Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ROOTKIT.WIN32.TDSS.D


  • This topic is locked This topic is locked
32 replies to this topic

#1 Bhoopal

Bhoopal

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:48 PM

Posted 15 April 2010 - 09:49 AM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:50:39.29 on 15/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.553 [GMT 1:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KAQ1E9MG\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.in/ig?hl=en&source=iglk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: af0.Adblock.BHO: {90eff544-3981-4d46-85c9-c0361d0931d6} - mscoree.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [O2Start] c:\program files\o2cm-ce\o2 connection manager\tscui.exe /s
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [BrowserChoice] "c:\windows\system32\browserchoice.exe" /run
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.co.in/s/v/58.09/uploader2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~2\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431} - c:\setup\data\June.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\bujngir2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/ig?hl=en&source=iglk
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {E28C6ECB-9261-4125-A90E-23A715D7F49C} - c:\documents and settings\administrator\local settings\application data\{E28C6ECB-9261-4125-A90E-23A715D7F49C}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-4-9 315408]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S0 fhajeat;fhajeat; [x]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmemdm.sys [2009-9-22 88960]
S3 NdisWDM;Belkin Wireless G Plus USB Network Adapter Service;c:\windows\system32\drivers\NdisWDM.sys [2009-9-15 198144]
S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\TsWlan.sys [2009-3-27 33664]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\zteusbser.sys [2009-8-29 100480]
S4 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2010-1-16 69120]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-19 135664]

=============== Created Last 30 ================

2010-04-15 11:20:41 2914 ----a-w- c:\windows\system32\.crusader
2010-04-15 11:20:38 26112 ----a-w- c:\windows\system32\userinit.vir
2010-04-15 10:53:04 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 10:52:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-15 10:52:35 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-15 10:38:50 0 d-----w- c:\program files\Enigma Software Group
2010-04-15 10:38:09 0 d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-15 10:37:59 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-15 09:50:44 0 d-----w- C:\!KillBox
2010-04-14 16:51:55 0 d-----w- c:\program files\af0.net
2010-04-09 15:43:44 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-09 15:43:44 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-09 15:39:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-04-08 18:28:27 112 ----a-w- c:\docume~1\alluse~1\applic~1\UvQAd7e1K.dat
2010-04-08 18:19:55 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-06 18:05:07 92 ----a-w- c:\windows\wininit.ini
2010-04-06 17:05:17 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 17:05:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-05 10:12:30 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-05 10:11:38 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-04 19:45:02 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2010-04-04 19:45:01 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2010-04-04 19:44:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-04-04 13:52:01 0 d-----w- c:\docume~1\admini~1\applic~1\Nokia Ovi Suite
2010-04-04 13:41:02 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-04-04 13:40:54 0 d-----w- c:\program files\PC Connectivity Solution
2010-04-04 13:38:39 0 d-----w- c:\docume~1\alluse~1\applic~1\OviInstallerCache
2010-04-04 13:27:50 0 d-----w- c:\program files\common files\PCSuite
2010-04-02 15:59:03 120 ----a-w- c:\windows\Wsipa.dat
2010-04-02 15:59:03 0 ----a-w- c:\windows\Vdurusehihe.bin
2010-04-02 15:56:14 0 d-sh--w- c:\documents and settings\administrator\.COMMgr
2010-03-21 15:30:13 0 d-----w- c:\program files\Password Solutions
2010-03-21 15:30:13 0 d-----w- c:\docume~1\admini~1\applic~1\Password Solutions
2010-03-21 14:49:35 0 d-----w- c:\docume~1\admini~1\applic~1\Passware
2010-03-21 14:43:33 275 ----a-w- c:\windows\pwc61su.INI

==================== Find3M ====================

2010-04-15 08:43:31 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-07 14:36:56 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-04-02 16:34:52 539136 ----a-w- c:\windows\system32\logonui.exe
2010-04-02 16:24:16 221184 ----a-w- c:\windows\system32\wbem\wmiadap.exe
2010-04-02 16:23:34 413696 ----a-w- c:\windows\system32\cmd.exe
2010-04-02 16:23:17 36864 ----a-w- c:\windows\system32\attrib.exe
2010-04-02 16:23:03 53248 ----a-w- c:\windows\system32\verclsid.exe
2010-04-02 16:23:02 44544 ----a-w- c:\windows\system32\cacls.exe
2010-04-02 16:20:54 58368 ----a-w- c:\windows\system32\rundll32.exe
2010-04-02 16:20:45 93696 ----a-w- c:\windows\system32\notepad.exe
2010-04-02 16:20:28 70144 ----a-w- c:\windows\system32\drwtsn32.exe.tmp
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 14:42:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-02-27 14:42:11 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-02-27 14:39:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 13:01:22 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-11-02 11:57:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009110220091103\index.dat

============= FINISH: 12:53:01.25 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 AM

Posted 16 April 2010 - 11:42 AM

Hello Bhoopal,



I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! smile.gif

If McAfee still gives you problems then you may have to temporarily uninstall it.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning


Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Bhoopal

Bhoopal
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:48 PM

Posted 17 April 2010 - 05:11 AM

attached the combofix log

Attached Files

  • Attached File  log.txt   42.44KB   7 downloads


#4 Bhoopal

Bhoopal
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:48 PM

Posted 17 April 2010 - 09:17 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-17 15:14:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwlyapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAD2C158C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xAD2C1E0C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xAD2C2922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xAD2C2E94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xAD2C20EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xAD2C0436]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xAD2C2D6C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xAD2C1192]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xAD2C2C28]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xAD2C134E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xAD2C2FC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAD2C4C08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xAD2C1AAA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xAD2C2CCA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xAD2C45FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xAD2C09FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xAD2C0D88]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xAD2C2576]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xAD2C55CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xAD2C0ECA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xAD2C0F74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xAD2C2382]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xAD2C468C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xAD2C0412]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xAD2C0424]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xAD2C4CBC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xAD2C10C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xAD2C2F36]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xAD2C1E8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xAD2C05DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xAD2C2E04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xAD2C1792]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xAD2C4C32]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xAD2C3068]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xAD2C16B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xAD2C101E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xAD2C0C46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xAD2C4FD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xAD2C0896]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xAD2C4922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xAD2C0B0E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xAD2C02B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xAD2C33F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xAD2C32B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xAD2C439A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xAD2C7E2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xAD2C54AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xAD2C0248]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xAD2C265C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xAD2C1CC8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xAD2C3C4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xAD2C4786]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xAD2C5114]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xAD2C071E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xAD2C51F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xAD2C5320]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xAD2C4526]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xAD2C190A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xAD2C1860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xAD2C4E8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xAD2C19EA]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 114 804E2780 16 Bytes [4E, 13, 2C, AD, C6, 2F, 2C, ...]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [8C, 46, 2C, AD, 12, 04, 2C, ...] {MOV WORD [ESI+0x2c], ES; LODSD ; ADC AL, [ESP+EBP]; LODSD ; AND AL, 0x4; SUB AL, 0xad}
.text ntoskrnl.exe!_abnormal_termination + 34C 804E29B8 16 Bytes [0E, 0B, 2C, AD, B0, 02, 2C, ...]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [F8, 51, 2C, AD, 20, 53, 2C, ...]
.text ntoskrnl.exe!_abnormal_termination + 4A0 804E2B0C 4 Bytes JMP B6AD2C19
.text ntoskrnl.exe!IoIsOperationSynchronous 804E876A 5 Bytes JMP AD2B68B6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512939 5 Bytes JMP AD2B64DC \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.rsrc C:\WINDOWS\system32\drivers\ACPIEC.sys entry point in ".rsrc" section [0xF78A5194]
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xBA02B900]

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[240] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[240] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[240] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 33, 6D]
.text C:\WINDOWS\system32\SearchIndexer.exe[460] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1560] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1560] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1560] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1560] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1560] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0164000A
.text C:\WINDOWS\System32\svchost.exe[1560] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0163000A
.text C:\WINDOWS\Explorer.EXE[2260] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 001B000A
.text C:\WINDOWS\Explorer.EXE[2260] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 001C000A
.text C:\WINDOWS\Explorer.EXE[2260] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 001A000C
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[3148] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[3148] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[3148] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 33, 6D]
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 004E2F10 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 004E2F80 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 004E2E00 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 004E2D50 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 004E2ED0 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 004E2D90 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 004E2E40 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 004E2DC0 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 004E2E80 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe[4020] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 004E2D10 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui .exe (O2 Connection Manager/O2)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A140AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ACPIEC.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 AM

Posted 17 April 2010 - 01:30 PM

Hello,

Thanks for those. Now I can see the patched file that needs to be fixed. thumbup2.gif

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

QUOTE
FCOPY::
C:\WINDOWS\SERVICEPACKFILES\I386\ACPIEC.sys | c:\windows\system32\drivers\ACPIEC.sys
C:\WINDOWS\SERVICEPACKFILES\I386\atapi.sys | c:\windows\system32\drivers\atapi.sys


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.

After reboot, post the contents of Combofix.txt in your next reply. Please also run GMER again and post its report.

How is it running please?

Thanks,
tea


Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 Bhoopal

Bhoopal
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:48 PM

Posted 17 April 2010 - 03:15 PM

ComboFix 10-04-17.01 - Administrator 17/04/2010 20:59:46.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.803 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\pie.com
Command switches used :: c:\docume~1\ADMINI~1\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.

