Inactive Trojan/Virus in shared folders

File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : b5feb3b971a8b8c81ce9de65031a87e5
SHA1 : 3cd127766716e43f6c1202cc287eee83ee405c6e

Scanner results : Scanners did not find malware!
Time : 2010/08/18 09:43:59 (EEST)


File Name : svchost.exe
File Size : 14848 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : c09ccfe81dec9b162533d7184d705682
SHA1 : 086fc8c82ba9e1f3f764e15ffbe402a6529ef323
Scanner results : Scanners did not find malware!
Time : 2010/08/18 09:59:26 (EEST)


File Name : explorer.exe
File Size : 1053184 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a26c39540f8be3729846e360e2c57344
SHA1 : bb9c0ebc7256f167838a244724606f6083f59fe9
Scanner results : Scanners did not find malware!
Time : 2010/08/18 10:14:35 (EEST)
 
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

============

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
I can't install the Recovery Console; this scan is without it.
Here are the results: XP machine, also infected with the same thing + backdoor.win32.zepfod.ev in windows\temp (20 000 files x 976KB). The files are the same size as HEUR:Trojan.Win32.Generic (modification).
ComboFix 10-08-17.03 - prinect 08.2010 г. 13:42:39.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.2047.1409 [GMT 3:00]
Running from: c:\documents and settings\prinect\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\prinect\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-18 10:13 . 2010-08-18 10:13 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-13 11:02 . 2010-08-17 13:35 0 ----a-w- c:\documents and settings\All Users\Application Data\Heidelberg\Licenses\Prinect Workflow\Workflow.bat
2010-08-13 11:02 . 2010-08-17 13:35 0 ----a-w- c:\documents and settings\All Users\Application Data\Heidelberg\Licenses\Licenses$.exe
2010-08-12 13:03 . 2010-08-12 13:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-12 12:49 . 2010-08-12 12:49 -------- d-----w- c:\documents and settings\prinect\Application Data\Malwarebytes
2010-08-12 12:49 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-12 12:49 . 2010-08-12 12:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-12 12:49 . 2010-08-12 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-12 12:49 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-12 11:41 . 2010-08-17 13:35 0 ----a-w- c:\documents and settings\All Users\Application Data\Heidelberg\Licenses\Logs\Logs.exe
2010-08-12 10:57 . 2010-08-17 13:35 0 ----a-w- c:\documents and settings\All Users\Application Data\Heidelberg\Licenses\Signa_Station-4-0\Signa_Station-4-0.scr
2010-08-12 10:57 . 2010-08-17 13:35 0 ----a-w- c:\documents and settings\All Users\Application Data\Heidelberg\Licenses\PDFToolbox\PDFToolbox.exe
2010-08-12 10:57 . 2010-08-17 13:35 0 ----a-w- c:\documents and settings\All Users\Application Data\Heidelberg\Licenses\MetaDimension\MetaDimension.bat
2010-08-12 10:57 . 2010-08-17 13:35 0 ----a-w- c:\documents and settings\All Users\Application Data\Heidelberg\Licenses\LicSN\LicSN.bat
2010-08-12 10:05 . 2010-08-12 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-08-12 10:03 . 2010-08-12 10:03 -------- d-----w- c:\program files\Common Files\iS3
2010-08-12 10:03 . 2010-08-18 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-08-12 07:30 . 2010-08-12 07:31 420440 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP60MP4\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.4.1424\mcouas.dll
2010-08-12 07:01 . 2010-08-12 09:11 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-08-12 07:01 . 2010-08-12 09:11 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-08-12 07:00 . 2010-08-18 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-08-12 07:00 . 2010-08-12 07:00 -------- d-----w- c:\program files\Kaspersky Lab
2010-08-12 06:50 . 2010-08-12 06:50 -------- d-----w- C:\KAV
2010-08-11 10:05 . 2010-08-11 10:05 503808 ----a-w- c:\documents and settings\prinect\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7ba8a466-n\msvcp71.dll
2010-08-11 10:05 . 2010-08-11 10:05 499712 ----a-w- c:\documents and settings\prinect\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7ba8a466-n\jmc.dll
