
[Resolved] Trojan.Script.Iframer possible infection


This topic is locked
15 replies to this topic

#1 stargazercece
Authentic Member, 31 posts

Posted 11 October 2009 - 06:36 PM

Here I am once again. This time, as I was heading to a website, my Kaspersky popped up and said that there was a virus there - Trojan.Script.Iframer - and to cancel the page. I did, but my IE is acting strange. Some scripts on the page aren't working and my add-ons will not work either. I already restarted IE 7 since you can't reinstall it on Vista. On Kaspersky it says that the virus threat is detected, but I'm worried my machine might have still gotten it. I've done scans in normal and safe mode, but nothing popped up. RootRepeal is giving trouble; I keep getting this:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 20:27
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

SSDT
-------------------
SYSENTER/INT2E Hooked [0x8245d8f0]!

==EOF==

Here's the DDS log:

and the attach txt is there



#2 OCD
SuperHelper, Malware Team, 5,574 posts

Posted 12 October 2009 - 11:23 AM

Hello stargazercece,
Welcome to What the Tech.
My name is OCD, I will be helping you with your log today.

Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

I am checking over your logs now, I will post back shortly with instructions.
OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.


#3 OCD
SuperHelper, Malware Team, 5,574 posts

Posted 12 October 2009 - 06:16 PM

Hello stargazercece,
  • You may want to print out these instructions for reference prior to proceeding.
  • This solution is specifically tailored for this particular problem, please do not attempt to use this solution on another computer.
  • If you have any questions, or are uncertain about any steps please ask 'before' proceeding.
- - - - - Next - - - - -

Trojan.Script.Iframer - and to cancel the page. I did but my IE is acting strange. Some scripts on the page aren't working and my add-ons will not work either.
On kaspersky it says that the virus threat is detected but I'm worried my machine might have still gotten it.

It appears that the page you were attempting to view was infected with the Trojan.Script.Iframer and your Kaspersky protection acted properly. You can read more about it here.

But I would like to dig a bit deeper to be sure we aren't missing anything.

- - - - - Next - - - - -

Please download Sysprot Antirootkit from here

Unzip it into a folder on your desktop.

  • Right click Sysprot.exe and select "Run as Administrator" to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log here.
- - - - - Next - - - - -

On your next post please provide the following:
  • Sysprot log
  • Tell me how your computer is running at the moment.

Edited by OCD, 12 October 2009 - 06:22 PM.

OCD

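For readers wondering what a generic iframe-injection verdict such as Trojan.Script.Iframer is reacting to, here is an added example (not code from this thread, from Kaspersky or from WTT) that scans a constructed HTML page for the usual shape of an injected frame: an off-site iframe that is also hidden, one pixel or smaller, or appended after the closing html tag. The heuristics and the `shop.example` / `injected.example` hosts are assumptions made for the example.

```python
"""Heuristic triage of an HTML document for injected, hidden iframes.

Added example, not a vendor signature: the traits checked here
(off-site src combined with zero/one-pixel size, hidden CSS, or a frame
appended after </html>) are common features of iframe injections and are
assumptions of this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag with its attributes and position."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.html_closed_at = None  # (line, col) where </html> was first seen

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({"attrs": dict(attrs), "pos": self.getpos()})

    def handle_endtag(self, tag):
        if tag == "html" and self.html_closed_at is None:
            self.html_closed_at = self.getpos()


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


def suspicious_iframes(html, site_host):
    """Return a list of (reasons, src) for iframes that look injected.

    site_host is the legitimate host of the page being checked; an iframe
    whose src names another host is off-site. Only off-site frames that also
    show at least one hiding trait are reported, so a visible embed such as a
    video player is not flagged.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        attrs = frame["attrs"]
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if _tiny(attrs.get("width")) and _tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if parser.html_closed_at and frame["pos"] > parser.html_closed_at:
            reasons.append("placed after </html>")
        if "off-site src" in reasons and len(reasons) >= 2:
            findings.append((reasons, src))
    return findings


# Constructed sample page: one legitimate visible embed and two injected frames.
SAMPLE_PAGE = """<html><head><title>Shop</title></head>
<body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://injected.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
<iframe src="http://injected.example/x.html" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for reasons, src in suspicious_iframes(SAMPLE_PAGE, "shop.example"):
        print(src, "->", ", ".join(reasons))
```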


#4 stargazercece
Authentic Member, 31 posts

Posted 13 October 2009 - 08:48 PM

I am able to turn on my add-on but the scripts aren't working. For example, when I go to any site certain pictures and links do not show up, and I have the WOT add-on and I can't see the circles that appear by links or the whole settings page. And on my Vista desktop the slide-show and the feeds gadget aren't showing properly. Also, a lot of free space on my C drive disappeared (so things are running slow) the same time this virus showed up. Could everything be tied together? Here's the log:
Name: CmBatt Module Base: 883FC000 Module End: 88400000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\cpqbttn.sys Service Name: HBtnKey Module Base: 88161000 Module End: 88164000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\HIDCLASS.SYS Service Name: --- Module Base: 88164000 Module End: 88174000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\HIDPARSE.SYS Service Name: --- Module Base: 88174000 Module End: 8817B000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\wmiacpi.sys Service Name: WmiAcpi Module Base: 8817B000 Module End: 88184000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\bcmwl6.sys Service Name: BCM43XV Module Base: 8D60A000 Module End: 8D752000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\nvlddmkm.sys Service Name: nvlddmkm Module Base: 8D80D000 Module End: 8DF4F000 Hidden: No Module Name: D:\Windows\System32\drivers\dxgkrnl.sys Service Name: DXGKrnl Module Base: 8DF4F000 Module End: 8DFEE000 Hidden: No Module Name: D:\Windows\System32\drivers\watchdog.sys Service Name: --- Module Base: 8DFEE000 Module End: 8DFFB000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\nvsmu.sys Service Name: nvsmu Module Base: 8DFFB000 Module End: 8DFFE000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\usbohci.sys Service Name: usbohci Module Base: 8D800000 Module End: 8D80A000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\USBPORT.SYS Service Name: --- Module Base: 8D752000 Module End: 8D790000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\usbehci.sys Service Name: usbehci Module Base: 8D790000 Module End: 8D79F000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\cdrom.sys Service Name: cdrom Module Base: 8D79F000 Module End: 8D7B7000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\ohci1394.sys Service Name: ohci1394 Module Base: 8D7B7000 Module End: 8D7C7000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\1394BUS.SYS Service Name: --- Module Base: 8D7C7000 Module End: 8D7D5000 Hidden: No Module Name: 
D:\Windows\system32\DRIVERS\sdbus.sys Service Name: sdbus Module Base: 8D7D5000 Module End: 8D7EF000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\rimmptsk.sys Service Name: rimmptsk Module Base: 8D7EF000 Module End: 8D7FD000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\rimsptsk.sys Service Name: rimsptsk Module Base: 88184000 Module End: 88198000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\rixdptsk.sys Service Name: rismxdp Module Base: 88198000 Module End: 881E9000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\HDAudBus.sys Service Name: HDAudBus Module Base: 881E9000 Module End: 881FB000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\nvmfdx32.sys Service Name: NVENETFD Module Base: 8E006000 Module End: 8E106000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\i8042prt.sys Service Name: i8042prt Module Base: 8E106000 Module End: 8E119000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\kbdclass.sys Service Name: kbdclass Module Base: 8E119000 Module End: 8E124000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\klmouflt.sys Service Name: klmouflt Module Base: 8E124000 Module End: 8E12D000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\mouclass.sys Service Name: mouclass Module Base: 8E12D000 Module End: 8E138000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\msiscsi.sys Service Name: iScsiPrt Module Base: 8E138000 Module End: 8E166000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\TDI.SYS Service Name: --- Module Base: 8E166000 Module End: 8E171000 Hidden: No Module Name: D:\Windows\System32\Drivers\RootMdm.sys Service Name: ROOTMODEM Module Base: 8E171000 Module End: 8E179000 Hidden: No Module Name: D:\Windows\system32\drivers\modem.sys Service Name: Modem Module Base: 8E179000 Module End: 8E186000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\rasl2tp.sys Service Name: Rasl2tp Module Base: 8E186000 Module End: 8E19D000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\ndistapi.sys Service Name: 
NdisTapi Module Base: 8E19D000 Module End: 8E1A8000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\ndiswan.sys Service Name: NdisWan Module Base: 8E1A8000 Module End: 8E1CB000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\raspppoe.sys Service Name: RasPppoe Module Base: 8E1CB000 Module End: 8E1DA000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\raspptp.sys Service Name: PptpMiniport Module Base: 8E1DA000 Module End: 8E1EE000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\rassstp.sys Service Name: RasSstp Module Base: 87FE8000 Module End: 87FFD000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\RimSerial.sys Service Name: RimVSerPort Module Base: 8E1EE000 Module End: 8E1F5000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\rdpdr.sys Service Name: rdpdr Module Base: 8E409000 Module End: 8E492000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\termdd.sys Service Name: TermDD Module Base: 8E492000 Module End: 8E4A2000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\swenum.sys Service Name: swenum Module Base: 8E4A2000 Module End: 8E4A4000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\ks.sys Service Name: --- Module Base: 8E4A4000 Module End: 8E4CE000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\mssmbios.sys Service Name: mssmbios Module Base: 8E4CE000 Module End: 8E4D8000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\umbus.sys Service Name: umbus Module Base: 8E4D8000 Module End: 8E4E5000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\kbdhid.sys Service Name: kbdhid Module Base: 8E4E5000 Module End: 8E4EE000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\usbhub.sys Service Name: usbhub Module Base: 8E4EE000 Module End: 8E522000 Hidden: No Module Name: D:\Windows\System32\Drivers\NDProxy.SYS Service Name: NDProxy Module Base: 8E522000 Module End: 8E533000 Hidden: No Module Name: D:\Windows\system32\drivers\HdAudio.sys Service Name: HdAudAddService Module Base: 8E533000 Module End: 8E572000 Hidden: No 
Module Name: D:\Windows\system32\drivers\portcls.sys Service Name: --- Module Base: 8E572000 Module End: 8E59F000 Hidden: No Module Name: D:\Windows\system32\drivers\drmk.sys Service Name: --- Module Base: 8E59F000 Module End: 8E5C4000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\VSTAZL3.SYS Service Name: HSFHWAZL Module Base: 8E5C4000 Module End: 8E600000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\VSTDPV3.SYS Service Name: HSF_DPV Module Base: 8E609000 Module End: 8E70D000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\VSTCNXT3.SYS Service Name: winachsf Module Base: 8E70D000 Module End: 8E7C0000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\klif.sys Service Name: KLIF Module Base: 8E80E000 Module End: 8E857000 Hidden: No Module Name: D:\Windows\System32\Drivers\Beep.SYS Service Name: Beep Module Base: 8E867000 Module End: 8E86E000 Hidden: No Module Name: D:\Windows\System32\drivers\vga.sys Service Name: vga Module Base: 8E86E000 Module End: 8E87A000 Hidden: No Module Name: D:\Windows\System32\drivers\VIDEOPRT.SYS Service Name: --- Module Base: 8E87A000 Module End: 8E89B000 Hidden: No Module Name: D:\Windows\System32\DRIVERS\RDPCDD.sys Service Name: RDPCDD Module Base: 8E89B000 Module End: 8E8A3000 Hidden: No Module Name: D:\Windows\system32\drivers\rdpencdd.sys Service Name: RDPENCDD Module Base: 8E8A3000 Module End: 8E8AB000 Hidden: No Module Name: D:\Windows\System32\Drivers\Npfs.SYS Service Name: Npfs Module Base: 8E8B6000 Module End: 8E8C4000 Hidden: No Module Name: D:\Windows\System32\DRIVERS\rasacd.sys Service Name: RasAcd Module Base: 8E8C4000 Module End: 8E8CD000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\tdx.sys Service Name: tdx Module Base: 8E8CD000 Module End: 8E8E3000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\smb.sys Service Name: Smb Module Base: 8E8E3000 Module End: 8E8F7000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\kl1.sys Service Name: kl1 Module Base: 8EA02000 Module End: 8EF22000 Hidden: 
No Module Name: D:\Windows\system32\drivers\afd.sys Service Name: AFD Module Base: 8EF22000 Module End: 8EF6A000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\usbccgp.sys Service Name: usbccgp Module Base: 8EF6A000 Module End: 8EF81000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\USBD.SYS Service Name: --- Module Base: 8EF81000 Module End: 8EF83000 Hidden: No Module Name: D:\Windows\System32\DRIVERS\netbt.sys Service Name: netbt Module Base: 8EF83000 Module End: 8EFB5000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\snp2uvc.sys Service Name: SNP2UVC Module Base: 8F20B000 Module End: 8F55E000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\STREAM.SYS Service Name: --- Module Base: 8F55E000 Module End: 8F56B000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\sncduvc.SYS Service Name: --- Module Base: 8F56B000 Module End: 8F572000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\pacer.sys Service Name: PSched Module Base: 8F572000 Module End: 8F588000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\klim6.sys Service Name: KLIM6 Module Base: 8F588000 Module End: 8F58F000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\netbios.sys Service Name: NetBIOS Module Base: 8F58F000 Module End: 8F59D000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\wanarp.sys Service Name: Wanarp Module Base: 8F59D000 Module End: 8F5B0000 Hidden: No Module Name: D:\Windows\System32\drivers\truecrypt.sys Service Name: truecrypt Module Base: 8F5B0000 Module End: 8F5E3000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\rdbss.sys Service Name: rdbss Module Base: 8EFB5000 Module End: 8EFF1000 Hidden: No Module Name: D:\Windows\system32\drivers\nsiproxy.sys Service Name: nsiproxy Module Base: 8F5E3000 Module End: 8F5ED000 Hidden: No Module Name: D:\Windows\system32\drivers\csc.sys Service Name: CSC Module Base: 8E8F7000 Module End: 8E951000 Hidden: No Module Name: D:\Windows\System32\Drivers\dfsc.sys Service Name: DfsC Module Base: 8E951000 Module End: 
8E968000 Hidden: No Module Name: D:\Windows\System32\Drivers\crashdmp.sys Service Name: --- Module Base: 8F5ED000 Module End: 8F5FA000 Hidden: No Module Name: \SystemRoot\System32\Drivers\dump_diskdump.sys Service Name: --- Module Base: 8F200000 Module End: 8F20A000 Hidden: Yes Module Name: \SystemRoot\System32\Drivers\dump_nvstor32.sys Service Name: --- Module Base: 8E968000 Module End: 8E982000 Hidden: Yes Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys Service Name: --- Module Base: 8E982000 Module End: 8E993000 Hidden: Yes Module Name: D:\Windows\System32\drivers\Dxapi.sys Service Name: --- Module Base: 8EFF1000 Module End: 8EFFB000 Hidden: No Module Name: D:\Windows\system32\drivers\luafv.sys Service Name: luafv Module Base: 8E9A2000 Module End: 8E9BD000 Hidden: No Module Name: D:\Windows\system32\drivers\spsys.sys Service Name: --- Module Base: 9F602000 Module End: 9F6B1000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\lltdio.sys Service Name: lltdio Module Base: 9F6B1000 Module End: 9F6C1000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\nwifi.sys Service Name: NativeWifiP Module Base: 9F6C1000 Module End: 9F6EB000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\ndisuio.sys Service Name: Ndisuio Module Base: 9F6EB000 Module End: 9F6F5000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\rspndr.sys Service Name: rspndr Module Base: 9F6F5000 Module End: 9F708000 Hidden: No Module Name: D:\Windows\system32\drivers\HTTP.sys Service Name: HTTP Module Base: 9F708000 Module End: 9F773000 Hidden: No Module Name: D:\Windows\System32\DRIVERS\srvnet.sys Service Name: srvnet Module Base: 9F773000 Module End: 9F790000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\bowser.sys Service Name: bowser Module Base: 9F790000 Module End: 9F7A9000 Hidden: No Module Name: D:\Windows\System32\drivers\mpsdrv.sys Service Name: mpsdrv Module Base: 9F7A9000 Module End: 9F7BE000 Hidden: No Module Name: D:\Windows\system32\drivers\mrxdav.sys Service Name: 
MRxDAV Module Base: 9F7BE000 Module End: 9F7DE000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\mrxsmb.sys Service Name: mrxsmb Module Base: 9F7DE000 Module End: 9F7FD000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\mrxsmb10.sys Service Name: mrxsmb10 Module Base: 8E9C5000 Module End: 8E9FE000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\mrxsmb20.sys Service Name: mrxsmb20 Module Base: 8E7C0000 Module End: 8E7D8000 Hidden: No Module Name: D:\Windows\System32\DRIVERS\srv2.sys Service Name: srv2 Module Base: 8E7D8000 Module End: 8E7FF000 Hidden: No Module Name: D:\Windows\System32\DRIVERS\srv.sys Service Name: srv Module Base: A0C08000 Module End: A0C54000 Hidden: No Module Name: D:\Windows\system32\drivers\peauth.sys Service Name: PEAUTH Module Base: A0C54000 Module End: A0D32000 Hidden: No Module Name: D:\Windows\System32\Drivers\secdrv.SYS Service Name: secdrv Module Base: A0D32000 Module End: A0D3C000 Hidden: No Module Name: D:\Windows\System32\drivers\tcpipreg.sys Service Name: tcpipreg Module Base: A0D3C000 Module End: A0D48000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\cdfs.sys Service Name: cdfs Module Base: A0D48000 Module End: A0D5E000 Hidden: No Module Name: D:\Windows\system32\DRIVERS\monitor.sys Service Name: monitor Module Base: A0D5E000 Module End: A0D6D000 Hidden: No Module Name: D:\Windows\System32\Drivers\fastfat.SYS Service Name: fastfat Module Base: A0D7F000 Module End: A0DA7000 Hidden: No Module Name: D:\Windows\System32\Drivers\Null.SYS Service Name: Null Module Base: 8E860000 Module End: 8E867000 Hidden: No Module Name: D:\Windows\System32\Drivers\Msfs.SYS Service Name: Msfs Module Base: 8E8AB000 Module End: 8E8B6000 Hidden: No ******************************************************************************** ********** ******************************************************************************** ********** SSDT: Function Name: ZwAlpcConnectPort Address: 8E82CE06 Driver Base: 8E80E000 Driver End: 8E857000 Driver 
Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwAlpcCreatePort Address: 8E82CF84 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwAlpcSendWaitReceivePort Address: 8E82D014 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwClose Address: 8E82BDF8 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwConnectPort Address: 8E82C4EA Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateEvent Address: 8E82C816 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateFile Address: 8E82BF66 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateMutant Address: 8E82C6EE Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateNamedPipeFile Address: 8E82B9D2 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreatePort Address: 8E82C5AA Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateSection Address: 8E82BB8C Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateSemaphore Address: 8E82C948 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateWaitablePort Address: 8E82C64C Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwFsControlFile Address: 8E82C0C4 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenEvent Address: 8E82C8B8 Driver Base: 8E80E000 Driver End: 8E857000 
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenFile Address: 8E82BE34 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenMutant Address: 8E82C786 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenSection Address: 8E82D45C Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenSemaphore Address: 8E82C9EA Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwQueryDirectoryObject Address: 8E82D214 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwReplyPort Address: 8E82CD74 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwReplyWaitReceivePort Address: 8E82CC3A Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSecureConnectPort Address: 8E82C1F0 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSetInformationToken Address: 8E82D2C8 Driver Base: 8E80E000 Driver End: 8E857000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys ******************************************************************************** ********** ******************************************************************************** ********** No Kernel Hooks found ******************************************************************************** ********** ******************************************************************************** ********** No IRP Hooks found ******************************************************************************** ********** ******************************************************************************** ********** Ports: Local Address: CECE-PC.MYHOME.WESTELL.COM:55433 
Remote Address: 65.55.25.60:HTTP Type: TCP Process: [System Idle Process] State: TIME_WAIT Local Address: CECE-PC.MYHOME.WESTELL.COM:55431 Remote Address: WER.MICROSOFT.COM:HTTPS Type: TCP Process: [System Idle Process] State: TIME_WAIT Local Address: CECE-PC.MYHOME.WESTELL.COM:55429 Remote Address: SPYNETTEST.MICROSOFT.COM:HTTPS Type: TCP Process: [System Idle Process] State: TIME_WAIT Local Address: CECE-PC.MYHOME.WESTELL.COM:55427 Remote Address: WATSON.MICROSOFT.COM:HTTP Type: TCP Process: [System Idle Process] State: TIME_WAIT Local Address: CECE-PC.MYHOME.WESTELL.COM:55425 Remote Address: 65.54.152.125:HTTP Type: TCP Process: [System Idle Process] State: TIME_WAIT Local Address: CECE-PC.MYHOME.WESTELL.COM:NETBIOS-SSN Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING Local Address: CECE-PC:49156 Remote Address: 0.0.0.0:0 Type: TCP Process: D:\Windows\System32\services.exe State: LISTENING Local Address: CECE-PC:49155 Remote Address: 0.0.0.0:0 Type: TCP Process: D:\Windows\System32\lsass.exe State: LISTENING Local Address: CECE-PC:49154 Remote Address: 0.0.0.0:0 Type: TCP Process: D:\Windows\System32\svchost.exe State: LISTENING Local Address: CECE-PC:49153 Remote Address: 0.0.0.0:0 Type: TCP Process: D:\Windows\System32\svchost.exe State: LISTENING Local Address: CECE-PC:49152 Remote Address: 0.0.0.0:0 Type: TCP Process: D:\Windows\System32\wininit.exe State: LISTENING Local Address: CECE-PC:19780 Remote Address: 0.0.0.0:0 Type: TCP Process: D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe State: LISTENING Local Address: CECE-PC:5357 Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING Local Address: CECE-PC:NFSD-STATUS Remote Address: 0.0.0.0:0 Type: TCP Process: D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe State: LISTENING Local Address: CECE-PC:MICROSOFT-DS Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING Local Address: CECE-PC:EPMAP Remote Address: 
0.0.0.0:0 Type: TCP Process: D:\Windows\System32\svchost.exe State: LISTENING Local Address: CECE-PC.MYHOME.WESTELL.COM:SSDP Remote Address: NA Type: UDP Process: D:\Windows\System32\svchost.exe State: NA Local Address: CECE-PC.MYHOME.WESTELL.COM:138 Remote Address: NA Type: UDP Process: System State: NA Local Address: CECE-PC.MYHOME.WESTELL.COM:NETBIOS-NS Remote Address: NA Type: UDP Process: System State: NA Local Address: CECE-PC:59767 Remote Address: NA Type: UDP Process: D:\Program Files\Windows Sidebar\sidebar.exe State: NA Local Address: CECE-PC:56429 Remote Address: NA Type: UDP Process: D:\Windows\System32\svchost.exe State: NA Local Address: CECE-PC:SSDP Remote Address: NA Type: UDP Process: D:\Windows\System32\svchost.exe State: NA Local Address: CECE-PC:IPSEC-MSFT Remote Address: NA Type: UDP Process: D:\Windows\System32\svchost.exe State: NA Local Address: CECE-PC:500 Remote Address: NA Type: UDP Process: D:\Windows\System32\svchost.exe State: NA Local Address: CECE-PC:123 Remote Address: NA Type: UDP Process: D:\Windows\System32\svchost.exe State: NA ******************************************************************************** ********** ******************************************************************************** ********** Hidden files/folders: Object: D:\System Volume Information\MountPointManagerRemoteDatabase Status: Access denied Object: D:\System Volume Information\SPP Status: Access denied Object: D:\System Volume Information\SystemRestore Status: Access denied Object: D:\System Volume Information\tracking.log Status: Access denied Object: D:\System Volume Information\_restore{A3A18297-422B-4257-8E7A-18B3BE2A92D0} Status: Access denied Object: D:\System Volume Information\{01897f7c-b2c3-11de-b631-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{063c0548-b46e-11de-b832-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume 
Information\{063c057e-b46e-11de-b832-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{5ed201df-b6f7-11de-ae0e-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{5ed201ed-b6f7-11de-ae0e-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{5ed20224-b6f7-11de-ae0e-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{5f20f613-b23a-11de-8161-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{690f814f-b69a-11de-83ea-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{a3a486eb-b191-11de-9dd6-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{a3a48724-b191-11de-9dd6-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{ed2c0e16-b3bc-11de-915d-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\System Volume Information\{ed2c0e42-b3bc-11de-915d-0016367d83e2}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Access denied Object: D:\Users\Cece\Favorites\Jpopmusic.com • View topic - KAT-TUN - [Break the Records -by you & for you-] 29th Apr.url Status: Hidden Object: D:\Users\Cece_Phoenix\Favorites\Jpopmusic.com • View topic - KAT-TUN - [Break the Records -by you & for you-] 29th Apr.url Status: Hidden Object: D:\Windows\CSC\v2.0.6\namespace Status: Access denied Object: D:\Windows\CSC\v2.0.6\pq Status: Access denied Object: D:\Windows\CSC\v2.0.6\sm Status: Access denied Object: D:\Windows\CSC\v2.0.6\temp Status: Access denied Object: D:\Windows\CSC\v2.0.6 Status: Access denied 
Object: D:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Status: Access denied Object: D:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl Status: Access denied Object: D:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl Status: Access denied Object: D:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl Status: Access denied Object: D:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl Status: Access denied Object: D:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl Status: Access denied

#5 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 14 October 2009 - 10:41 AM

Hi stargazercece,

Please update your Internet Explorer to Version 8 by going here and following the onscreen menu to select the correct version for your Operating System.
If this solves your problem, skip the very next step and continue with the remainder of the steps.

- - - - - Next - - - - -

While browser add-ons can enhance your online experience, they can occasionally interfere or conflict with other software on your computer.
Try starting Internet Explorer without add-ons to see if the problem goes away. Here's how:

Click the Start button, then All Programs > Accessories > System Tools, and then click Internet Explorer (No Add-ons).

- - - - - Next - - - - -

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Right - click OTM and select "Run as Administrator" to run this tool.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Services
0301941240878354mcinstcleanup

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"73F7F495-A325-4C52-BE48-5F97FA511E89"=-
[-HKEY_CLASSES_ROOT\CLSID\{73F7F495-A325-4C52-BE48-5F97FA511E89}]

[HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions]
"11316B13-33F0-4C9F-BD55-09994CCFA8EB"=-

:Files

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

- - - - - Next - - - - -

Run the following scan: Eset Online Scanner
(you will need Internet Explorer to run this scan)

You will need to run this scan with Administrator privileges:
  • Simply hit the button “Restart browser as Admin” in ESET Online Scanner or
  • Right-click on the browser icon in the Start Menu and select "Run as administrator" from the context menu.
Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt into your next reply.
- - - - - Next - - - - -

On your next post please provide the following:
  • OTM log
  • ESET log.txt
  • Any change in computer performance?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.


#6 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • 31 posts

Posted 16 October 2009 - 09:48 PM

I was a little hesitant to put IE 8 on, so I checked 7, and when I removed and then reinstalled Flash and Java the missing scripts showed back up. On my desktop things were still the same though. After some time, however, the scripts disappeared again, so could it be the Flash & Java that's the problem? Every time I try the ESET scanner it kept stopping to complain about a proxy, so I ended up closing it. But OTM worked:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
Service\Driver 0301941240878354mcinstcleanup deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\73F7F495-A325-4C52-BE48-5F97FA511E89 not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{73F7F495-A325-4C52-BE48-5F97FA511E89}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73F7F495-A325-4C52-BE48-5F97FA511E89}\ not found.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\\11316B13-33F0-4C9F-BD55-09994CCFA8EB not found.
========== FILES ==========
========== COMMANDS ==========
[EMPTYTEMP]

User: All Users

User: Cece
->Temp folder emptied: 8186789 bytes
->Temporary Internet Files folder emptied: 30972653 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 6026463 bytes

User: Cece_Phoenix
->Temp folder emptied: 1994131 bytes
->Temporary Internet Files folder emptied: 22840581 bytes
->Java cache emptied: 25538856 bytes
->FireFox cache emptied: 43199660 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 75364 bytes
RecycleBin emptied: 38816039 bytes

Total Files Cleaned = 169.42 mb

OTM by OldTimer - Version 3.0.0.6 log created on 10162009_222047

#7 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 17 October 2009 - 09:38 AM

stargazercece,

Your last reply wasn't entirely clear to me, so I have a few questions.

  • What version of IE are you running - IE7 or IE8?
  • Did you uninstall and reinstall Flash & Java, or was it a fresh install?
- - - - - Next - - - - -

I'd like for you to try and run this online scan since you experienced difficulty with ESET
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



Please do a scan with Kaspersky Online Scanner or from here

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.
Animated tutorial
http://i275.photobuc...ng/KAS/KAS9.gif

Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset it to 100%.

Or use Firefox with the IE-Tab plugin:
https://addons.mozil...efox/addon/1419

- - - - - Next - - - - -

On your next post please provide the following:
  • Kaspersky log
  • Answers to the questions posted above

OCD



#8 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • 31 posts

Posted 19 October 2009 - 09:57 PM

I was running IE 7 and I uninstalled and reinstalled flash and java. Things went back to normal but then by the next evening everything was messed up again. So I have now installed IE 8 and so far things are working, but I'm keeping an eye open to see if the same problem will return again.

Argh! Kaspersky is giving trouble too. I shut off my anti-virus and anti-spyware programs but it still won't work. This is the message that I get :
Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Key is expired]

#9 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 20 October 2009 - 02:06 PM

Hello stargazercece,

Please re-run DDS and post the new logs generated.

Be sure to disable your script blocking software BEFORE running the DDS scan. Use the link below if you need assistance.
  • Disable any script blocking protection (How to Disable your Security Programs) < - - Important
  • Right click DDS icon and select "Run as Administrator" to run this tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
- - - - - Next - - - - -

On your next post please provide the following:
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open, and then click UPLOAD.

OCD



#10 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • 31 posts

Posted 22 October 2009 - 09:48 PM

Here are the logs:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Cece at 23:40:47.72 on Thu 10/22/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1982.848 [GMT -4:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

D:\Windows\system32\wininit.exe
D:\Windows\system32\lsm.exe
D:\Windows\system32\svchost.exe -k DcomLaunch
D:\Windows\system32\nvvsvc.exe
D:\Windows\system32\svchost.exe -k rpcss
D:\Windows\System32\svchost.exe -k secsvcs
D:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
D:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
D:\Windows\system32\svchost.exe -k netsvcs
D:\Windows\system32\svchost.exe -k GPSvcGroup
D:\Windows\system32\SLsvc.exe
D:\Windows\system32\svchost.exe -k LocalService
D:\Windows\system32\rundll32.exe
D:\Windows\system32\WLANExt.exe
D:\Windows\System32\spoolsv.exe
D:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
D:\Windows\system32\svchost.exe -k NetworkService
D:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
D:\Windows\system32\Dwm.exe
D:\Windows\system32\taskeng.exe
D:\Windows\Explorer.EXE
D:\Windows\system32\taskeng.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Windows\System32\rundll32.exe
D:\Windows\vsnp2uvc.exe
D:\Windows\system32\svchost.exe -k imgsvc
D:\Windows\System32\svchost.exe -k WerSvcGroup
D:\Windows\system32\SearchIndexer.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\OpenOffice.org 3\program\soffice.exe
D:\Program Files\OpenOffice.org 3\program\soffice.bin
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Users\Cece_Phoenix\Downloads\dds.scr
D:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mStart Page = about:blank
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - d:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - d:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - d:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - d:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - d:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: {73F7F495-A325-4C52-BE48-5F97FA511E89} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - d:\program files\wot\WOT.dll
uRun: [Sidebar] d:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "d:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] d:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] d:\program files\windows media player\WMPNSCFG.exe
uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVP] "d:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "d:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [snp2uvc] d:\windows\vsnp2uvc.exe
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [BlackBerryAutoUpdate] d:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "d:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRunOnce: [Uninstall Adobe Download Manager] "d:\windows\system32\rundll32.exe" "d:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
mRunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
mRunOnce: [OTM] "d:\users\cece_phoenix\downloads\OTM.exe"
StartupFolder: d:\users\cece\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - d:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: HideSCANetwork = 0 (0x0)
uPolicies-explorer: HideSCAVolume = 0 (0x0)
mPolicies-explorer: NoAutorun = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - d:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - d:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - d:\program files\wot\WOT.dll
Notify: klogon - d:\windows\system32\klogon.dll
AppInit_DLLs: d:\progra~1\kasper~1\kasper~2\mzvkbd3.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - d:\users\cece\appdata\roaming\mozilla\firefox\profiles\m8nai9rf.default\
FF - component: d:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
d:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
d:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
d:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;d:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;d:\windows\system32\drivers\klim6.sys [2008-3-26 21008]
R3 klmouflt;Kaspersky Lab KLMOUFLT;d:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]

=============== Created Last 30 ================

2009-10-16 22:20 <DIR> --d----- D:\_OTM
2009-10-15 13:03 <DIR> --d----- d:\users\cece\appdata\roaming\Foxit
2009-10-15 13:03 <DIR> --d----- d:\program files\Foxit Software
2009-10-14 15:55 428,544 a------- d:\windows\system32\EncDec.dll
2009-10-14 15:55 293,376 a------- d:\windows\system32\psisdecd.dll
2009-10-14 15:55 217,088 a------- d:\windows\system32\psisrndr.ax
2009-10-14 15:55 177,664 a------- d:\windows\system32\mpg2splt.ax
2009-10-14 15:55 80,896 a------- d:\windows\system32\MSNP.ax
2009-10-14 15:55 213,504 a------- d:\windows\system32\msv1_0.dll
2009-10-14 15:55 3,597,896 a------- d:\windows\system32\ntkrnlpa.exe
2009-10-14 15:55 3,546,184 a------- d:\windows\system32\ntoskrnl.exe
2009-10-14 15:55 61,440 a------- d:\windows\system32\msasn1.dll
2009-10-14 15:54 144,896 a------- d:\windows\system32\drivers\srv2.sys
2009-10-14 15:54 604,672 a------- d:\windows\system32\WMSPDMOD.DLL
2009-10-12 02:50 <DIR> --d----- d:\program files\CCleaner
2009-10-10 12:32 <DIR> --d----- d:\program files\JRE
2009-10-10 12:31 <DIR> --d----- d:\program files\OpenOffice.org 3
2009-10-03 01:01 195,440 -------- d:\windows\system32\MpSigStub.exe
2009-09-27 21:00 <DIR> --d----- d:\programdata\NOS

==================== Find3M ====================

2009-10-22 23:13 56,800 a------- d:\programdata\nvModes.dat
2009-10-22 23:13 56,800 a------- d:\progra~2\nvModes.dat
2009-10-14 03:09 108,059 a------- d:\windows\system32\drivers\klin.dat
2009-10-14 03:09 95,259 a------- d:\windows\system32\drivers\klick.dat
2009-10-07 09:12 382,072 a------- d:\windows\system32\perfh011.dat
2009-10-07 09:12 101,350 a------- d:\windows\system32\perfc011.dat
2009-09-19 21:45 143,360 a------- d:\windows\inf\infstrng.dat
2009-09-19 21:45 51,200 a------- d:\windows\inf\infpub.dat
2009-09-19 21:45 86,016 a------- d:\windows\inf\infstor.dat
2009-09-15 21:45 835,616 a--sh--- d:\windows\system32\drivers\fidbox2.dat
2009-09-15 21:45 4,984 a--sh--- d:\windows\system32\drivers\fidbox2.idx
2009-09-15 21:45 4,150,304 a--sh--- d:\windows\system32\drivers\fidbox.dat
2009-09-15 21:45 34,552 a--sh--- d:\windows\system32\drivers\fidbox.idx
2009-09-14 02:12 229,888 a------- d:\windows\PEV.exe
2009-08-28 08:39 28,672 a------- d:\windows\system32\Apphlpdm.dll
2009-08-28 08:39 173,056 a------- d:\windows\apppatch\AcXtrnal.dll
2009-08-28 08:38 2,153,984 a------- d:\windows\apppatch\AcGenral.dll
2009-08-28 08:38 541,696 a------- d:\windows\apppatch\AcLayers.dll
2009-08-28 08:38 459,776 a------- d:\windows\apppatch\AcSpecfc.dll
2009-08-28 06:15 4,240,384 a------- d:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 01:22 916,480 a------- d:\windows\system32\wininet.dll
2009-08-27 01:17 109,056 a------- d:\windows\system32\iesysprep.dll
2009-08-27 01:17 71,680 a------- d:\windows\system32\iesetup.dll
2009-08-26 23:42 133,632 a------- d:\windows\system32\ieUnatt.exe
2009-08-21 21:01 56 a---h--- d:\programdata\ezsidmv.dat
2009-08-21 21:01 56 a---h--- d:\progra~2\ezsidmv.dat
2009-08-14 12:29 104,960 a------- d:\windows\system32\netiohlp.dll
2009-08-14 12:29 17,920 a------- d:\windows\system32\netevent.dll
2009-08-14 10:16 17,920 a------- d:\windows\system32\ROUTE.EXE
2009-08-14 10:16 9,728 a------- d:\windows\system32\TCPSVCS.EXE
2009-08-14 10:16 11,264 a------- d:\windows\system32\MRINFO.EXE
2009-08-14 10:16 27,136 a------- d:\windows\system32\NETSTAT.EXE
2009-08-14 10:16 19,968 a------- d:\windows\system32\ARP.EXE
2009-08-14 10:16 10,240 a------- d:\windows\system32\finger.exe
2009-08-14 10:16 8,704 a------- d:\windows\system32\HOSTNAME.EXE
2009-08-03 15:07 403,816 a------- d:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- d:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- d:\windows\system32\OGAEXEC.exe
2009-07-31 15:23 411,368 a------- d:\windows\system32\deploytk.dll
2009-05-05 20:04 12,978 a------- d:\users\cece\appdata\roaming\nvModes.dat
2009-03-26 03:08 665,600 a------- d:\windows\inf\drvindex.dat
2009-03-26 03:02 139,030 a------- d:\windows\inf\perflib\0411\perfi.dat
2009-03-26 03:02 139,030 a------- d:\windows\inf\perflib\0411\perfh.dat
2009-03-26 03:02 30,674 a------- d:\windows\inf\perflib\0411\perfd.dat
2009-03-26 03:02 30,674 a------- d:\windows\inf\perflib\0411\perfc.dat
2009-03-25 13:45 174 a--sh--- d:\program files\desktop.ini
2006-11-02 08:40 287,440 a------- d:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- d:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- d:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- d:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- d:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- d:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- d:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- d:\windows\inf\perflib\0000\perfc.dat
2009-05-12 04:47 16,384 a--sh--- d:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-12 04:47 32,768 a--sh--- d:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-12 04:47 16,384 a--sh--- d:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 23:42:15.73 ===============

Attached Files




#11 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 23 October 2009 - 10:41 AM

Hi stargazercece,

Your log shows remnants of a program called SiteHound.

Please go to Start > All Programs > Firetrust > SiteHound > Uninstall

- - - - - Next - - - - -

Congratulations, your logs appear clean. :thumbup: Now for a little housekeeping and my recommendations to help you stay clean.

- - - - - Next - - - - -

Clean up with OTM
  • Right-click OTM.exe and select Run As Administrator... to run it.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
- - - - - Next - - - - -

You can now delete any other tools I had you download and use, unless you wish to keep them.
(they should be located on your desktop, if they are no longer there just continue)
  • DDS
  • Sysprot
- - - - - Next - - - - -

Here comes the "All Clean Speech":

You need to set a new clean System Restore Point

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.
We need to set a new system restore point:

Click Start > Run > copy and paste the following into the run box:


%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create,
when the confirmation screen shows the restore point has been created click Close.

- - - - - Next - - - - -

Now remove all previous Restore Points:

Click Start > Run > copy and paste the following into the run box:


cleanmgr

At the top, click on the More Options tab. Click the Clean up button in the System Restore box.
Click on the Yes button.
When finished, click on the Cancel button to exit.

- - - - - Next - - - - -

You don't appear to have a Firewall enabled, please download one of these and install it before you continue.

Firewall:
- - - - - Next - - - - -

Here are some tips to reduce the potential for spyware infection in the future:

Automatic Updates:

The easiest way to ensure you don't miss any of the critical Windows Updates is to set your computer up to receive Automatic Updates.
To set your computer up for Automatic Updates please do the following:
  • Click Start button > All Programs > Windows Update > Change Settings.
  • Make sure that Automatic Updating is checked.
  • Click OK
  • Close the Control Panel.
- - - - - Next - - - - -

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then OK to exit the Internet Properties page.
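Added example, not from OCD's post or from any tool named in it: a Python script that audits the six Internet-zone settings listed above against the levels the post recommends, so you can confirm the change stuck (or spot a later program loosening it again). It assumes the documented Internet Explorer registry layout: per-user settings for the Internet zone live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, each URL action is a DWORD value named by its hex action ID (1001 for "Download signed ActiveX controls", and so on), and the stored number is 0 for Enable, 1 for Prompt and 3 for Disable. The comparison is a plain function over a dictionary, so the audit logic runs anywhere; only the registry read is Windows-specific, and the `__main__` block feeds it a constructed sample elsewhere.

```python
"""Audit the Internet-zone (zone 3) settings the post recommends.

Added example, not part of the forum post. Registry path and action IDs are
the documented Internet Explorer URL-action values; RECOMMENDED mirrors the
post's list. find_weak_settings() works on any mapping, so it can be tested
off-Windows; read_zone_from_registry() needs Windows.
"""
import sys

ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Stored DWORD values for a URL action: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# IE URL-action IDs (the registry value names, in hex) for the six settings.
RECOMMENDED = {
    0x1001: ("Download signed ActiveX controls", PROMPT),
    0x1004: ("Download unsigned ActiveX controls", DISABLE),
    0x1201: ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    0x1800: ("Installation of desktop items", PROMPT),
    0x1804: ("Launching programs and files in an IFRAME", PROMPT),
    0x1607: ("Navigate sub-frames across different domains", PROMPT),
}


def read_zone_from_registry():
    """Read the per-user Internet-zone values for the six actions (Windows only)."""
    import winreg  # standard library, but only present on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for action in RECOMMENDED:
            try:
                data, _ = winreg.QueryValueEx(key, "%X" % action)
                values[action] = int(data)
            except FileNotFoundError:
                pass  # value absent: IE falls back to the zone template default
    return values


def find_weak_settings(values):
    """Return (action_id, name, current, recommended) for every setting that is
    missing or more permissive than the post asks for. A lower stored value is
    more permissive (0 Enable < 1 Prompt < 3 Disable), so '<' is the test."""
    findings = []
    for action, (name, want) in RECOMMENDED.items():
        have = values.get(action)
        if have is None or have < want:
            findings.append((action, name, have, want))
    return findings


def report(values):
    """Human-readable lines for each weak setting; empty list means all good."""
    lines = []
    for action, name, have, want in find_weak_settings(values):
        cur = "not set" if have is None else LABEL.get(have, str(have))
        lines.append("%X %-58s current=%-8s recommended=%s"
                     % (action, name, cur, LABEL[want]))
    return lines


if __name__ == "__main__":
    if sys.platform == "win32":
        values = read_zone_from_registry()
    else:
        # Constructed sample for non-Windows runs: two settings left at Enable.
        values = {0x1001: ENABLE, 0x1004: DISABLE, 0x1201: DISABLE,
                  0x1800: PROMPT, 0x1804: ENABLE, 0x1607: PROMPT}
    for line in report(values) or ["All six settings are at or above the recommended level."]:
        print(line)
```

A value that is absent from the key is reported as "not set" rather than silently trusted, because IE then uses the zone template default, which for the Internet zone is looser than the post's list for several of these actions. One caveat: if the `Security_HKLM_only` policy is in force, IE takes zone settings from HKLM instead of the per-user key this script reads, so on a domain-managed machine check that location too.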

For Firefox, I highly recommend this add-on to keep your PC even more secure.
NoScript - for blocking ads and other potential website attacks

You are using Kaspersky Anti-Virus as your anti-virus software. It is imperative that you update your anti-virus software at least once a week (even more often if you wish). If you do not update your anti-virus software, it will not be able to catch any of the new variants that may come out.

Firewall - I cannot stress how important it is that you keep the Firewall on your computer active at all times. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
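To make the hosts-file mechanism concrete, here is an added example (mine, not from the post or from the MVPS project) that parses a small hosts file in the MVPS style and shows what a lookup returns. The sample entries are constructed for illustration; on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts. It also handles the 0.0.0.0 form that some block lists use in place of 127.0.0.1, which is my addition to what the post describes.

```python
"""How a hosts-file block list stops a connection: hosts is consulted before
DNS, so a name pinned to 127.0.0.1 (or 0.0.0.0) never reaches the real site.

Added example, not part of the forum post. SAMPLE_HOSTS is constructed.
"""
import re

# Constructed sample in the MVPS style: address, then one or more names;
# '#' starts a comment, and names are case-insensitive.
SAMPLE_HOSTS = """\
# Header lines are comments and are ignored by the resolver
127.0.0.1 localhost
127.0.0.1 ad.example-tracker.test  # MVPS-style block entry
0.0.0.0   www.bad-site.test badcdn.bad-site.test
"""

LOCAL_SINKS = ("127.0.0.1", "0.0.0.0", "::1")


def parse_hosts(text):
    """Map each lowercase hostname to the address the hosts file assigns it.
    The first entry for a name wins, which is how the resolver behaves."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue                          # address with no names: ignore
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(hostname, table):
    """Address the hosts file gives this name, or None meaning 'not listed,
    fall through to DNS'. Trailing dots and case are normalised as a resolver would."""
    return table.get(hostname.strip().rstrip(".").lower())


def is_blocked(hostname, table):
    """True when the name is pinned to a local or null address, so the
    connection never leaves the machine."""
    return resolve(hostname, table) in LOCAL_SINKS


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("AD.example-tracker.test", "www.bad-site.test", "example.com"):
        where = resolve(name, table) or "DNS"
        print("%-26s -> %-10s %s" % (name, where, "(blocked)" if is_blocked(name, table) else ""))
```

Two things the example makes visible that the prose does not: the match is on the exact hostname, so `ad.example-tracker.test` is blocked but a sibling such as `cdn.example-tracker.test` still goes to DNS (a hosts file cannot express wildcards), and the block only works while the file is intact, which is why the post's other advice about keeping protection updated still matters.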

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

Update all security programs regularly - Make sure you update all the programs regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Remember to have only one (1) Firewall and one (1) Anti-Virus program running at any one time.

I would also suggest you read "So how did I get infected in the first place?" by Tony Klein

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.
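As an added illustration of the redirect mechanism described above for the MVPS HOSTS file (example code, not from the forum post; the HOSTS content and the blocked names are constructed), this Python script parses a HOSTS file the way a resolver reads it and reports which names would be pointed at the local machine instead of their real servers:

```python
import ipaddress

# Constructed sample in the MVPS HOSTS layout: header comment, the localhost
# lines, block entries, an inline comment and mixed case. The blocked names
# are made up for this example (.test is reserved for documentation).
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from: http://winhelp2002.mvps.org/
127.0.0.1 localhost
::1 localhost
# [Ad / tracking sites - constructed example names]
0.0.0.0 ads.example-tracker.test
0.0.0.0 banners.example-tracker.test  # inline comment
127.0.0.1 Malware.Example-Drop.TEST
"""

# Addresses that point a name back at the local machine. The post mentions
# 127.0.0.1; some HOSTS files use 0.0.0.0 for the same purpose.
LOCAL_SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} for every name listed in a HOSTS file.

    '#' starts a comment, whitespace separates fields, one line may list
    several names, names are case-insensitive, first mapping seen is kept.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field: skip the line
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def is_sinkholed(hostname, table):
    """True if the HOSTS file sends hostname to the local machine."""
    return table.get(hostname.lower()) in LOCAL_SINKHOLES


def audit(hostnames, text=SAMPLE_HOSTS):
    """Say for each name whether HOSTS redirects it or leaves it to DNS."""
    table = parse_hosts(text)
    return {h: "redirected to local machine" if is_sinkholed(h, table)
            else "resolved normally" for h in hostnames}
```

Running `audit` against the real file (on Vista, `%SystemRoot%\System32\drivers\etc\hosts`) shows which of a given list of names the installed HOSTS file actually covers.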


#12 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 25 October 2009 - 10:29 AM

I don't understand how Sitehound is showing up when I can't find it anywhere on the system to uninstall. It gave me problems before and I tried to remove it but I guess it wasn't gone as I thought? Do you have any ideas how to get flash player installed on my laptop? Every time I try to download I get the error notice: "Installation is corrupt! (16248.203.296-73272352.80040154.FFFFFFFF.80070424)" I have the latest java so I know that isn't causing it. I've followed the other instructions in your post too.

#13 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 26 October 2009 - 11:06 AM

Hi stargazercece,

Do you have any ideas how to get flash player installed on my laptop? Every time I try to download I get the error notice: "Installation is corrupt! (16248.203.296-73272352.80040154.FFFFFFFF.80070424)"

You can try a complete Flash Player uninstall/reinstall as follows:

- - - - - Next - - - - -

For your general knowledge, this portion of the forum is for malware removal only.
Since the above issue is not malware related, if the above solution does not remedy the situation please feel free to post in the Windows Help Forum.

Please be sure to include a link to this thread so the person that assists you can review what we have already tried.
Link to your thread: http://forums.whatth...on_t107557.html
OCD



#14 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 26 October 2009 - 05:43 PM

Thank you. I was able to get flash installed. But the problem is the Sitehound. Kaspersky labeled it as a virus last time and I tried to remove it. If it shows in the log is it still there?

#15 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 27 October 2009 - 07:09 AM

Hi stargazercece,

But the problem is the Sitehound. Kaspersky labeled it as a virus last time and I tried to remove it. If it shows in the log is it still there?

Your log is free of malware. SiteHound by Firetrust is not malware.
Sometimes tools that are used to monitor attacks on your computer are flagged by other scanning tools as malicious because of the way they interpret each other's actions.

Quote taken from http://www.firetrust...ducts/sitehound

SiteHound is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.

Today the most common route for attacks on your computer is through your web browser as you surf the web. Every day, people around the world fall victim to online fraud, scams, security vulnerabilities and malware while surfing the web, and most people realise before it's too late.

SiteHound solves this alarming security gap by working with some of the world’s leading security watchdogs to provide you with instant and real-time protection for you as you surf the web.

Powered by a unique database created by a global community of users and experts who actively report potentially malicious websites, SiteHound ensures you surf the web safely by providing you with an unprecedented level of protection from fraud, phishing, spyware, adware, security risks, spam, viruses, online scams, adult and offensive sites and fake anti-spyware products.


OCD