2010-04-17 19:08 . 2010-04-17 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Novatel Wireless
2010-04-16 14:40 . 2010-04-16 14:41 -------- d-----w- c:\program files\trend micro
2010-04-16 14:40 . 2010-04-16 14:41 -------- d-----w- C:\rsit
2010-04-15 11:20 . 2010-04-15 11:20 0 ----a-w- c:\windows\system32\userinit.vir
2010-04-15 10:53 . 2010-04-15 11:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 10:52 . 2010-04-15 11:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-15 10:52 . 2010-04-15 10:52 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-15 10:38 . 2010-04-15 10:38 -------- d-----w- c:\program files\Enigma Software Group
2010-04-15 10:38 . 2010-04-15 10:46 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-15 10:37 . 2010-04-15 10:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-15 09:50 . 2010-04-15 09:50 -------- d-----w- C:\!KillBox
2010-04-14 16:51 . 2010-04-14 16:51 -------- d-----w- c:\program files\af0.net
2010-04-09 15:49 . 2010-04-09 15:49 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-04-09 15:49 . 2010-04-09 15:49 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-04-09 15:43 . 2010-04-09 15:43 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-09 15:43 . 2010-04-09 15:43 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-09 15:39 . 2010-04-09 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-09 14:32 . 2010-04-09 14:32 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-04-08 18:19 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-07 13:37 . 2010-04-07 13:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 17:05 . 2010-04-15 07:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 17:05 . 2010-04-14 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-05 10:12 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-05 10:11 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-04 19:45 . 2009-12-14 11:44 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2010-04-04 19:45 . 2009-12-14 11:44 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2010-04-04 19:44 . 2010-04-17 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-04 13:52 . 2010-04-04 13:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nokia Ovi Suite
2010-04-04 13:47 . 2010-04-04 13:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NokiaAccount
2010-04-04 13:41 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-04-04 13:40 . 2010-04-04 13:40 -------- d-----w- c:\program files\PC Connectivity Solution
2010-04-04 13:39 . 2010-04-04 13:39 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-04-04 13:39 . 2010-04-04 13:39 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-04-04 13:39 . 2010-04-04 13:39 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-04-04 13:39 . 2010-04-04 13:39 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-04-04 13:39 . 2010-04-04 13:39 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-04-04 13:39 . 2010-04-04 13:39 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\pcswpc.exe
2010-04-04 13:38 . 2010-04-04 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-04-04 13:38 . 2010-04-04 13:38 98366952 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Nokia_Ovi_Suite_PCS_Update.exe
2010-04-04 13:27 . 2010-04-04 13:27 -------- d-----w- c:\program files\Common Files\PCSuite
2010-04-04 13:25 . 2010-04-04 13:23 34442296 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_us.exe
2010-04-04 13:24 . 2010-04-04 13:24 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
2010-04-04 13:24 . 2010-04-04 13:24 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
2010-04-04 13:24 . 2010-04-04 13:24 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-04-04 13:24 . 2010-04-04 13:24 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
2010-04-03 14:46 . 2010-04-04 19:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-02 22:01 . 2010-04-02 22:01 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-04-02 22:01 . 2010-04-02 22:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-04-02 16:41 . 2010-04-02 16:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-02 15:59 . 2010-04-06 09:45 120 ----a-w- c:\windows\Wsipa.dat
2010-04-02 15:59 . 2010-04-06 07:30 0 ----a-w- c:\windows\Vdurusehihe.bin
2010-03-31 07:01 . 2010-03-31 07:01 20895216 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-25 08:20 . 2010-03-25 08:20 -------- d-----w- c:\program files\Common Files\Skype
2010-03-22 15:04 . 2010-03-22 15:04 255472 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-03-21 15:30 . 2010-03-21 19:44 -------- d-----w- c:\program files\Password Solutions
2010-03-21 15:30 . 2010-03-21 15:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Password Solutions
2010-03-21 14:49 . 2010-03-21 14:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Passware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 19:58 . 2010-02-16 14:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-04-17 19:58 . 2009-08-28 06:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-04-16 21:56 . 2009-08-27 10:47 -------- d-----w- c:\program files\Google
2010-04-16 20:55 . 2009-11-18 04:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-15 14:39 . 2004-08-04 12:00 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-04-15 10:40 . 2009-08-26 10:51 71320 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 09:50 . 2009-08-28 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-15 08:43 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-14 14:29 . 2010-04-08 18:28 112 ----a-w- c:\documents and settings\All Users\Application Data\UvQAd7e1K.dat
2010-04-09 15:42 . 2009-08-26 11:13 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-07 12:44 . 2009-09-11 07:31 -------- d-----w- c:\program files\Nokia
2010-04-07 12:43 . 2009-11-10 10:30 -------- d-----w- c:\program files\Common Files\Nokia
2010-04-04 13:51 . 2009-09-11 07:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nokia
2010-04-04 13:23 . 2009-08-27 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-04-03 14:31 . 2009-08-27 11:29 -------- d-----w- c:\program files\Common Files\Real
2010-04-02 22:21 . 2009-12-24 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 22:19 . 2009-12-31 04:42 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-02 16:34 . 2004-08-04 12:00 539136 ----a-w- c:\windows\system32\logonui.exe
2010-04-02 16:24 . 2009-08-26 09:59 221184 ----a-w- c:\windows\system32\wbem\wmiadap.exe
2010-04-02 16:23 . 2004-08-04 12:00 413696 ----a-w- c:\windows\system32\cmd.exe
2010-04-02 16:23 . 2004-08-04 12:00 36864 ----a-w- c:\windows\system32\attrib.exe
2010-04-02 16:23 . 2006-03-17 00:38 53248 ----a-w- c:\windows\system32\verclsid.exe
2010-04-02 16:23 . 2004-08-04 12:00 44544 ----a-w- c:\windows\system32\cacls.exe
2010-04-02 16:20 . 2004-08-04 12:00 58368 ----a-w- c:\windows\system32\rundll32.exe
2010-04-02 16:20 . 2004-08-04 12:00 93696 ----a-w- c:\windows\system32\notepad.exe
2010-04-02 16:20 . 2004-08-04 12:00 70144 ----a-w- c:\windows\system32\drwtsn32.exe.tmp
2010-03-29 23:46 . 2009-12-24 10:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2009-12-24 10:27 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 07:07 . 2010-03-07 13:56 439816 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-03-26 13:28 . 2009-12-23 04:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 17:43 . 2010-03-10 13:09 -------- d-----w- c:\program files\Raxco
2010-03-17 12:27 . 2010-03-17 12:27 0 ----a-w- c:\windows\nsreg.dat
