09-04-2009, 05:50 PM   #1
Registered User
Join Date: Dec 2008
Posts: 9
OS: Windows XP (Home Edition)

Getting the okay that I'm clear of viruses!

Hey everybody!

(scroll down for the log links)
I recently managed to get my computer loaded with a number of different viruses. To make a long story short, I downloaded/ran an .exe program that I later found out was full of viruses/keyloggers.

I ran a bunch of scans (Malwarebytes, Avast, McAfee, then, after I uninstalled McAfee, Kaspersky). Now everything seems to be back to normal. I'm posting this from the 'safe mode' of Firefox via Kaspersky. It might just be me, but my computer still seems a tiny bit slower than it was before all this happened (I'd like to put emphasis on the possibility that it could just be me being cautious). I'm also not sure if there are any keyloggers left, so I would really appreciate it if you guys could look through my logs to see whether or not I'm clean.

Known [previous?] viruses: Right after I opened up that deadly .exe file, my links from the Google results page started taking me to RANDOM pages, with nothing to do with what I searched for. Shortly after, EVERY program that I would open up would have a few "error messages" before it, with just little pop-up windows saying "Error C:/blahblah", and only after I exited out of 2 or 3 of those would the program open.
Also, I ran a virus scan a couple of nights back after I infected my computer, and when I looked at it in the morning, "Windows Police Pro" was up. Knowing this was a fake program, I closed out of it and deleted it via HKEYblah and the Task Manager (and I also deleted the WPP files on my local disk). Next morning, it was back again. Those are all the viruses that I know of that my computer had been infected with, but I'm still not sure if there are any keyloggers on my computer at the moment.

Thanks for reading, & I tried to make this as descriptive as possible, so sorry for the wall of text. I would appreciate any help/confirmation that my computer is clean (optimism!).

Thanks so much in advance!


DDS Log

DDS (Ver_09-07-30.01) - NTFSx86
Run by Ari at 16:37:15.98 on Fri 09/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.446 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ari\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Generic Host Process] c:\documents and settings\all users\application data\scvhost.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ari\applic~1\mozilla\firefox\profiles\2pxnxev7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-6-15 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-9-4 296976]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-7-3 303376]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe --> c:\cygwin\bin\cygrunsrv.exe [?]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]

=============== Created Last 30 ================

2009-09-04 07:05 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
2009-09-04 06:51 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-09-04 06:51 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-09-04 06:50 <DIR> --d----- c:\program files\Kaspersky Lab
2009-09-04 06:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-09-04 06:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-09-02 16:56 664 a------- c:\windows\system32\d3d9caps.dat
2009-09-02 05:25 4,539 a------- c:\windows\system32\lkd
2009-09-02 05:21 43 a------- c:\windows\system32\rotscxldbaopyv.dat
2009-08-31 22:25 <DIR> --d----- c:\docume~1\ari\applic~1\Malwarebytes
2009-08-31 22:24 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 22:24 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-31 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-31 22:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 22:17 <DIR> --d----- c:\windows\pss
2009-08-31 21:28 <DIR> --d----- c:\program files\Siber Systems
2009-08-31 19:57 <DIR> --d----- c:\program files\CCleaner
2009-08-31 19:09 14,639 a------- c:\windows\system32\rotscxydwhboyg.dat
2009-08-31 17:23 0 a------- C:\LOGBB3.tmp
2009-08-31 17:09 0 a------- C:\LOGBA4.tmp
2009-08-26 18:54 <DIR> --d----- c:\program files\Xiph.Org
2009-08-26 18:49 122,350 a------- c:\windows\system32\xbadpcm.acm
2009-08-26 18:49 917 a------- c:\windows\system32\xbadpcminst.inf
2009-08-26 18:49 24,848 a------- c:\windows\system32\wavdest.ax
2009-08-20 01:29 7,680 a--sh--- c:\windows\Thumbs.db
2009-08-19 00:42 <DIR> --d----- c:\program files\Paint.NET
2009-08-18 16:27 <DIR> --d----- c:\documents and settings\ari\.thumbnails
2009-08-18 16:25 <DIR> --d----- c:\documents and settings\ari\.gimp-2.6
2009-08-18 16:24 <DIR> --d----- c:\program files\GIMP-2.0
2009-08-18 02:31 388,600 a------- c:\temp\script.zip
2009-08-18 02:31 <DIR> --d----- c:\temp\script
2009-08-18 02:26 <DIR> --d----- C:\temp
2009-08-18 02:24 <DIR> --d----- c:\documents and settings\ari\wadunpack
2009-08-18 02:22 16 a------- c:\documents and settings\ari\common-key.bin
2009-08-18 02:20 <DIR> --d----- c:\program files\WADder
2009-08-18 02:10 <DIR> --d----- C:\MyMenu
2009-08-18 01:43 <DIR> --d----- C:\Wii Backup
2009-08-15 23:17 <DIR> --d----- c:\program files\iPod
2009-08-15 23:16 <DIR> --d----- c:\program files\iTunes
2009-08-15 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-15 22:32 <DIR> --d----- c:\program files\Bonjour
2009-08-15 15:39 <DIR> --d----- c:\docume~1\ari\applic~1\log
2009-08-15 15:39 87,608 a------- c:\docume~1\ari\applic~1\inst.exe
2009-08-15 15:39 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-08-15 15:39 47,360 a------- c:\docume~1\ari\applic~1\pcouffin.sys
2009-08-15 15:39 <DIR> --d----- c:\program files\vso
2009-08-14 01:57 <DIR> --d----- c:\windows\system32\NtmsData
2009-08-14 01:26 <DIR> --d----- c:\program files\WBFS
2009-08-14 01:02 <DIR> --d----- c:\documents and settings\ari\txtcodes
2009-08-14 01:02 <DIR> --d----- c:\documents and settings\ari\images
2009-08-14 01:02 <DIR> --d----- c:\documents and settings\ari\config
2009-08-14 01:02 <DIR> --d----- c:\documents and settings\ari\codes
2009-08-14 00:46 <DIR> --d----- C:\Old
2009-08-12 23:37 <DIR> --d----- C:\Blahhh
2009-08-11 17:59 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 17:59 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 20:53 <DIR> --d----- c:\program files\Frets on Fire
2009-08-10 13:05 <DIR> --d----- c:\program files\3D Analyzer
2009-08-09 14:27 <DIR> --d----- c:\program files\NVIDIA Corporation
2009-08-09 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2009-08-09 14:24 2,189,856 a------- c:\windows\system32\nvcuvid.dll
2009-08-09 14:24 1,706,528 a------- c:\windows\system32\nvcuvenc.dll
2009-08-09 14:24 1,597,690 a------- c:\windows\system32\nvdata.bin

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-14 14:54 10,457,088 a------- c:\windows\system32\nvoglnt.dll
2009-07-14 14:54 7,741,664 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-07-14 14:54 5,842,816 a------- c:\windows\system32\nv4_disp.dll
2009-07-14 14:54 2,002,944 a------- c:\windows\system32\nvcuda.dll
2009-07-14 14:54 868,352 a------- c:\windows\system32\nvapi.dll
2009-07-14 14:54 485,920 a------- c:\windows\system32\nvudisp.exe
2009-07-14 14:54 151,552 a------- c:\windows\system32\nvcodins.dll
2009-07-14 14:54 151,552 a------- c:\windows\system32\nvcod.dll
2009-07-14 13:35 2,173,472 a------- c:\windows\system32\nvcplui.exe
2009-07-14 13:35 81,920 a------- c:\windows\system32\nvwddi.dll
2009-07-14 13:35 4,026,368 a------- c:\windows\system32\nvvitvs.dll
2009-07-14 13:35 3,170,304 a------- c:\windows\system32\nvwss.dll
2009-07-14 13:34 13,877,248 a------- c:\windows\system32\nvcpl.dll
2009-07-14 13:34 4,923,392 a------- c:\windows\system32\nvdisps.dll
2009-07-14 13:34 3,547,136 a------- c:\windows\system32\nvgames.dll
2009-07-14 13:34 1,286,144 a------- c:\windows\system32\nvmobls.dll
2009-07-14 13:34 188,416 a------- c:\windows\system32\nvmccss.dll
2009-07-14 13:34 168,004 a------- c:\windows\system32\nvsvc32.exe
2009-07-14 13:34 143,360 a------- c:\windows\system32\nvcolor.exe
2009-07-14 13:34 86,016 a------- c:\windows\system32\nvmctray.dll
2009-07-14 13:34 229,376 a------- c:\windows\system32\nvmccs.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-10 07:01 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-07-03 15:48 219,664 a------- c:\windows\system32\klogon.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll

============= FINISH: 16:38:04.89 ===============

Thanks again!
Attached files: Attach and Ark.zip (5.4 KB)
Adiadi is offline  
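An added triage example (my own code, not part of the original post and not a TSF or DDS tool): a Python script that parses the autostart lines of the DDS "Pseudo HJT Report" above and flags the entries an analyst would look at first. The sample input is a subset of lines copied verbatim from that log; the list of imitated system process names, the "user-writable directory" patterns and the trusted roots are my own assumptions. On this input it flags `scvhost.exe` three times (it runs from All Users\Application Data, its name is an edit-distance-2 lookalike of `svchost.exe`, and its Run value name "Windows Generic Host Process" claims to be a Windows component while pointing outside the OS tree) and flags the orphaned BHO whose DLL is "No File". Everything else in the sample, including the Kaspersky entries, passes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines copied verbatim from the "Pseudo HJT
# Report" section of the DDS log posted above.
SAMPLE_HJT = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Generic Host Process] c:\documents and settings\all users\application data\scvhost.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
"""

# Assumption: stems of core Windows binaries that malware names itself after.
SYSTEM_STEMS = {"svchost", "explorer", "lsass", "csrss", "winlogon", "services",
                "spoolsv", "rundll32", "smss", "wuauclt"}
# Assumption: directories a legitimate autostart entry almost never runs from.
USER_WRITABLE_DIRS = ("\\application data\\", "\\applic~1\\", "\\local settings\\temp\\",
                      "\\temp\\", "\\recycler\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

_RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(.*?)\]\s*(.*)$")
_BHO_RE = re.compile(r"^BHO: (?:(.*?): )?(\{[0-9A-Fa-f-]{36}\}) - (.*)$")
_NOTIFY_RE = re.compile(r"^Notify: (\S+) - (.*)$")
_APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
# First token ending in a PE-ish extension, quoted or not (handles spaces in unquoted paths).
_PATH_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com))(?:"|\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a transposition such as scvhost/svchost costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(stem: str) -> Optional[str]:
    """System process a filename stem imitates (edit distance <= 2), or None for exact/unrelated names."""
    stem = stem.lower()
    if stem in SYSTEM_STEMS or len(stem) < 5:
        return None
    return next((real for real in sorted(SYSTEM_STEMS) if levenshtein(stem, real) <= 2), None)


def _path_of(command: str) -> str:
    m = _PATH_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def _check_path(line: str, path: str, findings: List[Finding]) -> None:
    low = path.lower()
    if any(d in low for d in USER_WRITABLE_DIRS):
        findings.append(Finding(line, f"executes from user-writable location: {path}"))
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    real = lookalike(stem)
    if real:
        findings.append(Finding(line, f"filename '{stem}' imitates system process '{real}'"))


def triage(report: str) -> List[Finding]:
    """Walk a DDS pseudo-HJT report and return the autostart entries worth a closer look."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := _RUN_RE.match(line):
            name, path = m.group(1), _path_of(m.group(2))
            _check_path(line, path, findings)
            # A value name that claims to be Windows/Microsoft but points outside the OS tree.
            if re.search(r"\b(windows|microsoft)\b", name, re.I) and not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(Finding(line, f"Run value '{name}' claims to be Microsoft/Windows but runs {path}"))
        elif m := _BHO_RE.match(line):
            if m.group(3).strip().lower() == "no file":
                findings.append(Finding(line, "orphaned BHO (CLSID registered, DLL missing)"))
            else:
                _check_path(line, m.group(3), findings)
        elif m := _NOTIFY_RE.match(line):
            _check_path(line, m.group(2), findings)
        elif m := _APPINIT_RE.match(line):
            for dll in m.group(1).split(","):
                _check_path(line, dll.strip(), findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.reason}\n    {f.line}")
```

The three checks are deliberately cheap: none of them needs the file, only the log line. The lookalike check is restricted to stems of five or more characters so that short legitimate names such as `avp` do not collide with short system names, and `AppInit_DLLs` entries are checked because anything listed there is loaded into every GUI process.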

09-06-2009, 04:26 AM   #2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3

Re: Getting the okay that I'm clear of viruses!

Hello and welcome to TSF.

Your system is still infected with a rootkit. This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

============================

Please note that more than one round may be needed to properly eradicate. Stay with me until you're given the "all clear", even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions in the order they are presented, and please refrain from any self-fixing or running of scanners unless requested by me or another helper at this forum.

Also note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

============================

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    For further help with disabling them, click here.
    To disable Kaspersky Antivirus:
    Please navigate to the system tray on the bottom right hand corner and look for the Kaspersky icon.
    • right click it -> select Pause Protection.
    • click on -> By User Request
    • a popup will claim that protection is now disabled, and the tray icon will change to show that.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

• Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done that.
__________________
My services are free. However, you can donate to TSF to help keep it running.

Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
09-06-2009, 09:03 AM   #3
Registered User
Join Date: Dec 2008
Posts: 9
OS: Windows XP (Home Edition)

Re: Getting the okay that I'm clear of viruses!

Wow, how wrong could I have been? =/
I understand that most anti-malware products probably wouldn't detect a virus such as this one, but I thought I'd post what I've done since I made my original post anyway. I ran Malwarebytes again; it found 8 more that I deleted. I downloaded Spybot S&D, which deleted a bunch; I full-scanned with Kaspersky, which deleted 2 or so; and I finished it off with the Anniversary Edition of Ad-Aware, which surprisingly detected NOTHING.

Here's my ComboFix Log:

ComboFix 09-09-05.03 - Ari 09/06/2009 10:35.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.313 [GMT -4:00]
Running from: c:\documents and settings\Ari\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ari\Application Data\inst.exe
c:\windows\system32\rotscxldbaopyv.dat
c:\windows\system32\rotscxydwhboyg.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_rotscxecxxlvck
-------\Service_rotscxecxxlvck


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-05 19:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-05 19:26 . 2009-09-05 19:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-05 19:26 . 2009-09-05 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-05 19:26 . 2009-09-05 19:26 -------- d-----w- c:\program files\Lavasoft
2009-09-05 19:15 . 2009-09-05 19:15 -------- d-----w- c:\program files\Trend Micro
2009-09-05 17:17 . 2009-09-05 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-05 17:17 . 2009-09-05 17:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-05 17:08 . 2009-09-05 17:08 152576 ----a-w- c:\documents and settings\Ari\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-04 11:05 . 2009-09-04 11:05 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-09-04 10:51 . 2009-09-04 10:51 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-04 10:51 . 2009-09-04 10:51 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-04 10:50 . 2009-09-06 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-04 10:50 . 2009-09-04 10:50 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-04 10:49 . 2009-09-04 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-04 10:43 . 2009-09-04 10:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-09-02 20:56 . 2009-09-03 03:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-02 20:55 . 2009-09-02 20:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-01 02:39 . 2009-09-01 02:39 -------- d-----w- c:\program files\Alwil Software
2009-09-01 02:25 . 2009-09-01 02:25 -------- d-----w- c:\documents and settings\Ari\Application Data\Malwarebytes
2009-09-01 02:24 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 02:24 . 2009-09-01 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 02:24 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 02:24 . 2009-09-01 02:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-01 01:29 . 2009-09-01 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-08-31 23:57 . 2009-08-31 23:57 -------- d-----w- c:\program files\CCleaner
2009-08-26 22:54 . 2009-08-26 22:54 -------- d-----w- c:\program files\Xiph.Org
2009-08-22 07:11 . 2009-09-01 02:10 381880 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-19 04:42 . 2009-08-19 04:42 -------- d-----w- c:\program files\Paint.NET
2009-08-19 04:42 . 2009-08-19 04:43 -------- d-----w- c:\documents and settings\Ari\Local Settings\Application Data\Paint.NET
2009-08-18 20:27 . 2009-08-20 16:40 -------- d-----w- c:\documents and settings\Ari\Application Data\gtk-2.0
2009-08-18 20:27 . 2009-08-18 20:27 -------- d-----w- c:\documents and settings\Ari\.thumbnails
2009-08-18 20:25 . 2009-09-04 23:40 -------- d-----w- c:\documents and settings\Ari\.gimp-2.6
2009-08-18 20:24 . 2009-08-18 20:24 -------- d-----w- c:\program files\GIMP-2.0
2009-08-18 06:31 . 2009-08-18 06:31 -------- d-----w- c:\temp\script
2009-08-18 06:31 . 2009-08-18 06:29 388600 ----a-w- c:\temp\script.zip
2009-08-18 06:26 . 2009-08-18 06:31 -------- d-----w- C:\temp
2009-08-18 06:24 . 2009-08-18 06:26 -------- d-----w- c:\documents and settings\Ari\wadunpack
2009-08-18 06:22 . 2008-12-16 04:16 16 ----a-w- c:\documents and settings\Ari\common-key.bin
2009-08-18 06:20 . 2009-08-18 06:20 -------- d-----w- c:\program files\WADder
2009-08-18 06:10 . 2009-08-20 05:52 -------- d-----w- C:\MyMenu
2009-08-18 05:43 . 2009-08-20 16:36 -------- d-----w- C:\Wii Backup
2009-08-16 03:17 . 2009-08-16 03:17 -------- d-----w- c:\program files\iPod
2009-08-16 03:16 . 2009-08-16 03:17 -------- d-----w- c:\program files\iTunes
2009-08-16 03:16 . 2009-08-16 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-16 03:14 . 2009-08-16 03:15 -------- d-----w- c:\program files\QuickTime
2009-08-16 02:32 . 2009-08-16 02:32 -------- d-----w- c:\program files\Bonjour
2009-08-15 19:39 . 2009-08-15 19:43 -------- d-----w- c:\documents and settings\Ari\Application Data\log
2009-08-15 19:39 . 2009-08-15 19:39 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-15 19:39 . 2009-08-15 19:39 47360 ----a-w- c:\documents and settings\Ari\Application Data\pcouffin.sys
2009-08-15 19:39 . 2009-08-15 19:39 -------- d-----w- c:\documents and settings\Ari\Application Data\Vso
2009-08-15 19:39 . 2009-08-15 19:39 -------- d-----w- c:\program files\vso
2009-08-14 05:57 . 2009-08-14 06:17 -------- d-----w- c:\windows\system32\NtmsData
2009-08-14 05:28 . 2009-08-14 05:28 -------- d-----w- c:\documents and settings\Ari\Local Settings\Application Data\WBFSManager
2009-08-14 05:26 . 2009-08-14 05:26 -------- d-----w- c:\program files\WBFS
2009-08-14 05:02 . 2009-08-14 05:02 -------- d-----w- c:\documents and settings\Ari\txtcodes
2009-08-14 05:02 . 2009-08-14 05:02 -------- d-----w- c:\documents and settings\Ari\images
2009-08-14 05:02 . 2009-08-14 05:02 -------- d-----w- c:\documents and settings\Ari\config
2009-08-14 05:02 . 2009-08-14 05:02 -------- d-----w- c:\documents and settings\Ari\codes
2009-08-14 04:46 . 2009-08-14 04:47 -------- d-----w- C:\Old
2009-08-13 03:37 . 2009-08-13 03:39 -------- d-----w- C:\Blahhh
2009-08-11 21:59 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 00:53 . 2009-08-11 00:53 -------- d-----w- c:\program files\Frets on Fire
2009-08-10 17:05 . 2009-08-10 17:05 -------- d-----w- c:\program files\3D Analyzer
2009-08-09 18:27 . 2009-08-09 18:27 -------- d-----w- c:\program files\NVIDIA Corporation
2009-08-09 18:27 . 2009-08-09 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-08-09 18:24 . 2009-07-14 18:54 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-09 18:24 . 2009-07-14 18:54 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-09 18:24 . 2009-07-14 18:54 1597690 ----a-w- c:\windows\system32\nvdata.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 18:33 . 2009-04-09 02:30 -------- d-----w- c:\program files\AskBarDis
2009-09-05 17:09 . 2009-04-26 23:40 -------- d-----w- c:\program files\Java
2009-08-31 21:23 . 2009-03-02 01:03 -------- d-----w- c:\documents and settings\Ari\Application Data\U3
2009-08-25 14:57 . 2009-05-04 23:10 -------- d-----w- c:\documents and settings\Ari\Application Data\uTorrent
2009-08-16 03:17 . 2009-01-26 21:39 -------- d-----w- c:\program files\Common Files\Apple
2009-08-13 17:04 . 2009-01-24 02:49 20792 ----a-w- c:\documents and settings\Ari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 17:28 . 2009-01-24 04:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 04:38 . 2009-05-25 04:50 -------- d-----w- c:\program files\torrentstorage
2009-07-25 09:23 . 2009-04-26 23:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 16:34 . 2009-07-21 16:33 -------- d-----w- c:\program files\Guitar Pro 5
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 18:54 . 2009-01-24 05:23 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-14 18:54 . 2009-01-24 03:19 7741664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-07-14 18:54 . 2009-01-15 13:19 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-07-14 18:54 . 2009-01-15 13:19 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-14 18:54 . 2009-01-15 13:19 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-07-14 18:54 . 2009-01-15 13:19 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-07-14 18:54 . 2009-01-15 13:19 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-07-14 18:54 . 2008-04-14 00:12 5842816 ----a-w- c:\windows\system32\nv4_disp.dll
2009-07-14 17:35 . 2009-07-14 17:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-07-14 17:35 . 2009-07-14 17:35 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-07-14 17:35 . 2009-07-14 17:35 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-07-14 17:35 . 2009-07-14 17:35 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-07-14 17:34 . 2009-07-14 17:34 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-07-14 17:34 . 2009-07-14 17:34 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-07-14 17:34 . 2009-07-14 17:34 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-07-14 17:34 . 2009-07-14 17:34 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-07-14 17:34 . 2009-07-14 17:34 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-07-14 17:34 . 2009-07-14 17:34 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-07-14 17:34 . 2009-07-14 17:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-07-14 17:34 . 2009-07-14 17:34 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-07-14 17:34 . 2009-07-14 17:34 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-07-12 16:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 11:01 . 2009-01-24 05:22 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-03 19:48 . 2009-07-03 19:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 19:45 . 2009-07-03 19:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-06-26 16:50 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 18:01 . 2009-06-15 18:01 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-01-24 02:35 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 14:32 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-11 101136]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-12-30 18082304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-11 101136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2009-4-14 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-02-20 17:57 65536 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/5/2009 3:28 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 4:33 PM 13952]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe --> c:\cygwin\bin\cygrunsrv.exe [?]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 4:32 PM 28800]
.
Contents of the 'Scheduled Tasks' folder

2009-09-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Windows Generic Host Process - c:\documents and settings\All Users\Application Data\scvhost.exe
HKLM-Run-Logitech BT Wizard - LBTWiz.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Ari\Application Data\Mozilla\Firefox\Profiles\icqew3w8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 10:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2980)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\program files\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\SetPoint\LBTWiz.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-09-06 10:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 14:46

Pre-Run: 40,300,863,488 bytes free
Post-Run: 40,276,369,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

273 --- E O F --- 2009-09-02 07:00
Adiadi is offline  
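An added example, not part of this thread or of ComboFix, showing the kind of automated first-pass triage a responder could run over the "Reg Loading Points" and "ORPHANS REMOVED" sections of a ComboFix log like the one posted above. It flags the disabled-firewall setting and any autorun whose file name imitates a Windows system binary or that runs from a user-writable data directory (in the log above, the removed `scvhost.exe` entry under All Users\Application Data is a misspelling of `svchost.exe`). The section matching, the regular expressions and the lookalike heuristic are my own assumptions about ComboFix's output format; the sample log lines are copied from the log in this thread.

```python
import re

# Constructed sample input: lines copied from the ComboFix log posted above,
# trimmed to the two sections this triage script inspects.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Windows Generic Host Process - c:\documents and settings\All Users\Application Data\scvhost.exe
HKLM-Run-Logitech BT Wizard - LBTWiz.exe
"""

# Patterns for the ComboFix line formats seen in the posted log (assumed to be
# stable; ComboFix publishes no grammar for its report).
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN_ENTRY = re.compile(r'^HKLM-Run-(?P<name>.+?) - (?P<path>.+)$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')

# Core Windows process names that malware commonly imitates by misspelling.
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "winlogon", "services",
                   "smss", "explorer", "spoolsv", "rundll32"}
# Path fragments that mark user-writable locations; legitimate autoruns
# almost always live under Program Files or the Windows directory instead.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\desktop\\")


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(stem):
    """Return the system binary that `stem` imitates, or None.

    Exact system names are not lookalikes, and very short names are skipped
    because a distance of 2 would match almost anything.
    """
    if stem in SYSTEM_BINARIES or len(stem) < 5:
        return None
    for real in sorted(SYSTEM_BINARIES):
        if edit_distance(stem, real) <= 2:
            return real
    return None


def triage_combofix(log_text):
    """Walk the log and return a list of (severity, message) findings."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()          # a registry key header
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            section = "orphans"             # entries ComboFix already deleted
            continue
        if "firewallpolicy" in section and FIREWALL_OFF.match(line):
            findings.append(("high", "Windows Firewall disabled in " + section))
            continue
        match = None
        if section.endswith("\\currentversion\\run]"):
            match = RUN_ENTRY.match(line)
        elif section == "orphans":
            match = ORPHAN_ENTRY.match(line)
        if not match:
            continue
        name, path = match.group("name"), match.group("path")
        low = path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]   # file name without extension
        if any(marker in low for marker in USER_WRITABLE):
            findings.append(("high", f"autorun '{name}' runs from a user-writable directory: {path}"))
        real = lookalike_of(stem)
        if real:
            findings.append(("high", f"autorun '{name}' file name '{stem}' imitates system binary '{real}': {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_combofix(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run on the sample it reports three findings: the firewall profile with `EnableFirewall` set to 0, and two for the orphaned `scvhost.exe` autorun (user-writable location, and a name within two edits of `svchost`). The vendor entries (`NvCpl.dll`, `avp.exe`, `LBTWiz.exe`) produce nothing, which is the point of the distance and length thresholds: short or distinctive names should not trip the heuristic.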
Old 09-06-2009, 12:02 PM   #4 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Getting the okay that I'm clear of viruses!

Hi,

I see that you've also posted here. As stated in our sticky topic:

Quote:
NOTE: We are aware that users sometimes seek help from several Forums at the same time. Unfortunately, this can cause confusion and actually wastes time and resources - yours, ours and other Volunteers across the community. If you have already posted at another Forum, please advise us, or them, and choose just one.
So, please let them, and any other forum you may have posted at, know that you're already receiving help.

==============================

uTorrent ------ This practice can make you vulnerable to data and identity theft. Please read this sticky:

Perils of P2P File Sharing

I would strongly urge you to remove it via Add or Remove Programs in Control Panel as suggested in our
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help page.

Quote:
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues. See this link
==========================

I see some registry entries for AskBar. While it is not actually malware, its activities are somewhat dubious and its intentions are misleading.
The toolbar is also a resource hog and as such can seriously affect system performance, one of the results being a significant reduction of the system's speed.

Therefore, I'd recommend that you uninstall the Ask Toolbar, if present in your Add or Remove Programs list. Otherwise, let me know so that we can clean up the leftovers.

===========================

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Also advise me how the computer is running now, please.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 09-06-2009, 02:11 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP (Home Edition)


Re: Getting the okay that I'm clear of viruses!

Hi!
Thanks for the quick reply!

I successfully uninstalled uTorrent & the AskBar.
However, when I tried to scan using the Kaspersky Online Scanner 7 (while I was on Mozilla, which is the only browser that I use), in the middle of the 'updating database' part, it froze with an error message saying:

"Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.
You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Key is expired]"

I did a quick Google search and found this thread: http://forum.kaspersky.com/index.php...ic=127400&st=0
which consists of people who all had the same problem as I did.

Overall, my computer is running fine. I have recently downloaded a lot of programs to help fix my infected computer, so that might also be one reason why it's running a tiny bit slower.

Last edited by Adiadi; 09-06-2009 at 02:13 PM.
Adiadi is offline  
Old 09-06-2009, 10:34 PM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Getting the okay that I'm clear of viruses!

Hi,

It's important that we run an online scan to look for remnants hiding around. Let's try this one:

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
amateur is offline  
Old 09-07-2009, 08:38 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP (Home Edition)


Re: Getting the okay that I'm clear of viruses!

Here's the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=7cf0738e3466724786639764f907f436
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-07 07:23:16
# local_time=2009-09-07 03:23:16 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=67368
# found=0
# cleaned=0
# scan_time=5794

I tried Kaspersky again after this one, and I got the same error.
Adiadi is offline  
Old 09-07-2009, 10:26 AM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Getting the okay that I'm clear of viruses!

Hi,

That looks good. We have been having this issue on and off with Kaspersky online scanner for a while now.

============================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

=============================

Since you already have Malwarebytes' Anti-Malware installed,
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with the Add-Remove Programs.txt.

Also, please post a fresh log from GMER.

Last edited by amateur; 09-07-2009 at 10:46 AM.
amateur is offline  
Old 09-07-2009, 01:47 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP (Home Edition)


Re: Getting the okay that I'm clear of viruses!

I think it says I still have uTorrent & the Ask Toolbar because, at the time I ran the ComboFix scan, I hadn't deleted either of them yet. Neither of them appears in my "Add or Remove Programs", and when I search for them using Windows' search function, it finds nothing.

µTorrent
7-Zip 4.65
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.3
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Bonjour
Canon MP Navigator EX 1.0
Canon MP210 series
Canon MP210 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CCleaner (remove only)
CDDRV_Installer
Free Studio version 4.1
Frets On Fire
GIMP 2.6.7
Guitar Hero III
Guitar Pro 5.2
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946344)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB951708)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
iTunes
Java(TM) 6 Update 15
Kaspersky Internet Security 2010
KhalSetup
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual Basic 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB954430)
Music Rescue
MyMenu 1.2
NVIDIA Drivers
NVIDIA nView Desktop Manager
Ogg Codecs 0.81.15562
Paint.NET v3.36
Parallel Port Joystick
Power Tab Editor 1.7
QuickTime
Realtek High Definition Audio Driver
ScanSoft OmniPage SE 4
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SetPoint
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SQL Server System CLR Types
Steam
Tortun 0.8
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Ventrilo Client
VSO Inspector 2.0.1.7
WADder 2.7.3
WBFS Manager 3.0
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows XP Service Pack 3
World of Warcraft
Xbox 360 Controller for Windows



Malwarebytes' Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 3

9/7/2009 3:42:55 PM
mbam-log-2009-09-07 (15-42-55).txt

Scan type: Quick Scan
Objects scanned: 96119
Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


When I did the GMER scan, at the end, I got a message saying this: http://www.picturepush.com/public/2230955
Attached Files
File Type: txt ark.txt (10.8 KB, 2 views)
Adiadi is offline  
Old 09-08-2009, 01:44 AM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Getting the okay that I'm clear of viruses!

Hi,

Quote:
I think it says I still have uTorrent & the Ask Toolbar because, at the time I ran the ComboFix scan, I hadn't deleted either of them yet.
Yes, that's the reason they are still showing, but you already told me that you removed them in post #5.

What GMER reports is not an active infection, and it will be sorted out by Windows itself after a few reboots. However, it doesn't hurt to double-check. I hate to ask you to do another scan, but it's better to be safe than sorry.

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select these items:
    Process
    Kernel Modules
    SSDT
    Kernel Hooks
    Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
amateur is offline  
Old 09-08-2009, 02:56 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP (Home Edition)


Re: Getting the okay that I'm clear of viruses!

Trust me, I'm quite content with running numerous scans. I was originally going to do a full reformat, but then I remembered TSF :). Thank you, this process has saved me from a ton of (unnecessary?) work.

I think this is the log you're talking about:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 880
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 976
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 1000
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 1048
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 1060
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 1220
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1248
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1308
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1352
Hidden: No
Window Visible: No

Name: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PID: 1384
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
PID: 1416
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1664
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1740
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1928
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 612
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 700
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 736
Hidden: No
Window Visible: No

Name: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
PID: 752
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 776
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 840
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1260
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3256
Hidden: No
Window Visible: No

Name: C:\WINDOWS\RTHDCPL.EXE
PID: 3544
Hidden: No
Window Visible: No

Name: C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PID: 3720
Hidden: No
Window Visible: No

Name: C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
PID: 3764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\rundll32.exe
PID: 3956
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 3996
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 4076
Hidden: No
Window Visible: No

Name: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
PID: 340
Hidden: No
Window Visible: No

Name: C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PID: 2436
Hidden: No
Window Visible: No

Name: C:\Program Files\SetPoint\SetPoint.exe
PID: 1616
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
PID: 3428
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 3484
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 620
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 2532
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunes.exe
PID: 3380
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Ari\Desktop\SysProt\SysProt.exe
PID: 2636
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Ari\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B79B3000
Module End: B79BE000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806CF680
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806D0000
Module End: 806F0300
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7990000
Module End: F7992000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F78A0000
Module End: F78A3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7361000
Module End: F738F000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7992000
Module End: F7994000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7350000
Module End: F7361000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7490000
Module End: F749A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7A58000
Module End: F7A59000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7710000
Module End: F7717000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F74A0000
Module End: F74AB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F7331000
Module End: F7350000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F7994000
Module End: F7996000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F730B000
Module End: F7331000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F7718000
Module End: F771D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F74B0000
Module End: F74BD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F72F3000
Module End: F730B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F74C0000
Module End: F74C9000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F74D0000
Module End: F74DD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F72D3000
Module End: F72F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F72C1000
Module End: F72D3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\klbg.sys
Service Name: klbg
Module Base: F74E0000
Module End: F74EB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: F74F0000
Module End: F74FF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F72AA000
Module End: F72C1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F721D000
Module End: F72AA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F71F0000
Module End: F721D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F71D6000
Module End: F71F0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kl1.sys
Service Name: kl1
Module Base: F6CB6000
Module End: F71D6000
Hidden: No

Module Name: \WINDOWS\system32\drivers\TDI.SYS
Service Name: ---
Module Base: F7720000
Module End: F7725000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\processr.sys
Service Name: Processor
Module Base: F7520000
Module End: F7529000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: F6C7A000
Module End: F6C7D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7530000
Module End: F753D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7768000
Module End: F776E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: F7770000
Module End: F7775000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6502000
Module End: F6526000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7778000
Module End: F7780000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F64DA000
Module End: F6502000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7540000
Module End: F754B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F65B6000
Module End: F65C6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F65A6000
Module End: F65B5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F64B7000
Module End: F64DA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F6596000
Module End: F65A0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: F5D36000
Module End: F6499000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F5D22000
Module End: F5D36000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\btkrnl.sys
Service Name: BTKRNL
Module Base: F5C53000
Module End: F5D22000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\klim5.sys
Service Name: klim5
Module Base: F6586000
Module End: F6590000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PPJoyBus.sys
Service Name: PPJoyBus
Module Base: F6C72000
Module End: F6C76000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7A67000
Module End: F7A68000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F6576000
Module End: F6583000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F6C6E000
Module End: F6C71000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F5C3C000
Module End: F5C53000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F6566000
Module End: F6571000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F6556000
Module End: F6562000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F5C2B000
Module End: F5C3C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F6546000
Module End: F654F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7788000
Module End: F778D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7790000
Module End: F7795000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\pcouffin.sys
Service Name: pcouffin
Module Base: F6536000
Module End: F6542000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F5BD3000
Module End: F5C03000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F6526000
Module End: F6530000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7798000
Module End: F779E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F79DC000
Module End: F79DE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F5B75000
Module End: F5BD3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F7934000
Module End: F7938000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\btaudio.sys
Service Name: btaudio
Module Base: F28A8000
Module End: F28F7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F2884000
Module End: F28A8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F7550000
Module End: F755F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F7560000
Module End: F756A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F7570000
Module End: F757F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F79E0000
Module End: F79E2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: F22B4000
Module End: F279C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\klif.sys
Service Name: KLIF
Module Base: F223E000
Module End: F228C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: hidusb
Module Base: F5C23000
Module End: F5C26000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F7580000
Module End: F7589000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F77C0000
Module End: F77C7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F79E4000
Module End: F79E6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7B7E000
Module End: F7B7F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F79E6000
Module End: F79E8000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F77D0000
Module End: F77D6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F79E8000
Module End: F79EA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F79EA000
Module End: F79EC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F77D8000
Module End: F77DD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F77E0000
Module End: F77E8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F5C1B000
Module End: F5C1E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: F21E3000
Module End: F21F6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: F218A000
Module End: F21E3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: F2162000
Module End: F218A000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: F2140000
Module End: F2162000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7590000
Module End: F7599000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: F2115000
Module End: F2140000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: F207D000
Module End: F20ED000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F75A0000
Module End: F75AB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: F2057000
Module End: F207D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F75B0000
Module End: F75B9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F77E8000
Module End: F77F0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: usbstor
Module Base: F77F0000
Module End: F77F7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\WUSB20XP.sys
Service Name: PRISM_A02
Module Base: F2004000
Module End: F2057000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F2860000
Module End: F2863000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\klmouflt.sys
Service Name: klmouflt
Module Base: F75C0000
Module End: F75C9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Service Name: usbscan
Module Base: F285C000
Module End: F2860000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F77F8000
Module End: F77FF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F7630000
Module End: F7640000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F1F4C000
Module End: F1F64000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F79FA000
Module End: F79FC000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F5C1F000
Module End: F5C22000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7808000
Module End: F780D000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7B00000
Module End: F7B01000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: B86B0000
Module End: B86B4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B82FB000
Module End: B8328000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B81F6000
Module End: B820B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B83A0000
Module End: B83AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B8066000
Module End: B80B8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B79E3000
Module End: B7A24000
Hidden: No

Module Name: \??\C:\DOCUME~1\Ari\LOCALS~1\Temp\aujasnkj.sys
Service Name: aujasnkj
Module Base: B66DC000
Module End: B66F1000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B66B1000
Module End: B66DC000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: F225D36E
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwClose
Address: F225DA86
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwConnectPort
Address: F225E60C
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateEvent
Address: F225EB40
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateFile
Address: F225DD78
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateKey
Address: F225C460
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateMutant
Address: F225EA18
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateNamedPipeFile
Address: F225BD0A
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreatePort
Address: F225E8D4
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSection
Address: F225D102
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSemaphore
Address: F225EC72
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSymbolicLinkObject
Address: F226040E
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateThread
Address: F225D886
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateWaitablePort
Address: F225E976
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeleteKey
Address: F225CA20
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeleteValueKey
Address: F225CCF8
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeviceIoControlFile
Address: F225E21C
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDuplicateObject
Address: F2260980
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwEnumerateKey
Address: F225CE3A
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwEnumerateValueKey
Address: F225CEE4
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwFsControlFile
Address: F225E016
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadDriver
Address: F225FEA6
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadKey
Address: F225C43C
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadKey2
Address: F225C44E
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwNotifyChangeKey
Address: F225D030
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenEvent
Address: F225EBE2
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenFile
Address: F225DB08
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenKey
Address: F225C604
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenMutant
Address: F225EAB0
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenProcess
Address: F225D56E
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenSection
Address: F2260438
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenSemaphore
Address: F225ED14
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenThread
Address: F225D492
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryKey
Address: F225CF8E
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryMultipleValueKey
Address: F225CBB6
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryValueKey
Address: F225C8BC
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueueApcThread
Address: F2260128
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRenameKey
Address: F225CB34
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplaceKey
Address: F225C0C2
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplyPort
Address: F225F09E
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplyWaitReceivePort
Address: F225EF64
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRequestWaitReplyPort
Address: F225FC30
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRestoreKey
Address: F225C224
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwResumeThread
Address: F2260860
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSaveKey
Address: F225BEC4
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSecureConnectPort
Address: F225E312
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetContextThread
Address: F225D984
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetInformationToken
Address: F225F5F2
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetSecurityObject
Address: F225FFA0
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetSystemInformation
Address: F22604C2
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetValueKey
Address: F225C744
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSuspendProcess
Address: F22605A6
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSuspendThread
Address: F22606D2
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSystemDebugControl
Address: F225FDD2
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwTerminateProcess
Address: F225D6EA
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwTerminateThread
Address: F225D63C
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwWriteVirtualMemory
Address: F225D7C8
Driver Base: F223E000
Driver End: F228C000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Old 09-09-2009, 02:21 AM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Getting the okay that I'm clear of viruses!

Hi,

All looks good. You can delete SysProt from your desktop.

Since you don't appear to have malware issues anymore, you're all set to go.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing and Think Prevention!
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
Old 09-09-2009, 07:35 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP (Home Edition)


Re: Getting the okay that I'm clear of viruses!

Thanks for all the help, Amateur!
Am I free to uninstall all the programs that I installed throughout this process (i.e. DDS, GMER, etc)?
Old 09-10-2009, 02:21 AM   #14 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Getting the okay that I'm clear of viruses!

You're welcome. Yes, you can go ahead and remove them from your desktop.
Copyright 2001 - 2009, Tech Support Forum