Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Suspected Trojan, High network activity, Windows 7 64.

  • This topic is locked This topic is locked
5 replies to this topic

#1 Jtmadden61


  • Members
  • 4 posts
  • Gender:Male
  • Location:Seaside, CA
  • Local time:12:51 PM

Posted 23 May 2010 - 11:44 AM

I am coming to you because I have tried all I can with my basic knowledge in virus removal. I seem to be suffering from a Trojan that has embedded itself into my computer and is destroying my bandwidth, starting primarily in the evening around 5pm - 12am Pacific Standard Time.
In the recent past my Kaspersky 2010 had detected a Trojan on my computer ( Infected virus HEUR:Trojan.Script.Iframer http://view.atdmt.com.hornium.com/MON/jvie...;click=//JSPack High)
which I quarantined then deleted. I have since noticed that my browsing is severely lagged and gaming latency can range between 400ms to 1200ms in the evenings (I have had no connection issues in the past with my internet). I have scanned my computer with Kaspersky 2010 and numerous other safe spyware tools in safe mode and nothing is detected. I finally fresh reformatted my Windows 7 64bit OS and the problem still persists. With my basic knowledge of the command prompt I used "netstat" and noticed that I had numerous Established connections from unknown IP addresses when I have no games or browsers running. I also use a cable modem from Suddenlink.

I have not used gmer as it is incompatible with Windows 7 64 bit.

DDS (Ver_10-03-17.01) - NTFSX64
Run by jon at 19:52:59.20 on Sun 05/23/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4094.3136 [GMT -7:00]

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\x64\klwtblfs.exe
C:\Windows\System32\svchost.exe -k secsvcs

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\syswow64\dvmurl.dll
mWinlogon: Userinit=userinit.exe
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [AVP] "c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [Diamondback] c:\program files (x86)\razer\diamondback 3g\razerhid.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
AppInit_DLLs: c:\progra~2\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~2\kasper~1\kasper~1\sbhook.dll
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\x64\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\x64\klwtbbho.dll
BHO-X64: link filter bho - No File
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
mRun-x64: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
AppInit_DLLs-X64: c:\progra~2\kasper~1\kasper~1\x64\sbhook64.dll,c:\progra~2\kasper~1\kasper~1\x64\kloehk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jon\appdata\roaming\mozilla\firefox\profiles\x6d6axih.default\
FF - component: c:\program files (x86)\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 40464]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-9-14 27152]
R2 AVP;Kaspersky Internet Security;c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
R2 GEST Service;GEST Service for program management.;c:\program files (x86)\gigabyte\energysaver\GSvr.exe [2010-5-20 68136]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 21008]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-22 1255736]

