
Thread: I think my computer is infected.

  1. #1
    Member
    Join Date
    Nov 2008
    Posts
    51

    I think my computer is infected.

    FYI... Before coming to this forum I downloaded, installed, and ran Spybot S&D, Malwarebytes, and Ad-Aware. I ran all three and only MWB found anything... 6 tracking cookies. I have Kaspersky as my antivirus program and no threats have been detected. That said, my IE appears to be hijacked. It will often redirect, and my computer is running VERY SLOW. It often locks up shortly after visiting a Yahoo site. I can see the browser on the bottom left trying to load multiple ad sites. Here is the log.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Gadfly at 11:00:27.93 on Mon 09/20/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.275 [GMT -4:00]

    AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Gadfly\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.yahoo.com/
    uSearch Bar =
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
    mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paloal~1.lnk - c:\program files\common files\palo alto software\8.0\PAS8_Update.exe
    IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
    IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
    DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} - hxxp://www.blackberry.com/devicesoftware/AxLoader.cab
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157768554078
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxdev.dll
    Notify: klogon - c:\windows\system32\klogon.dll
    AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-9 64288]
    R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-11-22 315408]
    R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340520]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355928]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]

    =============== Created Last 30 ================

    2010-09-16 18:26:28 3246 ----a-w- c:\windows\system32\wbem\Outlook_01cb55ccadde7997.mof
    2010-09-10 01:39:29 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-09-10 01:39:10 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-09-10 01:32:12 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-09-10 01:31:11 0 d-----w- c:\program files\Lavasoft

    ==================== Find3M ====================

    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
    2010-07-29 16:03:02 113933 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-07-29 16:03:01 97549 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-24 21:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
    2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
    2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
    2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
    2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll
    2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
    2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
    2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
    2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2008-08-10 17:29:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081020080811\index.dat
    2009-09-27 12:35:07 2805792 --sha-w- c:\windows\system32\drivers\fidbox.dat

    ============= FINISH: 11:03:12.81 ===============

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



    Step 1 | Download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Member
    Join Date
    Nov 2008
    Posts
    51


    Hey Ken, I actually live in West Haven... noticed you are in CT also.

    Anyhow, here is the info you requested.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000014

    Kernel Drivers (total 194):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA5AC000 cmdide.sys
    0xBA5AE000 aliide.sys
    0xBA5B0000 toside.sys
    0xBA5B2000 viaide.sys
    0xBA5B4000 intelide.sys
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xB9F23000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA0C8000 VolSnap.sys
    0xBA4C4000 cpqarray.sys
    0xB9F0B000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xB9EF3000 atapi.sys
    0xBA4C8000 aha154x.sys
    0xBA338000 sparrow.sys
    0xBA4CC000 symc810.sys
    0xBA0D8000 aic78xx.sys
    0xBA4D0000 dac960nt.sys
    0xBA0E8000 ql10wnt.sys
    0xBA4D4000 amsint.sys
    0xBA340000 asc.sys
    0xBA4D8000 asc3550.sys
    0xBA348000 mraid35x.sys
    0xBA350000 i2omp.sys
    0xBA4DC000 ini910u.sys
    0xBA0F8000 ql1240.sys
    0xBA108000 aic78u2.sys
    0xBA358000 symc8xx.sys
    0xBA360000 sym_hi.sys
    0xBA368000 sym_u3.sys
    0xBA370000 ABP480N5.SYS
    0xBA378000 asc3350p.sys
    0xBA5B6000 cd20xrnt.sys
    0xBA118000 ultra.sys
    0xB9EDA000 adpu160m.sys
    0xBA380000 dpti2o.sys
    0xBA128000 ql1080.sys
    0xBA138000 ql1280.sys
    0xBA148000 ql12160.sys
    0xBA388000 perc2.sys
    0xBA5B8000 perc2hib.sys
    0xBA390000 hpn.sys
    0xBA4E0000 cbidf2k.sys
    0xB9EAE000 dac2w2k.sys
    0xBA158000 disk.sys
    0xBA168000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9E8E000 fltmgr.sys
    0xB9E7C000 sr.sys
    0xBA178000 Lbd.sys
    0xB9E66000 drvmcdb.sys
    0xBA188000 PxHelp20.sys
    0xB9E4F000 KSecDD.sys
    0xB9DC2000 Ntfs.sys
    0xB9D95000 NDIS.sys
    0xBA198000 sisagp.sys
    0xBA1A8000 viaagp.sys
    0xBA1B8000 ohci1394.sys
    0xBA1C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xB9D7B000 Mup.sys
    0xBA1D8000 klbg.sys
    0xBA1E8000 agp440.sys
    0xBA1F8000 alim1541.sys
    0xBA208000 amdagp.sys
    0xBA218000 agpCPQ.sys
    0xBA248000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xBA2F8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9C93000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xB9C7E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB8826000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xB8812000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB87EA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB8648000 \SystemRoot\system32\DRIVERS\NETw3x32.sys
    0xBA3B8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB8624000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3C0000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xBA308000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
    0xB8610000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0xBA3C8000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
    0xB8E27000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
    0xB85C4000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
    0xB8E17000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xB8595000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xBA5D8000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB8E07000 \SystemRoot\system32\DRIVERS\klmouflt.sys
    0xBA3D0000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA3D8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB8DF7000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA5DA000 \SystemRoot\system32\drivers\sscdbhk5.sys
    0xB8DE7000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xB8DD7000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB8572000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA3E0000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xB8DC7000 \SystemRoot\system32\DRIVERS\klim5.sys
    0xBA6C6000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xB8DB7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9C66000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB855B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xB8DA7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xB8D97000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA3E8000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8522000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA318000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA3F0000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA3F8000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB84F2000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xB9D6B000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA5DC000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8494000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA570000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\omci.sys
    0xB9D5B000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xA8262000 \SystemRoot\system32\drivers\sthda.sys
    0xA823E000 \SystemRoot\system32\drivers\portcls.sys
    0xB9D2B000 \SystemRoot\system32\drivers\drmk.sys
    0xA820C000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
    0xA810F000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xA805F000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA418000 \SystemRoot\System32\Drivers\Modem.SYS
    0xB9CFB000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xB9C97000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xA7FE6000 \SystemRoot\system32\DRIVERS\klif.sys
    0xBA5EC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA773000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5EE000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA428000 \SystemRoot\system32\drivers\ssrtln.sys
    0xBA430000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA438000 \SystemRoot\System32\drivers\vga.sys
    0xBA5F0000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5F2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA440000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA448000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB8547000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA7F3B000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA7EE2000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA7EBA000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA799A000 \??\C:\WINDOWS\system32\drivers\kl1.sys
    0xA78DB000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB9CEB000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xA7891000 \SystemRoot\System32\drivers\afd.sys
    0xB9CDB000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA7866000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA77F6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB9327000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB9317000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xA8053000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
    0xB92B7000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA77DE000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA608000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA7FE2000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA478000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA7C5000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB92C7000 \SystemRoot\system32\drivers\drvnddm.sys
    0xBA6A4000 \SystemRoot\system32\dla\tfsndres.sys
    0xA7660000 \SystemRoot\system32\dla\tfsnifs.sys
    0xA76FA000 \SystemRoot\system32\dla\tfsnopio.sys
    0xBA62A000 \SystemRoot\system32\dla\tfsnpool.sys
    0xBA490000 \SystemRoot\system32\dla\tfsnboio.sys
    0xB92A7000 \SystemRoot\system32\dla\tfsncofs.sys
    0xBA6A5000 \SystemRoot\system32\dla\tfsndrct.sys
    0xA7647000 \SystemRoot\system32\dla\tfsnudf.sys
    0xA762E000 \SystemRoot\system32\dla\tfsnudfa.sys
    0xBA498000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xA7682000 \SystemRoot\system32\DRIVERS\s24trans.sys
    0xA752A000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA71F1000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA7048000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA6F01000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA7089000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA69EC000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA6A29000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA7091000 \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
    0xA653A000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xBA66C000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
    0xA53EE000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 69):
    0 System Idle Process
    4 System
    1360 C:\WINDOWS\system32\smss.exe
    1408 csrss.exe
    1432 C:\WINDOWS\system32\winlogon.exe
    1484 C:\WINDOWS\system32\services.exe
    1496 C:\WINDOWS\system32\lsass.exe
    1680 C:\WINDOWS\system32\svchost.exe
    1792 svchost.exe
    1840 C:\WINDOWS\system32\svchost.exe
    1892 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    144 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    192 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    340 svchost.exe
    488 svchost.exe
    812 C:\WINDOWS\system32\spoolsv.exe
    920 svchost.exe
    1040 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1060 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    1088 C:\Program Files\Bonjour\mDNSResponder.exe
    1112 svchost.exe
    1212 C:\WINDOWS\ehome\ehrecvr.exe
    1252 C:\WINDOWS\ehome\ehSched.exe
    212 C:\Program Files\Java\jre6\bin\jqs.exe
    404 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    400 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    912 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    1300 svchost.exe
    1396 C:\WINDOWS\system32\svchost.exe
    2100 mcrdsvc.exe
    2388 wmiprvse.exe
    2924 C:\WINDOWS\explorer.exe
    3384 unsecapp.exe
    3816 alg.exe
    388 C:\WINDOWS\ehome\ehtray.exe
    652 C:\WINDOWS\system32\rundll32.exe
    1800 C:\WINDOWS\ehome\ehmsas.exe
    1852 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    2432 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    408 C:\WINDOWS\system32\dllhost.exe
    2692 C:\WINDOWS\system32\TaskSwitch.exe
    1100 C:\WINDOWS\system32\dla\tfswctrl.exe
    2920 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    3020 C:\WINDOWS\system32\hkcmd.exe
    3044 C:\WINDOWS\system32\igfxpers.exe
    3096 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    1728 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
    2716 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    1488 C:\Program Files\Dell\QuickSet\quickset.exe
    3412 C:\Program Files\iTunes\iTunesHelper.exe
    3588 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1988 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    4072 C:\WINDOWS\system32\ctfmon.exe
    4012 C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
    2864 C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    1008 C:\Program Files\iPod\bin\iPodService.exe
    3424 C:\WINDOWS\system32\svchost.exe
    136 C:\WINDOWS\system32\igfxsrvc.exe
    648 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    2236 C:\Program Files\Internet Explorer\iexplore.exe
    996 C:\Program Files\Internet Explorer\iexplore.exe
    1704 C:\Program Files\Internet Explorer\iexplore.exe
    4800 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    6028 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    4960 C:\Program Files\Internet Explorer\iexplore.exe
    6092 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    2988 C:\Program Files\Internet Explorer\iexplore.exe
    2308 C:\WINDOWS\system32\wscntfy.exe
    6140 C:\Documents and Settings\Gadfly\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS541060G9SA00, Rev: MB3OC60R

    Size Device Name MBR Status
    --------------------------------------------
    54 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 86489E3B39BA71CCD7428B67894DE6732DFFF0C8


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi,

    Yep, not too far from you. Ever been to Pepe's Pizza?

    Looks like your Master Boot Record is infected and this can be very delicate to fix. Before we proceed we need to check for a Rootkit also.

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click GMER.exe.
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan... click on NO, then use the following settings for a more complete scan.
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    Please copy and paste the report into your Post.
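Reading the MBRCheck report the way the verdict above does, as an added example that is not part of the thread or of MBRCheck itself: a parser for the report format posted in #3 that extracts each physical drive's size, model, volumes, MBR status and SHA1, and flags a drive whose status is "Unknown MBR code". The known-good hash set is an assumed placeholder that a responder would fill from a clean machine with the same Windows build; no real known-good hashes are claimed here.

```python
"""Parse an MBRCheck report and triage the MBR status of each physical drive.

Added example; relies only on the strings visible in the posted report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed sample: the MBR section of the MBRCheck log posted in #3.
SAMPLE_REPORT = r"""MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000014

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS541060G9SA00, Rev: MB3OC60R

Size Device Name MBR Status
--------------------------------------------
54 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 86489E3B39BA71CCD7428B67894DE6732DFFF0C8


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
"""


@dataclass
class DriveMbr:
    size: str
    device: str                  # e.g. \\.\PhysicalDrive0
    status: str                  # MBRCheck's own verdict text for the sector
    sha1: Optional[str] = None   # SHA1 of the MBR as reported by the tool
    model: Optional[str] = None


@dataclass
class MbrCheckReport:
    version: Optional[str] = None
    windows_version: Optional[str] = None
    volumes: Dict[str, str] = field(default_factory=dict)   # \\.\C: -> \\.\PhysicalDrive0
    drives: List[DriveMbr] = field(default_factory=list)
    infected_flag: bool = False  # "Found non-standard or infected MBR." line present


VERSION_RE = re.compile(r"^MBRCheck, version (\S+)$")
WINVER_RE = re.compile(r"^Windows Version:\s*(.+)$")
VOLUME_RE = re.compile(r"^(\\\\\.\\[A-Z]:) --> (\\\\\.\\PhysicalDrive\d+) at offset")
MODEL_RE = re.compile(r"^(PhysicalDrive\d+) Model Number:\s*(.+?),\s*Rev:")
DRIVE_RE = re.compile(r"^(\d+\s*[KMGT]B)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+?)$")
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})$")
INFECTED_MARKER = "Found non-standard or infected MBR"


def parse_mbrcheck(text: str) -> MbrCheckReport:
    """Walk the report line by line; a SHA1 line belongs to the drive row just above it."""
    rep = MbrCheckReport()
    models: Dict[str, str] = {}
    current: Optional[DriveMbr] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := VERSION_RE.match(line):
            rep.version = m.group(1)
        elif m := WINVER_RE.match(line):
            rep.windows_version = m.group(1)
        elif m := VOLUME_RE.match(line):
            rep.volumes[m.group(1)] = m.group(2)
        elif m := MODEL_RE.match(line):
            models[m.group(1)] = m.group(2)
        elif m := DRIVE_RE.match(line):
            current = DriveMbr(size=m.group(1), device=m.group(2), status=m.group(3))
            rep.drives.append(current)
        elif (m := SHA1_RE.match(line)) and current is not None:
            current.sha1 = m.group(1).upper()
        elif line.startswith(INFECTED_MARKER):
            rep.infected_flag = True
    for d in rep.drives:  # "\\.\PhysicalDrive0" -> "PhysicalDrive0" to join with the model line
        d.model = models.get(d.device.rsplit("\\", 1)[-1])
    return rep


def classify(drive: DriveMbr, known_good: FrozenSet[str] = frozenset()) -> str:
    """A hash on the responder's own known-good list outranks the tool's heuristic;
    'Unknown MBR code' without such a match is the case the thread treats as suspect."""
    if drive.sha1 and drive.sha1 in known_good:
        return "known-good"
    if drive.status.lower().startswith("unknown"):
        return "suspect"
    return "tool-recognised"


def triage(rep: MbrCheckReport, known_good: FrozenSet[str] = frozenset()) -> List[str]:
    """One finding per suspect drive, with the volumes that live on it."""
    findings: List[str] = []
    for d in rep.drives:
        if classify(d, known_good) != "suspect":
            continue
        vols = [v for v, dev in rep.volumes.items() if dev == d.device]
        findings.append(f"{d.device} ({d.model or 'unknown model'}, {d.size}, "
                        f"volumes {', '.join(vols) or 'none'}): {d.status}, SHA1 {d.sha1}")
    if rep.infected_flag and not rep.drives:
        findings.append("MBRCheck flagged the MBR but no drive row was parsed; inspect the raw log")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_mbrcheck(SAMPLE_REPORT)):
        print(finding)
```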

  5. #5
    Member
    Join Date
    Nov 2008
    Posts
    51


    Used to go there all the time, now only once in a while. If the wait is too bad I go to "the spot" next door. Just the same, just not usually a wait.

    Zuppardi's in West Haven is great pizza. The Sausage pie there is fantastic.

    As for my computer, I ran the program; when I went to save the file as a .txt, it defaulted to a .log file. So I saved it as ark.log and then renamed it ark.txt. Hopefully that is okay.

    Also, I disabled the antivirus software (kaspersky), but midway through the scan it activated itself for about 5 seconds. I quickly turned it off.

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Go ahead and post the log or attach it if you wish

  7. #7 Member (Join Date: Nov 2008, Posts: 51)

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-23 12:06:08
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Gadfly\LOCALS~1\Temp\uxtdipog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xA800658C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xA8006E0C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xA8007922]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xA8007E94]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xA80070EE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xA8005436]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xA8007D6C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xA8006192]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xA8007C28]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xA800634E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xA8007FC6]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xA8009C08]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xA8006AAA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xA8007CCA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xA80095FA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xA80059FA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xA8005D88]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xA8007576]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xA800A5CA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xA8005ECA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xA8005F74]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xA8007382]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xA800968C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xA8005412]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xA8005424]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xA8009CBC]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xA80060C0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xA8007F36]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xA8006E8E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xA80055DC]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xA8007E04]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xA8006792]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xA8009C32]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xA8008068]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xA80066B6]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xA800601E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xA8005C46]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xA8009FD4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xA8005896]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xA8009922]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xA8005B0E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xA80052B0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xA80083F2]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xA80082B8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xA800939A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xA800CE2C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xA800A4AC]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xA8005248]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xA800765C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xA8006CC8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xA8008C4A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xA8009786]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xA800A114]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xA800571E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xA800A1F8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xA800A320]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xA8009526]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xA800690A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xA8006860]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xA8009E8A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xA80069EA]

    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9FA0 5 Bytes JMP A7FFB4DC \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
    .text ntkrnlpa.exe!IoIsOperationSynchronous 804EE87E 5 Bytes JMP A7FFB8B6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
    .text ntkrnlpa.exe!ZwCallbackReturn + 244C 80501C84 16 Bytes [4E, 63, 00, A8, C6, 7F, 00, ...] {DEC ESI; ARPL [EAX], AX; TEST AL, 0xc6; JG 0x7; TEST AL, 0x8; PUSHF ; ADD [EAX-0x57ff9556], CH}
    .text ntkrnlpa.exe!ZwCallbackReturn + 2508 80501D40 12 Bytes [8C, 96, 00, A8, 12, 54, 00, ...] {MOV WORD [ESI+0x5412a800], SS; ADD [EAX-0x57ffabdc], CH}
    .text ntkrnlpa.exe!ZwCallbackReturn + 2684 80501EBC 16 Bytes [0E, 5B, 00, A8, B0, 52, 00, ...]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2778 80501FB0 12 Bytes [F8, A1, 00, A8, 20, A3, 00, ...] {CLC ; MOV EAX, [0xa320a800]; ADD [EAX-0x57ff6ada], CH}
    .text ntkrnlpa.exe!ZwCallbackReturn + 27D8 80502010 4 Bytes JMP 5CA80069
    ? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

    ---- User code sections - GMER 1.0.15 ----

    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1060] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1060] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
    .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1060] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 33, 6D]
    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2716] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2716] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
    .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2716] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 33, 6D]
    .text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6028] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 30F8D300 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

    Device \FileSystem\Fastfat \Fat A52C7D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    ---- Processes - GMER 1.0.15 ----

    Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [1060] 0x06FF0000
    Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [1060] 0x0A250000

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016414d1a58
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016414d1a58 (not active ControlSet)

    ---- EOF - GMER 1.0.15 ----
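
As an added example (not code from the thread, from GMER or from Kaspersky), here is a Python triage script for a GMER log in the format posted above: it groups the SSDT and inline kernel hooks by the driver that owns them, so a reviewer can see at a glance that every hook in this log belongs to klif.sys, and lists what would still need a closer look (hooks with no vendor description, unattributed code patches, hidden libraries, time/date stamp mismatches). The vendor allowlist and the `example_unknown.sys` line in the constructed sample are assumptions made for the example.

```python
"""
Triage helper for a GMER rootkit-scan log in the format posted above.

Assumptions for this example: the allowlist of hooking vendors below is
illustrative, and the "example_unknown.sys" line in the sample log is a
constructed placeholder so that the triage has something to flag.
"""
import re
from collections import Counter

# Constructed sample log, abbreviated from the format of the GMER output above.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-23 12:06:08

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xA80070EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xA8006792]
SSDT \SystemRoot\system32\DRIVERS\example_unknown.sys ZwQueryDirectoryFile [0xA9001234]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE87E 5 Bytes JMP A7FFB8B6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 27D8 80502010 4 Bytes JMP 5CA80069

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1060] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;

---- Processes - GMER 1.0.15 ----

Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [1060] 0x06FF0000
"""

# One regex per GMER line type we care about. The parenthesised description
# "(Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)" is optional: GMER omits it
# when it cannot describe the owning module, which is exactly the case to flag.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<what>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
INLINE_JMP_RE = re.compile(
    r"^\.text\s+(?P<what>\S+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+[0-9A-Fa-f]+"
    r"\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?$")
HIDDEN_LIB_RE = re.compile(
    r"^Library\s+(?P<lib>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?)"
    r"\s+\[(?P<pid>\d+)\]\s+0x[0-9A-Fa-f]+$")
STAMP_RE = re.compile(
    r"^\?\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>.+?)\s+time/date stamp mismatch;$")

# Assumed allowlist: vendors whose kernel hooks are expected on this machine.
TRUSTED_VENDORS = {"Kaspersky Lab", "Microsoft Corporation"}


def vendor_of(desc):
    """GMER writes '(description/Vendor)'; the vendor is the text after the last '/'."""
    return desc.rsplit("/", 1)[-1].strip() if desc else None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Parse the hook, hidden-library and stamp-mismatch lines of a GMER log."""
    report = {"hooks": [], "unattributed": [], "hidden_libs": [], "stamp_mismatch": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            report["hooks"].append({"kind": "SSDT", "what": m["what"],
                                    "module": m["module"], "vendor": vendor_of(m["desc"])})
        elif m := INLINE_JMP_RE.match(line):
            report["hooks"].append({"kind": "inline", "what": m["what"],
                                    "module": m["module"], "vendor": vendor_of(m["desc"])})
        elif line.startswith(".text"):
            report["unattributed"].append(line)  # code patch with no owning module named
        elif m := HIDDEN_LIB_RE.match(line):
            report["hidden_libs"].append({"lib": m["lib"], "process": m["proc"],
                                          "pid": int(m["pid"])})
        elif m := STAMP_RE.match(line):
            report["stamp_mismatch"].append({"process": m["proc"], "pid": int(m["pid"]),
                                             "dll": m["dll"]})
    return report


def hooks_by_module(report):
    """Count SSDT and inline hooks per owning driver (by file name)."""
    return Counter(basename(h["module"]) for h in report["hooks"])


def triage(report, trusted=TRUSTED_VENDORS):
    """Return (severity, message) pairs a reviewer would look at first."""
    findings = []
    for h in report["hooks"]:
        if h["vendor"] is None:
            findings.append(("SUSPECT", f"{h['kind']} hook on {h['what']} by "
                                        f"undescribed module {h['module']}"))
        elif h["vendor"] not in trusted:
            findings.append(("REVIEW", f"{h['kind']} hook on {h['what']} by "
                                       f"{h['vendor']} ({basename(h['module'])})"))
    for line in report["unattributed"]:
        findings.append(("REVIEW", "code patch with no owning module: " + line))
    for lib in report["hidden_libs"]:
        findings.append(("REVIEW", f"hidden library {lib['lib']} in "
                                   f"{basename(lib['process'])} [{lib['pid']}]"))
    for s in report["stamp_mismatch"]:
        findings.append(("INFO", f"stamp mismatch on {basename(s['dll'])} in "
                                 f"{basename(s['process'])} [{s['pid']}]"))
    return findings


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    for module, n in hooks_by_module(rep).most_common():
        print(f"{n:3d} hook(s) owned by {module}")
    for severity, msg in triage(rep):
        print(f"[{severity}] {msg}")
```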

  8. #8 Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Hi,

    Let's do this. Keep MBRCheck on your desktop, we may need it later.

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

  9. #9 Member (Join Date: Nov 2008, Posts: 51)

    ComboFix 10-09-23.01 - Gadfly 09/23/2010 16:55:31.11.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.908 [GMT -4:00]
    Running from: c:\documents and settings\Gadfly\Desktop\ComboFix.exe
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))
    .

    2010-09-20 15:26 . 2010-09-20 15:26 -------- d-----w- c:\program files\ERUNT
    2010-09-10 02:13 . 2010-09-10 02:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-09-10 01:39 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-09-10 01:39 . 2010-09-10 01:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-09-10 01:33 . 2010-09-10 01:33 -------- d-----w- c:\documents and settings\Gadfly\Local Settings\Application Data\Sunbelt Software
    2010-09-10 01:32 . 2010-09-10 01:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-09-10 01:31 . 2010-09-10 01:31 -------- d-----w- c:\program files\Lavasoft
    2010-09-09 23:11 . 2010-09-09 23:11 -------- d-----w- c:\program files\Common Files\Java

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-23 21:09 . 2009-11-23 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-09-23 20:48 . 2008-10-18 18:57 -------- d-----w- c:\documents and settings\Gadfly\Application Data\FileZilla
    2010-09-16 16:10 . 2010-09-16 16:10 850448 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\updater.dll
    2010-09-16 16:10 . 2010-09-16 16:10 850520 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\updater.dll
    2010-09-10 01:31 . 2008-09-15 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-09-09 23:10 . 2006-09-08 23:31 -------- d-----w- c:\program files\Java
    2010-09-05 14:44 . 2010-02-14 03:28 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-01 16:19 . 2006-09-08 23:27 37640 ----a-w- c:\documents and settings\Gadfly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-29 16:17 . 2010-08-17 15:19 -------- d-----w- c:\program files\DraftDominator
    2010-08-24 00:28 . 2006-09-23 19:05 -------- d-----w- c:\documents and settings\Gadfly\Application Data\Apple Computer
    2010-08-18 19:07 . 2010-08-18 19:07 170584 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\prloader.dll
    2010-08-18 19:07 . 2010-08-18 19:07 340520 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\avp.exe
    2010-08-17 15:16 . 2010-08-17 15:16 -------- d-----w- c:\program files\MFL Import
    2010-08-17 13:17 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 15:38 . 2010-08-16 15:38 -------- d-----w- c:\program files\MSECache
    2010-08-12 12:16 . 2010-09-10 01:32 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
    2010-08-04 21:15 . 2007-01-21 22:06 -------- d-----w- c:\program files\Common Files\Ulead Systems
    2010-08-04 16:23 . 2007-01-21 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
    2010-08-04 16:23 . 2006-09-08 23:35 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-03 13:33 . 2010-08-03 13:33 503808 ----a-w- c:\documents and settings\Gadfly\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3bb31d84-n\msvcp71.dll
    2010-08-03 13:33 . 2010-08-03 13:33 12800 ----a-w- c:\documents and settings\Gadfly\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-74e5ae48-n\decora-d3d.dll
    2010-08-03 13:33 . 2010-08-03 13:33 61440 ----a-w- c:\documents and settings\Gadfly\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-74e5ae48-n\decora-sse.dll
    2010-08-03 13:33 . 2010-08-03 13:33 499712 ----a-w- c:\documents and settings\Gadfly\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3bb31d84-n\jmc.dll
    2010-08-03 13:33 . 2010-08-03 13:33 348160 ----a-w- c:\documents and settings\Gadfly\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3bb31d84-n\msvcr71.dll
    2010-07-29 16:03 . 2009-11-23 01:27 113933 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-07-29 16:03 . 2009-11-23 01:27 97549 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-07-22 15:49 . 2005-08-16 09:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-16 23:00 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-17 09:00 . 2010-04-18 19:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:31 . 2005-08-16 09:18 149504 ----a-w- c:\windows\system32\schannel.dll
    2009-09-27 12:35 . 2009-09-26 23:31 2805792 --sha-w- c:\windows\system32\drivers\fidbox.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-08-18 340520]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-04-06 1032192]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 443968]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Palo Alto Software Update Manager 8.0.lnk - c:\program files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe [2004-6-29 102400]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 10:18 PM 36880]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/9/2010 9:39 PM 64288]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 3:42 PM 32272]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 1:52 PM 135664]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 1355928]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 8:15 AM 15008]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 01:39]

    2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 17:52]

    2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 17:52]

    2010-09-23 c:\windows\Tasks\User_Feed_Synchronization-{E14903A5-8CD0-4F6D-8286-8317D2832BD0}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Norton Ghost 10 - c:\program files\Norton Ghost\Agent\GhostTray.exe
    MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 14\pccguide.exe
    MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-23 17:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\¸*& 2*]
    "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(804)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\eHome\ehmsas.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\internet explorer\iexplore.exe
    c:\program files\internet explorer\iexplore.exe
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    c:\program files\internet explorer\iexplore.exe
    c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    c:\program files\internet explorer\iexplore.exe
    c:\program files\Microsoft Office\OFFICE11\WINWORD.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-09-23 17:21:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-23 21:21

    Pre-Run: 16,861,376,512 bytes free
    Post-Run: 16,923,238,400 bytes free

    - - End Of File - - 5A333232CE4BD6216486001D77634B68

  10. #10 Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Hey Pepe's Pizza guy

    We know that one in New Haven gets crowded so most times we go to the one in Fairfield.

    Looks like your MBR was not infected or else CF would have shown it as infected and it did not.

    Let's do this to really clean up your system.

    Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please
