Resolved HJT Threads Resolved spyware and popup issues.

Old 03-27-2007, 06:56 PM   #1
strobelfamily (Registered User; Join Date: Mar 2007; Posts: 43; OS: winXP)
Backdoor.Rustuck.B Removal Help

My original issues were posted at this link....

http://www.techsupportforum.com/secu...d-problem.html

I did not get to finish the final instructions given to me on 3/26 at 5:12 p.m. because every virus scan I've done with Norton AntiVirus since it was installed successfully has shown that I have the Backdoor.Rustock.B virus. It also shows that it's been resolved but it keeps coming back. I've tried everything Norton has said to do except pay them to remove the virus from my registry. I've given up on NAV and I'm now running a virus scan with Kaspersky which I purchased over the weekend. NAV can return my money to me under their warranty program. I'm so done with them.

What I would like to do is remove all remnants of NAV, keep Kaspersky AntiVirus and get rid of Backdoor.Rustock.B. I'm thinking to do this I need to follow the 5 step process outlined in the (Updated!) IMPORTANT - Read This Before Posting A Log thread and then post a new HiJackThis log or a DSS log since I'm running XP, but I'm not 100% certain that is the right step to be taking now.

Could someone let me know if this is the next best step or if there is something else I should do first?

Should I complete the last security measures before worrying about Backdoor.Rustock.B or should I worry about the virus first?

Thanks,
Laura


Old 03-30-2007, 09:44 AM   #2
strobelfamily (Registered User; Join Date: Mar 2007; Posts: 43; OS: winXP)
Re: Backdoor.Rustuck.B Removal Help

Bump - it's been more than 56 hours and so I thought it was appropriate to do this. Thanks for any help you can give me.

Laura

Old 03-30-2007, 09:58 AM   #3
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,914; OS: WinXP and Vista)
Re: Backdoor.Rustuck.B Removal Help

Hello Laura,

Why don't we just begin with a new dss.exe scan:

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).

Please just copy/paste the main.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Old 03-30-2007, 10:52 AM   #4
strobelfamily (Registered User; Join Date: Mar 2007; Posts: 43; OS: winXP)
Re: Backdoor.Rustuck.B Removal Help

Deckard's System Scanner v20070328.36
Run by Laura Strobel on 2007-03-30 at 10:46:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
68: 2007-03-30 16:47:02 UTC - RP124 - Deckard's System Scanner Restore Point
67: 2007-03-30 16:10:06 UTC - RP123 - Removed HP Software Update
66: 2007-03-30 15:50:14 UTC - RP122 - Software Distribution Service 2.0
65: 2007-03-28 00:31:28 UTC - RP121 - Installed Kaspersky Anti-Virus 6.0.
64: 2007-03-27 05:02:45 UTC - RP120 - Installed Symantec Technical Support Web Controls


-- First Restore Point --
1: 2007-03-26 01:38:33 UTC - RP57 - Installed Windows XP KB918899.


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Laura Strobel.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:51:11 AM, on 03/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Laura Strobel\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Laura Strobel.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = %3clocal%3e:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/fil...FamilyTree.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126283306484
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/...l/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://shad.viewnetcam.com:53/bl_camera.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.johncardinal.com/cabs/msxml4.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nat...nt/msichat.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common...INIBrowser.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup141.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11...urrent/kdx.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Cdr4_xp - c:\windows\system32\drivers\cdr4_xp.sys
R1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys
R2 Fallback - c:\windows\system32\drivers\hsf_fall.sys
R2 Fsks - c:\windows\system32\drivers\hsf_fsks.sys
R2 K56 - c:\windows\system32\drivers\hsf_k56k.sys
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
R2 SoftFax - c:\windows\system32\drivers\hsf_faxx.sys
R2 Tones - c:\windows\system32\drivers\hsf_tone.sys
R2 V124 - c:\windows\system32\drivers\hsf_v124.sys
R3 Eplpdx02 - c:\windows\system32\drivers\eplpdx02.sys
R3 HSF_DP - c:\windows\system32\drivers\hsfdpsp2.sys
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfbs2s2.sys
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys
R3 winachsf - c:\windows\system32\drivers\hsfcxts2.sys

S3 basic2 - c:\windows\system32\drivers\hsf_bsc2.sys
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys (file missing)
S3 CoachUsb (Dual Mode Digital Camera on USB) - c:\windows\system32\drivers\coachusb.sys
S3 Dual Mode (Dual Mode Video Capture) - c:\windows\system32\drivers\coachvc.sys
S3 dwusbdnt - c:\windows\system32\drivers\dwusbdnt.sys
S3 hsf_msft - c:\windows\system32\drivers\hsf_msft.sys
S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - c:\windows\system32\pcampr5.sys (file missing)
S3 Rksample - c:\windows\system32\drivers\hsf_samp.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-03-30 10:50:00 438 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{39709331-3275-44EF-9325-B6A67FD0BC8A}.job<USER_F~1.JOB>


-- Files created between 2007-02-28 and 2007-03-30 -----------------------------

2007-03-30 09:50:57 0 d-------- C:\WINDOWS\NV25281300.TMP<NV2528~2.TMP>
2007-03-30 09:50:30 0 d-------- C:\WINDOWS\NV25283256.TMP<NV2528~1.TMP>
2007-03-27 18:31:52 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-03-27 18:31:52 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-03-27 18:31:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab<KASPER~1>
2007-03-27 18:31:32 44064 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-03-27 18:31:32 4704032 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-03-26 10:22:03 0 d-------- C:\Program Files\Symantec
2007-03-26 10:22:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-03-26 10:21:41 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-03-26 10:09:43 630784 --a------ C:\GOTOASSIST[1].EXE<GOTOAS~1.EXE>
2007-03-25 20:47:12 0 d-------- C:\WINDOWS\Prefetch
2007-03-25 19:59:39 4569 -----n--- C:\WINDOWS\system32\secupd.dat
2007-03-25 19:17:24 39936 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-25 19:17:23 331264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-03-25 19:17:23 614912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-03-25 19:15:09 171280 --a------ C:\WINDOWS\system32\jit.dll
2007-03-25 19:15:09 46352 --a------ C:\WINDOWS\setdebug.exe
2007-03-25 19:15:08 139536 --a------ C:\WINDOWS\system32\javaee.dll
2007-03-25 19:15:08 313856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-03-25 19:15:08 6550 --a------ C:\WINDOWS\jautoexp.dat
2007-03-25 19:15:03 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-03-25 19:15:02 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-03-25 19:15:02 171792 --a------ C:\WINDOWS\system32\wjview.exe
2007-03-25 19:15:02 286992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-03-25 19:15:01 21264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-03-25 19:15:01 947472 --a------ C:\WINDOWS\system32\msjava.dll
2007-03-25 19:15:00 154384 --a------ C:\WINDOWS\system32\msawt.dll
2007-03-25 19:15:00 172304 --a------ C:\WINDOWS\system32\jview.exe
2007-03-25 19:15:00 15120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-03-25 19:14:59 404752 --a------ C:\WINDOWS\system32\javart.dll
2007-03-25 19:14:59 63248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-03-25 19:14:58 187152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-03-25 19:14:56 49424 --a------ C:\WINDOWS\system32\clspack.exe
2007-03-25 19:10:59 1082368 --a------ C:\WINDOWS\system32\esent.dll
2007-03-25 18:52:39 351232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-03-25 18:52:39 18944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-03-25 15:07:52 45568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-03-25 15:07:51 29696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-03-25 15:07:51 43520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-03-25 15:07:51 43520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-03-25 15:07:49 32768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-03-25 15:07:49 32768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-03-25 15:07:48 48128 --a------ C:\WINDOWS\system32\inetres.dll
2007-03-25 15:07:47 81920 --a------ C:\WINDOWS\system32\isign32.dll
2007-03-25 15:07:47 274432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-03-25 15:07:47 65536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-03-25 15:07:47 73728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-03-25 15:07:40 382464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-03-25 15:07:35 170496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-03-25 15:07:35 239104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-03-25 15:07:35 67584 --a------ C:\WINDOWS\system32\srclient.dll
2007-03-25 15:07:35 73472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-03-25 15:07:34 34560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-03-25 15:07:34 81920 --a------ C:\WINDOWS\system32\ils.dll
2007-03-25 15:07:33 28672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-03-25 15:07:33 69632 --a------ C:\WINDOWS\system32\msconf.dll
2007-03-25 15:07:29 105984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-03-25 15:07:29 252928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-03-25 15:07:28 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-03-25 15:07:27 190976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-03-25 15:07:27 12288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-03-25 15:07:27 274944 --a------ C:\WINDOWS\system32\mstask.dll
2007-03-25 1505 131584 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-03-25 1505 183808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-03-25 1504 67072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-03-25 1504 20480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-03-25 1504 161280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-03-25 1504 21896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-03-25 1504 12040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-03-25 1503 11776 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-03-25 1503 956416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-03-25 1502 58880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-03-25 1502 6144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-03-25 1502 97792 --a------ C:\WINDOWS\system32\comrepl.dll
2007-03-25 1501 540160 --a------ C:\WINDOWS\system32\comuid.dll
2007-03-25 1501 110080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-03-25 1501 85504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-03-25 15:05:57 56320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-03-25 15:05:57 17408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-03-25 15:05:57 185344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-03-25 15:05:55 123392 --a------ C:\WINDOWS\system32\mplay32.exe
2007-03-25 15:05:54 538624 --a------ C:\WINDOWS\system32\spider.exe
2007-03-25 15:05:54 343040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-03-25 15:05:54 102912 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-03-25 15:05:53 6656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-03-25 15:05:53 1343768 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-03-25 15:05:53 124184 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-03-25 15:05:53 93696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-03-25 15:05:53 139528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-03-25 15:05:52 60416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-03-25 15:05:52 1866240 --a------ C:\WINDOWS\system32\mstscax.dll
2007-03-25 15:05:52 600576 --a------ C:\WINDOWS\system32\mstsc.exe
2007-03-25 15:05:51 44544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-03-25 15:05:51 295424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-03-25 15:05:51 140800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-03-25 15:05:51 13824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-03-25 15:05:51 147968 --a------ C:\WINDOWS\system32\rdchost.dll
2007-03-25 15:05:50 87176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-03-25 15:05:50 19968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-03-25 15:05:50 62464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-03-25 15:05:49 426496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-03-25 15:05:49 11264 --a------ C:\WINDOWS\system32\icaapi.dll
2007-03-25 15:05:49 38912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-03-25 15:05:43 58880 --a------ C:\WINDOWS\system32\licwmi.dll
2007-03-25 15:05:16 196864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-03-25 15:02:10 52864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2007-03-25 15:02:07 6400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-03-25 15:00:03 15104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-03-25 14:59:59 57472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-03-25 14:58:43 20992 --a------ C:\WINDOWS\system32\drivers\rtl8139.sys
2007-03-25 14:52:34 30208 --a------ C:\WINDOWS\system32\nvasio.dll
2007-03-25 14:52:33 7168 --a------ C:\WINDOWS\system32\nvack.dll
2007-03-25 14:52:33 962560 --a------ C:\WINDOWS\system32\drivers\nvmcp.sys
2007-03-25 14:52:33 48640 --a------ C:\WINDOWS\system32\drivers\nvax.sys
2007-03-25 14:52:33 66688 --a------ C:\WINDOWS\system32\drivers\nvarm.sys
2007-03-25 14:52:33 396032 --a------ C:\WINDOWS\system32\drivers\nvapu.sys
2007-03-25 14:45:25 40840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-03-25 14:44:00 13312 --a------ C:\WINDOWS\system32\irclass.dll
2007-03-25 14:44:00 11264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-03-25 14:43:59 74752 --a------ C:\WINDOWS\system32\storprop.dll
2007-03-25 14:43:59 24661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-03-25 12:11:14 502272 --a------ C:\WINDOWS\system32\winlogon_vir.exe<WINLOG~1.EXE>
2007-03-25 09:01:17 0 d-------- C:\Program Files\Windows Media Connect 2<WI4DF6~1>
2007-03-25 08:48:31 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-25 08:46:18 0 d-------- C:\Program Files\MSBuild
2007-03-25 08:42:42 0 d-------- C:\WINDOWS\system32\XPSViewer<XPSVIE~1>
2007-03-25 08:41:19 0 d-------- C:\Program Files\Reference Assemblies<REFERE~1>
2007-03-25 08:39:59 14048 -----n--- C:\WINDOWS\system32\spmsg2.dll
2007-03-25 08:39:36 0 d-------- C:\7aa58a8befe1327f883ee6<7AA58A~1>
2007-03-25 08:38:22 36352 -----n--- C:\WINDOWS\system32\tsgqec.dll
2007-03-25 08:38:22 288768 -----n--- C:\WINDOWS\system32\rhttpaa.dll
2007-03-25 08:38:22 116736 -----n--- C:\WINDOWS\system32\aaclient.dll
2007-03-25 01:41:53 0 d-------- C:\Program Files\Kaspersky Lab<KASPER~1>
2007-03-25 01:40:58 0 d-------- C:\KAV
2007-03-24 15:32:43 0 d-------- C:\Documents and Settings\Laura Strobel\Application Data\Lavasoft
2007-03-22 13:57:32 0 d-------- C:\MT123


-- Find3M Report ---------------------------------------------------------------

2007-03-30 10:03:48 0 d-------- C:\Program Files\HP
2007-03-25 20:11:25 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-03-25 20:11:14 0 d-------- C:\Program Files\Windows NT<WINDOW~1>
2007-03-25 20:08:48 250032 -rahs---- C:\ntldr
2007-03-25 16:53:14 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~3>
2007-03-25 15:07:02 23348 --a------ C:\WINDOWS\system32\emptyregdb.dat<EMPTYR~1.DAT>
2007-03-25 08:47:46 0 d-------- C:\Program Files\Windows Media Connect<WI88B7~1>
2007-03-24 16:00:54 0 d-------- C:\Program Files\AWS
2007-03-24 11:32:42 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-22 14:00:25 0 d-------- C:\Documents and Settings\Laura Strobel\Application Data\Macromedia<MACROM~1>
2007-02-25 10:07:16 0 d-------- C:\Program Files\Common Files\Adobe
2007-02-25 10:02:18 0 d-------- C:\Documents and Settings\Laura Strobel\Application Data\Yahoo!
2007-02-24 03:50:55 0 d-------- C:\Program Files\Yahoo!
2007-02-13 14:04:40 254464 --a------ C:\WINDOWS\system32\logixcrt.dll
2007-02-07 16:12:02 0 d-------- C:\Documents and Settings\Laura Strobel\Application Data\Google
2007-02-07 16:11:16 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-07 16:11:16 0 d-------- C:\Program Files\Google
2007-01-31 11:13:10 0 d-------- C:\Program Files\PCCloneEX<PCCLON~1>
2007-01-30 11:04:02 0 d-------- C:\Program Files\The Learning Company<THELEA~1>
2007-01-29 23:04:00 200768 --a------ C:\WINDOWS\system32\klogon.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PPWebCap"="C:\\PROGRA~1\\ScanSoft\\PAPERP~1\\PPWebCap.exe"
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\LaunchPd.exe\""
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"OneTouch Monitor"="C:\\PROGRA~1\\VISION~1\\ONETOU~2.EXE"
"IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\""
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"NVIDIA nForce APU1 Utilities"="NVATray.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"QuickFinder Scheduler"="\"C:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"GURL01"="C:\\WINDOWS\\System32\\gdwfil.dll"
"PHR01"="C:\\WINDOWS\\System32\\usrfil.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-03-30 at 10:51:41 ---------
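As an added illustration, not code from this thread, from HijackThis or from Deckard's System Scanner, the Python script below parses HijackThis-style lines like those in the log above and applies a few analyst heuristics: an entry marked (file missing), an O23 service with no vendor, an unnamed O9 button, an O4 autorun that launches an executable straight from the Windows folder, and a drive-letter path containing a second colon, which is the NTFS syntax for an alternate data stream (the form of the location Norton reports later in this thread). The heuristics, the function names and the sample are this example's own assumptions; the sample mixes lines copied from the log above with one constructed O23 entry (C:\WINDOWS\system32:example.sys) that exercises the stream check. A flag is a prompt to verify, never a verdict: the Kaspersky service line is reported as (file missing) apparently because HijackThis tripped over the quoting of its -r argument, while avp.exe is plainly present in the running-process list, and a text-level triage of startup entries is no substitute for a rootkit scan.

```python
"""Simple triage of HijackThis-style log entries.

Added example for this thread; not code from HijackThis, DSS or the posters.
The heuristics below are this example's own assumptions about which entries
an analyst would want a second look at.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis section of the log above,
# plus one constructed O23 entry (C:\WINDOWS\system32:example.sys) that
# exercises the alternate-data-stream check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Example Driver (example) - Unknown owner - C:\WINDOWS\system32:example.sys
"""

# Section codes used by HijackThis 1.99 ("O4 - ...", "R1 - ...", ...).
HJT_LINE = re.compile(r'^(O\d{1,2}|R[0-3]|F[0-3]|N[1-4]) - (.*)$')
# A drive-letter path with a second colon: NTFS alternate data stream syntax
# (file_or_dir:stream). Paths containing spaces are not handled (simplification).
ADS_PATH = re.compile(r'[A-Za-z]:\\[^:"\s]*:[\w.$]+')
# An executable sitting directly in the Windows folder instead of a subfolder.
WINDIR_ROOT_EXE = re.compile(r'[A-Za-z]:\\WINDOWS\\[^\\"\s]+\.exe', re.IGNORECASE)


@dataclass
class Entry:
    code: str               # HijackThis section code, e.g. "O23"
    body: str               # the rest of the line
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return the HijackThis entries found in a log; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: list) -> list:
    """Attach heuristic flags and return only the entries that earned one."""
    for e in entries:
        if "(file missing)" in e.body:
            e.flags.append("file missing")
        if e.code == "O23" and "Unknown owner" in e.body:
            e.flags.append("service without vendor")
        if e.code == "O9" and "(no name)" in e.body:
            e.flags.append("unnamed browser button")
        if e.code == "O4" and WINDIR_ROOT_EXE.search(e.body):
            e.flags.append("autorun exe in Windows root")
        if ADS_PATH.search(e.body):
            e.flags.append("alternate data stream path")
    return [e for e in entries if e.flags]


def triage_log(text: str) -> list:
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.code}: {', '.join(e.flags)}\n    {e.body}")
```

Run it as-is to see the five flagged entries from the sample; to triage a real log, read the main.txt text into `triage_log` instead of `SAMPLE_LOG`. Each flagged entry still needs the usual analyst follow-up (vendor lookup, file hash, checking whether the file actually exists) before anything is acted on.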

Old 03-30-2007, 12:02 PM   #5
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,914; OS: WinXP and Vista)
Re: Backdoor.Rustuck.B Removal Help

Hi Laura,

I'm not seeing any evidence of RustockB in these logs. Where is Norton reporting the location of this infection?

Also, please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------

Post those results here please, along with the location Norton is seeing this infection.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-30-2007, 03:20 PM   #6 (permalink)
strobelfamily (Registered User)
Join Date: Mar 2007
Posts: 43
OS: winXP

Re: Backdoor.Rustuck.B Removal Help

The Panda Scan doesn't seem to be running. I've loaded the ActiveX but 15 minutes later there appears to be no progress. My firewall and antivirus protection are disabled. Does it normally take more than 15 to 20 minutes to see any progress? I have a DSL connection.

Norton was reporting the threat in c:\Windows\system32\system32:lzx32.sys. Each time I ran NAV it would find the threat in the same location and then "clean" it, and then on the very next scan it would find it again.

They offered to "remove" the problem for $69.95 worth of their services. Kaspersky has never found the threat, but I did start with reboot problems and the Rustock.gen!C virus a week ago. Could it be a false positive on the part of NAV at this point?

Laura

Last edited by strobelfamily; 03-30-2007 at 03:39 PM.
Old 03-30-2007, 06:20 PM   #7 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)

Re: Backdoor.Rustuck.B Removal Help

Hi Laura,

Download GMER Rootkit Scanner from here or here.

Unzip it to your Desktop.

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Click the Scan button and let the program do its work. It will produce a log.
  • Copy the log using the Copy button
  • Open Notepad and paste the log into a new text file (Using Ctrl + V), save it somewhere you can find it, and post the log in this thread.
Old 03-31-2007, 08:11 AM   #8 (permalink)
strobelfamily (Registered User)

Re: Backdoor.Rustuck.B Removal Help

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-31 08:10:28
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 7 Bytes JMP BABDA3C0 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP BABD7400 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80503C29 5 Bytes JMP BABD6F00 \??\C:\WINDOWS\system32\drivers\klif.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[1892] SHELL32.dll!StrStrW + FFE2DAB6 7C9C8998 4 Bytes [ B0, 02, 40, 7E ]

---- Threads - GMER 1.0.12 ----

Thread 4:112 86A488E0
Thread 4:116 86A488E0
Thread 4:120 86A028D0
Thread 4:124 86A028D0
Thread 4:128 86A028D0
Thread 4:336 86A488E0
Thread 4:400 86A488E0

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts@0?0?The Learning Company THELC___.FON
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts@0?0?TITUS Cyberbit Basic (TrueType) TITUSCBZ.TTF

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Laura Strobel\Desktop\Laura's Genealogy\Welch\Scanned Items\Picture -- Childern and Grandchildren of Alido Grace (Welch) Glover Davis Miller Family in Minn. -- taken July 4, 1942 -- Names with Picture.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINDOWS\system32:lzx32.sys

---- EOF - GMER 1.0.12 ----
Old 03-31-2007, 12:06 PM   #9 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)

Re: Backdoor.Rustuck.B Removal Help

Hello Laura,

Open HijackThis
  • Click on the button "Open the Misc Tools section"
  • Click the button labelled "Open ADSSpy"
  • Make sure "Quick Scan (Windows based folders only)" is unchecked.
  • Make sure "Ignore Safe System Info Streams" is checked.
  • Click the "Scan" button.
  • When it has finished scanning, checkmark/tick all the entries that it found.
  • Click the "remove selected" button, then click "Yes" at the following prompt.
  • Click the "Scan" button once again.
  • Click the "Save Log" button once this scan is complete. If nothing is found in this second run, no log will be produced.
Please post that log here for review.

------------------------------------------------

Next, please run ComboFix.exe

If you've already deleted that tool after your recent cleaning, please download it once again:

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply along with the ADSSpy log and an update on system behavior.
Old 03-31-2007, 09:07 PM   #10 (permalink)
strobelfamily (Registered User)

Re: Backdoor.Rustuck.B Removal Help

There was no further log for ADSSpy after the second scan. Below is the log from Combo Fix. The computer seems to be ok right now. Kaspersky runs a complete scan with no viruses found. I've dumped the NAV.


"Laura Strobel" - 07-03-31 20:59:39 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\Laura Strobel\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-31 ))))))))))))))))))))))))))))))))))


2007-03-30 13:58 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-30 10:46 <DIR> d-------- C:\Deckard
2007-03-30 09:50 <DIR> d-------- C:\WINDOWS\NV25283256.TMP
2007-03-30 09:50 <DIR> d-------- C:\WINDOWS\NV25281300.TMP
2007-03-27 18:31 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-03-27 18:31 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-03-27 18:31 54,048 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-03-27 18:31 4,833,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-03-27 18:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-03-26 10:22 <DIR> d-------- C:\Program Files\Symantec
2007-03-26 10:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-03-26 10:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-03-26 10:09 630,784 --a------ C:\GOTOASSIST[1].EXE
2007-03-25 20:47 <DIR> d-------- C:\WINDOWS\Prefetch
2007-03-25 19:59 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-03-25 19:17 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-03-25 19:17 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-25 19:17 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-03-25 19:15 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-03-25 19:15 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-03-25 19:15 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-03-25 19:15 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-03-25 19:15 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-03-25 19:15 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-03-25 19:15 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-03-25 19:15 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-03-25 19:15 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-03-25 19:15 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-03-25 19:15 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-03-25 19:15 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-03-25 19:15 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-03-25 19:15 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-03-25 19:14 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-03-25 19:14 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-03-25 19:14 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-03-25 19:14 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-03-25 19:10 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-03-25 18:52 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-03-25 18:52 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-03-25 15:07 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-03-25 15:07 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-03-25 15:07 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-03-25 15:07 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-03-25 15:07 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-03-25 15:07 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-03-25 15:07 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-03-25 15:07 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-03-25 15:07 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-03-25 15:07 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-03-25 15:07 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-03-25 15:07 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-03-25 15:07 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-03-25 15:07 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-03-25 15:07 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-03-25 15:07 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-03-25 15:07 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-03-25 15:07 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-03-25 15:07 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-03-25 15:07 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-03-25 15:07 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-03-25 15:07 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-03-25 15:07 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-03-25 15:07 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-03-25 15:07 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-03-25 15:07 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-03-25 15:06 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2007-03-25 15:06 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-03-25 15:06 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-03-25 15:06 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-03-25 15:06 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-03-25 15:06 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-03-25 15:06 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-03-25 15:06 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-03-25 15:06 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-03-25 15:06 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-03-25 15:06 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-03-25 15:06 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-03-25 15:06 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-03-25 15:06 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-03-25 15:06 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-03-25 15:05 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-03-25 15:05 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-03-25 15:05 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-03-25 15:05 600,576 --a------ C:\WINDOWS\system32\mstsc.exe
2007-03-25 15:05 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-03-25 15:05 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-03-25 15:05 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2007-03-25 15:05 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-03-25 15:05 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-03-25 15:05 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-03-25 15:05 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-03-25 15:05 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-03-25 15:05 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-03-25 15:05 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-03-25 15:05 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-03-25 15:05 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-03-25 15:05 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-03-25 15:05 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-03-25 15:05 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2007-03-25 15:05 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-03-25 15:05 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-03-25 15:05 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-03-25 15:05 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-03-25 15:05 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2007-03-25 15:05 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2007-03-25 15:05 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-03-25 15:05 1,866,240 --a------ C:\WINDOWS\system32\mstscax.dll
2007-03-25 15:05 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-03-25 15:02 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-03-25 15:02 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2007-03-25 15:00 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-03-25 14:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-03-25 14:58 20,992 --a------ C:\WINDOWS\system32\drivers\rtl8139.sys
2007-03-25 14:52 962,560 --a------ C:\WINDOWS\system32\drivers\nvmcp.sys
2007-03-25 14:52 7,168 --a------ C:\WINDOWS\system32\nvack.dll
2007-03-25 14:52 66,688 --a------ C:\WINDOWS\system32\drivers\nvarm.sys
2007-03-25 14:52 48,640 --a------ C:\WINDOWS\system32\drivers\nvax.sys
2007-03-25 14:52 396,032 --a------ C:\WINDOWS\system32\drivers\nvapu.sys
2007-03-25 14:52 30,208 --a------ C:\WINDOWS\system32\nvasio.dll
2007-03-25 14:45 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-03-25 14:44 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-03-25 14:44 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-03-25 14:43 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2007-03-25 14:43 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-03-25 12:11 502,272 --a------ C:\WINDOWS\system32\winlogon_vir.exe
2007-03-25 09:01 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-03-25 08:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-25 08:46 <DIR> d-------- C:\Program Files\MSBuild
2007-03-25 08:42 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-03-25 08:41 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-03-25 08:39 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-03-25 08:39 <DIR> d-------- C:\7aa58a8befe1327f883ee6
2007-03-25 08:38 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-03-25 08:38 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-03-25 08:38 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-03-25 01:41 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-03-25 01:40 <DIR> d-------- C:\KAV
2007-03-24 15:32 <DIR> d-------- C:\DOCUME~1\LAURAS~1\APPLIC~1\Lavasoft
2007-03-22 13:57 <DIR> d-------- C:\MT123


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-30 10:03 -------- d-------- C:\Program Files\hp
2007-03-25 20:11 -------- d-------- C:\Program Files\windows nt
2007-03-25 20:11 -------- d-------- C:\Program Files\movie maker
2007-03-25 16:53 -------- d--h----- C:\Program Files\windowsupdate
2007-03-25 15:07 23348 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-25 08:47 -------- d-------- C:\Program Files\windows media connect
2007-03-24 11:32 -------- d-------- C:\Program Files\quicktime
2007-02-25 10:02 -------- d-------- C:\DOCUME~1\LAURAS~1\APPLIC~1\yahoo!
2007-02-24 03:50 -------- d-------- C:\Program Files\yahoo!
2007-02-13 14:04 254464 --a------ C:\WINDOWS\system32\logixcrt.dll
2007-02-07 16:11 -------- d--h----- C:\Program Files\installshield installation information
2007-02-07 16:11 -------- d-------- C:\Program Files\google
2007-01-31 11:13 -------- d-------- C:\Program Files\pccloneex
2007-01-30 11:04 -------- d-------- C:\Program Files\the learning company
2007-01-29 23:04 200768 --a------ C:\WINDOWS\system32\klogon.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PPWebCap"="C:\\PROGRA~1\\ScanSoft\\PAPERP~1\\PPWebCap.exe"
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\LaunchPd.exe\""
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"OneTouch Monitor"="C:\\PROGRA~1\\VISION~1\\ONETOU~2.EXE"
"IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\""
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"NVIDIA nForce APU1 Utilities"="NVATray.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"QuickFinder Scheduler"="\"C:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"GURL01"="C:\\WINDOWS\\System32\\gdwfil.dll"
"PHR01"="C:\\WINDOWS\\System32\\usrfil.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\User_Feed_Synchronization-{39709331-3275-44EF-9325-B6A67FD0BC8A}.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-31 21:03:54
C:\ComboFix2.txt ... 07-03-24 16:48
Old 03-31-2007, 10:26 PM   #11 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)

Re: Backdoor.Rustuck.B Removal Help

Glad to hear that, Laura.

Let's do one more scan with gmer now.

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Click the Scan button and let the program do its work. It will produce a log.
  • Copy the log using the Copy button
  • Open Notepad and paste the log into a new text file (Using Ctrl + V), save it somewhere you can find it, and post the log in this thread.

-----------------------------------------

Also, see if you can get online Panda scan to complete for you. Post those results here if you were successful.
Old 04-01-2007, 10:09 AM   #12 (permalink)
strobelfamily (Registered User)

Re: Backdoor.Rustuck.B Removal Help

Panda Scan still did not run. Actually it's not completing the 8 MB download I guess. I waited 30 minutes this time and never got past the "You are about to start the scan and get a second opinion..." message. GMER scan is below.
Laura

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-01 11:21:45
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 7 Bytes JMP BABDA3C0 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP BABD7400 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80503C29 5 Bytes JMP BABD6F00 \??\C:\WINDOWS\system32\drivers\klif.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[1960] SHELL32.dll!StrStrW + FFE2DAB6 7C9C8998 4 Bytes [ 40, 02, 40, 7E ]

---- Threads - GMER 1.0.12 ----

Thread 4:112 86A4D8E0
Thread 4:116 86A4D8E0
Thread 4:120 86A268D0
Thread 4:124 86A268D0
Thread 4:128 86A268D0
Thread 4:336 86A4D8E0
Thread 4:400 86A4D8E0

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts@0?0?The Learning Company THELC___.FON
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts@0?0?TITUS Cyberbit Basic (TrueType) TITUSCBZ.TTF

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Laura Strobel\Desktop\Laura's Genealogy\Welch\Scanned Items\Picture -- Childern and Grandchildren of ***edited names for privacy***-- taken July 4, 1942 -- Names with Picture.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----

Last edited by Ried; 04-02-2007 at 08:24 AM. Reason: removed names for privacy
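The two GMER logs in this thread can be triaged mechanically: the "Files" section lists alternate data streams (the stream on the system32 directory that Norton kept reporting, and a harmless {4c8cc155-...} Explorer summary-information stream on a JPG), and the "System" section lists SSDT hooks by driver. The Python below is an added example, not code from this thread, from GMER or from Kaspersky; it runs on constructed, abridged copies of the 03-31 and 04-01 logs, flags the directory-hosted executable stream, and confirms that only that stream disappeared after the ADSSpy clean-up.

```python
"""Triage helpers for GMER rootkit-scan logs like the two posted in this thread.
Added example; not code from the thread, from GMER or from Kaspersky. The log
excerpts are constructed, abridged copies of the 03-31 and 04-01 scans."""
import re
from typing import Dict, List, NamedTuple, Tuple

GMER_BEFORE = r"""
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
SSDT kl1.sys ZwOpenFile
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\Laura Strobel\Desktop\Picture.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINDOWS\system32:lzx32.sys
---- EOF - GMER 1.0.12 ----
"""
# Same machine after the ADSSpy clean-up: the stream on system32 is gone.
GMER_AFTER = r"""
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
SSDT kl1.sys ZwOpenFile
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\Laura Strobel\Desktop\Picture.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
---- EOF - GMER 1.0.12 ----
"""
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# Streams Windows itself attaches to ordinary files; not evidence of hiding.
BENIGN_STREAMS = {
    "Zone.Identifier",                          # mark-of-the-web on downloads
    "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}",  # Explorer summary-information property set
}
EXEC_EXT = (".sys", ".exe", ".dll", ".com", ".scr")


class AdsEntry(NamedTuple):
    host: str    # file or directory carrying the stream
    stream: str  # stream name after the last ':'


def parse_gmer(text: str) -> Dict[str, List[str]]:
    """Split a GMER log into its '---- Name - GMER x.y ----' sections."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def ads_entries(sections: Dict[str, List[str]]) -> List[AdsEntry]:
    """Every 'ADS <host>:<stream>' line from the Files section."""
    entries = []
    for line in sections.get("Files", []):
        if line.startswith("ADS "):
            host, _, stream = line[4:].rpartition(":")  # last ':' starts the stream
            entries.append(AdsEntry(host, stream))
    return entries


def suspicious_reasons(entry: AdsEntry) -> List[str]:
    """Why an ADS deserves a closer look; an empty list means nothing stood out."""
    if entry.stream in BENIGN_STREAMS:
        return []
    reasons = []
    if entry.stream.lower().endswith(EXEC_EXT):
        reasons.append("executable stream name")
    if "." not in entry.host.rsplit("\\", 1)[-1]:  # host has no extension: a directory
        reasons.append("stream attached to a directory")
    return reasons


def hook_counts(sections: Dict[str, List[str]]) -> Dict[str, int]:
    """SSDT hooks per module, so the analyst sees which driver owns them."""
    counts: Dict[str, int] = {}
    for line in sections.get("System", []):
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "SSDT":
            module = parts[1].rsplit("\\", 1)[-1]
            counts[module] = counts.get(module, 0) + 1
    return counts


def compare_ads(before: str, after: str) -> Tuple[List[AdsEntry], List[AdsEntry]]:
    """Streams that vanished and streams that appeared between two scans."""
    old = set(ads_entries(parse_gmer(before)))
    new = set(ads_entries(parse_gmer(after)))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    print("SSDT hooks by module:", hook_counts(parse_gmer(GMER_BEFORE)))
    for entry in ads_entries(parse_gmer(GMER_BEFORE)):
        print("ADS", entry.host, "->", entry.stream, suspicious_reasons(entry) or "ok")
    print("removed / new after clean-up:", compare_ads(GMER_BEFORE, GMER_AFTER))
```

In the full logs above every SSDT hook resolves to klif.sys or kl1.sys, the drivers of the Kaspersky product installed on 03-27, which is why the hook list alone was not taken as evidence of a rootkit.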
Old 04-02-2007, 08:26 AM   #13 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)

Re: Backdoor.Rustuck.B Removal Help

Ok, let's try Kaspersky and see if you have better luck:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note for Internet Explorer 7 users**

If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.


Is the system still behaving well?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-02-2007, 11:18 AM   #14 (permalink)
Registered User
 
 
Join Date: Mar 2007
Posts: 43
OS: winXP


Re: Backdoor.Rustuck.B Removal Help

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 02, 2007 1:17:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/04/2007
Kaspersky Anti-Virus database records: 290127
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 106981
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:23:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\018f_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0191_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-04-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Laura Strobel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Temp\~DF969A.tmp Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Temp\~DF96AD.tmp Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\ntuser.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{66436E90-B0E5-4F60-8785-39471453B8E8}\RP126\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Old 04-02-2007, 11:25 AM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Backdoor.Rustuck.B Removal Help

Hi Laura,

Kaspersky is coming up clean. If there aren't any more problems, you're good to go.

You've already received good instructions from sUBs on protecting your system in your previous thread, so all that's left to do is flush your system restore:

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

Please let us know if we can consider this thread resolved.
Old 04-03-2007, 05:10 AM   #16 (permalink)
Registered User
 
 
Join Date: Mar 2007
Posts: 43
OS: winXP


Re: Backdoor.Rustuck.B Removal Help

Thank you for all of your help. I'll follow the instructions from the previous thread about protecting my system and I'm guessing I'll be in good shape for now.
Laura
Old 04-03-2007, 05:28 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Backdoor.Rustuck.B Removal Help

You're welcome, Laura.

When you get a chance, I think you'll find this article quite helpful PC Safety and Security--What Do I Need?
Copyright 2001 - 2009, Tech Support Forum