2010-03-15 12:09 . 2010-03-15 12:09 8405312 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-15 12:09 . 2010-03-15 12:09 149000 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-15 12:08 . 2010-03-15 12:08 10309448 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-15 12:07 . 2010-03-15 12:07 79368 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-15 12:07 . 2010-03-15 12:07 64000 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-15 12:07 . 2010-03-15 12:07 52288 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-15 12:07 . 2010-03-15 12:07 50688 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-15 12:07 . 2010-03-15 12:07 49152 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-15 12:07 . 2010-03-15 12:07 118784 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-11 14:52 . 2009-08-27 11:23 -------- d-----w- c:\program files\CCleaner
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 18:53 . 2010-03-09 18:39 -------- d-----w- c:\program files\Viewpoint
2010-03-09 18:52 . 2010-03-09 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-03-09 18:52 . 2009-08-27 11:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-03-09 18:51 . 2009-11-13 12:02 -------- d-----w- c:\program files\BatteryBar
2010-03-09 18:51 . 2010-02-20 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-09 18:25 . 2010-01-16 09:23 -------- d-----w- c:\program files\Zapak Games
2010-03-09 18:24 . 2009-08-26 10:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-09 18:23 . 2010-01-09 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-03-08 15:39 . 2010-03-08 15:39 2360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-06 11:41 . 2010-03-06 11:41 -------- d-----w- c:\program files\Veoh Networks
2010-02-27 17:32 . 2009-11-22 07:46 -------- d-----w- c:\program files\GameTop.com
2010-02-27 14:43 . 2009-09-11 07:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Suite
2010-02-27 14:42 . 2010-02-27 14:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-02-27 14:42 . 2010-02-27 14:42 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-02-27 14:39 . 2010-02-27 14:39 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-20 10:51 . 2010-02-20 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-20 10:51 . 2010-02-20 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 08:10 . 2004-08-04 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:01 . 2004-08-04 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.
CODE
<pre>
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp .exe
c:\program files\Nokia\Nokia Music\nokiamusic .exe
c:\program files\O2CM-CE\O2 Connection Manager\tscui .exe
c:\program files\Skype\Phone\skype .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-04-17_09.41.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 09:39 . 2009-03-27 09:39 33664 c:\windows\system32\drivers\TsWlan.sys
- 2009-03-27 10:39 . 2009-03-27 10:39 33664 c:\windows\system32\drivers\TsWlan.sys
+ 2010-04-17 19:08 . 2010-04-17 19:08 10134 c:\windows\Installer\{4AA211BA-DB14-4895-AC77-EF4009144AFC}\ARPPRODUCTICON.exe
- 2010-03-09 17:59 . 2010-03-09 17:59 10134 c:\windows\Installer\{4AA211BA-DB14-4895-AC77-EF4009144AFC}\ARPPRODUCTICON.exe
+ 2010-04-17 19:08 . 2010-04-17 19:08 1482240 c:\windows\Installer\feca81.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-20 340456]
"O2Start"="c:\program files\O2CM-CE\O2 Connection Manager\tscui.exe" [2009-06-05 2973696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BrowserChoice"="c:\windows\system32\browserchoice.exe" [2010-02-12 293376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-1425521274-1801674531-500\Scripts\Logon\0\0]
"Script"=autorun.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^YoWindow.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\YoWindow.lnk
backup=c:\windows\pss\YoWindow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Networking Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless Networking Utility.lnk
backup=c:\windows\pss\Belkin Wireless Networking Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Radix MC-AS.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Radix MC-AS.lnk
backup=c:\windows\pss\Radix MC-AS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 03:28 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-07-22 05:38 88361 ----a-r- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-01-04 04:15 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager]
2007-06-14 10:18 1282048 ----a-w- c:\windows\system32\wltray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-02 22:36 136176 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-10-02 06:19 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-10-02 06:37 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2009-09-17 09:50 32768 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2004-10-01 08:46 262144 ----a-w- c:\progra~1\LAUNCH~1\LManager.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
2006-01-05 06:58 489472 ----a-w- c:\program files\Logitech\Video\CameraAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraService(E)]
2004-11-01 16:22 262144 ----a-w- c:\windows\system32\ElkCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
2006-01-05 07:15 73728 ----a-w- c:\program files\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-12-09 14:32 225280 ----a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-29 23:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-26 15:36 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 09:27 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NiwradSoft Welcome]
c:\windows\NiwradSoft Shell Pack\Tools\NS Welcome.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
c:\program files\Nokia\Nokia Music\NokiaMusic.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2Start]
2009-06-05 14:20 2973696 ----a-w- c:\program files\O2CM-CE\O2 Connection Manager\tscui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 09:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qdage]
c:\windows\ahumuqujuzesec.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 09:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
c:\documents and settings\Administrator\Application Data\Smilebox\SmileboxTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-07-27 09:01 68096 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
c:\program files\Spybot - Search & Destroy\TeaTimer.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-30 08:42 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-08-12 07:12 684032 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-08-12 07:13 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Venturi Configurator]
c:\program files\Netbooster Client\Configurator\ventcfg.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MDM"=2 (0x2)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"Boonty Games"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Shared Folder\\Softwares\\Portable TeamViewer + Cracked Version [h33t] [Ahmed]\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 20:18 36880]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 13:42 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 18:39 19472]
S0 fhajeat;fhajeat; [x]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmemdm.sys [22/09/2009 09:10 88960]
S3 NdisWDM;Belkin Wireless G Plus USB Network Adapter Service;c:\windows\system32\drivers\NdisWDM.sys [15/09/2009 18:57 198144]
S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\TsWlan.sys [27/03/2009 10:39 33664]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\zteusbser.sys [29/08/2009 15:08 100480]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2009 06:26 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431}]
c:\setup\DATA\June.exe [N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-19 05:26]