=============== Created Last 30 ================

2010-05-24 02:52:16 0 ----a-w- c:\users\jon\defogger_reenable
2010-05-23 03:06:48 0 d-----w- c:\windows\syswow64\Macromed
2010-05-23 02:28:31 0 d-----w- c:\program files (x86)\Trend Micro
2010-05-22 16:40:28 0 d-----w- c:\windows\syswow64\Wat
2010-05-22 16:40:28 0 d-----w- c:\windows\system32\Wat
2010-05-22 08:33:10 311808 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-22 08:33:10 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2010-05-22 00:57:43 0 d-----w- c:\program files\Ventrilo
2010-05-22 00:57:39 262 ----a-w- c:\windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
2010-05-22 00:57:05 0 d-----w- c:\program files (x86)\common files\Wise Installation Wizard
2010-05-21 23:59:57 73728 ----a-w- c:\windows\syswow64\diamondback.cpl
2010-05-21 16:44:04 0 d-----w- c:\program files (x86)\common files\Blizzard Entertainment
2010-05-21 10:38:50 25640 ----a-w- c:\windows\gdrv.sys
2010-05-21 10:38:39 410822788 ----a-w- c:\windows\MEMORY.DMP
2010-05-21 10:33:29 11406336 ----a-w- c:\windows\syswow64\wmp.dll
2010-05-21 10:33:28 982600 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-05-21 10:33:28 1975296 ----a-w- c:\windows\system32\CertEnroll.dll
2010-05-21 10:33:28 1320960 ----a-w- c:\windows\syswow64\CertEnroll.dll
2010-05-21 10:33:28 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2010-05-21 10:33:28 12625408 ----a-w- c:\windows\syswow64\wmploc.DLL
2010-05-21 10:31:19 716800 ----a-w- c:\windows\syswow64\jscript.dll
2010-05-21 10:30:45 976896 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-21 10:30:45 740864 ----a-w- c:\windows\syswow64\inetcomm.dll
2010-05-21 10:30:38 70656 ----a-w- c:\windows\syswow64\fontsub.dll
2010-05-21 10:30:38 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 10:30:38 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2010-05-21 10:30:38 148480 ----a-w- c:\windows\system32\t2embed.dll
2010-05-21 10:30:38 108544 ----a-w- c:\windows\syswow64\t2embed.dll
2010-05-21 10:30:38 100864 ----a-w- c:\windows\system32\fontsub.dll
2010-05-21 10:30:25 389632 ----a-w- c:\windows\system32\winlogon.exe
2010-05-21 10:30:25 2870272 ----a-w- c:\windows\explorer.exe
2010-05-21 10:30:25 2614272 ----a-w- c:\windows\syswow64\explorer.exe
2010-05-21 10:28:55 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-05-21 10:25:56 46592 ----a-w- c:\windows\system32\msasn1.dll
2010-05-21 10:25:56 34816 ----a-w- c:\windows\syswow64\msasn1.dll
2010-05-21 10:25:42 464896 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-21 10:25:42 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-21 10:24:24 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-05-21 10:24:24 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2010-05-21 10:13:03 5509008 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-05-21 10:13:03 3954568 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-05-21 10:13:03 3899280 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-05-21 10:12:51 12867072 ----a-w- c:\windows\syswow64\shell32.dll
2010-05-21 10:12:50 96768 ----a-w- c:\windows\syswow64\sspicli.dll
2010-05-21 10:12:50 22016 ----a-w- c:\windows\syswow64\secur32.dll
2010-05-21 10:12:50 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-05-21 10:12:50 1446912 ----a-w- c:\windows\system32\lsasrv.dll
2010-05-21 04:26:09 149773 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-21 04:26:09 106765 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-21 04:25:29 0 d-----w- c:\programdata\Kaspersky Lab
2010-05-21 04:25:29 0 d-----w- c:\program files (x86)\Kaspersky Lab
2010-05-21 04:24:58 0 d-sh--w- c:\windows\Installer
2010-05-21 04:24:49 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 04:24:19 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-05-21 04:14:49 0 d-----w- c:\program files (x86)\common files\Blizzard Entertainment.temp
2010-05-21 04:14:20 0 d-----w- c:\programdata\Blizzard
2010-05-21 04:06:42 98144 ----a-w- c:\windows\system32\drivers\jraid.sys
2010-05-21 04:06:38 0 d-----w- c:\windows\RaidTool
2010-05-21 04:04:16 553 ------r- c:\windows\USetup.iss
2010-05-21 04:04:02 0 d-----w- c:\windows\syswow64\RTCOM
2010-05-21 04:04:02 0 d-----w- c:\program files\Realtek
2010-05-21 04:03:47 0 d--h--w- c:\program files (x86)\Temp
2010-05-21 04:03:47 0 d-----w- c:\program files (x86)\Realtek
2010-05-21 04:01:55 53248 ----a-r- c:\windows\syswow64\CSVer.dll
2010-05-21 04:01:31 146528 ----a-w- c:\windows\syswow64\dvmurl.dll
2010-05-21 04:01:31 0 d-----w- c:\program files (x86)\Browser Configuration Utility
2010-05-21 04:01:08 0 d-----w- c:\program files (x86)\GIGABYTE
2010-05-21 03:54:11 10 ----a-w- c:\windows\GSetup.ini
2010-05-21 03:49:29 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-05-21 03:49:29 172032 ----a-w- c:\windows\syswow64\wintrust.dll
2010-05-21 03:49:28 139264 ----a-w- c:\windows\system32\cabview.dll
2010-05-21 03:49:28 132608 ----a-w- c:\windows\syswow64\cabview.dll
2010-05-21 03:40:20 0 d-----w- c:\windows\Panther
2010-05-21 02:45:26 0 d-----w- c:\programdata\Hewlett-Packard
2010-05-21 02:43:44 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf

