# TDSS malware virus



## russelb923 (Apr 8, 2010)

Hi there, My computer has recently been infected with the "Rootkit.Win32.TDSS.d" virus. At first my internet browser would get redirected and I thought nothing of it, and then it got worse; now Mozilla will not work after I type any website. I now have to use the Safari web browser. Little things here and there freeze up, but I know this is the least of the damage that this malware virus can do to my computer. I've seen many solutions to it and only tried a few, as I've realized everyone's computer is probably infected in a different way and following everyone else's solutions may not help. If anyone can guide me through a step-by-step solution to get rid of this virus, please let me know.

PS: I use Kaspersky Anti-Virus, which I now know cannot get rid of it, only detects it.
Also, I've tried TDSSKiller, which found it and may have deleted some of the infected files but not all of it.

Help before it gets worse! Thanks in advance.

-Russel


----------



## russelb923 (Apr 8, 2010)

bump


----------



## russelb923 (Apr 8, 2010)

bump. Someone help


----------



## CatByte (Feb 24, 2009)

Please download *DDS* from either of these links

*LINK 1* 
*LINK 2*

and save it to your *desktop.*

- Disable any script blocking protection
- Double click *dds.pif* to run the tool.
- When done, two *DDS.txt's* will open.
- Save both reports to your *desktop.*
---------------------------------------------------
*Please include the contents of the following in your next reply:*

*DDS.txt*
*Attach.txt*.

*NEXT*

Download *GMER Rootkit Scanner *from *here* or *here*.

- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on *NO*.


In the right panel, you will see several boxes that have been checked. Uncheck the following:
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done, click on the *[Save..]* button, and in the File name area, type in *"Gmer.txt"* or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution:** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


----------



## russelb923 (Apr 8, 2010)

DDS scan results:

"DDS.txt":

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Admin at 22:41:52.50 on Sun 04/11/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1236 [GMT -4:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Microsoft Office Ultimate 2007\Office12\GrooveMonitor.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Safari\Safari.exe
C:\Documents and Settings\Admin\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZQfox000&ptb=TMKfGN5LE4om04yDhnxLng
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071206
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071206
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb127\SearchSettings.dll
mURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb127\SearchSettings.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office ultimate 2007\office12\GrooveShellExtensions.dll
BHO: Updater For My.Freeze.com Toolbar: {c26cd490-5f01-41e3-b150-eb29f19da056} - c:\program files\myfreezetoolbar\auxi\myfreezetoolbAu.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb127\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>] 
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office ultimate 2007\office12\GrooveMonitor.exe"
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Aliqoruzifuloruz] rundll32.exe "c:\windows\iqacejoxodokake.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with &DAP - c:\program files\download accelerator\dapextie.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZQfox000
IE: Download &all with DAP - c:\program files\download accelerator\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi8a79~1\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi8a79~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi8a79~1\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203691876593
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office ultimate 2007\office12\GrooveSystemServices.dll
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: WBSrv - c:\program files\windowblinds\wbsrv.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,wbsys.dll c:\progra~1\google\google~2\goec62~1.dll,c:\progra~1\kasper~2\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office ultimate 2007\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli w4SPALOD.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\o7jxw9r4.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={45F61C87-7817-54E7-1991-103585E876C6}&query=
FF - plugin: c:\program files\mozilla firefox\plugins\npCopysafe35.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {1ABF3D76-9DB2-4398-BB88-2634FEEB8773} - c:\documents and settings\admin\local settings\application data\{1ABF3D76-9DB2-4398-BB88-2634FEEB8773}
FF - HiddenExtension: XULRunner: {217AA5CC-85F1-484F-94E2-C10A0D57A28A} - c:\documents and settings\networkservice\local settings\application data\{217aa5cc-85f1-484f-94e2-c10a0d57a28a}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-4-22 226832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 208616]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-3-23 192512]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-6 29744]

=============== Created Last 30 ================

2010-04-09 00:09:57	11264	----a-w-	C:\U.exe
2010-04-06 02:58:59	1924976	----a-w-	C:\install_flash_player.exe
2010-04-04 18:57:54	0	d-----w-	C:\video_output
2010-04-04 18:51:46	28672	----a-w-	c:\windows\system32\AVEQT.dll
2010-04-04 18:51:46	258048	----a-w-	c:\windows\system32\GplMpgDec.ax
2010-04-04 18:51:46	129024	----a-w-	c:\windows\system32\AVERM.dll
2010-04-04 18:51:44	0	d-----w-	c:\program files\Allok 3GP PSP MP4 iPod Video Converter
2010-04-04 08:37:47	120	----a-w-	c:\windows\Isominubesid.dat
2010-04-04 08:37:47	0	----a-w-	c:\windows\Dpocewus.bin
2010-04-04 08:34:49	31916	----a-w-	c:\windows\system32\drivers\svchost.exe

==================== Find3M ====================

2010-04-11 20:58:57	802848	--sha-w-	c:\windows\system32\drivers\fidbox2.dat
2010-04-11 20:58:57	3824	--sha-w-	c:\windows\system32\drivers\fidbox2.idx
2010-04-11 20:58:57	3057184	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2010-04-11 20:58:57	24964	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2010-04-06 05:03:14	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2010-01-21 16:03:36	69036	---ha-w-	c:\windows\system32\mlfcache.dat
2007-12-27 21:52:10	3743542	----a-w-	c:\program files\daemon_20tools_204[1].9.rar
2007-12-25 01:37:36	287240	----a-w-	c:\program files\DirectX10.exe
2007-12-25 01:22:09	707624	----a-w-	c:\program files\WindowsXP-KB936357-v2-x86-ENU.exe
2008-10-07 17:46:17	32768	--sha-w-	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100720081008\index.dat

============= FINISH: 22:44:16.45 ===============

ZIP'd "attach.txt":

file://localhost/C:/Documents%20and%20Settings/Admin/Desktop/DDSattach.zip
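The DDS report above is what the helper reads by hand to spot autoruns and files that don't belong. As an added example (not part of this thread or of the DDS tool itself), the following Python script applies a few of those triage rules to a subset of lines copied from the log above: a rundll32 autorun loading a DLL from the Windows root, an extra LSA notification package, a svchost.exe outside system32, and an executable dropped in the drive root. The rule set, function names and severity labels are my own.

```python
"""Triage heuristics for DDS.txt lines (added example; not DDS's own logic)."""
import re

# Subset of lines copied from the DDS.txt posted above, used as sample input.
SAMPLE_DDS = """\
mRun: [SynTPEnh] c:\\program files\\synaptics\\syntp\\SynTPEnh.exe
mRun: [AVP] "c:\\program files\\kaspersky lab\\kaspersky anti-virus 2009\\avp.exe"
mRun: [Aliqoruzifuloruz] rundll32.exe "c:\\windows\\iqacejoxodokake.dll",Startup
LSA: Notification Packages = scecli w4SPALOD.dll
2010-04-09 00:09:57\t11264\t----a-w-\tC:\\U.exe
2010-04-04 08:34:49\t31916\t----a-w-\tc:\\windows\\system32\\drivers\\svchost.exe
2010-04-06 05:03:14\t96512\t----a-w-\tc:\\windows\\system32\\drivers\\atapi.sys
"""

# Core Windows binaries that belong in system32; a copy anywhere else is suspect.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
# Boot-critical drivers: a recent timestamp is only a cue to verify, not a verdict.
BOOT_DRIVERS = {"atapi.sys"}

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\t\d+\t\S+\t(?P<path>.+)$")


def _dir_and_base(path):
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    path = path.strip('"').lower()
    d, _, base = path.rpartition("\\")
    return d, base


def check_run_entry(name, cmd):
    """Flag rundll32 autoruns whose DLL sits directly in c:\\windows or in a user profile."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', cmd, re.IGNORECASE)
    if not m:
        return None
    d, base = _dir_and_base(m.group(1))
    if d == "c:\\windows" or "\\documents and settings\\" in d:
        return ("high", f"autorun '{name}' loads {base} from {d} via rundll32")
    return None


def check_lsa(pkgs):
    """Only scecli is expected on a stock XP box; anything else hooks LSA."""
    extras = [p for p in pkgs.split() if p.lower() != "scecli"]
    if extras:
        return ("high", "unexpected LSA notification package(s): " + ", ".join(extras))
    return None


def check_created(path):
    """Heuristics for the 'Created Last 30' / Find3M file entries."""
    d, base = _dir_and_base(path)
    if base in SYSTEM32_ONLY and d != "c:\\windows\\system32":
        return ("high", f"{base} found outside system32: {path}")
    if d == "c:" and base.endswith((".exe", ".dll", ".sys")):
        return ("medium", f"executable dropped in drive root: {path}")
    if base in BOOT_DRIVERS:
        return ("review", f"boot driver {base} recently modified; compare hash/date with a known-good copy")
    return None


def triage(dds_text):
    """Return a list of (severity, message) findings for the given DDS text."""
    findings = []
    for line in dds_text.splitlines():
        hit = None
        m = RUN_RE.match(line)
        if m:
            hit = check_run_entry(m["name"], m["cmd"])
        else:
            m = LSA_RE.match(line)
            if m:
                hit = check_lsa(m["pkgs"])
            else:
                m = CREATED_RE.match(line)
                if m:
                    hit = check_created(m["path"])
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_DDS):
        print(f"[{sev}] {msg}")
```

The "review" tier is deliberate: it mirrors the helper's caution about false positives, since a legitimate update can also touch a boot driver.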


----------



## russelb923 (Apr 8, 2010)

oops, didn't host the file..

"attach.txt" ZIP'd:

http://www.mediafire.com/file/m0m1owznm13/DDSattach.zip


----------



## russelb923 (Apr 8, 2010)

Unless you wanted me to just post the contents of attach.txt here, I can.. but the program told me to zip the file first and then post it on the forums. What's the reason for that?


----------



## russelb923 (Apr 8, 2010)

The GMER scan has been running for over 3 hours now; idk if that's normal or not. It also took many manual reboots to finally get the scan past scanning the system files, as it froze up every time before that. I'm using a different computer now as I don't want to interrupt the scan, but I just thought I should mention the screen went into screen saver mode many random times and also went black without any responsiveness of the touchpad for a while until I brought up Task Manager. Don't know if those are bad signs or not; I just want to keep you informed. Thank you though for replying and helping me.


----------



## russelb923 (Apr 8, 2010)

The GMER scan will not complete.. either the screen just goes out and I have to reboot, or it freezes up. It was scanning a folder "C:/classes/CLSID/(random number sequences)" for a long time and seemed as if it were just repeating the scan of that folder over and over. Sorry for the many posts, just trying to keep you updated; I know these things take a while to research. If there's anything other than GMER we could use, let me know what I can do. Thanks!


----------



## CatByte (Feb 24, 2009)

Hi,

try unchecking the box beside "files" as well...

try running it in safe mode....

make sure your security programs are disabled and all other programs closed.


----------



## russelb923 (Apr 8, 2010)

OK so I have unchecked:
- sections
- IAT/EAT
- files
- show all


I'll report back with results soon.


----------



## russelb923 (Apr 8, 2010)

Well, it seems as though the scan finished, but GMER froze up when I tried to save the log. I can try the scan again if you'd like; it didn't take much time this time around. Thanks


----------



## russelb923 (Apr 8, 2010)

I will try running in safe mode, forgot to try that. Sorry lol


----------



## CatByte (Feb 24, 2009)

If you haven't re-run it already, leave the "sections" checked.


----------



## russelb923 (Apr 8, 2010)

Well, the scan does run in safe mode, but unfortunately, since it has poor screen resolution in safe mode, it cuts off the "Copy" and "Save.." buttons but yet leaves the "OK" and "Cancel" buttons visible. So I had no way of saving it; even dragging the window up didn't help. Any other ideas..?


----------



## CatByte (Feb 24, 2009)

Please run the following program:

Download *ComboFix *from one of the following locations:
*Link 1* 
*Link 2 *

VERY IMPORTANT !!! Save ComboFix.exe to your *Desktop *

* IMPORTANT - *Disable your AntiVirus and AntiSpyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here 

Double click on *ComboFix.exe* & follow the prompts.
As part of its process, *ComboFix will check to see if the Microsoft Windows Recovery Console* is installed. With malware infections being as they are today, it's *strongly recommended* to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note:** If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

*Click on Yes*, to continue scanning for malware.
When finished, it shall produce a log for you. *Please include the C:\ComboFix.txt in your next reply.*
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


----------



## russelb923 (Apr 8, 2010)

hi,
More problems.. a fake "XP Internet Security" is trying to get me to purchase the full version of its trojan program. I found a registry fix which disables it from starting up when I use executables, but it still finds its way to pop up after a while. Other than that, "XP Defender" is doing the same, and also a fake "Windows Security" is doing that and trying to pass itself off as a Windows program and "scanning" my computer. It also has its own icon in the system tray which I can't get rid of. Thought you could help me out with that as well; dunno if that's a partner of the TDSS rootkit. Thanks for the help so far!


----------



## russelb923 (Apr 8, 2010)

Didn't see your previous post, as I guess we posted at the same time. Will get back to you with results, thanks


----------



## russelb923 (Apr 8, 2010)

COMBOFIX LOG

ComboFix 10-04-14.01 - Admin 04/14/2010 22:59:38.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1481 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\ShoppingReport
c:\documents and settings\Admin\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\Admin\Local Settings\Application Data\{1ABF3D76-9DB2-4398-BB88-2634FEEB8773}
c:\documents and settings\Admin\Local Settings\Application Data\{1ABF3D76-9DB2-4398-BB88-2634FEEB8773}\chrome.manifest
c:\documents and settings\Admin\Local Settings\Application Data\{1ABF3D76-9DB2-4398-BB88-2634FEEB8773}\chrome\content\_cfg.js
c:\documents and settings\Admin\Local Settings\Application Data\{1ABF3D76-9DB2-4398-BB88-2634FEEB8773}\chrome\content\overlay.xul
c:\documents and settings\Admin\Local Settings\Application Data\{1ABF3D76-9DB2-4398-BB88-2634FEEB8773}\install.rdf
c:\documents and settings\Admin\Local Settings\Application Data\av.exe
c:\documents and settings\Admin\Local Settings\Application Data\ave.exe
c:\documents and settings\Admin\Local Settings\Application Data\avG\av.exe
c:\documents and settings\Admin\Local Settings\Application Data\avG\ave.exe
c:\documents and settings\Admin\Local Settings\Application Data\avG\MSASCui.exe
c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Windows Defender\av.exe
c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Windows Defender\ave.exe
c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Windows Defender\MSASCui.exe
c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Windows Defender\vma.exe
c:\documents and settings\Admin\Local Settings\Application Data\MSASCui.exe
c:\documents and settings\Admin\Local Settings\Application Data\vma.exe
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\mmvbYXDJJ.jpg
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\o6rA83.jpg
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\vm7g04CVf.jpg
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\YL4wKT.jpg
c:\documents and settings\Administrator\Local Settings\Application Data\{D6BAD2E2-2CB9-4158-86B3-CA0189A9B470}
c:\documents and settings\Administrator\Local Settings\Application Data\{D6BAD2E2-2CB9-4158-86B3-CA0189A9B470}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{D6BAD2E2-2CB9-4158-86B3-CA0189A9B470}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{D6BAD2E2-2CB9-4158-86B3-CA0189A9B470}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{D6BAD2E2-2CB9-4158-86B3-CA0189A9B470}\install.rdf
c:\documents and settings\All Users\Application Data\av.exe
c:\documents and settings\All Users\Application Data\ave.exe
c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\MSASCui.exe
c:\documents and settings\All Users\Application Data\vma.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\{217AA5CC-85F1-484F-94E2-C10A0D57A28A}
c:\documents and settings\NetworkService\Local Settings\Application Data\{217AA5CC-85F1-484F-94E2-C10A0D57A28A}\chrome.manifest
c:\documents and settings\NetworkService\Local Settings\Application Data\{217AA5CC-85F1-484F-94E2-C10A0D57A28A}\chrome\content\_cfg.js
c:\documents and settings\NetworkService\Local Settings\Application Data\{217AA5CC-85F1-484F-94E2-C10A0D57A28A}\chrome\content\overlay.xul
c:\documents and settings\NetworkService\Local Settings\Application Data\{217AA5CC-85F1-484F-94E2-C10A0D57A28A}\install.rdf
c:\program files\ActivationManager
c:\program files\ActivationManager\Uninstall.exe
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\program files\ShoppingReport
c:\program files\ShoppingReport\Uninst.exe
C:\U.exe
c:\windows\iqacejoxodokake.dll
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\system32\spool\prtprocs\w32x86\000021d8.tmp
c:\windows\system32\spool\prtprocs\w32x86\00005367.tmp
c:\windows\system32\spool\prtprocs\w32x86\00005436.tmp
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\w4SPALOD.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-14 09:43 . 2010-04-14 09:43	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-14 04:51 . 2010-04-15 03:08	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\avG
2010-04-13 22:16 . 2010-04-13 22:16	664	----a-w-	c:\windows\system32\d3d9caps.dat
2010-04-13 22:16 . 2010-04-13 22:16	552	----a-w-	c:\windows\system32\d3d8caps.dat
2010-04-12 19:28 . 2010-04-12 19:28	190976	--sha-w-	c:\documents and settings\Admin\Local Settings\Application Data\3444317366.dll
2010-04-12 17:46 . 2010-04-12 06:39	177152	----a-w-	c:\windows\Smomyc.exe
2010-04-12 06:37 . 2010-04-12 03:36	177152	----a-w-	c:\windows\Smomyb.exe
2010-04-12 03:19 . 2010-04-12 03:19	177152	----a-w-	c:\windows\Smomya.exe
2010-04-09 04:05 . 2010-04-09 04:05	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Roxio
2010-04-09 04:05 . 2010-04-09 04:05	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Roxio
2010-04-09 00:09 . 2010-04-15 02:16	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 02:58 . 2010-04-06 02:59	1924976	----a-w-	C:\install_flash_player.exe
2010-04-04 18:57 . 2010-04-05 08:19	--------	d-----w-	C:\video_output
2010-04-04 18:51 . 2007-04-12 18:19	129024	----a-w-	c:\windows\system32\AVERM.dll
2010-04-04 18:51 . 2006-09-26 17:57	28672	----a-w-	c:\windows\system32\AVEQT.dll
2010-04-04 18:51 . 2010-04-04 18:57	--------	d-----w-	c:\program files\Allok 3GP PSP MP4 iPod Video Converter
2010-04-04 08:38 . 2010-04-04 08:38	182784	--sha-w-	c:\documents and settings\Admin\Local Settings\Application Data\4288942400.dll
2010-04-04 08:37 . 2010-04-14 06:56	120	----a-w-	c:\windows\Isominubesid.dat
2010-04-04 08:37 . 2010-04-14 04:51	0	----a-w-	c:\windows\Dpocewus.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 03:21 . 2010-04-15 03:21	187904	--sha-w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
2010-04-15 03:20 . 2009-04-22 05:15	868384	--sha-w-	c:\windows\system32\drivers\fidbox2.dat
2010-04-15 03:15 . 2008-10-15 06:05	--------	d-----w-	c:\program files\Steam
2010-04-15 03:15 . 2007-12-28 00:13	--------	d-----w-	c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-15 03:12 . 2009-04-22 05:15	4048	--sha-w-	c:\windows\system32\drivers\fidbox2.idx
2010-04-15 03:12 . 2009-04-22 05:15	3100192	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2010-04-15 03:12 . 2009-04-22 05:15	25300	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2010-04-15 02:32 . 2010-04-14 04:51	187904	--sha-w-	c:\documents and settings\All Users\Application Data\MSASCui.exe
2010-04-15 02:32 . 2010-04-14 04:51	187904	--sha-w-	c:\documents and settings\All Users\Application Data\MSASCui.exe
2010-04-14 05:08 . 2008-01-15 05:40	--------	d-----w-	c:\documents and settings\Admin\Application Data\LimeWire
2010-04-14 05:01 . 2009-12-13 01:07	79488	----a-w-	c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-14 04:51 . 2010-04-14 04:51	182272	--sha-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\ave.exe
2010-04-14 04:51 . 2010-04-14 04:51	182272	--sha-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\av.exe
2010-04-12 20:40 . 2004-08-04 04:59	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2010-04-09 00:09 . 2010-04-09 00:08	439816	----a-w-	c:\documents and settings\Admin\Application Data\Real\Update\setup3.10\setup.exe
2010-04-06 03:24 . 2007-12-06 19:41	--------	d-----w-	c:\program files\Google
2010-04-05 21:36 . 2008-01-09 02:16	--------	d-----w-	c:\program files\FlashGet
2010-04-04 06:05 . 2007-12-06 19:31	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-03-04 01:53 . 2008-12-31 21:10	--------	d-----w-	c:\program files\PSPVideoConverter
2010-02-15 00:00 . 2010-01-05 03:26	--------	d--h--w-	c:\program files\InstallJammer Registry
2010-01-21 16:03 . 2009-09-02 21:53	69036	---ha-w-	c:\windows\system32\mlfcache.dat
2007-12-27 21:52 . 2007-12-27 21:52	3743542	----a-w-	c:\program files\daemon_20tools_204[1].9.rar
2007-12-25 01:37 . 2007-12-25 01:37	287240	----a-w-	c:\program files\DirectX10.exe
2007-12-25 01:22 . 2007-12-25 01:22	707624	----a-w-	c:\program files\WindowsXP-KB936357-v2-x86-ENU.exe
2008-08-30 06:30 . 2008-08-30 06:30	122880	----a-w-	c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-11-22 04:06 . 2007-11-19 14:44	499712	----a-w-	c:\program files\mozilla firefox\plugins\SetupHelper.dll
.

```
c:\program files\download accelerator\Download.Accelerator.Plus.Premium.v8.6.1.4.RETAiL\DAP Premium .exe
```
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\Steam\Steam.exe" [2010-02-22 1217872]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [N/A]
"WEK9EMDHI9"="c:\windows\Smomyc.exe" [2010-04-12 177152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-10 148888]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-30 29744]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]
"GrooveMonitor"="c:\program files\Microsoft Office Ultimate 2007\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-17 198160]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-23 208616]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Aliqoruzifuloruz"="c:\windows\iqacejoxodokake.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-21 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-6 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-12-28 03:19	229376	----a-w-	c:\program files\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office Ultimate 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Ultimate 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office Ultimate 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-30 29744]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-22 33808]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2007-12-27 682232]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-03-23 192512]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZQfox000&ptb=TMKfGN5LE4om04yDhnxLng
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071206
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with &DAP - c:\program files\download accelerator\dapextie.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download &all with DAP - c:\program files\download accelerator\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI8A79~1\Office12\EXCEL.EXE/3000
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\o7jxw9r4.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={45F61C87-7817-54E7-1991-103585E876C6}&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCopysafe35.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{69d0691e-b439-d975-e098-fb6d244ffb78} - c:\windows\iqacejoxodokake.dll
SafeBoot-klmdb.sys
AddRemove-Bonus Pack for Super DX-Ball Deluxe_is1 - e:\super dx-ball deluxe(exracted)\Super DX-Ball Deluxe\Super DX-Ball Deluxe\unins000.exe
AddRemove-Real Arcade Sonic 3D Blast - c:\program files\SONIC HEDGEHOG COLLECTION\SONIC THE HEDGEHOG COLLECTION\SONIC 3D BLAST\Uninstal.exe
AddRemove-Sonic and Knuckles - c:\program files\SONIC hedgehog collection\Sonic The Hedgehog Collection\Sonic and Knuckles\Uninstal.exe
AddRemove-Sonic Spinball - c:\program files\SONIC hedgehog collection\Sonic The Hedgehog Collection\Sonic Spinball\Uninstal.exe
AddRemove-Sonic the Hedgehog - c:\program files\SONIC hedgehog collection\Sonic The Hedgehog Collection\Sonic the Hedgehog 1\Uninstal.exe
AddRemove-Sonic the Hedgehog 2 - c:\program files\SONIC hedgehog collection\Sonic The Hedgehog Collection\Sonic the Hedgehog 2\Uninstal.exe
AddRemove-Sonic the Hedgehog 3 - c:\program files\SONIC hedgehog collection\Sonic The Hedgehog Collection\Sonic the Hedgehog 3\Uninstal.exe
AddRemove-Super DX-Ball Deluxe_is1 - e:\super dx-ball deluxe(exracted)\Super DX-Ball Deluxe\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 23:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A4B3AC8]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9e7fcb8
\Driver\atapi -> atapi.sys @ 0xb9e3ab40
\Driver\iaStor -> 0x8a80c1e8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9c5cbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9c4ba0d
SendHandler -> NDIS.sys @ 0xb9c5fb40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1352)
c:\windows\system32\WININET.dll
c:\program files\WindowBlinds\wbsrv.dll

- - - - - - - > 'lsass.exe'(1412)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(344)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office Ultimate 2007\Office12\GrooveShellExtensions.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Adobe\Reader 8.0\Reader\AcroRd32.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2010-04-14 23:29:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-15 03:29

Pre-Run: 42,465,837,056 bytes free
Post-Run: 45,654,941,696 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 686B761B81517A360079765266A2D9A2
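The "Reg Loading Points" and Find3M sections of the ComboFix log above carry the indicators a responder would triage first: Security Center override values and a disabled firewall profile, hidden+system executables (`--sha-w-`) dropped under a profile's Application Data folder, and autostart entries whose target ComboFix could not read (`[N/A]`). The script below is an added example, not part of this thread and not ComboFix's own code; it parses a ComboFix-style log and reports those three indicator classes. Its sample log is constructed to mirror the posted log's format (a few of its entries are reused), and the heuristics it applies are this example's own assumptions, not ComboFix verdicts.

```python
"""Triage a ComboFix-style log for the indicator classes seen in the thread.

Added example: not part of the original thread and not ComboFix's own code.
The sample log is constructed to mirror the posted log's format; the rules
below are a defender's assumptions, not ComboFix's verdicts.
"""
import re
from dataclasses import dataclass, field

# "created . modified  size  attrs  path". ComboFix separates the fields with
# tabs, but copied logs often turn those into spaces, so accept either.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# Autostart value: "Name"="path" [date size], or [N/A] when ComboFix could
# not read the target file.
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<info>[^\]]+)\]$')
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
PROFILE_DATA = re.compile(r"\\application data\\", re.IGNORECASE)

# Registry values that, set as shown, silence Security Center or the firewall.
DISABLING_VALUES = {
    '"AntiVirusOverride"=dword:00000001',
    '"FirewallOverride"=dword:00000001',
    '"DisableMonitoring"=dword:00000001',
    '"EnableFirewall"= 0 (0x0)',
    '"DisableNotifications"= 1 (0x1)',
}


@dataclass
class Findings:
    hidden_system_files: list = field(default_factory=list)      # paths
    protection_disabled: list = field(default_factory=list)      # (key, value)
    unverifiable_autostarts: list = field(default_factory=list)  # (name, path)


def triage(log_text: str) -> Findings:
    """Walk the log once and collect the three indicator classes."""
    found = Findings()
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            # Hidden+system executables under a profile's Application Data
            # folder (the ave.exe / av.exe pattern). Hidden+system data files
            # elsewhere, e.g. an AV product's own caches, are left alone.
            if ("s" in attrs and "h" in attrs and PROFILE_DATA.search(path)
                    and path.lower().endswith((".exe", ".dll"))):
                found.hidden_system_files.append(path)
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        if line in DISABLING_VALUES:
            found.protection_disabled.append((current_key, line))
            continue
        m = RUN_LINE.match(line)
        if m and m["info"] == "N/A" and current_key.lower().endswith("\\run"):
            found.unverifiable_autostarts.append((m["name"], m["path"]))
    return found


# Constructed sample in ComboFix's format (entries mirror the posted log).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 03:21 . 2010-04-15 03:21    187904    --sha-w-    c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
2010-04-15 03:12 . 2009-04-22 05:15    3100192    --sha-w-    c:\windows\system32\drivers\fidbox.dat
2010-04-14 04:51 . 2010-04-14 04:51    182272    --sha-w-    c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\av.exe
2010-04-14 05:08 . 2008-01-15 05:40    --------    d-----w-    c:\documents and settings\Admin\Application Data\LimeWire
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-23 208616]
"Aliqoruzifuloruz"="c:\windows\iqacejoxodokake.dll" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path in result.hidden_system_files:
        print("hidden+system executable in profile data:", path)
    for key, value in result.protection_disabled:
        print("protection disabled:", key, value)
    for name, path in result.unverifiable_autostarts:
        print("autostart with unreadable target:", name, path)
```

The Kaspersky `fidbox.dat` entry in the sample is there on purpose: it carries the same `--sha-w-` attributes as the fake-AV binaries but lives under `system32\drivers` and is a data file, so the path and extension checks keep it out of the report. An `[N/A]` autostart is reported as unverifiable rather than malicious, since the posted log shows a legitimate product (the Weather Channel entry) in the same state.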


----------



## russelb923 (Apr 8, 2010)

Just thought I'd let you know that after ComboFix rebooted the computer, those fake XP Internet Security and XP Defender programs kept popping up while ComboFix was preparing the log. I don't know if that could've caused any problems, since it said not to open anything until it was finished. Well, let me know what you find in that mess; I will check back tomorrow after work. Thanks!


Also forgot to mention that a debugger program keeps popping up no matter how many times I exit, and asks which debugger I want to use. And also some kind of error message for "snmomy" or something keeps popping up and saying it needs to close the program.


----------



## CatByte (Feb 24, 2009)

Hi,

Please do the following:


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click* Start > Run* type *Notepad* click *OK.*
This will open an empty notepad file:

*Copy* all the text *inside of the code box* - *Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
http://forums.techguy.org/7330903-post19.html

Collect::
c:\documents and settings\Admin\Local Settings\Application Data\3444317366.dll
c:\windows\Smomyc.exe
c:\windows\Smomyb.exe
c:\windows\Smomya.exe
c:\documents and settings\Admin\Local Settings\Application Data\4288942400.dll
c:\windows\Isominubesid.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\ave.exe
c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\av.exe
c:\windows\Smomyc.exe
c:\windows\iqacejoxodokake.dll

RenV::
c:\program files\download accelerator\Download.Accelerator.Plus.Premium.v8.6.1.4.RETAiL\DAP Premium .exe

File::
c:\windows\Dpocewus.bin

Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\avG
c:\documents and settings\Admin\Local Settings\Application Data\avG

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WEK9EMDHI9"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aliqoruzifuloruz"=-

DDS::
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZQfox000&ptb=TMKfGN5LE4om04yDhnxLng
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')
*Save this file to your desktop, Save this as "CFScript"*

Here's how to do that:

1. Click *File*;
2. Click *Save As*... Change the directory to your *desktop*;
3. Change the *Save as type* to *"All Files"*;
4. Type in the file name: *CFScript*
5. Click *Save ...*

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. 
*Copy and paste the contents of the log in your next reply.*

CAUTION: *Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.

*Note*
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

*NEXT*

There are still indications you have an active rootkit on your system.

I would like you to rerun GMER; now that we have removed most of the infections, it should run:

Please uncheck only the boxes beside IAT/EAT and Files this time, make sure security programs and all other windows are closed.

Please post the log.


----------



## russelb923 (Apr 8, 2010)

Hi, after the second ComboFix scan everything's back to the way it was, with all the fake antiviruses annoying the hell out of me. They were gone after the first ComboFix procedure... and now executables won't open, it just has the loading hourglass next to the mouse. I'm using the house computer because nothing will open on the laptop. I'll be checking up, thanks.


----------



## russelb923 (Apr 8, 2010)

Tried a manual restart; GMER seems to be running now, haven't tried anything else yet. Oh, and when the CF log came up I didn't see a message box? Also don't know if you needed the second CF log, but when I copied it to post here the whole thing froze up. Well, I'm scanning GMER now on the infected computer; I'll be back shortly.


----------



## CatByte (Feb 24, 2009)

Hi,

Please run this tool; this should resolve the fake AV popups and the exe issue (note it will run directly from a USB).

Please download *exeHelper* to your desktop.

Double-click on *exeHelper.com* to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of *log.txt* (Will be created in the directory where you ran exeHelper.com)
*Note  If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).*

Please locate the second ComboFix log as well.

It should be located at C:\combofix.txt

Note: malware removal isn't instantaneous; it usually takes several passes with different tools to remove it.


----------



## russelb923 (Apr 8, 2010)

OK, well it didn't say there was an error deleting file, but the scan finished and right after that the AV trojan program popped up again, so I decided to run exeHelper again, and it seems that it says it killed ave.exe, which I'm guessing is that fake AV. Well, here are those two logs:

exeHelper by Raktor
Build 20100414
Run at 16:29:50 on 04/16/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Removing HKCR\secfile
Resetting filetype association for .com
Removing HKCR\secfile
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 16:31:43 on 04/16/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Killed process ave.exe
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Removing HKCR\secfile
Resetting filetype association for .com

And here's the second CF log, which seems to have replaced the first log because I don't see that one anymore... or maybe the second log didn't save and this is the first one all over again. Well, you're the expert, lol. Here you go:

ComboFix 10-04-14.04 - Admin 04/15/2010 15:59:26.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.958 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\Dpocewus.bin"

file zipped: c:\documents and settings\Admin\Local Settings\Application Data\3444317366.dll
file zipped: c:\documents and settings\Admin\Local Settings\Application Data\4288942400.dll
file zipped: c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\av.exe
file zipped: c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\ave.exe
file zipped: c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
file zipped: c:\windows\Isominubesid.dat
file zipped: c:\windows\Smomya.exe
file zipped: c:\windows\Smomyb.exe
file zipped: c:\windows\Smomyc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Local Settings\Application Data\3444317366.dll
c:\documents and settings\Admin\Local Settings\Application Data\4288942400.dll
c:\documents and settings\Admin\Local Settings\Application Data\avG
c:\documents and settings\Admin\Local Settings\Application Data\avG\vma.exe
c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\av.exe
c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\ave.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\avG
c:\windows\Dpocewus.bin
c:\windows\Isominubesid.dat
c:\windows\Smomya.exe
c:\windows\Smomyb.exe
c:\windows\Smomyc.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

.
((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-14 04:51 . 2010-04-15 02:32	187904	--sha-w-	c:\documents and settings\All Users\Application Data\MSASCui.exe
2010-04-13 22:16 . 2010-04-13 22:16	664	----a-w-	c:\windows\system32\d3d9caps.dat
2010-04-13 22:16 . 2010-04-13 22:16	552	----a-w-	c:\windows\system32\d3d8caps.dat
2010-04-09 04:05 . 2010-04-09 04:05	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Roxio
2010-04-09 04:05 . 2010-04-09 04:05	--------	d-----w-	c:\windows\system32\config\systemprofile\Application Data\Dell
2010-04-09 04:05 . 2010-04-09 04:05	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Roxio
2010-04-09 00:09 . 2010-04-15 02:16	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-09 00:08 . 2010-04-09 00:09	439816	----a-w-	c:\documents and settings\Admin\Application Data\Real\Update\setup3.10\setup.exe
2010-04-06 02:58 . 2010-04-06 02:59	1924976	----a-w-	C:\install_flash_player.exe
2010-04-04 18:57 . 2010-04-05 08:19	--------	d-----w-	C:\video_output
2010-04-04 18:51 . 2007-04-12 18:19	129024	----a-w-	c:\windows\system32\AVERM.dll
2010-04-04 18:51 . 2006-09-26 17:57	28672	----a-w-	c:\windows\system32\AVEQT.dll
2010-04-04 18:51 . 2010-04-04 18:57	--------	d-----w-	c:\program files\Allok 3GP PSP MP4 iPod Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 19:53 . 2008-10-15 06:05	--------	d-----w-	c:\program files\Steam
2010-04-15 19:52 . 2007-12-28 00:13	--------	d-----w-	c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-15 19:48 . 2009-04-22 05:15	868384	--sha-w-	c:\windows\system32\drivers\fidbox2.dat
2010-04-15 19:48 . 2009-04-22 05:15	4020	--sha-w-	c:\windows\system32\drivers\fidbox2.idx
2010-04-15 19:48 . 2009-04-22 05:15	3100192	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2010-04-15 19:48 . 2009-04-22 05:15	25300	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2010-04-14 05:08 . 2008-01-15 05:40	--------	d-----w-	c:\documents and settings\Admin\Application Data\LimeWire
2010-04-14 05:01 . 2009-12-13 01:07	79488	----a-w-	c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 20:40 . 2004-08-04 04:59	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2010-04-06 03:24 . 2007-12-06 19:41	--------	d-----w-	c:\program files\Google
2010-04-05 21:36 . 2008-01-09 02:16	--------	d-----w-	c:\program files\FlashGet
2010-04-04 06:05 . 2007-12-06 19:31	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-03-04 01:53 . 2008-12-31 21:10	--------	d-----w-	c:\program files\PSPVideoConverter
2010-02-15 00:00 . 2010-01-05 03:26	--------	d--h--w-	c:\program files\InstallJammer Registry
2010-01-21 16:03 . 2009-09-02 21:53	69036	---ha-w-	c:\windows\system32\mlfcache.dat
2007-12-27 21:52 . 2007-12-27 21:52	3743542	----a-w-	c:\program files\daemon_20tools_204[1].9.rar
2007-12-25 01:37 . 2007-12-25 01:37	287240	----a-w-	c:\program files\DirectX10.exe
2007-12-25 01:22 . 2007-12-25 01:22	707624	----a-w-	c:\program files\WindowsXP-KB936357-v2-x86-ENU.exe
2008-08-30 06:30 . 2008-08-30 06:30	122880	----a-w-	c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-11-22 04:06 . 2007-11-19 14:44	499712	----a-w-	c:\program files\mozilla firefox\plugins\SetupHelper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\Steam\Steam.exe" [2010-02-22 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-10 148888]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-30 29744]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]
"GrooveMonitor"="c:\program files\Microsoft Office Ultimate 2007\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-17 198160]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-23 208616]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-21 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-6 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-12-28 03:19	229376	----a-w-	c:\program files\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office Ultimate 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Ultimate 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office Ultimate 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/27/2007 6:17 PM 682232]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [3/23/2009 12:28 AM 192512]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/6/2007 3:41 PM 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071206
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with &DAP - c:\program files\download accelerator\dapextie.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download &all with DAP - c:\program files\download accelerator\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI8A79~1\Office12\EXCEL.EXE/3000
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\o7jxw9r4.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={45F61C87-7817-54E7-1991-103585E876C6}&query=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 16:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A541AC8]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f37852
\Driver\iaStor -> iaStor.sys @ 0xb9e7cc1a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Dell Wireless 1390 WLAN Mini-Card -> SendCompleteHandler -> NDIS.sys @ 0xb9d5cbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d69a21
SendHandler -> NDIS.sys @ 0xb9d4787b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\windows\system32\WININET.dll
c:\program files\WindowBlinds\wbsrv.dll

- - - - - - - > 'lsass.exe'(1356)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-15 16:17:24
ComboFix-quarantined-files.txt 2010-04-15 20:17
ComboFix2.txt 2010-04-15 03:29

Pre-Run: 45,598,547,968 bytes free
Post-Run: 45,589,966,848 bytes free

- - End Of File - - DC1BD6A56B9921284BA75CB6B93359FD
Upload was successful

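The "Reg Loading Points" block in the ComboFix log above shows the Security Center overrides set (AntiVirusOverride and FirewallOverride both 1) and the standard-profile Windows Firewall switched off with its notifications suppressed. As an added example, not ComboFix output and not part of this thread, the following Python parses ComboFix's registry notation (both the `dword:00000001` and the `= 0 (0x0)` spellings it uses) and flags those settings. The excerpt it runs on is a constructed copy of the values shown in the log; the list of checks and their wording are my own.

```python
"""Flag weakened XP Security Center / firewall settings in ComboFix 'Reg Loading Points' text."""
import re

# Constructed excerpt, in ComboFix's notation, with the values shown in the log above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# (key suffix, value name, value that weakens the machine, meaning) -- my own check list
CHECKS = [
    ("\\security center", "AntiVirusOverride", 1,
     "Security Center will not alert on missing or stale antivirus"),
    ("\\security center", "FirewallOverride", 1,
     "Security Center will not alert on a disabled firewall"),
    ("\\firewallpolicy\\standardprofile", "EnableFirewall", 0,
     "Windows Firewall is off for the standard profile"),
    ("\\firewallpolicy\\standardprofile", "DisableNotifications", 1,
     "firewall block notifications are suppressed"),
]

# Matches both spellings ComboFix uses: "Name"=dword:00000001 and "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9A-Fa-f]{8})|(\d+))')


def parse_reg_dump(text):
    """Yield (key, name, int value) triples from ComboFix registry text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section
            continue
        m = VALUE_RE.match(line)
        if key and m:
            value = int(m.group(2), 16) if m.group(2) else int(m.group(3))
            yield key, m.group(1), value


def audit_security_settings(text):
    """Return [(key, name, value, meaning)] for every check that fires."""
    findings = []
    for key, name, value in parse_reg_dump(text):
        for suffix, want_name, bad_value, meaning in CHECKS:
            if key.lower().endswith(suffix) and name == want_name and value == bad_value:
                findings.append((key, name, value, meaning))
    return findings


if __name__ == "__main__":
    for key, name, value, meaning in audit_security_settings(SAMPLE_LOG):
        print("%s\\%s = %d  -> %s" % (key, name, value, meaning))
```

The Kaspersky `DisableMonitoring` value is deliberately not in the check list: a registered antivirus product sets it so that Security Center defers to the product's own status, which is normal. The two Override values and the firewall being off are the settings worth asking the user about, since neither Kaspersky nor a default XP SP3 install sets them that way.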

----------



## russelb923 (Apr 8, 2010)

Oh, one more thing: exeHelper froze everything during the second pass and it didn't complete. The last line of it had some symbols and a 1% next to it, like it might've been scanning/loading something, but everything froze.


----------



## russelb923 (Apr 8, 2010)

Ran it again:

exeHelper by Raktor
Build 20100414
Run at 16:31:43 on 04/16/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Killed process ave.exe
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Removing HKCR\secfile
Resetting filetype association for .com
exeHelper by Raktor
Build 20100414
Run at 16:58:35 on 04/16/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished-- 

Seems as though the scan continued from where it left off and finished. Sorry if I shouldn't have scanned it again; I just figured it's not too harmful to re-run.


----------



## CatByte (Feb 24, 2009)

Did the GMER scan complete?


----------



## russelb923 (Apr 8, 2010)

geh76esgreg5 is just a random name that I renamed GMER to.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-17 17:46:35
Windows 5.1.2600 Service Pack 3
Running: geh76esgreg5.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\uwtdrpog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xA7B5A1DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xA7B5A7AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xA7B5C1EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xA7B5BB9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xA7B59950]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xA7B5DB7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xA7B5A5AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xA7B59D92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xA7B59F92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xA7B5BEAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xA7B5E084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xA7B5A0A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xA7B5A110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xA7B5BD5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xA7B5D620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xA7B5B9F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xA7B59AB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xA7B5A3B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xA7B5DBA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xA7B5A2FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xA7B5A178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xA7B59E7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xA7B59C5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xA7B5D888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xA7B595D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xA7B5CA74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xA7B59734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xA7B5DF56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xA7B593D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xA7B5C08C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)  ZwSetContextThread [0xA7B5A6AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xA7B5D71A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xA7B5DBD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xA7B59B08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xA7B5DCB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xA7B5DDE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xA7B5D54C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xA7B5A47E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xA7B5A4F0]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP A7B71626 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP A7B719E0 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2C40 805044DC 4 Bytes JMP 7CA7B5C1 
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [B4, DC, B5, A7, E0, DD, B5, ...] {MOV AH, 0xdc; MOV CH, 0xa7; LOOPNZ 0xffffffffffffffe3; MOV CH, 0xa7; DEC ESP; AAD 0xb5; CMPSD }
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B83128AC 5 Bytes JMP 8A5541C8 
.rsrc C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xB88AFF94]
? System32\Drivers\a7ibxge1.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[772] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; 
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[772] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
.text C:\WINDOWS\system32\CSHelper.exe[820] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A 
.text C:\WINDOWS\system32\CSHelper.exe[820] USER32.dll!GetDC 7E4186C7 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CSHelper.exe[820] USER32.dll!GetDC + 4 7E4186CB 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\CSHelper.exe[820] USER32.dll!GetWindowDC 7E419021 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CSHelper.exe[820] USER32.dll!GetWindowDC + 4 7E419025 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\CSHelper.exe[820] USER32.dll!PrintWindow 7E423810 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CSHelper.exe[820] USER32.dll!PrintWindow + 4 7E423814 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\CSHelper.exe[820] USER32.dll!EnumDisplayDevicesA 7E428A74 6 Bytes JMP 5F0A0F5A 
.text C:\WINDOWS\system32\CSHelper.exe[820] USER32.dll!GetDCEx 7E42C595 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CSHelper.exe[820] USER32.dll!GetDCEx + 4 7E42C599 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\CSHelper.exe[820] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 5F040F5A 
.text C:\WINDOWS\system32\CSHelper.exe[820] GDI32.dll!MaskBlt 77F1A0C1 6 Bytes JMP 5F100F5A 
.text C:\WINDOWS\system32\CSHelper.exe[820] GDI32.dll!StretchBlt 77F1B6D0 6 Bytes JMP 5F0D0F5A 
.text C:\WINDOWS\system32\CSHelper.exe[820] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 5F130F5A 
.text C:\WINDOWS\system32\CSHelper.exe[820] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 5F160F5A 
.text C:\WINDOWS\system32\CSHelper.exe[820] GDI32.dll!PlgBlt 77F453B3 6 Bytes JMP 5F250F5A 
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A 
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A 
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C 
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2280] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; 
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2280] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
.text C:\WINDOWS\Explorer.EXE[2964] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A 
.text C:\WINDOWS\Explorer.EXE[2964] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A 
.text C:\WINDOWS\Explorer.EXE[2964] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A80C1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{976DD75C-E68A-40B7-B2B6-137D80D4EF78} 89E587A0

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A5537A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{1FD38C8D-C8AB-4F96-A7B9-3AC25AAF8E49} 89E587A0
Device \Driver\usbuhci \Device\USBPDO-1 8A5537A0
Device \Driver\usbehci \Device\USBPDO-2  8A5341E8
Device \Driver\usbuhci \Device\USBPDO-3 8A5537A0
Device \Driver\usbuhci \Device\USBPDO-4 8A5537A0

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbehci \Device\USBPDO-5 8A5341E8
Device \Driver\usbuhci \Device\USBPDO-6 8A5537A0
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A80E1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A80E1E8
Device \Driver\Cdrom \Device\CdRom0 8A4847A0
Device \Driver\Cdrom \Device\CdRom1 8A4847A0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E3AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E3AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E3AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A80E1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89E587A0
Device \Driver\NetBT \Device\NetbiosSmb 89E587A0
Device \Driver\PCI_NTPNP2148 \Device\0000004f sptd.sys

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBFDO-0 8A5537A0
Device \Driver\usbuhci \Device\USBFDO-1 8A5537A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89E957A0
Device \Driver\usbehci \Device\USBFDO-2 8A5341E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89E957A0
Device \Driver\usbuhci \Device\USBFDO-3 8A5537A0
Device \Driver\usbuhci \Device\USBFDO-4  8A5537A0
Device \Driver\Ftdisk \Device\FtControl 8A80E1E8
Device \Driver\usbuhci \Device\USBFDO-5 8A5537A0
Device \Driver\usbehci \Device\USBFDO-6 8A5341E8
Device \Driver\a7ibxge1 \Device\Scsi\a7ibxge11Port2Path0Target0Lun0 8A4011E8
Device \Driver\a7ibxge1 \Device\Scsi\a7ibxge11 8A4011E8
Device \FileSystem\Fastfat \Fat 894A51E8
Device \FileSystem\Fastfat \Fat 99D0C297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89E597A0
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A41CAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x49 0xD2 0x09 0x14 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x6B 0x42 0x83 0x1E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x0B 0xBA 0x99 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\1965923922[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0x49 0xD2 0x09 0x14 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x6B 0x42 0x83 0x1E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x0B 0xBA 0x99 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0x49 0xD2 0x09 0x14 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x6B 0x42 0x83 0x1E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x0B 0xBA 0x99 0x16 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

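Two lines in the GMER log above carry the actual finding: `redbook.sys entry point in ".rsrc" section` and, under Files, `atapi.sys suspicious modification` (ComboFix's Find3M list earlier in the thread likewise shows atapi.sys last written on 2010-04-12 against a 2004 creation date). A linker-produced driver has its entry point inside an executable code section; an entry point that resolves into the resource section is what a patched system driver looks like. The following Python check is an added example, not GMER's code and nothing posted in the thread. It parses the PE headers of a driver file and reports which section the entry point lands in; the two images it tests are constructed header-only samples, and the "suspicious" rule (entry point in `.rsrc`, or in a section without IMAGE_SCN_MEM_EXECUTE) is my heuristic, not a GMER rule.

```python
"""Report which PE section a driver's entry point lands in; stdlib only."""
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (nsect,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):                   # IMAGE_SECTION_HEADER array
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size = struct.unpack_from("<III", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name, "va": va,
                         "size": max(vsize, raw_size), "chars": chars})
    return entry_rva, sections


def entry_point_verdict(data):
    """'ok: ...' only when the entry point is in an executable, non-resource section."""
    entry_rva, sections = parse_pe(data)
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + s["size"]:
            if s["name"] == ".rsrc" or not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
                return "suspicious: entry point in %s section" % s["name"]
            return "ok: entry point in %s section" % s["name"]
    return "suspicious: entry point outside every section"


def build_sample(entry_rva, sections):
    """Constructed minimal PE32 header set for the demo; not a real driver."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                           # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, va, size, 0x400, 0, 0, 0, 0, chars)
        for name, va, size, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


# Same section layout for both samples; only the entry point differs.
LAYOUT = [(".text", 0x1000, 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
          (".rsrc", 0x4000, 0x0400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)]
CLEAN_DRIVER = build_sample(0x1020, LAYOUT)    # entry in .text, as a linker emits it
PATCHED_DRIVER = build_sample(0x4100, LAYOUT)  # entry redirected into .rsrc

if __name__ == "__main__":
    for path in sys.argv[1:]:                # e.g. a copy of atapi.sys or redbook.sys
        with open(path, "rb") as f:
            print(path, "->", entry_point_verdict(f.read()))
    print("clean sample   ->", entry_point_verdict(CLEAN_DRIVER))
    print("patched sample ->", entry_point_verdict(PATCHED_DRIVER))
```

One caveat that follows from the same log: the catchme output lists an UNKNOWN module in the disk call chain and GMER shows `\Device\Harddisk0\DR0` resolving to an address rather than to atapi.sys, so a file read on the live system may not return the bytes actually on disk. Run the check against a copy taken from a clean boot medium, and compare the file with the copy Windows keeps in `ServicePackFiles\i386` or `dllcache` rather than trusting the live one.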

----------



## russelb923 (Apr 8, 2010)

All but IAT/EAT and Files were checked.


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click* Start > Run* type *Notepad* click *OK.*
This will open an empty notepad file:

*Copy* all the text *inside of the code box* - *Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
TDL::
C:\WINDOWS\system32\DRIVERS\redbook.sys
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')
*Save this file to your desktop, and save it as "CFScript"*

Here's how to do that:

1.Click *File*;
2.Click *Save As*... Change the directory to your *desktop*;
3.Change the* Save as type* to *"All Files";*
4.Type in the file name: *CFScript*
5.Click *Save ...*

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. 
*Copy and paste the contents of the log in your next reply.*

CAUTION: *Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.

*NEXT*

Please download *Malwarebytes' Anti-Malware * 

Double Click *mbam-setup.exe* to install the application.
Make sure a *checkmark* is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click *Finish.*
If an update is found, it will download and install the latest version.
Once the program has loaded, select* "Perform Quick Scan"*, then click* Scan.*
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that everything is checked, and click *Remove Selected*. <-- very important
When disinfection is completed, a *log* will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


*NEXT*

*Run an on-line scan with Kaspersky*

Using Internet Explorer or Firefox, visit *Kaspersky On-line Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions. 
*2.* To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan
*3.* Click *Run* at the Security prompt. 
The program will then begin downloading and installing and will also update the database. 
Please be patient as this can take several minutes. 

Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan. 
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. 
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined. 
Click *View scan report* at the bottom.

Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply.


----------



## russelb923 (Apr 8, 2010)

Hi, I dragged the new CFScript to ComboFix, and I know it told me not to reboot my computer, that ComboFix would do it by itself, but it never did for nearly an hour, so I turned the computer off. I don't know if it's safe to try the same step over again or not, so I thought I would ask you before I do so.


----------



## CatByte (Feb 24, 2009)

Don't repeat the step.

Please look in C:\combofix.txt and see if there is a log.


----------



## russelb923 (Apr 8, 2010)

There is no ComboFix log, but there is an icon for ComboFix in C:\ that wasn't there before, and the icon is the same as the 'My Computer' icon, and if I click on it it just takes me to My Computer. Why's that?


----------



## CatByte (Feb 24, 2009)

Please delete the copy of combofix from your desktop and download a fresh copy

*Link 1* 

Please re-run ComboFix (without the script).

Make sure all your security programs are disabled.

Allow ComboFix to run uninterrupted, even if it appears to have stalled. Please give it plenty of time to create a log.


----------



## russelb923 (Apr 8, 2010)

Did you want me to completely uninstall it through Run > combofix /uninstall, or just delete the copy that's on my desktop?


----------



## CatByte (Feb 24, 2009)

No, please do not uninstall completely; just right click > delete the copy that you have on your desktop.


----------



## russelb923 (Apr 8, 2010)

ComboFix 10-04-17.07 - Admin 04/18/2010 21:57:27.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1345 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe

Infected copy of c:\windows\system32\DRIVERS\redbook.sys was found and disinfected 
Restored copy from - Kitty had a snack  
Infected copy of c:\windows\system32\DRIVERS\redbook.sys was found and disinfected 
Restored copy from - Kitty ate it  
.
((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-14 04:51 . 2010-04-15 02:32	187904	--sha-w-	c:\documents and settings\All Users\Application Data\MSASCui.exe
2010-04-13 22:16 . 2010-04-17 22:27	664	----a-w-	c:\windows\system32\d3d9caps.dat
2010-04-13 22:16 . 2010-04-13 22:16	552	----a-w-	c:\windows\system32\d3d8caps.dat
2010-04-09 04:05 . 2010-04-09 04:05	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Roxio
2010-04-09 04:05 . 2010-04-09 04:05	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Roxio
2010-04-09 00:09 . 2010-04-15 02:16	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-09 00:08 . 2010-04-19 00:09	439816	----a-w-	c:\documents and settings\Admin\Application Data\Real\Update\setup3.10\setup.exe
2010-04-06 02:58 . 2010-04-06 02:59	1924976	----a-w-	C:\install_flash_player.exe
2010-04-04 18:57 . 2010-04-05 08:19	--------	d-----w-	C:\video_output
2010-04-04 18:51 . 2007-04-12 18:19	129024	----a-w-	c:\windows\system32\AVERM.dll
2010-04-04 18:51 . 2006-09-26 17:57	28672	----a-w-	c:\windows\system32\AVEQT.dll
2010-04-04 18:51 . 2010-04-04 18:57	--------	d-----w-	c:\program files\Allok 3GP PSP MP4 iPod Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 01:47 . 2008-01-15 05:40	--------	d-----w-	c:\documents and settings\Admin\Application Data\LimeWire
2010-04-18 19:56 . 2007-12-28 00:13	--------	d-----w-	c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-18 19:54 . 2009-04-22 05:15	4020	--sha-w-	c:\windows\system32\drivers\fidbox2.idx
2010-04-18 19:54 . 2009-04-22 05:15	868384	--sha-w-	c:\windows\system32\drivers\fidbox2.dat
2010-04-18 19:54 . 2009-04-22 05:15	3100192	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2010-04-18 19:54 . 2009-04-22 05:15	25300	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2010-04-17 21:57 . 2008-10-15 06:05	--------	d-----w-	c:\program files\Steam
2010-04-14 05:01 . 2009-12-13 01:07	79488	----a-w-	c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 20:40 . 2004-08-04 04:59	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2010-04-06 03:24 . 2007-12-06 19:41	--------	d-----w-	c:\program files\Google
2010-04-05 21:36 . 2008-01-09 02:16	--------	d-----w-	c:\program files\FlashGet
2010-04-04 06:05 . 2007-12-06 19:31	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-03-04 01:53 . 2008-12-31 21:10	--------	d-----w-	c:\program files\PSPVideoConverter
2010-01-21 16:03 . 2009-09-02 21:53	69036	---ha-w-	c:\windows\system32\mlfcache.dat
2007-12-27 21:52 . 2007-12-27 21:52	3743542	----a-w-	c:\program files\daemon_20tools_204[1].9.rar
2007-12-25 01:37 . 2007-12-25 01:37	287240	----a-w-	c:\program files\DirectX10.exe
2007-12-25 01:22 . 2007-12-25 01:22	707624	----a-w-	c:\program files\WindowsXP-KB936357-v2-x86-ENU.exe
2008-08-30 06:30 . 2008-08-30 06:30	122880	----a-w-	c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-11-22 04:06 . 2007-11-19 14:44	499712	----a-w-	c:\program files\mozilla firefox\plugins\SetupHelper.dll
.

((((((((((((((((((((((((((((( [email protected]_20.11.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-18 19:55 . 2010-04-18 19:55	16384 c:\windows\Temp\Perflib_Perfdata_26c.dat
+ 2007-12-15 16:12 . 2010-04-18 19:50	32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-15 16:12 . 2010-04-15 19:36	32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-15 16:12 . 2010-04-18 19:50	32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-15 16:12 . 2010-04-15 19:36	32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-16 20:23 . 2010-04-18 19:50	16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-12-15 16:12 . 2010-04-15 19:36	16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-10 148888]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-30 29744]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]
"GrooveMonitor"="c:\program files\Microsoft Office Ultimate 2007\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-17 198160]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-23 208616]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-21 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-6 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-12-28 03:19	229376	----a-w-	c:\program files\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office Ultimate 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Ultimate 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office Ultimate 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/27/2007 6:17 PM 682232]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [3/23/2009 12:28 AM 192512]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/6/2007 3:41 PM 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071206
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with &DAP - c:\program files\download accelerator\dapextie.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download &all with DAP - c:\program files\download accelerator\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI8A79~1\Office12\EXCEL.EXE/3000
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\o7jxw9r4.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={45F61C87-7817-54E7-1991-103585E876C6}&query=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\program files\WindowBlinds\wbsrv.dll
.
Completion time: 2010-04-18 22:06:48
ComboFix-quarantined-files.txt 2010-04-19 02:06
ComboFix2.txt 2010-04-15 20:24
ComboFix3.txt 2010-04-15 03:29

Pre-Run: 45,623,681,024 bytes free
Post-Run: 45,695,442,944 bytes free

- - End Of File - - 1DC2AF2757E6F92A10F8E877F41A9EBE
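The log above is what the CFScript step was meant to produce, and a helper reads it for a few specific things. As an added example (not code from this thread, from ComboFix, or from any tool named here), the following Python script scans lines in that format and reports the driver files the TDL:: directive disinfected, Security Center and firewall registry values that leave Windows' own protections silenced or off, and a Firefox keyword.URL override of the kind that causes the address-bar redirects described at the top of the thread. The sample log is a constructed, abridged copy of the report posted above.

```python
"""Triage a ComboFix report for the outcomes a helper checks first.

Added example; not part of the thread, of ComboFix, or of any tool named in it.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the ComboFix log posted in the thread
# (one of the two redbook.sys lines, the Security Center and firewall keys,
# and two Firefox prefs).
SAMPLE_LOG = """\
Infected copy of c:\\windows\\system32\\DRIVERS\\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&query=
"""

# Line shapes taken from the ComboFix report format shown in the thread.
DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>\S+) was found and disinfected", re.I)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$")

# (registry key suffix, value name) -> the setting that means "protection
# silenced or off". The thread's log shows all three of these set that way.
WEAK_SETTINGS = {
    ("security center", "AntiVirusOverride"): "1",
    ("security center", "FirewallOverride"): "1",
    ("standardprofile", "EnableFirewall"): "0",
}


def _normalise(value: str) -> str:
    """Turn ComboFix's 'dword:00000001' or '0 (0x0)' into a decimal string."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return str(int(value[len("dword:"):], 16))
    return value.split()[0]


@dataclass
class Triage:
    disinfected_drivers: List[str] = field(default_factory=list)
    weakened_settings: List[str] = field(default_factory=list)
    keyword_url: Optional[str] = None  # Firefox address-bar search override, if any


def triage_combofix_log(text: str) -> Triage:
    """Walk the report line by line, tracking the current registry key."""
    result = Triage()
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = DISINFECTED_RE.match(line)
        if m:
            result.disinfected_drivers.append(m.group("path").lower())
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            for (suffix, name), bad in WEAK_SETTINGS.items():
                if (current_key.endswith(suffix) and m.group("name") == name
                        and _normalise(m.group("value")) == bad):
                    result.weakened_settings.append(f"{current_key}\\{name}={bad}")
            continue
        m = FF_PREF_RE.match(line)
        if m and m.group("pref") == "keyword.URL":
            result.keyword_url = m.group("value")
    return result


if __name__ == "__main__":
    t = triage_combofix_log(SAMPLE_LOG)
    print("disinfected drivers:", t.disinfected_drivers)
    print("weakened settings:", t.weakened_settings)
    print("keyword.URL override:", t.keyword_url)
```

On the sample it reports redbook.sys as disinfected, all three weakened settings, and the greatsearchnow.com keyword.URL value; a log where AntiVirusOverride is 0 and no keyword.URL line appears produces an empty list and None.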


----------



## russelb923 (Apr 8, 2010)

Also, an error popped up during the scan; it was titled something like PEV.cffx? I think. And it said there was a corrupt file and told me to use the ChkDsk utility.


----------



## russelb923 (Apr 8, 2010)

Just got an error for MBAM.


----------



## CatByte (Feb 24, 2009)

Hi,


Uninstall Malwarebytes' Anti-Malware using *Add/Remove programs* in the control panel.
Restart your computer (*very important*).
Download and run this utility.
It will ask to restart your computer (please allow it to).
After the computer restarts, install the latest version from here.


----------



## russelb923 (Apr 8, 2010)

Same error.


----------



## CatByte (Feb 24, 2009)

That DLL is from your Visual Basic package.

You will likely need to visit the Windows Update site and see if there are any updates that you need for Visual Basic.


In the meantime, move on to the Kaspersky scan.


----------



## russelb923 (Apr 8, 2010)

OK, I already have Kaspersky Anti-Virus. Would you still like me to use the website for the scan?


----------



## CatByte (Feb 24, 2009)

Oh no, my apologies.

It won't run for you.

Please do a full scan with your onboard program (make sure the definitions are up to date) and report any findings.


----------



## russelb923 (Apr 8, 2010)

Well, every time I boot up the computer Kaspersky automatically tells me threats are detected, and the active threats right now are Rootkit.Win32.TDSS.d. Did you still need the scan results?


----------



## CatByte (Feb 24, 2009)

I expect they are being located in C:\qoobox\quarantine

or System Volume Information (old system restore points). If they are located in any other location, please post the log.


----------



## russelb923 (Apr 8, 2010)

I looked in C:\Qoobox and found a few different types of folders, but I looked around and saw folders for the trojans like ShoppingReport and Windows Defender. idk which log you're looking for? There's one called catchme and it only contains dates and times, no other info.


----------



## CatByte (Feb 24, 2009)

Hi,

I was referring to a report from your Kaspersky Antivirus, as you indicated it was finding trojans,

I would like to see the report if you can produce one


----------



## russelb923 (Apr 8, 2010)

I don't see a log in C:\qoobox\quarantine besides the catchme I mentioned above. Also there is a rar file of the quarantined trojans, a file named "registry_backups", and one named "C".


----------



## russelb923 (Apr 8, 2010)

PS: sorry for the late reply, haven't been home in 2 days, but I will check the other location you mentioned it might be in.


----------



## russelb923 (Apr 8, 2010)

Just finished a full scan and still found no log in that location. The scan just ended without warning and all Kaspersky windows disappeared, so I looked in Kaspersky and found scan results, and it says there was an error during the scan, maybe because I was on the internet at the same time? Well, either way I see no log for it. Well, I will be back after work tomorrow around 4pm Eastern.


----------



## CatByte (Feb 24, 2009)

Try this scanner:

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

Click the [image] button.

For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on [image] to download the ESET Smart Installer. *Save* it to your desktop.

Double click on the [image] icon on your desktop.

Check [image]

Click the [image] button.
Accept any security warnings from your browser.

Check [image]

Push the *Start* button.

ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push [image]

Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the [image] button.
Push

----------



## russelb923 (Apr 8, 2010)

C:\Program Files\Frets on Fire\RF-mod-4-win32.zip	probably a variant of Win32/Agent trojan	deleted - quarantined
C:\Program Files\Frets on Fire\RF mod 4.15 for v1.2.451 (GAME)\contrib\lyrics\LRC2FOF v1.2\LRC2FOF.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\Program Files\GTA- san andreas\sa\gta.sa\GTA San Andreas\trainer.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\Program Files\NFS Carbon\Carbon\NFS_Carbon.iso	probably a variant of Win32/Agent trojan	deleted - quarantined
C:\Program Files\NFS Carbon\Carbon\Razor1911\Keygen.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\Program Files\SAN ANDREAS BACKUP\sa\gta.sa\GTA San Andreas\trainer.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\Program Files\SONIC hedgehog collection\Sonic the Hedgehog 1\sonic.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\Program Files\SONIC hedgehog collection\Sonic the Hedgehog 3\sonic_3.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\Program Files\TrackMania United Forever (install files and track mod)\tmuf-dtn.iso	probably a variant of Win32/Agent trojan	deleted - quarantined
C:\Program Files\TrackMania United Forever (install files and track mod)\DETONATiON\keygen-tmuf-dtn.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\Program Files\WindowBlinds\WindowBlinds6 Installer and Skins\Windowblinds6.rar	probably a variant of Win32/Injector.U trojan	deleted - quarantined
C:\Qoobox\32788R22FWJFW\redbook.sys	Win32/Olmarik.XG trojan	cleaned - quarantined
C:\Qoobox\Quarantine\[4]-Submit_2010-04-15_15.58.47.zip	multiple threats	deleted - quarantined
C:\Qoobox\Quarantine\C\Program Files\ShoppingReport\Uninst.exe.vir	probably a variant of Win32/Adware.Agent application	cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\iqacejoxodokake.dll.vir	a variant of Win32/Cimag.CG trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP497\A0091699.DLL	Win32/Toolbar.MyWebSearch application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP497\A0091700.DLL	Win32/Toolbar.MyWebSearch.G application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP497\A0091701.DLL	Win32/Adware.FunWeb application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP497\A0091702.DLL	Win32/Toolbar.MyWebSearch application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP497\A0091703.DLL	Win32/Toolbar.MyWebSearch.K application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP497\A0091704.EXE	Win32/Toolbar.MyWebSearch application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP497\A0091705.DLL	Win32/Toolbar.MyWebSearch application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP497\A0091795.dll	Win32/Toolbar.MyWebSearch.K application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP525\A0109526.exe	a variant of Win32/Toolbar.MyWebSearch.I application	deleted - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP525\A0109569.exe	probably a variant of Win32/Adware.Agent application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP525\A0109571.dll	a variant of Win32/Cimag.CG trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP527\A0118073.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP527\A0118074.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP527\A0118082.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP527\A0118083.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP527\A0118090.exe	probably a variant of Win32/Agent trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP527\A0118092.sys	Win32/Olmarik.XG trojan	cleaned - quarantined
C:\WINDOWS\system32\agieev.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\alopp.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\asshejmdo.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\asudoevwi.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\asuhjeasu.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\cololob.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\craserrpo.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\errdllasuasu.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\etapias.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\foyapiasu.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\gibasg.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\h32sto.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\niripwico.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\nishedllco.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\pocope.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\sloebxy.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined
C:\WINDOWS\system32\wiloshewin.dll	a variant of Win32/Delf.PFX trojan	cleaned by deleting - quarantined


----------



## CatByte (Feb 24, 2009)

Please post a fresh DDS log and advise how your computer is running now and if there are any outstanding issues.


----------



## russelb923 (Apr 8, 2010)

OK, done. Did you need the attach.txt zipped again, or did you just want the one DDS log?


----------



## CatByte (Feb 24, 2009)

Both, if you have them, thanks.


----------



## russelb923 (Apr 8, 2010)

attach.txt:
http://www.mediafire.com/file/tzrej2d2y0m/Attach2.rar

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Admin at 13:00:30.90 on Fri 04/23/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1516 [GMT -4:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Microsoft Office Ultimate 2007\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Admin\Desktop\dds.com
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071206
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office ultimate 2007\office12\GrooveShellExtensions.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office ultimate 2007\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with &DAP - c:\program files\download accelerator\dapextie.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Download &all with DAP - c:\program files\download accelerator\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi8a79~1\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi8a79~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi8a79~1\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203691876593
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office ultimate 2007\office12\GrooveSystemServices.dll
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: WBSrv - c:\program files\windowblinds\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office ultimate 2007\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\o7jxw9r4.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={45F61C87-7817-54E7-1991-103585E876C6}&query=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-4-22 226832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 208616]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-3-23 192512]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-6 29744]

=============== Created Last 30 ================

2010-04-22 17:27:40	0	d-----w-	c:\program files\ESET
2010-04-20 02:21:49	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 02:21:47	0	d-----w-	c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-20 02:21:46	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-20 02:21:46	0	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-04-19 01:55:58	0	d-----w-	C:\ComboFix
2010-04-15 02:55:41	0	d-sha-r-	C:\cmdcons
2010-04-15 02:52:12	77312	----a-w-	c:\windows\MBR.exe
2010-04-15 02:52:12	261632	----a-w-	c:\windows\PEV.exe
2010-04-15 02:52:11	161792	----a-w-	c:\windows\SWREG.exe
2010-04-15 02:52:10	98816	----a-w-	c:\windows\sed.exe
2010-04-14 04:51:28	187904	--sha-w-	c:\docume~1\alluse~1\applic~1\MSASCui.exe
2010-04-13 22:16:08	664	----a-w-	c:\windows\system32\d3d9caps.dat
2010-04-13 22:16:08	552	----a-w-	c:\windows\system32\d3d8caps.dat
2010-04-06 02:58:59	1924976	----a-w-	C:\install_flash_player.exe
2010-04-04 18:57:54	0	d-----w-	C:\video_output
2010-04-04 18:51:46	28672	----a-w-	c:\windows\system32\AVEQT.dll
2010-04-04 18:51:46	258048	----a-w-	c:\windows\system32\GplMpgDec.ax
2010-04-04 18:51:46	129024	----a-w-	c:\windows\system32\AVERM.dll
2010-04-04 18:51:44	0	d-----w-	c:\program files\Allok 3GP PSP MP4 iPod Video Converter

==================== Find3M ====================

2010-04-23 07:20:33	868384	--sha-w-	c:\windows\system32\drivers\fidbox2.dat
2010-04-23 07:20:33	4020	--sha-w-	c:\windows\system32\drivers\fidbox2.idx
2010-04-23 07:20:33	3799072	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2010-04-23 07:20:33	30760	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2010-04-12 20:40:59	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2007-12-27 21:52:10	3743542	----a-w-	c:\program files\daemon_20tools_204[1].9.rar
2007-12-25 01:37:36	287240	----a-w-	c:\program files\DirectX10.exe
2007-12-25 01:22:09	707624	----a-w-	c:\program files\WindowsXP-KB936357-v2-x86-ENU.exe
2008-10-07 17:46:17	32768	--sha-w-	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100720081008\index.dat

============= FINISH: 13:01:37.37 ===============


----------



## russelb923 (Apr 8, 2010)

The computer is running ok but Kaspersky is still flashing red saying there are active threats. Should I try disinfecting with Kaspersky again since we've gotten rid of most of the virus?


----------



## CatByte (Feb 24, 2009)

Yes, go ahead and run Kaspersky. Let me know exactly what it finds and where.

Were you ever able to install MalwareBytes?


----------



## russelb923 (Apr 8, 2010)

I tried several times to update Windows using the update website and it kept coming to an error screen saying that Internet Explorer had a problem loading the page, so no progress on updating Windows. I also checked if Automatic Updates was on and it is, so I don't see why I wouldn't have the latest updates. Going to try and disinfect with Kaspersky when I'm back after work.


----------



## CatByte (Feb 24, 2009)

How did the Kaspersky scan do?


----------



## russelb923 (Apr 8, 2010)

The scan finally finished about 4 hours later and it found a lot of vulnerabilities and a couple of trojans and viruses. I provided a screen shot because I couldn't find a log that I could post here, and made sure all the infections and filenames/types are visible. After clicking "disinfect all" the yellow pop up at the bottom came up and I did a delete of just one file, but then stopped myself because I wasn't sure if it was actually okay that I'm deleting everything that it found to be harmful. You'll see the green check by the one I deleted. Let me know what to do from here because I don't want to delete anything before you tell me it's okay. Thanks.


----------



## CatByte (Feb 24, 2009)

I'm sorry, I'm not seeing the screen shot???


----------



## russelb923 (Apr 8, 2010)

Uploaded with ImageShack.us


----------



## russelb923 (Apr 8, 2010)

Sorry, it was taking a minute to upload.


----------



## CatByte (Feb 24, 2009)

Delete the items in the Sonic hedgehog collection.
Leave everything else.

Then please run a fresh DDS log and GMER log; just check the box beside "sections" and the C:\ drive, and leave everything else blank.

Please advise how your computer is running now and if there are any outstanding issues.


----------



## russelb923 (Apr 8, 2010)

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Admin at 21:51:48.12 on Mon 04/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1451 [GMT -4:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Microsoft Office Ultimate 2007\Office12\GrooveMonitor.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Admin\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071206
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office ultimate 2007\office12\GrooveShellExtensions.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office ultimate 2007\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with &DAP - c:\program files\download accelerator\dapextie.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Download &all with DAP - c:\program files\download accelerator\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi8a79~1\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi8a79~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi8a79~1\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272046845796
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272047260531
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office ultimate 2007\office12\GrooveSystemServices.dll
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: WBSrv - c:\program files\windowblinds\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office ultimate 2007\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\o7jxw9r4.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={45F61C87-7817-54E7-1991-103585E876C6}&query=
FF - plugin: c:\program files\mozilla firefox\plugins\npCopysafe35.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-4-22 226832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 208616]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-3-23 192512]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-6 29744]

=============== Created Last 30 ================

==================== Find3M ====================

2010-04-26 04:19:13	868384	--sha-w-	c:\windows\system32\drivers\fidbox2.dat
2010-04-26 04:19:13	4020	--sha-w-	c:\windows\system32\drivers\fidbox2.idx
2010-04-26 04:19:12	3799072	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2010-04-26 04:19:12	30760	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2010-04-12 20:40:59	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2007-12-27 21:52:10	3743542	----a-w-	c:\program files\daemon_20tools_204[1].9.rar
2007-12-25 01:37:36	287240	----a-w-	c:\program files\DirectX10.exe
2007-12-25 01:22:09	707624	----a-w-	c:\program files\WindowsXP-KB936357-v2-x86-ENU.exe
2008-10-07 17:46:17	32768	--sha-w-	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100720081008\index.dat

============= FINISH: 21:53:08.37 ===============


----------



## russelb923 (Apr 8, 2010)

Attach.txt:

http://www.mediafire.com/file/mk2dazymmqe/Attach3.rar


----------



## CatByte (Feb 24, 2009)

Please re-run GMER as well; just check the box beside "Sections" and the C:\ drive, and leave everything else blank.

Thank-you


----------



## russelb923 (Apr 8, 2010)

About how long should it take? Last night it took nearly an hour, and I noticed it was scanning files extremely slowly, not like before.


----------



## CatByte (Feb 24, 2009)

There is no standard amount of time, it depends on your computer.

Do you have the log to post?


----------



## russelb923 (Apr 8, 2010)

No, I don't, sorry. Every time I ran GMER and tried to save the log, it froze everything up. First I copied the log in case it wouldn't save, so I could just post it, but even then it wouldn't let me save it into Notepad or even open any web browsers.


----------



## CatByte (Feb 24, 2009)

Did you try running GMER in safe mode?

Please give me the current status of your computer.

What are the outstanding issues?


----------



## russelb923 (Apr 8, 2010)

The only issues I seem to notice are that sometimes when shutting down it takes an extremely long time to get to the shut-down screen where it asks what I want to do, and, not every time, but it also seems to take a very long time to actually shut down. Also, every once in a while Safari will freeze up for a moment. I haven't really switched back to Firefox, as that was one of the issues with the virus and I was left with Safari, which worked for the most part throughout the infection. Other than that, right now only GMER seems to freeze everything up completely; all other programs seem to work fine.


----------



## CatByte (Feb 24, 2009)

OK,

I'm a little concerned about the GMER program not working, but let's try another rootkit program.

Try a defrag and clear your Temp files, and let's see if that helps. Also give Firefox a run and see if there are still issues.

Please do the following:

Download *TFC* to your *desktop*

Close any open windows.
Double click the *TFC* icon to run the program
TFC *will close all open programs itself* in order to run, 
Click the *Start* button to begin the process. 
Allow *TFC* to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically *reboot your machine;*
if it doesn't, manually reboot to ensure a complete clean.
*It's normal after running TFC cleaner that the PC will be slower to boot the first time.*

*NEXT*

Download and run *Auslogics Disc Defragmenter *

*NEXT*


Download RootRepeal from the following location and save it to your desktop.
*Zip Mirrors (Recommended)*
Primary Mirror
Secondary Mirror
Secondary Mirror

*Rar Mirrors* - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror


Extract RootRepeal.exe from the archive.
Open RootRepeal.exe on your desktop.
Click the [image missing] tab.
Click the [image missing] button.
Check all seven boxes: [image missing]
Push Ok.
Check the box for your main system drive (usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the [image missing] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


----------



## russelb923 (Apr 8, 2010)

Kaspersky is seeing RootRepeal as a security threat. Why is this? It says it is trying to download hidden drivers and cannot be controlled once it's run.


----------



## CatByte (Feb 24, 2009)

Disable Kaspersky till RootRepeal is done. It just detects it based on heuristics, as it has to scan low-level files.

It's safe to run.


----------



## russelb923 (Apr 8, 2010)

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/05/03 16:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: a0mx9tyf.SYS
Image Path: C:\WINDOWS\System32\Drivers\a0mx9tyf.SYS
Address: 0xB8306000	Size: 417792	File Visible: No	Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA668A000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA66A000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xBA61A000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: PCI_NTPNP5724
Image Path: \Driver\PCI_NTPNP5724
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA62F5000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\change.log.2
Status: Locked to the Windows API!

SSDT
-------------------
#: 011	Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69381da

#: 025	Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69387ae

#: 031	Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693a1ea

#: 037	Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6939b9c

#: 041	Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6937950

#: 052	Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693bb7c

#: 053	Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69385ae

#: 063	Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6937d92

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6937f92

#: 066	Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6939eac

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693c084

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69380a8

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6938110

#: 084	Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6939d5e

#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693b620

#: 116	Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69399f8

#: 119	Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6937ab2

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69383b2

#: 125	Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693bba6

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69382fe

#: 160	Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6938178

#: 161	Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6937e7c

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6937c5a

#: 180	Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693b888

#: 193	Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69375d2

#: 200	Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693aa74

#: 204	Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6937734

#: 206	Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693bf56

#: 207	Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69373d0

#: 210	Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693a08c

#: 213	Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69386ac

#: 237	Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693b71a

#: 240	Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693bbd0

#: 247	Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6937b08

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693bcb4

#: 254	Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693bde0

#: 255	Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693b54c

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693847e

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69384f0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System	Address: 0x8a80c1e8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x8a54e390	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System	Address: 0x8a6121e8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a6121e8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a6121e8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a6121e8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System	Address: 0x8a6121e8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a6121e8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System	Address: 0x8a6121e8	Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_CREATE]
Process: System	Address: 0x8a80d1e8	Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_CLOSE]
Process: System	Address: 0x8a80d1e8	Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a80d1e8	Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a80d1e8	Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_POWER]
Process: System	Address: 0x8a80d1e8	Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a80d1e8	Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_PNP]
Process: System	Address: 0x8a80d1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System	Address: 0x8a80e1e8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System	Address: 0x8a12c1e8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System	Address: 0x8a12c1e8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a12c1e8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a12c1e8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a12c1e8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System	Address: 0x8a12c1e8	Size: 121

Object: Hidden Code [Driver: a0mx9tyf؅ఉ义䍔&#56288;, IRP_MJ_CREATE]
Process: System	Address: 0x8a5147a0	Size: 121

Object: Hidden Code [Driver: a0mx9tyf؅ఉ义䍔&#56288;, IRP_MJ_CLOSE]
Process: System	Address: 0x8a5147a0	Size: 121

Object: Hidden Code [Driver: a0mx9tyf؅ఉ义䍔&#56288;, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a5147a0	Size: 121

Object: Hidden Code [Driver: a0mx9tyf؅ఉ义䍔&#56288;, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a5147a0	Size: 121

Object: Hidden Code [Driver: a0mx9tyf؅ఉ义䍔&#56288;, IRP_MJ_POWER]
Process: System	Address: 0x8a5147a0	Size: 121

Object: Hidden Code [Driver: a0mx9tyf؅ఉ义䍔&#56288;, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a5147a0	Size: 121

Object: Hidden Code [Driver: a0mx9tyf؅ఉ义䍔&#56288;, IRP_MJ_PNP]
Process: System	Address: 0x8a5147a0	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System	Address: 0x8a5f04e0	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a5f04e0	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a5f04e0	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a5f04e0	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System	Address: 0x8a5f04e0	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a5f04e0	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System	Address: 0x8a5f04e0	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System	Address: 0x898eb1e8	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_CREATE]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_CLOSE]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_READ]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_CLEANUP]
Process: System	Address: 0x89ec57a0	Size: 121

Object: Hidden Code [Driver: Therm, IRP_MJ_PNP]
Process: System	Address: 0x89ec57a0	Size: 121

Shadow SSDT
-------------------
#: 013	Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6939938

#: 227	Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6939998

#: 237	Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69399c8

#: 292	Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6939968

#: 307	Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6938e28

#: 323	Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6939ff8

#: 378	Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6939106

#: 383	Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6938d68

#: 414	Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6938dc8

#: 416	Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6938d98

#: 460	Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693b49c

#: 475	Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693b4f4

#: 476	Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa693b520

#: 491	Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6939fa2

#: 502	Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69390e0

#: 549	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa6938806

#: 552	Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa69389f2

==EOF==
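
Reading a RootRepeal report like the one above by hand is slow. The Python script below is an added example for this thread, not RootRepeal's own code and not from any post; it parses the report layout shown above (section title, dashed rule, blank-line separated records of tab-separated "Key: value" fields) and summarises what a reviewer looks at first. The sample report inside it is constructed and abridged: klif.sys, rootrepeal.sys, dump_atapi.sys and a0mx9tyf.SYS are names taken from the posted log, while example.sys and its address are made up. The set of modules expected to hook the SSDT is an assumption passed in by the caller (here the Kaspersky driver listed in the DDS services section earlier in the thread).

```python
"""RootRepeal report triage: an added example for this thread, not RootRepeal's
code and not from any post. It parses the report's sections and pulls out what a
reviewer checks first: drivers with no visible file, who owns each SSDT hook, and
which drivers are flagged with hidden code in their dispatch tables."""
import re
from collections import defaultdict

# Constructed, abridged sample in RootRepeal's layout (not the log posted above).
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
Drivers
-------------------
Name: a0mx9tyf.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\a0mx9tyf.SYS
Address: 0xB8306000\tSize: 417792\tFile Visible: No\tSigned: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xA668A000\tSize: 98304\tFile Visible: No\tSigned: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xA62F5000\tSize: 49152\tFile Visible: No\tSigned: -

SSDT
-------------------
#: 037\tFunction Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\klif.sys" at address 0xa6939b9c

#: 116\tFunction Name: NtOpenFile
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\example.sys" at address 0xa0001000

Stealth Objects
-------------------
Object: Hidden Code [Driver: a0mx9tyf, IRP_MJ_CREATE]
Process: System\tAddress: 0x8a5147a0\tSize: 121

Shadow SSDT
-------------------
#: 383\tFunction Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\klif.sys" at address 0xa6938d68

==EOF==
"""

SECTION_TITLES = {"Drivers", "Hidden/Locked Files", "Processes", "SSDT",
                  "Stealth Objects", "Hidden Services", "Shadow SSDT"}
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
STEALTH_RE = re.compile(r"Hidden Code \[Driver: ([^,\]]+)")
# Windows keeps in-memory copies of the boot storage drivers for crash-dump and
# hibernation writes; they have no file on disk, so "File Visible: No" is expected.
BENIGN_PREFIXES = ("dump_", "hiber_")


def split_sections(report):
    """Map each section title (a title line followed by a dashed rule) to its lines."""
    sections, current = defaultdict(list), None
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if line.strip() in SECTION_TITLES and i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current = line.strip()
        elif current and not line.startswith("---") and line.strip() != "==EOF==":
            sections[current].append(line)
    return sections


def parse_records(lines):
    """Records are blank-line separated; each line holds tab-separated 'Key: value' fields."""
    records, current = [], {}
    for line in lines + [""]:  # the trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        for field in line.split("\t"):
            key, sep, value = field.partition(": ")
            if sep:
                current[key.strip()] = value.strip()
    return records


def triage(report, known_hookers=frozenset({"klif.sys"}), scanner="rootrepeal.sys"):
    """known_hookers: modules expected to hook the SSDT (assumed: the Kaspersky driver in this thread)."""
    sec = split_sections(report)
    hooks = defaultdict(list)
    for rec in parse_records(sec["SSDT"]) + parse_records(sec["Shadow SSDT"]):
        m = HOOK_RE.search(rec.get("Status", ""))
        if m:  # key on the hooking module's basename, case-folded
            hooks[m.group(1).rsplit("\\", 1)[-1].lower()].append(rec.get("Function Name", "?"))
    hidden = [r.get("Name", "?") for r in parse_records(sec["Drivers"])
              if r.get("File Visible") == "No" and r.get("Name", "").lower() != scanner
              and not r.get("Name", "").lower().startswith(BENIGN_PREFIXES)]
    stealth = {m.group(1) for r in parse_records(sec["Stealth Objects"])
               if (m := STEALTH_RE.match(r.get("Object", "")))}
    return {
        "hooks_by_module": dict(hooks),
        "unexpected_hook_modules": sorted(m for m in hooks if m not in known_hookers),
        "hidden_drivers": hidden,
        "stealth_drivers": sorted(stealth),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run against the log actually posted above, every SSDT and Shadow SSDT hook resolves to klif.sys, so `unexpected_hook_modules` comes back empty, while `hidden_drivers` lists a0mx9tyf.SYS as the one driver with no visible file that is neither the scanner's own driver nor a dump_/hiber_ copy; that is the entry a reviewer checks by hand rather than a verdict. The walrus operator in `triage` needs Python 3.8 or newer.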


----------



## CatByte (Feb 24, 2009)

That looks OK.

Are there any outstanding issues?


----------



## russelb923 (Apr 8, 2010)

None that I notice at the moment, really, besides when I put the computer in hibernation and log back in, some icons will sometimes be moved around almost out of view, but that's really just an annoyance, not really a problem. Safari still freezes every so often though, and I think that's about it.


----------



## CatByte (Feb 24, 2009)

Right click on the desktop and select View,
Uncheck Auto Arrange,
click Align to grid
click Show Desktop Icons.

See if that locks them in place; if not, then it's your screen resolution.

Let's clean up all the tools, as I don't see any more malware:

You can delete the *DDS* and *GMER* folders from your desktop.

*NEXT*

*Follow these steps to uninstall Combofix *


Make sure your security programs are totally disabled.
Click *START* then *RUN*
Now copy/paste *Combofix /uninstall* into the *runbox* and click *OK.* Note the *space* between the *..X* and the */U*, it needs to be there.

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

If there are any logs/tools remaining > right click and delete them.

*NEXT*

Below I have included a number of recommendations for how to protect your computer against malware infections.


It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article: *Strong passwords: How to create and use them*. Then consider a *password keeper* to keep all your passwords safe.

Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

*Make Internet Explorer more secure*
Click *Start* > *Run*
Type *Inetcpl.cpl* & click *OK*
Click on the *Security* tab
Click *Reset all zones to default level*
Make sure the *Internet Zone* is selected & Click *Custom level*
In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
Next Click *OK*, then *Apply* button and then *OK* to exit the Internet Properties page.

*ATF Cleaner* - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

*WOT*, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
*Green* to go 
*Yellow* for caution 
*Red* to stop
WOT has an add-on available for both Firefox and IE.

*Keep a backup of your important files* - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
*Think Prevention.*
*PC Safety and Security--What Do I Need?.*

*Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.*

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.


----------



## russelb923 (Apr 8, 2010)

Okay, thank you very much for all your help and your patience with me as well, as I work very random hours. One last thing though: Kaspersky is still giving me a pop-up notification about "potentially unwanted software". It's a yellow pop-up, not a red one, so I guess it's not a real risk? Well, anyway, thanks again! Hopefully I'll never have to be back here again!


----------



## russelb923 (Apr 8, 2010)

Also, is it OK to keep and use the disk defragmenter tool?


----------



## CatByte (Feb 24, 2009)

Yes, keep the disk defragmenter.

What is Kaspersky identifying?


----------



## russelb923 (Apr 8, 2010)

That list of files I asked if I should delete, remember it?
I don't know if it will show the same files, so I just took another screenshot of the report.


----------



## CatByte (Feb 24, 2009)

Hi,

Yes, those are just advisories:

Remove all those old java programs from Add/remove programs:

The only one you should have in your installed programs list is java version 6 update 20.

Also remove the old Adobe Reader 8; the newest version is 9.3.

Set a new restore point and delete all the old ones:

*System Restore* makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.
We need to set a new system restore point:

Click *Start > Run > *copy and paste the following into the run box:

*%SystemRoot%\System32\restore\rstrui.exe*
Press *OK.* Choose *Create a Restore Point* then click *Next.*
Name it (something you'll remember) and click *Create,*
when the confirmation screen shows the restore point has been created click *Close.*

Now remove all previous Restore Points:

Click *Start > Run > *copy and paste the following into the run box:

*cleanmgr*
At the top, click on *More Options* tab. Click the *Clean up* button in the *System Restore* box. 
Click on the *Yes* button. 
When finished, click on *Cancel* button to exit.

Now you should be good to go.


----------

