Is wmi32.exe a virus?


This topic is locked
13 replies to this topic

#1 Ally
Authentic Member, 200 posts
Posted 06 March 2011 - 11:17 AM

Hi, I have noticed a few times that a process called wmi32.exe runs for a brief few seconds at start-up on my PC and then disappears. On searching Google I find a lot of info saying this is a dangerous file. My startup processes have also decreased from the usual around thirty to only 25 processes; is this normal? My PC is running normally but I don't know if it is normal to have this process. Any help is appreciated, thanks.



#2 NoodleTech
Malware Eradicator, Visiting Fellow, 2,380 posts
Posted 06 March 2011 - 11:21 AM

Hi,

:welcome:

My name is NoodleTech. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
As I'm still in training at What The Tech, all my posts need to be checked by an expert first. This may cause a delay, but I will do my best to keep it as short as possible.
Proud Graduate of the WTT Malware Classroom.
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 Ally
Authentic Member, 200 posts
Posted 06 March 2011 - 12:10 PM

Hi NoodleTech, thanks for the quick response.
Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:08:18, on 06/03/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\rangers\Desktop\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ::1 localhost
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [EPSON SX410 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE /FU "C:\DOCUME~1\rangers\LOCALS~1\Temp\E_S1A.tmp" /EF "HKCU"
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1298548274468
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 5201 bytes
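
The O4 Run entries in the log above are where a helper looks first for something like wmi32.exe that only shows up briefly at logon; there is no wmi32.exe entry anywhere in this log. The script below is an added example for this thread, not code from HijackThis, DDS, GMER or anyone in the discussion. It parses the O2, O4, O15 and O20 line formats seen above and flags what a malware-removal helper checks by eye: Run entries given as a bare filename rather than an absolute path (SkyTel.EXE, RTHDCPL.EXE and ALCMTR.EXE here, which Windows resolves through the CreateProcess search order, so the real file has to be located before it can be judged; the running-process list shows RTHDCPL resolved to C:\WINDOWS\RTHDCPL.EXE), Run entries whose image lives under a Temp directory, BHO registrations with no file on disk, Trusted Zone additions, and AppInit_DLLs. The sample log is constructed from lines of Ally's log plus one invented `[wmi32]` Run entry pointing into the user's Temp folder so that rule fires; that line is an assumption for the demonstration and is not in the real log.

```python
"""Triage the autorun-related lines of a HijackThis 2.0.x log.

Added example for this thread; it is not HijackThis, DDS or GMER code.
It parses the O2 (BHO), O4 (Run keys), O15 (Trusted Zone) and O20
(AppInit_DLLs) line formats and reports the entries a malware-removal
helper would verify first. A finding means "go and look", not "malicious".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log in the thread, plus ONE
# invented "[wmi32]" Run entry under the user's Temp folder so that rule is
# exercised. That wmi32 line is an assumption for the demo, not real data.
SAMPLE_LOG = r"""
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [EPSON SX410 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE /FU "C:\DOCUME~1\rangers\LOCALS~1\Temp\E_S1A.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [wmi32] C:\DOCUME~1\rangers\LOCALS~1\Temp\wmi32.exe
O15 - Trusted Zone: *.line6.net
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    name: str      # Run-key value name, BHO name, ...
    target: str    # image path, DLL path, CLSID or zone
    reason: str    # why a helper would look at it


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


def image_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line.

    A quoted command yields the quoted path; otherwise the first token is
    taken, so arguments (like the EPSON /FU "...tmp" switch) are ignored.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def is_bare_filename(path: str) -> bool:
    # No directory at all: Windows resolves it through the CreateProcess
    # search order (system directories, then PATH), so the real file has to
    # be located by hand before it can be judged.
    return "\\" not in path and "/" not in path


def in_temp_dir(path: str) -> bool:
    # Both the long and the 8.3 form of the profile path contain "\Temp\".
    return "\\temp\\" in path.lower()


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the entries worth verifying."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            path = image_path(m["cmd"])
            if is_bare_filename(path):
                findings.append(Finding("O4", m["name"], path,
                    "bare filename, resolved by search order at logon; locate the real file"))
            elif in_temp_dir(path):
                findings.append(Finding("O4", m["name"], path,
                    "autorun image lives under a Temp directory"))
        elif m := O2_RE.match(line):
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("O2", m["name"], m["clsid"],
                    "orphaned BHO registration, no file on disk"))
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", "Trusted Zone", m["zone"],
                "site gets relaxed Internet Explorer security settings"))
        elif m := O20_RE.match(line):
            for dll in m["dlls"].split(","):
                findings.append(Finding("O20", "AppInit_DLLs", dll.strip(),
                    "DLL injected into every process that loads user32.dll"))
    return findings


def lines_mentioning(log_text: str, image_name: str) -> list[str]:
    """Every log line naming a given image (e.g. 'wmi32.exe'), any section."""
    needle = image_name.lower()
    return [l.strip() for l in log_text.splitlines() if needle in l.lower()]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<28}{f.target}\n    {f.reason}")
    print("wmi32.exe mentioned in:", lines_mentioning(SAMPLE_LOG, "wmi32.exe"))
```

The Kaspersky AppInit_DLLs entries are reported too: the rule is about the loading mechanism, not the vendor, and the helper decides after checking who signed the DLL. Note that the EPSON entry is not flagged even though its arguments name a file in Temp, because the check is on the image that runs, not on its parameters.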

#4 NoodleTech
Malware Eradicator, Visiting Fellow, 2,380 posts
Posted 06 March 2011 - 10:19 PM

Hi Ally,

Please do the following:

Download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments,  attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
===================================================

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


===================================================

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.
===================================================

In your next reply, please post the following:
  • DDS log
  • MBRCheck log
  • GMER log


#5 Ally
Authentic Member, 200 posts
Posted 07 March 2011 - 02:29 AM

Hi NoodleTech, here is the DDS log:

DDS (Ver_11-03-05.01) - NTFSx86
Run by rangers at 8:25:42.06 on 07/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3326.2709 [GMT 0:00]
.
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Documents and Settings\rangers\Desktop\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
uRun: [EPSON SX410 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifce.exe /fu "c:\docume~1\rangers\locals~1\temp\E_S1A.tmp" /EF "HKCU"
mRun: [SkyTel] SkyTel.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
Trusted Zone: line6.net
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1298548274468
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\rangers\applic~1\mozilla\firefox\profiles\4bywzobd.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-2-24 475736]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-24 363344]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
R3 L6TPortGX;Service - Line 6 TonePort GX;c:\windows\system32\drivers\L6TPortGX.sys [2011-2-25 579456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-24 20952]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-1-12 125672]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-03-06 12:40:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\regid.1986-12.com.adobe
2011-03-06 12:34:54 -------- d-----w- c:\docume~1\rangers\locals~1\applic~1\Adobe
2011-03-06 07:08:08 -------- d-----w- c:\program files\CCleaner
2011-03-01 08:00:14 -------- d-----w- c:\program files\Power Tab Software
2011-02-28 09:37:54 266360 ----a-w- c:\windows\system32\TweakUI.exe
2011-02-28 04:37:24 -------- d-----w- c:\program files\OpenOffice.org 3
2011-02-28 03:21:50 165376 ----a-w- c:\windows\system32\unrar.dll
2011-02-28 02:49:10 -------- d-----w- c:\program files\FreeTime
2011-02-28 02:38:58 -------- d-----w- c:\docume~1\rangers\applic~1\SUPERAntiSpyware.com
2011-02-28 02:38:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-28 02:38:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-27 18:02:11 -------- d-----w- c:\docume~1\rangers\locals~1\applic~1\cache
2011-02-27 18:01:48 -------- d-----w- c:\docume~1\rangers\locals~1\applic~1\FullTiltPoker
2011-02-27 18:01:22 -------- d-----w- c:\program files\Full Tilt Poker
2011-02-27 07:42:53 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2011-02-27 07:42:52 86528 ----a-w- c:\windows\system32\E_FLBFCE.DLL
2011-02-27 07:42:52 78848 ----a-w- c:\windows\system32\E_FD4BFCE.DLL
2011-02-27 07:42:44 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-02-27 07:42:44 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-02-27 07:42:40 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-02-27 07:42:40 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-02-27 07:41:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\UDL
2011-02-27 07:41:08 -------- d-----w- c:\program files\Epson Software
2011-02-27 07:40:57 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-02-27 07:40:57 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-02-27 07:40:57 225280 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
2011-02-27 07:40:57 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-02-27 07:40:53 614532 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2011-02-27 07:40:06 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2011-02-27 07:38:55 80024 ----a-w- c:\windows\system32\PICSDK.dll
2011-02-27 07:38:55 71840 ----a-w- c:\windows\system32\EPPicMgr.dll
2011-02-27 07:38:55 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2011-02-27 07:38:55 120992 ----a-w- c:\windows\system32\EpPicPrt.dll
2011-02-27 07:38:55 108704 ----a-w- c:\windows\system32\PICEntry.dll
2011-02-27 07:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\EPSON
2011-02-27 07:38:11 342016 ----a-w- c:\windows\system32\eswiaud.dll
2011-02-27 07:38:10 -------- d-----w- c:\program files\epson
2011-02-27 06:00:42 -------- d-----w- c:\docume~1\rangers\locals~1\applic~1\Identities
2011-02-26 07:07:41 -------- d-----w- c:\program files\ASIO4ALL v2
2011-02-25 23:10:51 -------- d-----w- c:\program files\Fast AVI MPEG Joiner
2011-02-25 20:28:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\vsosdk
2011-02-25 20:12:46 -------- d-----r- C:\Sandbox
2011-02-25 20:11:35 -------- d-----w- c:\program files\Sandboxie
2011-02-25 19:29:41 16 ----a-w- c:\windows\system32\msvcsv60.dll
2011-02-25 19:27:17 -------- d-----w- c:\program files\Steinberg
2011-02-25 19:27:16 -------- d-----w- c:\program files\IK Multimedia
2011-02-25 19:27:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\IK Multimedia
2011-02-25 19:16:14 579456 ----a-w- c:\windows\system32\drivers\L6TPortGX.sys
2011-02-25 19:16:14 180224 ----a-w- c:\windows\system32\L6tpgx.dll
2011-02-25 19:15:47 -------- d-----w- c:\program files\common files\Digidesign
2011-02-25 19:15:47 -------- d-----w- c:\docume~1\rangers\applic~1\Line 6
2011-02-25 19:15:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Line 6
2011-02-25 19:15:39 -------- d-----w- c:\program files\Line6
2011-02-25 03:27:21 -------- d-----w- c:\program files\JDownloader
2011-02-25 03:11:05 -------- d-----w- c:\program files\uTorrent
2011-02-25 03:10:47 -------- d-----w- c:\docume~1\rangers\applic~1\uTorrent
2011-02-24 21:26:05 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-02-24 21:26:04 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-02-24 09:19:46 -------- d-----w- c:\program files\IObit
2011-02-24 08:56:47 -------- d-----w- c:\docume~1\rangers\applic~1\Auslogics
2011-02-24 08:56:43 -------- d-----w- c:\program files\Auslogics
2011-02-24 08:46:14 -------- d-----w- c:\windows\Logs
2011-02-24 08:18:13 -------- d-----w- c:\program files\VideoLAN
2011-02-24 08:17:25 -------- d-----w- c:\docume~1\rangers\applic~1\PhotoScape
2011-02-24 08:17:16 -------- d-----w- c:\program files\PhotoScape
2011-02-24 07:48:56 -------- d-----w- c:\docume~1\rangers\applic~1\IObit
2011-02-24 07:44:44 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2011-02-24 07:44:44 75264 ----a-w- c:\windows\system32\unacev2.dll
2011-02-24 07:44:44 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2011-02-24 07:44:44 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2011-02-24 07:44:44 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2011-02-24 07:44:43 -------- d-----w- c:\program files\Trojan Remover
2011-02-24 07:44:43 -------- d-----w- c:\docume~1\rangers\applic~1\Simply Super Software
2011-02-24 07:44:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2011-02-24 06:22:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-24 06:22:10 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-02-24 06:15:24 -------- d-----w- c:\docume~1\rangers\applic~1\Malwarebytes
2011-02-24 06:15:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 06:15:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-24 06:15:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-24 06:15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-24 06:05:50 -------- d-----w- c:\docume~1\rangers\locals~1\applic~1\ATI
2011-02-24 05:47:02 6912 ----a-w- c:\windows\system32\drivers\vulfnth.sys
2011-02-24 05:47:02 45056 ----a-w- c:\windows\system32\vusetup.dll
2011-02-24 05:47:01 11264 ----a-w- c:\windows\system32\drivers\vulfntr.sys
2011-02-24 05:46:51 306688 ----a-w- c:\windows\IsUninst.exe
2011-02-24 04:11:25 -------- d-----w- c:\docume~1\rangers\locals~1\applic~1\ApplicationHistory
2011-02-24 04:00:30 -------- d-----w- c:\program files\Windows Media Connect 2
2011-02-24 03:59:41 -------- d-----w- c:\windows\system32\LogFiles
2011-02-24 03:58:38 -------- d-----w- c:\windows\system32\URTTemp
2011-02-24 03:48:51 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-02-24 03:48:39 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-02-24 03:48:21 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-02-24 03:48:20 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-02-24 03:47:51 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-02-24 03:44:03 -------- d-sh--w- c:\documents and settings\rangers\IECompatCache
2011-02-24 03:43:50 -------- d-sh--w- c:\documents and settings\rangers\PrivacIE
2011-02-24 03:42:15 -------- d-----w- c:\docume~1\rangers\applic~1\Foxit Software
2011-02-24 03:42:05 -------- d-----w- c:\program files\Foxit Software
2011-02-24 03:32:35 -------- d-----w- c:\windows\system32\scripting
2011-02-24 03:32:34 -------- d-----w- c:\windows\system32\en
2011-02-24 03:32:34 -------- d-----w- c:\windows\system32\bits
2011-02-24 03:32:34 -------- d-----w- c:\windows\l2schemas
2011-02-24 03:30:13 -------- d-----w- c:\windows\network diagnostic
2011-02-24 03:28:02 -------- d-----w- c:\windows\EHome
2011-02-24 03:18:48 356352 ----a-w- c:\windows\system32\nvunrm.exe
2011-02-24 03:18:15 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-02-24 03:14:34 -------- d-sh--w- c:\documents and settings\rangers\IETldCache
2011-02-24 03:13:16 -------- d-----w- c:\windows\ie8updates
2011-02-24 03:13:10 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-02-24 03:13:10 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-02-24 03:13:10 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-02-24 03:13:10 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-02-24 03:13:10 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-02-24 03:13:10 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-02-24 03:13:10 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-02-24 03:12:14 -------- dc-h--w- c:\windows\ie8
2011-02-24 03:10:01 9216 ----a-w- c:\windows\system32\bdco1.dll
2011-02-24 03:10:01 888064 ----a-w- c:\windows\system32\drivers\nvnrm.sys
2011-02-24 03:10:01 53632 ----a-w- c:\windows\system32\drivers\NVENETFD.sys
2011-02-24 03:10:01 37376 ----a-w- c:\windows\system32\nvconrm.dll
2011-02-24 03:10:01 22016 ----a-w- c:\windows\system32\drivers\nvnetbus.sys
2011-02-24 03:10:01 195072 ----a-w- c:\windows\system32\fdco1.dll
2011-02-24 02:47:34 -------- d-----w- c:\docume~1\rangers\locals~1\applic~1\Mozilla
2011-02-24 02:45:35 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2011-02-24 02:44:21 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-02-24 02:44:10 293376 ------w- c:\windows\system32\browserchoice.exe
2011-02-24 02:43:52 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-02-24 02:43:52 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-02-24 02:43:38 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-02-24 02:41:56 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-02-24 02:41:39 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-24 02:41:39 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-02-24 02:38:05 -------- d-----w- c:\windows\system32\PreInstall
2011-02-24 02:38:04 -------- d--h--w- c:\windows\$hf_mig$
2011-02-24 02:22:13 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-02-24 02:22:13 114243 ----a-w- c:\windows\system32\drivers\klin.dat
2011-02-24 02:21:43 -------- d-----w- c:\program files\Kaspersky Lab
2011-02-24 02:21:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2011-02-24 02:21:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2011-02-24 02:16:38 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-02-24 02:14:38 -------- d-----w- c:\windows\system32\Lang
2011-02-24 02:14:36 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2011-02-24 02:14:34 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2011-02-24 02:14:33 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2011-02-24 02:14:33 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2011-02-24 02:14:19 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2011-02-24 02:13:28 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2011-02-24 02:13:28 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2011-02-24 02:13:28 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2011-02-24 02:13:27 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2011-02-24 02:13:27 4992 ----a-w- c:\windows\system32\drivers\mspqm.sys
2011-02-24 02:13:26 5376 ----a-w- c:\windows\system32\drivers\mspclock.sys
2011-02-24 02:13:17 49152 ----a-w- c:\windows\system32\ChCfg.exe
2011-02-24 02:11:59 315392 ----a-w- c:\windows\HideWin.exe
2011-02-24 02:11:58 520192 ------r- c:\windows\RtlExUpd.dll
2011-02-24 02:11:57 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
2011-02-24 02:11:57 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
2011-02-24 02:11:57 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2011-02-24 02:11:57 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
2011-02-24 02:11:57 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
2011-02-24 02:11:56 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
2011-02-24 02:11:55 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
2011-02-24 02:11:55 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
2011-02-24 02:09:51 195072 ----a-w- c:\windows\system32\fdco1ins.dll
2011-02-24 02:09:50 1732 ----a-r- c:\windows\system32\drivers\nvphy.bin
2011-02-24 02:09:19 9216 ----a-w- c:\windows\system32\bdco1ins.dll
2011-02-24 02:09:18 356352 ----a-w- c:\windows\system32\nvusmb.exe
2011-02-24 02:08:58 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-02-24 02:07:58 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys
2011-02-24 02:07:44 12536 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS
.
==================== Find3M ====================
.
2011-02-24 06:30:37 87608 ----a-w- c:\docume~1\rangers\applic~1\inst.exe
2011-02-24 06:30:37 47360 ----a-w- c:\docume~1\rangers\applic~1\pcouffin.sys
2011-02-24 06:03:37 0 ----a-w- c:\windows\ativpsrm.bin
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 8:26:10.21 ===============

Attached Files



#6 Ally

Posted 07 March 2011 - 03:01 AM

Hi NoodleTech, here are my other two logs.






#7 NoodleTech

Posted 08 March 2011 - 06:19 PM

Hi Ally,

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Also please describe how your computer behaves at the moment.

===================================================

I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.
===================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *wmi32*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Proud Graduate of the WTT Malware Classroom.
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.
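The same "*wmi32*" search as an added PowerShell example (not part of the thread and not SystemLook's own code), extended with the two facts that settle this kind of question: where the file lives and who signed it. The parameter names, the Get-SuspectFileReport function and the "expected directory" rule are this example's own assumptions; it is written to run on PowerShell 2 and later from an elevated prompt on the machine being checked.

```powershell
# Added example, not code from the thread or from SystemLook: locate every
# file matching the pattern and report what a helper would use to decide
# whether a look-alike binary belongs to a known product (location, size,
# timestamps, SHA-256 and Authenticode signer).
# Assumptions: elevated prompt so Program Files and Prefetch are readable;
# $Pattern and $Roots are this script's parameters, not SystemLook options.
param(
    [string]$Pattern = '*wmi32*',
    [string[]]$Roots = @("$env:SystemDrive\")
)

function Get-FileSha256 {
    # .NET hashing rather than Get-FileHash so this also runs on PowerShell 2.
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Get-SuspectFileReport {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [Parameter(Mandatory = $true)][string[]]$Roots
    )
    foreach ($root in $Roots) {
        # -Force includes hidden/system files; access errors on protected
        # directories are skipped rather than aborting the whole walk.
        Get-ChildItem -Path $root -Filter $Pattern -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = '(unsigned)'
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                # A binary with a Windows-sounding name that lives outside Program
                # Files or the Windows directory is the case to examine first.
                $expectedDir = ($_.FullName -like "$env:ProgramFiles\*") -or
                               ($_.FullName -like "$env:SystemRoot\*")
                New-Object PSObject -Property @{
                    Path        = $_.FullName
                    Bytes       = $_.Length
                    Created     = $_.CreationTime
                    Modified    = $_.LastWriteTime
                    SHA256      = Get-FileSha256 -Path $_.FullName
                    SigStatus   = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                    Signer      = $signer
                    ExpectedDir = $expectedDir
                }
            }
    }
}

$report = @(Get-SuspectFileReport -Pattern $Pattern -Roots $Roots)
$report | Format-List Path, Bytes, Created, Modified, SHA256, SigStatus, Signer, ExpectedDir

# Prefetch entries (*.pf) only record that a program ran; the decision rests on
# the executable itself. Unsigned, or outside the expected directories, means
# it needs manual review before it is trusted.
$review = @($report | Where-Object {
    $_.Path -notlike '*.pf' -and ($_.SigStatus -ne 'Valid' -or -not $_.ExpectedDir)
})
if ($review.Count -gt 0) {
    Write-Warning ("{0} file(s) need manual review:" -f $review.Count)
    $review | Format-Table Path, SigStatus, Signer -AutoSize
} else {
    Write-Host 'All executable matches are validly signed and in expected locations.'
}
```

A valid signature from the vendor whose directory the file sits in (as with the Kaspersky folder in this thread) is the combination that lets you close the question; a valid signature alone does not, since signed binaries can still be dropped in odd places.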

#8 Ally

Posted 09 March 2011 - 04:58 AM

Hi NoodleTech, here are my logs:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5997

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

09/03/2011 10:38:58
mbam-log-2011-03-09 (10-38-58).txt

Scan type: Quick scan
Objects scanned: 133479
Time elapsed: 1 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=28c006a78d162a42ba60ef4acab96b59
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-09 10:54:26
# local_time=2011-03-09 10:54:26 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1280 16777191 100 0 1156846 1156846 0 0
# compatibility_mode=8192 67108863 100 0 3747 3747 0 0
# scanned=58208
# found=0
# cleaned=0
# scan_time=719


SystemLook 04.09.10 by jpshortstuff
Log created at 10:55 on 09/03/2011 by rangers
Administrator - Elevation successful

========== filefind ==========

Searching for "*wmi32*"
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\wmi32.exe --a---- 15200 bytes [20:28 05/10/2010] [20:28 05/10/2010] 31FF20619784DC5D2CB446FACE39A43D
C:\WINDOWS\Prefetch\WMI32.EXE-0C86CD76.pf --a---- 17476 bytes [10:36 09/03/2011] [10:36 09/03/2011] E1660C7D44822943DE0857F12BDA67E8

-= EOF =-

#9 NoodleTech

Posted 09 March 2011 - 06:19 PM

Hi Ally,

Everything looks good! Turns out wmi32.exe is harmless and is actually a part of Kaspersky Internet Security.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • Click Start > Run
  • Type Inetcpl.cpl and click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected and Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to Prompt, and "Initialize and Script ActiveX controls not marked as safe" to Disable.
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002.
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Do you have any further questions?
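An added PowerShell example (not from the thread) that audits the three ActiveX settings from step 1 by reading the registry values Internet Options writes, and with -Fix sets them to the recommended state. Zone 3 is the Internet zone and the action IDs 1001, 1004 and 1201 with data 0/1/3 for Enable/Prompt/Disable are Internet Explorer's documented zone settings; the function name and the assumption that per-user (HKCU) settings are in effect are this example's own.

```powershell
# Added example, not from the thread: check (and optionally apply) the
# Internet-zone ActiveX hardening recommended above. Assumes per-user zone
# settings are in effect; if the Security_HKLM_only policy is set, the same
# values under HKLM are the ones that count instead.
param([switch]$Fix)

# Zone 3 = Internet zone in Internet Explorer's security-zone registry layout.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action IDs and the data values IE uses: 0 = Enable, 1 = Prompt, 3 = Disable.
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Wanted = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Value = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Value = 1 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
)

function Test-IeActiveXHardening {
    param([switch]$Fix)
    $key = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($w in $Wanted) {
        $current = $key.($w.Id)
        # A missing value means the zone template default applies; report it
        # as unknown rather than guessing.
        if ($current -eq $null) { $current = -1 }
        $ok = ($current -eq $w.Value)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZoneKey -Name $w.Id -Value $w.Value -Type DWord
            $current = $w.Value
            $ok = $true
        }
        $currentLabel = "unknown($current)"
        if ($Label.ContainsKey([int]$current)) { $currentLabel = $Label[[int]$current] }
        New-Object PSObject -Property @{
            Setting   = $w.Name
            Current   = $currentLabel
            Wanted    = $Label[$w.Value]
            Compliant = $ok
        }
    }
}

Test-IeActiveXHardening -Fix:$Fix |
    Format-Table Setting, Current, Wanted, Compliant -AutoSize
```

Run it once without -Fix to see the current state, and again with -Fix after the change to confirm every row reads Compliant = True.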

#10 Ally

Posted 10 March 2011 - 12:44 AM

Hi NoodleTech, sorry for wasting your time. I do have a couple of quick questions for you though:
1. I used to have a program called HostsMan (which had MVPS HOSTS); will this be OK to re-install?
2. I currently run Malwarebytes Pro (real-time protection) alongside Kaspersky Internet Security Suite; is this OK, or could the two programs conflict with each other?
Thanks again NoodleTech for checking out my logs and helping out, much appreciated. :thumbup:
Kindest Regards,
Ally.

#11 NoodleTech

Posted 10 March 2011 - 09:23 AM

Hi Ally, no problem :thumbup:
There is no need to reinstall MVPS HOSTS if you have done so before. You may run Malwarebytes Pro and Kaspersky simultaneously.
Any other questions?

#12 Ally

Posted 10 March 2011 - 12:50 PM

Hi NoodleTech, no, that's all, thanks. Again, thanks for all the help. :notworthy:

#13 NoodleTech

Posted 10 March 2011 - 02:43 PM

Anytime :thumbup: Take care!

#14 CatByte

Posted 10 March 2011 - 04:11 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
