Iexplore.exe slowing me down!
  #11  
Old 27th Jan 2009, 22:32
Member Group
 

The only problem I had this time was... ComboFix restarted my computer by itself, and then Kaspersky started blocking all these things like "ef.pvc.exe" (or something similar). But here's what I came up with, let me know if I should do these two steps again.....
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\fgjlm.ini2 moved successfully.
C:\WINDOWS\system32\fgjlm.tmp moved successfully.
C:\WINDOWS\system32\fhhkj.ini2 moved successfully.
C:\WINDOWS\system32\fhhkj.tmp moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\gnserv.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7a0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\spnserv.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\spserv.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01272009_205237
Files moved on Reboot...
File move failed. C:\WINDOWS\temp\gnserv.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_7a0.dat not found!
File move failed. C:\WINDOWS\temp\spnserv.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\spserv.dat scheduled to be moved on reboot.


ComboFix 09-01-21.04 - Lee Boy 2009-01-27 21:09:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.273 [GMT -8:00]
Running from: c:\documents and settings\Lee Boy\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\desktop(2).ini
c:\documents and settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\desktop(2).ini
c:\program files\Common Files\{34FDF~1
c:\program files\outlook
c:\windows\system32\_003855_.tmp.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\taskkill.com
c:\windows\system32\wanpacket.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF
-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.
2009-01-27 20:52 . 2009-01-27 20:52 <DIR> d-------- C:\_OTMoveIt
2009-01-27 13:58 . 2009-01-27 13:58 <DIR> d-------- c:\documents and settings\LEEBOY~1tings\Lee Boy
2009-01-27 13:58 . 2009-01-27 13:58 <DIR> d-------- c:\documents and settings\LEEBOY~1tings
2009-01-27 13:40 . 2009-01-27 13:46 <DIR> d-------- C:\Lop SD
2009-01-26 14:20 . 2009-01-26 14:21 <DIR> d-------- C:\rsit
2009-01-26 14:20 . 2009-01-26 14:21 <DIR> d-------- c:\program files\trend micro
2009-01-14 06:32 . 2009-01-14 06:38 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\PrevxCSI
2009-01-01 21:17 . 2009-01-27 21:12 3,451,424 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-01-01 21:17 . 2009-01-27 21:14 606,240 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-01-01 21:17 . 2009-01-27 21:12 29,092 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-01-01 21:17 . 2009-01-27 21:14 4,200 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-01-01 21:05 . 2009-01-26 08:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 21:05 . 2009-01-01 21:05 <DIR> d-------- c:\documents and settings\Lee Boy\Application Data\Malwarebytes
2009-01-01 21:05 . 2009-01-01 21:05 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-01-01 21:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 21:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-01 16:49 . 2009-01-01 21:30 96,976 --a------ c:\windows\system32\drivers\klin.dat
2009-01-01 16:49 . 2009-01-01 16:49 87,855 --a------ c:\windows\system32\drivers\klick.dat
2009-01-01 16:48 . 2009-01-01 16:48 <DIR> d-------- c:\program files\Kaspersky Lab
2009-01-01 16:48 . 2009-01-27 21:14 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-01-01 11:08 . 2009-01-01 11:08 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2008-12-31 13:19 . 2008-12-31 13:19 <DIR> d-------- c:\documents and settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 21:03 --------- d-----w c:\program files\Java
2009-01-23 17:16 --------- d-----w c:\documents and settings\Lee Boy\Application Data\uTorrent
2009-01-21 00:08 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-20 17:54 --------- d-----w c:\program files\Google
2009-01-16 22:03 38,144 -c--a-w c:\documents and settings\Lee Boy\Application Data\GDIPFONTCACHEV1.DAT
2009-01-02 00:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-02 00:28 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-13 14:52 --------- d-----w c:\documents and settings\Lee Boy\Application Data\AdobeUM
2008-12-13 14:49 --------- d-----w c:\program files\Common Files\Adobe
2008-12-09 01:36 --------- d-----w c:\program files\Panda Security
2008-12-09 01:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 01:33 --------- d-----w c:\program files\Common Files\Ulead Systems
2008-12-09 01:33 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Ulead Systems
2008-12-09 01:32 --------- d-----w c:\program files\TweakNow RegCleaner Pro
2008-12-09 01:05 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-09 00:34 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2008-12-09 00:33 --------- d-----w c:\program files\FotoSketcher
2008-11-28 06:31 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Macrovision
2008-11-28 01:52 2,516 -csha-w c:\documents and settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2008-08-11 07:11 24 -c--a-w c:\documents and settings\Lee Boy\jagex_runescape_preferences.dat
2008-03-10 07:55 8 -csh--r c:\documents and settings\All Users.WINDOWS\Application Data\090D4D4228.sys
2007-01-12 18:02 284 -c--a-w c:\documents and settings\Lee Boy\Application Data\ViewerApp.dat
2004-10-01 23:00 40,960 -c--a-w c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE" [2009-01-20 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-19 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
desktop(2).ini [2006-02-09 84]
c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\
desktop(2).ini [2006-02-09 84]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-27 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-01 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-30 16:49 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7126:TCP"= 7126:TCP:BitComet 7126 TCP
"7126:UDP"= 7126:UDP:BitComet 7126 UDP
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-02-16 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2006-03-02 55024]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R4 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2006-08-22 316992]
R4 Vcs;Vcs support;c:\windows\system32\drivers\Vcs.sys [2006-05-18 6852]
S3 Us0440ais;Us0440ais; [x]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nascar.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
IE: &Google Search
IE: &Translate English Word
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Backward Links
IE: Cached Snapshot of Page
IE: Similar Pages
IE: Translate Page into English
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.
************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 21:15:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WgaTray.exe
.
************************************************************************
.
Completion time: 2009-01-27 21:23:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-28 05:23:38
Pre-Run: 12,348,567,552 bytes free
Post-Run: 12,282,888,192 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
182 --- E O F --- 2007-08-27 15:02:22
  #12  
Old 28th Jan 2009, 10:09
Moderator Group
 

Looks pretty good. How is the computer running now?

Download GMER and save it to your desktop
  • Unzip (extract) it to your desktop.
  • Disconnect from Internet and close all running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double-click gmer.exe to run it.
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO
  • Click the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Then click the Scan button. Wait for the scan to finish.
  • Once done, click the Copy button.
  • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop.
  • Add this log to your next reply.
NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.
  #13  
Old 29th Jan 2009, 08:52
Member Group
 

Well, I haven't used it so much since we started this... but I did notice last night, I was surfing and it slowed down to a crawl... I checked the processes and "Helpsvc.exe" was using 99% of my usage... so I killed it.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-29 07:48:04
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xEE9B281A]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF7AFDB30]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xEE9B2DC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xEE9B482A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xEE9B41E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xEE9B1F90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xEE9B618C]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF7AFD6F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xEE9B23D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xEE9B25D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xEE9B44EC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xEE9B6698]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xEE9B26E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xEE9B2750]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xEE9B43A2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xEE9B5C50]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF7AFD470]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xEE9B403C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xEE9B20F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xEE9B29E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xEE9B61B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xEE9B293E]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF7AFDC50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xEE9B27B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xEE9B24BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xEE9B229A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xEE9B5EB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xEE9B1C12]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xEE9B50B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xEE9B1D74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xEE9B6568]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xEE9B1A10]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xEE9B46CC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xEE9B2CC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xEE9B5D4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xEE9B61E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xEE9B2148]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF7AFD990]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xEE9B62C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xEE9B63F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xEE9B5B7C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE780F20]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF7AFDD60]
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EB87716D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EB876FC2
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [ C4, 62, 9B, EE, F0, 63, 9B, ... ]
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP EE9C93D6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804FBE09 5 Bytes JMP EE9C901C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F737962C 5 Bytes JMP 82D10728
.text tcpip.sys!IPTransmit + 10BC EE8AECFA 6 Bytes CALL F8562CE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2810 EE8B044E 6 Bytes CALL F8562CE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!ARPRcv + 506D EE8B54E0 6 Bytes CALL F8562CE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F88CB3FD 4 Bytes CALL F8562E30 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F88CB402 2 Bytes [ 90, 90 ]
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.14 ----
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[504] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[504] USER32.dll!VRipOutput + FFFA5005 77D42A88 4 Bytes [ 70, 11, 41, 6D ]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1684] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1684] USER32.dll!VRipOutput + FFFA5005 77D42A88 4 Bytes [ 70, 11, 41, 6D ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!DialogBoxIndirectParamW 77D62043 5 Bytes JMP 430A17EF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!MessageBoxIndirectA 77D6A05A 5 Bytes JMP 430A1770 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!DialogBoxParamA 77D6B11C 5 Bytes JMP 430A17B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 430A16FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!MessageBoxExA 77D8055C 5 Bytes JMP 430A1736 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!DialogBoxIndirectParamA 77D86CAD 5 Bytes JMP 430A182A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2208] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2208] USER32.dll!DialogBoxIndirectParamW 77D62043 5 Bytes JMP 430A17EF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2208] USER32.dll!MessageBoxIndirectA 77D6A05A 5 Bytes JMP 430A1770 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2208] USER32.dll!DialogBoxParamA 77D6B11C 5 Bytes JMP 430A17B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2208] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 430A16FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2208] USER32.dll!MessageBoxExA 77D8055C 5 Bytes JMP 430A1736 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2208] USER32.dll!DialogBoxIndirectParamA 77D86CAD 5 Bytes JMP 430A182A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2208] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \WINDOWS\System32\Drivers\SPTDDRV1.SYS[ntoskrnl.exe!IoConnectInterrupt] [F873E718] sptd.sys
IAT \WINDOWS\System32\Drivers\SPTDDRV1.SYS[ntoskrnl.exe!IofCompleteRequest] [F8753656] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F873E6C4] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8754394] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F873E718] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F872EAB6] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F872EBEE] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F872EB76] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F872F71C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F872F5F2] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F87544E8] sptd.sys
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F87544E8] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F87537AE] sptd.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F8563AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F8563A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F8563970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F8563760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F8563760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F8563A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F8563AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F8563970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F8563970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F8563760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F8563A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F8563AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F8563760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F8563AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F8563A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F8563970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F8563AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F8563A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F8563760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F8059DF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F8059DF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F8563970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F8563760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F8563A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F8563AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F8563AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F8563A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F8563970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F8563760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F8563760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F8563970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F8563AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F8563A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 82F711D8
Device \FileSystem\Fastfat \FatCdrom 82A73990
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\usbuhci \Device\USBPDO-0 82D095B0
Device \Driver\kl1 \Device\klick wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\usbuhci \Device\USBPDO-1 82D095B0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 82FD71D8
Device \Driver\dmio \Device\DmControl\DmConfig 82FD71D8
Device \Driver\dmio \Device\DmControl\DmPnP 82FD71D8
Device \Driver\dmio \Device\DmControl\DmInfo 82FD71D8
Device \Driver\usbuhci \Device\USBPDO-2 82D095B0
Device \Driver\usbehci \Device\USBPDO-3 82CEC990
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\kl1 \Device\kl1 wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 82F731D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E21BB83A-1DD4-45D4-A786-40B76EC19A4F} 828626F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82F731D8
Device \Driver\Cdrom \Device\CdRom0 82CDB568
Device \Driver\Cdrom \Device\CdRom1 82CDB568
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82F721D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82F721D8
Device \Driver\atapi \Device\Ide\IdePort0 82F721D8
Device \Driver\atapi \Device\Ide\IdePort1 82F721D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82F721D8
Device \Driver\kl1 \Device\KLCR wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\NetBT \Device\NetBt_Wins_Export 828626F8
Device \Driver\kl1 \Device\Klop wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\NetBT \Device\NetbiosSmb 828626F8
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\kl1 \Device\kimul14 wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\kl1 \Device\klnkd5 wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\usbuhci \Device\USBFDO-0 82D095B0
Device \Driver\usbuhci \Device\USBFDO-1 82D095B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8280A1D8
Device \Driver\usbuhci \Device\USBFDO-2 82D095B0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8280A1D8
Device \Driver\usbehci \Device\USBFDO-3 82CEC990
Device \Driver\kl1 \Device\KLFW wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Ftdisk \Device\FtControl 82F731D8
Device \Driver\kl1 \Device\klin wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\kl1 \Device\IDS00234 wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \FileSystem\Fastfat \Fat 82A73990
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 82B2A1D8
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1354688088
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -925491029
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x94 0xFA 0x0A 0x90 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x94 0xFA 0x0A 0x90 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\Scanner\shell\open\ddeexec\ifexec@ []
Reg HKLM\SOFTWARE\Classes\CLSID\{E3DC6D1E-50E6-469D-818E-CD3FE8E24CF6}\ProgID@ WMEnc.WMEncSessionPropAgent.1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4C3A3EEB-DB13-56F9-BC8A-E7EAB5740397}
---- EOF - GMER 1.0.14 ----
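Every IAT hook and attached device in the GMER log above resolves to kl1.sys (Kaspersky), Teefer.sys / wpsdrvnt.sys (Sygate) or fltmgr.sys (Microsoft), which is the expected footprint of an installed antivirus and firewall rather than a rootkit. As an added example, not part of this thread or of GMER itself, the Python below parses lines in that layout, counts hooks per hooking module, and sets aside any hook whose module carries no vendor description or whose vendor is not on a short allowlist of products known to be installed. The allowlist, the function names and the final `unknown_example.sys` line are constructed for illustration; the other sample lines are copied from the log.

```python
import re
from collections import Counter

# Constructed sample: four lines from the GMER log above plus one constructed
# hook by an undescribed module ("unknown_example.sys" does not appear on the page).
SAMPLE_GMER_LOG = r"""
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F8059D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F8563760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F8A1C000] unknown_example.sys
Device \FileSystem\Ntfs \Ntfs 82F711D8
""".strip()

# "IAT <hooked driver>[<library>!<export>] [<address>] <hooking module> (<description>)"
IAT_RE = re.compile(
    r"^IAT (?P<target>\S+)\[(?P<export>[^\]]+)\] \[(?P<addr>[0-9A-F]+)\] "
    r"(?P<module>\S+)(?: \((?P<desc>.*)\))?$"
)
# "AttachedDevice <driver object> <device object> <filter module> (<description>)"
ATTACHED_RE = re.compile(
    r"^AttachedDevice (?P<driver>\S+) (?P<device>\S+) (?P<module>\S+)(?: \((?P<desc>.*)\))?$"
)

# Vendors the user knows to be installed (assumption for this example: the
# Kaspersky and Sygate products visible elsewhere in the thread, plus Microsoft).
KNOWN_VENDORS = ("Kaspersky Lab", "Sygate Technologies, Inc.", "Microsoft Corporation")


def parse_gmer(text):
    """Return one dict per hook line; plain 'Device' lines are not hooks and are skipped."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        m = IAT_RE.match(line)
        if m:
            hooks.append({"kind": "IAT", "where": f"{m['target']}[{m['export']}]",
                          "module": m["module"], "desc": m["desc"]})
            continue
        m = ATTACHED_RE.match(line)
        if m:
            hooks.append({"kind": "AttachedDevice", "where": f"{m['driver']} {m['device']}",
                          "module": m["module"], "desc": m["desc"]})
    return hooks


def triage(hooks, known_vendors=KNOWN_VENDORS):
    """Count hooks per hooking module and list the ones that need a closer look.

    A hook is flagged when GMER printed no description for its module (it could
    not identify the file) or when the description names no known vendor.
    """
    by_module = Counter(h["module"] for h in hooks)
    review = [h for h in hooks
              if not h["desc"] or not any(v in h["desc"] for v in known_vendors)]
    return by_module, review


if __name__ == "__main__":
    counts, flagged = triage(parse_gmer(SAMPLE_GMER_LOG))
    for module, n in counts.most_common():
        print(f"{n:3d} hook(s) by {module}")
    for h in flagged:
        print(f"REVIEW: {h['kind']} {h['where']} -> {h['module']} (no known vendor)")
```

Run against the full log, this groups the several dozen lines into three modules, all accounted for by the installed security software, and leaves nothing to review; the constructed last line shows what an unexplained hook would look like in the output.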
  #14  
Old 29th Jan 2009, 09:57
Moderator Group
 
Default Iexplore.exe slowing me down!

Quote:
Well, I haven't used it so much since we started this... but I did know last night, I was surfing and it slowed down to a crawl... I checked the processes and "Helpsvc.exe" was using 99% of my usage... SO I killed it.
See here: Help and Support causes Windows XP to stop responding

----------
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.
The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
----------

1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt3 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt3
----------

Scan with Panda ActiveScan 2.0

This scanner requires Internet Explorer
  • Once you are on the Panda site click the Scan your PC now button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Select the appropriate Yes or No to receiving marketing information
  • Click the Free Online Scan button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report in your next reply.
__________________

  #15  
Old 30th Jan 2009, 19:02
Member Group
 
Default Iexplore.exe slowing me down!

When I was going through the other two steps before the Panda scan, "pvchk.exe" kept trying to run, and Kaspersky kept stopping it. Also, when I'm closing an internet page, sometimes I'm getting an "error about running this script" (or something like that).

;****************************************************************************************************
ANALYSIS: 2009-01-30 17:59:00
PROTECTIONS: 1
MALWARE: 26
SUSPECTS: 4
;****************************************************************************************************
PROTECTIONS
Description Version Active Updated
;====================================================================================================
Kaspersky Internet Security 8.0.0.454 Yes Yes
;====================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====================================================================================================
00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search page_bak
00034347 dialer.su Dialers No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@atdmt[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@mediaplex[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@apmebf[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@bs.serving-sys[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@stat.onestat[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@ads.pointroll[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@realmedia[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@zedo[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@adrevolver[2].txt
00217459 adware/dollarrevenue Adware No 1 Yes No c:\windows\keyboard51.dat
00958457 Generic Malware Virus/Trojan No 0 Yes No F:\Bittotrent Files\Video tools\Ace Video Workshop v1.4.7\Crack\Patch.exe
04277176 Generic Trojan Virus/Trojan No 0 Yes No F:\Bittotrent Files\WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED\WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED.ZIP[WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED/Crack/keygen.exe]
04347291 Generic Trojan Virus/Trojan No 0 Yes No F:\Bittotrent Files\Video tools\KC VideoInspector v1.9.0.102\keygen.exe
;====================================================================================================
SUSPECTS
Sent Location
;====================================================================================================
No F:\Bittotrent Files\macro\Macromedia Contribute 2.0.zip[Macromedia Contribute 2.0/ngn-ct2b-2003-09-24/Crack.exe]
No F:\Bittotrent Files\Serials 2005 + June 15 2006 Update.rar[Serials2005v21Final.zip][Serials2005.msi][unk_0019][_F5ED46D8ED1F463F8578381CED726372]
No F:\Bittotrent Files\Video tools\WinAVI Video Converter v7.6\Crack\WinAVIVideoConverterv76_Crack.exe
No F:\Bittotrent Files\Video tools\windows media recorder 10.2\patch.exe
;====================================================================================================
VULNERABILITIES
Id Severity Description
;====================================================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170904 HIGH MS07-043
164915 HIGH MS07-035
164911 HIGH MS07-031
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
145501 HIGH MS07-004
141034 HIGH MS06-076
141033 MEDIUM MS06-075
137571 HIGH MS06-070
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
120825 MEDIUM MS06-032
120823 MEDIUM MS06-030
120818 HIGH MS06-025
120815 HIGH MS06-022
  #16  
Old 30th Jan 2009, 19:22
Moderator Group
 
Default Iexplore.exe slowing me down!

You are going to have to remove the cracks.

Now download The Avenger by Swandog46 and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your Desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Code box below, and paste it into the Input script here window:

Code:
Comment:

Files to delete:
c:\windows\keyboard51.dat
F:\Bittotrent Files\Video tools\Ace Video Workshop v1.4.7\Crack\Patch.exe
F:\Bittotrent Files\macro\Macromedia Contribute 2.0.zip
F:\Bittotrent Files\WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED\WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED.ZIP
F:\Bittotrent Files\Video tools\KC VideoInspector v1.9.0.102\keygen.exe
F:\Bittotrent Files\macro\Macromedia Contribute 2.0.zip
F:\Bittotrent Files\Serials 2005 + June 15 2006 Update.rar
F:\Bittotrent Files\Video tools\WinAVI Video Converter v7.6\Crack\WinAVIVideoConverterv76_Crack.exe
F:\Bittotrent Files\Video tools\windows media recorder 10.2\patch.exe

Registry keys to delete:
hkey_current_user\software\microsoft\internet explorer\main\search page_bak
hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch
  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Add the Avenger log in your next post.
__________________

  #17  
Old 30th Jan 2009, 22:46
Member Group
 
Default Iexplore.exe slowing me down!

Zip.exe was the only thing Kaspersky tried to pick up on restart... Here's the latest log.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Fri Jan 30 21:20:48 2009
21:20:24: Error: Invalid registry syntax in command:
"hkey_current_user\software\microsoft\internet explorer\main\search page_bak"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "c:\windows\keyboard51.dat" deleted successfully.
File "F:\Bittotrent Files\Video tools\Ace Video Workshop v1.4.7\Crack\Patch.exe" deleted successfully.
File "F:\Bittotrent Files\macro\Macromedia Contribute 2.0.zip" deleted successfully.
File "F:\Bittotrent Files\WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED\WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED.ZIP" deleted successfully.
File "F:\Bittotrent Files\Video tools\KC VideoInspector v1.9.0.102\keygen.exe" deleted successfully.
Error: file "F:\Bittotrent Files\macro\Macromedia Contribute 2.0.zip" not found!
Deletion of file "F:\Bittotrent Files\macro\Macromedia Contribute 2.0.zip" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "F:\Bittotrent Files\Serials 2005 + June 15 2006 Update.rar" deleted successfully.
File "F:\Bittotrent Files\Video tools\WinAVI Video Converter v7.6\Crack\WinAVIVideoConverterv76_Crack.exe" deleted successfully.
File "F:\Bittotrent Files\Video tools\windows media recorder 10.2\patch.exe" deleted successfully.
Registry key "hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
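The moderator's Avenger script in the reply above was built from the ActiveScan report: tracking cookies were left alone, the two registry keys and the non-cookie file hits were listed for deletion, and for detections inside an archive the archive itself was named. Avenger's own log then shows the limit that matters here: it skipped the HKEY_CURRENT_USER key because it only accesses the HKEY_LOCAL_MACHINE hive, so that key had to go to a different tool. As an added example, not part of this thread or of Panda, Avenger or OTMoveIt3, the Python below parses rows in the ActiveScan layout and sorts the findings along exactly those lines. The function names and the archive-extension list are assumptions of this example; the sample rows are a reduced subset of the report above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ActiveScan report above, in its column
# layout: Id Description Type Active Severity Disinfectable Disinfected Location.
SAMPLE_ACTIVESCAN = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search page_bak
00034347 dialer.su Dialers No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@casalemedia[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Lee Boy\Cookies\lee_boy@atdmt[2].txt
00217459 adware/dollarrevenue Adware No 1 Yes No c:\windows\keyboard51.dat
00958457 Generic Malware Virus/Trojan No 0 Yes No F:\Bittotrent Files\Video tools\Ace Video Workshop v1.4.7\Crack\Patch.exe
04277176 Generic Trojan Virus/Trojan No 0 Yes No F:\Bittotrent Files\WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED\WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED.ZIP[WM.Recorder.v10.1.Incl.Keygen.and.Patch-iNFECTED/Crack/keygen.exe]
;=====
""".strip()

# The description may contain spaces ("Cookie/Atlas DMT", "Generic Malware"), so it is
# matched lazily and the row is anchored on the fixed Yes/No and severity columns.
ROW_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) (?P<severity>\d+) "
    r"(?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<location>.+)$"
)

# Assumed archive types whose members Panda reports as "archive[member]".
ARCHIVE_EXTS = (".zip", ".rar", ".cab", ".7z")


def parse_activescan(text):
    """Return one dict per detection row; headers and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["severity"] = int(row["severity"])
            rows.append(row)
    return rows


def by_type(rows):
    """Detection counts per Panda type (TrackingCookie, Adware, Virus/Trojan, ...)."""
    return Counter(r["type"] for r in rows)


def container_path(location):
    """For a hit inside an archive, the object that exists on disk is the archive."""
    head, sep, _ = location.partition("[")
    if sep and head.lower().endswith(ARCHIVE_EXTS):
        return head
    return location


def cleanup_plan(rows):
    """Split findings the way the follow-up in the thread did.

    Cookies are only counted; HKLM keys are separated from other hives because
    Avenger's log shows it can only delete under HKEY_LOCAL_MACHINE; file hits
    are reduced to their on-disk container, without duplicates.
    """
    plan = {"files": [], "hklm_keys": [], "other_keys": [], "cookies": 0}
    for r in rows:
        loc = r["location"]
        if r["type"] == "TrackingCookie":
            plan["cookies"] += 1
        elif loc.lower().startswith("hkey_local_machine\\"):
            plan["hklm_keys"].append(loc)
        elif loc.lower().startswith("hkey_"):
            plan["other_keys"].append(loc)
        else:
            path = container_path(loc)
            if path not in plan["files"]:
                plan["files"].append(path)
    return plan


if __name__ == "__main__":
    rows = parse_activescan(SAMPLE_ACTIVESCAN)
    print(dict(by_type(rows)))
    for section, items in cleanup_plan(rows).items():
        print(section, items)
```

The `container_path` rule only strips a bracketed member name when the text before it ends in an archive extension, so cookie file names such as `lee_boy@atdmt[2].txt`, which also contain brackets, are left intact.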
  #18  
Old 31st Jan 2009, 10:25
Moderator Group
 
Default Iexplore.exe slowing me down!

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:reg
[-hkey_current_user\software\microsoft\internet explorer\main\search page_bak]
[-hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch]

:files
F:\Bittotrent Files\macro\Macromedia Contribute 2.0.zip

:Commands
[emptytemp]
[start explorer]
[Reboot]
* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
__________________

  #19  
Old 1st Feb 2009, 12:42
Member Group
 
Default Iexplore.exe slowing me down!

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key hkey_current_user\software\microsoft\internet explorer\main\search page_bak\\ not found.
Registry key hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch\\ not found.
========== FILES ==========
File/Folder F:\Bittotrent Files\macro\Macromedia Contribute 2.0.zip not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\gnserv.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2d4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\spnserv.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\spserv.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02012009_112913
Files moved on Reboot...
File move failed. C:\WINDOWS\temp\gnserv.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_2d4.dat not found!
File move failed. C:\WINDOWS\temp\spnserv.dat scheduled to be moved on reboot.
  #20  
Old 1st Feb 2009, 14:13
Moderator Group
 
Default Iexplore.exe slowing me down!

OK. Sorry for the long scans but we need to run another one.

Use the ESET Online Antivirus Scanner

This scanner requires Internet Explorer

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the ActiveX control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications are check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.
__________________

Copyright ©2006 - 2009 Computer Juice.