

Posted 07 March 2010 - 06:07 PM

That's looking better; we just need to remove this stubborn entry and do a final check, then we should be done.

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the icon on your desktop.
  • Paste the following code under the area. Do not include the word "Code".
    CODE
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "netsvc6"=-
    :Commands
    [Purity]
    [EmptyTemp]
  • Push the large button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE, you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • OTM results
  • ESET report
  • New DDS log

Thanks



#11 emjsky
  • Topic Starter
  • Members

Posted 07 March 2010 - 08:49 PM

All processes killed
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\netsvc6 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1175715840 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Administrator.LAPTOP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Emie
->Temp folder emptied: 296420 bytes
->Temporary Internet Files folder emptied: 138051726 bytes
->Java cache emptied: 36824635 bytes
->FireFox cache emptied: 48956253 bytes
->Flash cache emptied: 109833 bytes

User: Joseph
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 157915 bytes
->Java cache emptied: 43803853 bytes
->FireFox cache emptied: 53059254 bytes
->Flash cache emptied: 10651 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1422338 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1166 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,429.00 mb


OTM by OldTimer - Version 3.1.10.0 log created on 03072010_184727

Files moved on Reboot...
C:\Documents and Settings\Emie\Local Settings\Temporary Internet Files\Content.IE5\3PO75UN6\iframe[1].htm moved successfully.
C:\Documents and Settings\Emie\Local Settings\Temporary Internet Files\Content.IE5\3PO75UN6\iframe[2].htm moved successfully.
C:\Documents and Settings\Emie\Local Settings\Temporary Internet Files\Content.IE5\3PO75UN6\iframe[3].htm moved successfully.
C:\Documents and Settings\Emie\Local Settings\Temporary Internet Files\Content.IE5\3PO75UN6\iframe[4].htm moved successfully.
C:\Documents and Settings\Emie\Local Settings\Temporary Internet Files\Content.IE5\3PO75UN6\topic300796[1].htm moved successfully.
C:\Documents and Settings\Emie\Local Settings\Temporary Internet Files\Content.IE5\2XKNUBPL\iframe[1].htm moved successfully.
C:\Documents and Settings\Emie\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...
-------------------------------------------------------------------

ESET REPORT:

C:\WINDOWS\system32\o6ko.dll Win32/Tinxy.AZ trojan cleaned by deleting - quarantined

-----------------------------------------------------------------------


DDS (Ver_09-12-01.01) - NTFSx86
Run by Emie at 20:41:00.71 on Sun 03/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.730 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\LeapFrog Connect\CommandService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\LeapFrog Connect\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Emie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Monitor] "e:\program files\leapfrog connect\Monitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\docume~1\emie\startm~1\programs\startup\onenot~1.lnk - e:\program files\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238166102312
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\emie\applic~1\mozilla\firefox\profiles\v7fvxol1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\emie\application data\mozilla\firefox\profiles\v7fvxol1.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\emie\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\emie\application data\mozilla\firefox\profiles\v7fvxol1.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\emie\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\emie\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: e:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-3-29 40496]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-3-4 315408]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-3-15 34064]

=============== Created Last 30 ================

2010-03-07 23:47:27 0 d-----w- C:\_OTM
2010-03-07 19:02:03 0 d-sha-r- C:\cmdcons
2010-03-07 14:51:45 98816 ----a-w- c:\windows\sed.exe
2010-03-07 14:51:45 77312 ----a-w- c:\windows\MBR.exe
2010-03-07 14:51:45 261632 ----a-w- c:\windows\PEV.exe
2010-03-07 14:51:45 161792 ----a-w- c:\windows\SWREG.exe
2010-03-05 18:57:44 0 d-----w- c:\program files\Runtime Software
2010-03-05 16:06:12 0 d-----w- c:\docume~1\emie\applic~1\Malwarebytes
2010-03-05 16:06:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:05:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-05 16:05:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 16:05:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 01:28:22 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-05 01:28:21 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-05 01:27:03 0 d-----w- c:\program files\Kaspersky Lab
2010-03-05 01:27:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-03-05 01:23:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-02-27 19:03:33 0 d-----w- c:\program files\iPod
2010-02-27 19:03:24 0 d-----w- c:\program files\iTunes
2010-02-25 19:10:57 0 d-----w- c:\docume~1\emie\applic~1\LG Electronics
2010-02-25 19:09:32 0 d-----w- c:\program files\LG Outlook Sync
2010-02-16 19:50:47 0 d-----w- C:\epson

==================== Find3M ====================

2010-01-18 01:24:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-01-18 01:24:40 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-03-28 19:43:35 110116 ----a-w- c:\program files\adobe_gamma.zip
2009-03-27 17:10:24 1878888 ----a-w- c:\program files\install_flash_player.exe
2006-02-18 22:06:56 693528 ----a-w- c:\program files\DScaler5008.exe

============= FINISH: 20:41:59.73 ===============






#12 syler (Malware Response Team, Warrington, UK)

Posted 07 March 2010 - 08:56 PM

Your logs look fine to me now.

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.



Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this, click on Start >> Control Panel >> Automatic Updates and click Automatic (recommended), then Apply and OK.

Update your AntiVirus Software
It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I cannot stress how important it is that you use a third-party firewall on your computer. Without a firewall your computer is
susceptible to being hacked and taken over. Windows Firewall is good for blocking inbound connections but it does not block
outbound connections. So if malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would recommend; only install one of these.

Zone Alarm
Comodo (Note: only install the firewall as a standalone if you already have an antivirus installed on your computer.)

After you install the third-party firewall, please disable your Windows Firewall. Please go to My Computer >> Control Panel >> Windows Firewall
and choose the Off (not recommended) option. Then click Apply and OK.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use the MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd-party cookies,
3rd-party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download it and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler
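The post above recommends a protective hosts file, and the thread itself started with Firefox and IE being redirected to bogus sites. Both cases live in the same file (on Windows, %SystemRoot%\system32\drivers\etc\hosts), and on disk a hijack entry and a blocking entry look identical: an address followed by a name. What separates them is which names are mapped and where they point. The script below is an added example, not code from the thread or from MVPS: it parses a hosts file, treats mappings to a sinkhole address (0.0.0.0, 127.0.0.1, ::1) for ordinary ad or malware hosts as MVPS-style blocking, flags any entry at all for a watch-list of vendor, update and search domains as a hijack (pointing an AV vendor at 127.0.0.1 blocks cleanup just as surely as pointing Google at an attacker's IP), and reports other non-sinkhole mappings for manual review. The watch-list, the sample hosts file and the hostnames in it are constructed for the example.

```python
"""Audit a hosts file: MVPS-style blocking entries vs. redirector/hijack entries.

Added example, not part of the original thread. The PROTECTED_SUFFIXES list
and SAMPLE_HOSTS below are constructed for illustration.
"""
import ipaddress
import os

# Addresses a legitimate blocking hosts file (MVPS style) uses as a sinkhole.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that legitimately belong in a hosts file and are not suspicious.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed watch-list (assumption for this example): domains that should
# never appear in a hosts file at all. Extend with your own AV/update/search
# vendors; any mapping for these, sinkhole or not, is a hijack indicator.
PROTECTED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "kaspersky.com",
    "malwarebytes.org",
    "bleepingcomputer.com",
    "google.com",
)

# Constructed sample, mixing a stock localhost line, two MVPS-style blocking
# entries, two hijack entries of the kind a redirector drops, and one LAN entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- MVPS-style blocking entries ---
0.0.0.0 ads.example.net
0.0.0.0 www.malwaredomain.example   # constructed
# --- hijack entries ---
10.0.0.5 www.google.com
127.0.0.1 www.kaspersky.com
192.168.1.20 printer.lan
"""


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each active mapping.

    Comments (after '#') and blank lines are skipped; a line whose first token
    is not a valid IPv4/IPv6 address is ignored rather than guessed at.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield lineno, parts[0], name.lower()


def is_protected(hostname):
    """True if hostname is, or is a subdomain of, a watch-listed domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify every mapping in a hosts file.

    Returns a dict with lists of (lineno, ip, hostname) under the keys:
      'localhost'  - stock loopback names, expected
      'blocked'    - sinkhole mapping of a non-protected name (MVPS style)
      'hijacked'   - any mapping of a protected vendor/search domain
      'redirected' - non-sinkhole mapping of some other name; review manually
    """
    result = {"localhost": [], "blocked": [], "hijacked": [], "redirected": []}
    for entry in parse_hosts(text):
        _, ip, name = entry
        if name in LOCAL_NAMES:
            result["localhost"].append(entry)
        elif is_protected(name):
            result["hijacked"].append(entry)
        elif ip in SINKHOLE_ADDRS:
            result["blocked"].append(entry)
        else:
            result["redirected"].append(entry)
    return result


def audit_file(path):
    """Audit a hosts file on disk; returns the same dict as audit_hosts."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    # Use the live Windows hosts file when present, otherwise the constructed sample.
    win_hosts = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "system32", "drivers", "etc", "hosts")
    report = audit_file(win_hosts) if os.path.exists(win_hosts) else audit_hosts(SAMPLE_HOSTS)
    for category in ("hijacked", "redirected", "blocked", "localhost"):
        for lineno, ip, name in report[category]:
            print(f"{category:10s} line {lineno:4d}  {ip:15s} {name}")
```

On the constructed sample the two MVPS-style lines are reported as blocked, www.google.com and www.kaspersky.com as hijacked, and printer.lan as redirected for manual review. A protective hosts file from MVPS will produce a long blocked list and nothing under hijacked; a hosts file rewritten by a redirector typically shows a handful of hijacked lines, often with the vendor domains needed to download or update the very tools used in this thread.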


#13 emjsky (Topic Starter)

Posted 07 March 2010 - 09:16 PM

Thanks!!! You rock!!!!

#14 syler (Malware Response Team, Warrington, UK)

Posted 07 March 2010 - 09:18 PM

You're very welcome.

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