2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-19 05:26]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1425521274-1801674531-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-02 22:36]

2010-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1425521274-1801674531-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-02 22:36]

2010-04-17 c:\windows\Tasks\User_Feed_Synchronization-{5F5B496E-2C48-4AAF-B147-48E0FDA2E7BA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 16:23]

2010-04-17 c:\windows\Tasks\User_Feed_Synchronization-{E387758D-C605-41AC-8C93-4CDB3694854C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 16:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/ig?hl=en&source=iglk/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {E3961B02-FF7D-42DB-9B69-115E21E83B8B} = 82.132.136.103 82.132.136.102
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.co.in/s/v/58.09/uploader2.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bujngir2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/ig?hl=en&source=iglk
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1425521274-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e1,67,82,8d,3f,f6,c4,4f,aa,6c,17,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e1,67,82,8d,3f,f6,c4,4f,aa,6c,17,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,54,e1,71,e7,c7,c6,48,9b,1e,f1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,54,e1,71,e7,c7,c6,48,9b,1e,f1,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3528)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\BatteryBar\BatteryBar.dll
c:\program files\BatteryBar\BatteryBar.Utilities.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-17 21:12:39
ComboFix-quarantined-files.txt 2010-04-17 20:12
ComboFix2.txt 2010-04-17 17:25
ComboFix3.txt 2010-04-17 09:49

Pre-Run: 10,040,762,368 bytes free
Post-Run: 9,995,894,784 bytes free

- - End Of File - - BF33C9687F37EEDD070B0F3383F32A5A


#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 AM

Posted 17 April 2010 - 03:30 PM

Hello,

It doesn't look like you used the script I asked you to for ComboFix, and :
QUOTE
Please also run GMER again and post its report.

How is it running please?