==================== Find3M ====================

2010-05-21 04:03:52 525792 ----a-w- c:\windows\DIFxAPI.dll
2010-02-23 08:22:50 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 07:56:00 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-02-23 07:55:56 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
2010-02-23 07:55:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-02-23 07:55:43 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-02-23 07:55:43 5964800 ----a-w- c:\windows\syswow64\mshtml.dll
2010-02-23 07:55:24 10978816 ----a-w- c:\windows\syswow64\ieframe.dll
2010-02-23 07:55:20 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 19:53:51.71 ===============

Any help or information on what I can do if this is a virus affecting me or some kind of driver or software issue would be extremely appreciated.
I can give further information if necessary to this discussion.



Attached Files

Edited by Jtmadden61, 23 May 2010 - 10:35 PM.
Deactivate link. ~ OB

Operating System: Windows 7 64 bit
Antivirus Software: Kaspersky 2010
Firewall: Kaspersky 2010
Computer: Custom
CPU: Intel Core 2 Duo E8500 @ 3.16 Ghz (2 CPUS)
Motherboard: Gigabyte Technology EP45-UD3P
Ram: CORSAIR DOMINATOR 4GB (2 x 2GB) 240-Pin DDR2 SDRAM DDR2 1066 (PC2 8500) Dual Channel Kit Desktop Memory Model TWIN2X4096-8500C5DF50946652
Storage: Western Digital AV WD2500AVJB 250GB 7200 RPM IDE Ultra ATA100 3.5" Hard Drive -Bare Drive
Video Card: Nvidia Geforce 9600 GT 2289MB
Speakers: Speakers (Realtek High Definition Audio)
Case: Antec Nine Hundred Black Steel ATX Mid Tower Computer Case

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:51 PM

Posted 26 May 2010 - 04:13 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 Jtmadden61

  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Location:Seaside, CA
  • Local time:12:51 PM

Posted 27 May 2010 - 10:39 PM

Hello, I appreciate the help.
Operating System: Windows 7 64 bit
Antivirus Software: Kaspersky 2010
Firewall: Kaspersky 2010
Computer: Custom
CPU: Intel Core 2 Duo E8500 @ 3.16 Ghz (2 CPUS)
Motherboard: Gigabyte Technology EP45-UD3P
Ram: CORSAIR DOMINATOR 4GB (2 x 2GB) 240-Pin DDR2 SDRAM DDR2 1066 (PC2 8500) Dual Channel Kit Desktop Memory Model TWIN2X4096-8500C5DF50946652
Storage: Western Digital AV WD2500AVJB 250GB 7200 RPM IDE Ultra ATA100 3.5" Hard Drive -Bare Drive
Video Card: Nvidia Geforce 9600 GT 2289MB
Speakers: Speakers (Realtek High Definition Audio)
Case: Antec Nine Hundred Black Steel ATX Mid Tower Computer Case

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:51 PM

Posted 28 May 2010 - 04:41 PM

Okay, the good news is that Windows 7 still doesn't have the vulnerability which allows rootkits to hook into the operating system.

To check this (I will always check this smile.gif) we can run Sophos.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Next please download and run OTL which is a more detailed DDS-type scanner
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Posted Image
m0le is a proud member of UNITE

#5 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:51 PM

Posted 02 June 2010 - 02:46 PM


I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.


Posted Image
m0le is a proud member of UNITE

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:51 PM

Posted 03 June 2010 - 07:02 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users