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 Bhoopal

Bhoopal
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:48 PM

Posted 18 April 2010 - 05:57 AM

ComboFix 10-04-17.05 - Administrator 18/04/2010 11:45:35.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.458 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\pie.com
Command switches used :: c:\docume~1\ADMINI~1\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dbghlp.dll . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\SERVICEPACKFILES\I386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-17 20:27 . 2010-04-17 20:27 -------- d--h--w- c:\windows\PIF
2010-04-17 19:08 . 2010-04-17 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Novatel Wireless
2010-04-16 14:40 . 2010-04-16 14:41 -------- d-----w- c:\program files\trend micro
2010-04-16 14:40 . 2010-04-16 14:41 -------- d-----w- C:\rsit
2010-04-15 11:20 . 2010-04-15 11:20 0 ----a-w- c:\windows\system32\userinit.vir
2010-04-15 10:53 . 2010-04-15 11:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 10:52 . 2010-04-15 11:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-15 10:52 . 2010-04-15 10:52 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-15 10:38 . 2010-04-15 10:38 -------- d-----w- c:\program files\Enigma Software Group
2010-04-15 10:38 . 2010-04-15 10:46 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-15 10:37 . 2010-04-15 10:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-15 09:50 . 2010-04-15 09:50 -------- d-----w- C:\!KillBox
2010-04-14 16:51 . 2010-04-14 16:51 -------- d-----w- c:\program files\af0.net
2010-04-09 15:49 . 2010-04-09 15:49 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-04-09 15:49 . 2010-04-09 15:49 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-04-09 15:43 . 2010-04-09 15:43 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-09 15:43 . 2010-04-09 15:43 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-09 15:39 . 2010-04-09 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-09 14:32 . 2010-04-09 14:32 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-04-08 18:19 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-07 13:37 . 2010-04-07 13:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 17:05 . 2010-04-15 07:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 17:05 . 2010-04-14 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-05 10:12 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-05 10:11 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-04 19:45 . 2009-12-14 11:44 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2010-04-04 19:45 . 2009-12-14 11:44 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2010-04-04 19:44 . 2010-04-18 08:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-04 13:52 . 2010-04-04 13:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nokia Ovi Suite
2010-04-04 13:47 . 2010-04-04 13:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NokiaAccount
2010-04-04 13:41 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-04-04 13:40 . 2010-04-04 13:40 -------- d-----w- c:\program files\PC Connectivity Solution
2010-04-04 13:39 . 2010-04-04 13:39 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-04-04 13:39 . 2010-04-04 13:39 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-04-04 13:39 . 2010-04-04 13:39 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-04-04 13:39 . 2010-04-04 13:39 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-04-04 13:39 . 2010-04-04 13:39 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-04-04 13:39 . 2010-04-04 13:39 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\pcswpc.exe
2010-04-04 13:38 . 2010-04-04 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-04-04 13:38 . 2010-04-04 13:38 98366952 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Nokia_Ovi_Suite_PCS_Update.exe
2010-04-04 13:27 . 2010-04-04 13:27 -------- d-----w- c:\program files\Common Files\PCSuite
2010-04-04 13:25 . 2010-04-04 13:23 34442296 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_us.exe
2010-04-04 13:24 . 2010-04-04 13:24 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
2010-04-04 13:24 . 2010-04-04 13:24 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
2010-04-04 13:24 . 2010-04-04 13:24 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-04-04 13:24 . 2010-04-04 13:24 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
2010-04-03 14:46 . 2010-04-04 19:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-02 22:01 . 2010-04-02 22:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-04-02 16:41 . 2010-04-02 16:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-02 15:59 . 2010-04-06 09:45 120 ----a-w- c:\windows\Wsipa.dat
2010-04-02 15:59 . 2010-04-06 07:30 0 ----a-w- c:\windows\Vdurusehihe.bin
2010-03-31 07:01 . 2010-03-31 07:01 20895216 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-25 08:20 . 2010-03-25 08:20 -------- d-----w- c:\program files\Common Files\Skype
2010-03-22 15:04 . 2010-03-22 15:04 255472 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-03-21 15:30 . 2010-03-21 19:44 -------- d-----w- c:\program files\Password Solutions
2010-03-21 15:30 . 2010-03-21 15:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Password Solutions
2010-03-21 14:49 . 2010-03-21 14:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Passware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 10:48 . 2010-02-16 14:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-04-18 08:18 . 2009-08-28 06:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-04-17 20:37 . 2010-03-08 15:39 161552 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-16 21:56 . 2009-08-27 10:47 -------- d-----w- c:\program files\Google
2010-04-16 20:55 . 2009-11-18 04:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-15 14:39 . 2004-08-04 12:00 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-04-15 10:40 . 2009-08-26 10:51 71320 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 09:50 . 2009-08-28 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 14:29 . 2010-04-08 18:28 112 ----a-w- c:\documents and settings\All Users\Application Data\UvQAd7e1K.dat
2010-04-09 15:42 . 2009-08-26 11:13 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-07 12:44 . 2009-09-11 07:31 -------- d-----w- c:\program files\Nokia
2010-04-07 12:43 . 2009-11-10 10:30 -------- d-----w- c:\program files\Common Files\Nokia
2010-04-04 13:51 . 2009-09-11 07:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nokia
2010-04-04 13:23 . 2009-08-27 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-04-03 14:31 . 2009-08-27 11:29 -------- d-----w- c:\program files\Common Files\Real
2010-04-02 22:21 . 2009-12-24 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 22:19 . 2009-12-31 04:42 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-02 16:34 . 2004-08-04 12:00 539136 ----a-w- c:\windows\system32\logonui.exe
2010-04-02 16:24 . 2009-08-26 09:59 221184 ----a-w- c:\windows\system32\wbem\wmiadap.exe
2010-04-02 16:23 . 2004-08-04 12:00 413696 ----a-w- c:\windows\system32\cmd.exe
2010-04-02 16:23 . 2004-08-04 12:00 36864 ----a-w- c:\windows\system32\attrib.exe
2010-04-02 16:23 . 2006-03-17 00:38 53248 ----a-w- c:\windows\system32\verclsid.exe
2010-04-02 16:23 . 2004-08-04 12:00 44544 ----a-w- c:\windows\system32\cacls.exe
2010-04-02 16:20 . 2004-08-04 12:00 58368 ----a-w- c:\windows\system32\rundll32.exe
2010-04-02 16:20 . 2004-08-04 12:00 93696 ----a-w- c:\windows\system32\notepad.exe
2010-04-02 16:20 . 2004-08-04 12:00 70144 ----a-w- c:\windows\system32\drwtsn32.exe.tmp
2010-03-29 23:46 . 2009-12-24 10:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2009-12-24 10:27 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 07:07 . 2010-03-07 13:56 439816 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-03-26 13:28 . 2009-12-23 04:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 17:43 . 2010-03-10 13:09 -------- d-----w- c:\program files\Raxco
2010-03-17 12:27 . 2010-03-17 12:27 0 ----a-w- c:\windows\nsreg.dat
2010-03-15 12:09 . 2010-03-15 12:09 8405312 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-15 12:09 . 2010-03-15 12:09 149000 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-15 12:08 . 2010-03-15 12:08 10309448 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-15 12:07 . 2010-03-15 12:07 79368 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-15 12:07 . 2010-03-15 12:07 64000 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-15 12:07 . 2010-03-15 12:07 52288 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-15 12:07 . 2010-03-15 12:07 50688 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-15 12:07 . 2010-03-15 12:07 49152 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-15 12:07 . 2010-03-15 12:07 118784 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-11 14:52 . 2009-08-27 11:23 -------- d-----w- c:\program files\CCleaner
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 18:53 . 2010-03-09 18:39 -------- d-----w- c:\program files\Viewpoint
2010-03-09 18:52 . 2010-03-09 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-03-09 18:52 . 2009-08-27 11:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-03-09 18:51 . 2009-11-13 12:02 -------- d-----w- c:\program files\BatteryBar
2010-03-09 18:51 . 2010-02-20 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-09 18:25 . 2010-01-16 09:23 -------- d-----w- c:\program files\Zapak Games
2010-03-09 18:24 . 2009-08-26 10:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-09 18:23 . 2010-01-09 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-03-06 11:41 . 2010-03-06 11:41 -------- d-----w- c:\program files\Veoh Networks
2010-02-27 17:32 . 2009-11-22 07:46 -------- d-----w- c:\program files\GameTop.com
2010-02-27 14:43 . 2009-09-11 07:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Suite
2010-02-27 14:42 . 2010-02-27 14:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-02-27 14:42 . 2010-02-27 14:42 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-02-27 14:39 . 2010-02-27 14:39 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-20 10:51 . 2010-02-20 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-20 10:51 . 2010-02-20 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 08:10 . 2004-08-04 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:01 . 2004-08-04 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-17_09.41.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-27 10:39 . 2009-03-27 10:39 33664 c:\windows\system32\drivers\TsWlan.sys
+ 2009-03-27 09:39 . 2009-03-27 09:39 33664 c:\windows\system32\drivers\TsWlan.sys
+ 2004-08-04 12:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
- 2010-03-09 17:59 . 2010-03-09 17:59 10134 c:\windows\Installer\{4AA211BA-DB14-4895-AC77-EF4009144AFC}\ARPPRODUCTICON.exe
+ 2010-04-17 19:08 . 2010-04-17 19:08 10134 c:\windows\Installer\{4AA211BA-DB14-4895-AC77-EF4009144AFC}\ARPPRODUCTICON.exe
+ 2010-04-18 08:23 . 2010-04-18 08:23 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
- 2010-04-03 14:39 . 2010-04-03 14:39 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2010-04-17 19:08 . 2010-04-17 19:08 1482240 c:\windows\Installer\feca81.msi
+ 2010-04-18 08:23 . 2010-04-18 08:23 1575936 c:\windows\Installer\66df6.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-20 340456]
"O2Start"="c:\program files\O2CM-CE\O2 Connection Manager\tscui.exe" [2009-06-05 2973696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BrowserChoice"="c:\windows\system32\browserchoice.exe" [2010-02-12 293376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-1425521274-1801674531-500\Scripts\Logon\0\0]
"Script"=autorun.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^YoWindow.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\YoWindow.lnk
backup=c:\windows\pss\YoWindow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Networking Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless Networking Utility.lnk
backup=c:\windows\pss\Belkin Wireless Networking Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Radix MC-AS.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Radix MC-AS.lnk
backup=c:\windows\pss\Radix MC-AS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 03:28 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-07-22 05:38 88361 ----a-r- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-01-04 04:15 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager]
2007-06-14 10:18 1282048 ----a-w- c:\windows\system32\wltray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-02 22:36 136176 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-10-02 06:19 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-10-02 06:37 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2009-09-17 09:50 32768 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2004-10-01 08:46 262144 ----a-w- c:\progra~1\LAUNCH~1\LManager.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
2006-01-05 06:58 489472 ----a-w- c:\program files\Logitech\Video\CameraAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraService(E)]
2004-11-01 16:22 262144 ----a-w- c:\windows\system32\ElkCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
2006-01-05 07:15 73728 ----a-w- c:\program files\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-12-09 14:32 225280 ----a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-29 23:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-26 15:36 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 09:27 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2Start]
2009-06-05 14:20 2973696 ----a-w- c:\program files\O2CM-CE\O2 Connection Manager\tscui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 09:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 01:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-07-27 09:01 68096 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-30 08:42 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-08-12 07:12 684032 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-08-12 07:13 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MDM"=2 (0x2)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"Boonty Games"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Shared Folder\\Softwares\\Portable TeamViewer + Cracked Version [h33t] [Ahmed]\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 20:18 36880]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 13:42 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 18:39 19472]
S0 fhajeat;fhajeat; [x]
S2 avp ;avp ;"c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp .exe" -r --> c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp .exe [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmemdm.sys [22/09/2009 09:10 88960]
S3 NdisWDM;Belkin Wireless G Plus USB Network Adapter Service;c:\windows\system32\drivers\NdisWDM.sys [15/09/2009 18:57 198144]
S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\TsWlan.sys [27/03/2009 10:39 33664]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\zteusbser.sys [29/08/2009 15:08 100480]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2009 06:26 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-19 05:26]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-19 05:26]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1425521274-1801674531-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-02 22:36]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1425521274-1801674531-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-02 22:36]

2010-04-18 c:\windows\Tasks\User_Feed_Synchronization-{5F5B496E-2C48-4AAF-B147-48E0FDA2E7BA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 16:23]

2010-04-18 c:\windows\Tasks\User_Feed_Synchronization-{E387758D-C605-41AC-8C93-4CDB3694854C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 16:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/ig?hl=en&source=iglk/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.co.in/s/v/58.09/uploader2.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bujngir2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/ig?hl=en&source=iglk
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-avp - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp .exe
MSConfigStartUp-NiwradSoft Welcome - c:\windows\NiwradSoft Shell Pack\Tools\NS Welcome.exe
MSConfigStartUp-NokiaMusic FastStart - c:\program files\Nokia\Nokia Music\NokiaMusic.exe
MSConfigStartUp-NokiaOviSuite2 - c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
MSConfigStartUp-Qdage - c:\windows\ahumuqujuzesec.dll
MSConfigStartUp-SmileboxTray - c:\documents and settings\Administrator\Application Data\Smilebox\SmileboxTray.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-Venturi Configurator - c:\program files\Netbooster Client\Configurator\ventcfg.exe
MSConfigStartUp-VoipBuster - c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe
ActiveSetup-{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431} - c:\setup\DATA\June.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 11:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1425521274-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e1,67,82,8d,3f,f6,c4,4f,aa,6c,17,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e1,67,82,8d,3f,f6,c4,4f,aa,6c,17,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,54,e1,71,e7,c7,c6,48,9b,1e,f1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,54,e1,71,e7,c7,c6,48,9b,1e,f1,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1172)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(4124)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\BatteryBar\BatteryBar.dll
c:\program files\BatteryBar\BatteryBar.Utilities.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-18 11:56:11
ComboFix-quarantined-files.txt 2010-04-18 10:56
ComboFix2.txt 2010-04-17 20:12
ComboFix3.txt 2010-04-17 17:25
ComboFix4.txt 2010-04-17 09:49

Pre-Run: 10,143,535,104 bytes free
Post-Run: 10,152,837,120 bytes free

- - End Of File - - 3F7A295A3EAEB8F2DB0060D2080E6F80


#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 AM

Posted 18 April 2010 - 02:08 PM

Please tell me....do you have a problem reading or speaking? blink.gif

For the 3rd time :
QUOTE
Please also run GMER again and post its report.

How is it running please?


Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 Bhoopal

Bhoopal
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:48 PM

Posted 18 April 2010 - 04:48 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-18 22:47:27
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwlyapod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB203158C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xB2031E0C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xB2032922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xB2032E94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xB20320EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xB2030436]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xB2032D6C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xB2031192]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xB2032C28]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xB203134E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xB2032FC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB2034C08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xB2031AAA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xB2032CCA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xB20345FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xB20309FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xB2030D88]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xB2032576]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xB20355CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xB2030ECA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xB2030F74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xB2032382]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xB203468C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xB2030412]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xB2030424]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xB2034CBC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xB20310C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xB2032F36]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xB2031E8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xB20305DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xB2032E04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xB2031792]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xB2034C32]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xB2033068]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xB20316B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xB203101E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xB2030C46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xB2034FD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xB2030896]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xB2034922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xB2030B0E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xB20302B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xB20333F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xB20332B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xB203439A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xB2037E2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xB20354AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xB2030248]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xB203265C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xB2031CC8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xB2033C4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xB2034786]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xB2035114]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xB203071E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xB20351F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xB2035320]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xB2034526]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xB203190A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xB2031860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xB2034E8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xB20319EA]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3884] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3884] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3884] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3884] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3884] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3884] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3884] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3884] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3884] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1984] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1984] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1984] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 33, 6D]
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[3052] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[3052] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[3052] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 33, 6D]
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 004E2D10 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 004E2D50 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 004E2D90 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 004E2DC0 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 004E2F10 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 004E2F80 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 004E2E00 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 004E2E40 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 004E2E80 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)
.text C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe[3064] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 004E2ED0 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2 Connection Manager/O2)

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xBA4C7900]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[340] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 114 804E2780 16 Bytes [4E, 13, 03, B2, C6, 2F, 03, ...]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [8C, 46, 03, B2, 12, 04, 03, ...]
.text ntoskrnl.exe!_abnormal_termination + 34C 804E29B8 16 Bytes [0E, 0B, 03, B2, B0, 02, 03, ...]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [F8, 51, 03, B2, 20, 53, 03, ...]
.text ntoskrnl.exe!_abnormal_termination + 4A0 804E2B0C 4 Bytes JMP B6B20319
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512939 5 Bytes JMP B20264DC \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntoskrnl.exe!IoIsOperationSynchronous 804E876A 5 Bytes JMP B20268B6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)

---- EOF - GMER 1.0.15 ----


#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 AM

Posted 20 April 2010 - 10:40 AM

still waiting.......... whistling.gif
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 Bhoopal

Bhoopal
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:48 PM

Posted 20 April 2010 - 11:40 AM

wat r y waiting for , i had posted by running the GMER log !??!?!?

#13 Bhoopal

Bhoopal
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:48 PM

Posted 20 April 2010 - 11:43 AM

i had already sent a combo fix log as u said & now gmer log... plz let me know clearly, now wat u want me to do

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 AM

Posted 20 April 2010 - 11:48 AM

I want you to tell me how your computer is behaving. It really is important or I would not ask. smile.gif
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 Bhoopal

Bhoopal
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:48 PM

Posted 20 April 2010 - 11:55 AM

I could not find any virus , if i run the Kspersky ... , i hope my pc is working fine , if anything else i need to do , plz instruct , thanks




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users