2010-08-11 10:05 . 2010-08-11 10:05 348160 ----a-w- c:\documents and settings\prinect\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7ba8a466-n\msvcr71.dll
2010-08-11 10:05 . 2010-08-11 10:05 61440 ----a-w- c:\documents and settings\prinect\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40a9876c-n\decora-sse.dll
2010-08-11 10:05 . 2010-08-11 10:05 12800 ----a-w- c:\documents and settings\prinect\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40a9876c-n\decora-d3d.dll
2010-08-11 10:05 . 2010-07-17 02:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 11:12 . 2010-08-03 11:12 -------- d-----w- c:\program files\QuickTime
2010-08-03 11:12 . 2010-08-03 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-27 06:49 . 2010-07-27 06:49 -------- d-----r- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 10:54 . 2007-11-15 18:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-18 10:29 . 2010-08-18 10:29 1152 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-08-18 10:29 . 2010-08-18 10:29 440 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-08-18 10:03 . 2008-01-11 11:21 -------- d-----w- c:\documents and settings\prinect\Application Data\Skype
2010-08-17 05:05 . 2008-01-11 11:22 -------- d-----w- c:\documents and settings\prinect\Application Data\skypePM
2010-08-16 15:25 . 2008-12-09 10:33 -------- d-----w- c:\documents and settings\prinect\Application Data\uTorrent
2010-08-16 12:28 . 2010-06-23 13:06 -------- d-----w- c:\program files\ICQ7.2
2010-08-12 12:11 . 2007-11-19 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-12 07:07 . 2009-02-02 09:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-12 06:47 . 2009-02-02 09:28 -------- d-----w- c:\program files\Symantec
2010-08-12 06:46 . 2008-04-16 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-11 10:05 . 2009-02-04 09:44 -------- d-----w- c:\program files\Common Files\Java
2010-08-11 10:05 . 2008-12-16 12:45 -------- d-----w- c:\program files\Java
2010-07-26 04:27 . 2008-08-14 05:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2010-07-14 09:17 . 2007-11-19 07:05 51280 ----a-w- c:\documents and settings\prinect\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 08:20 . 2007-11-16 10:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-09 12:19 . 2010-07-09 12:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-07-09 12:19 . 2010-07-09 12:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-06-30 12:31 . 2006-02-28 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2006-02-28 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:08 . 2009-03-13 04:51 -------- d-----w- c:\program files\ICQ6Toolbar
2010-06-23 13:08 . 2007-11-21 08:32 -------- d-----w- c:\documents and settings\prinect\Application Data\ICQ
2010-06-23 13:08 . 2007-11-14 20:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-23 13:08 . 2009-03-13 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ICQ
2010-06-21 15:27 . 2006-02-28 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2006-02-28 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2007-11-14 20:10 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2006-02-28 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.2\ARM\ARM Update\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.2\ARM\ARM Update\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.2\ARM\ARM Update\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.2\ARM\ARM Update\AcrobatUpdater.exe
2010-05-26 11:35 . 2010-05-26 11:35 503808 ----a-w- c:\documents and settings\prinect\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-598c5773-n\msvcp71.dll
2010-05-26 11:35 . 2010-05-26 11:35 348160 ----a-w- c:\documents and settings\prinect\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-598c5773-n\msvcr71.dll
2010-05-26 11:35 . 2010-05-26 11:35 499712 ----a-w- c:\documents and settings\prinect\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-598c5773-n\jmc.dll
2009-10-08 10:28 . 2009-10-08 14:54 61 ----a-w- c:\program files\mapI.bat
.

((((((((((((((((((((((((((((( SnapShot@2010-08-12_06.31.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 17:32 . 2009-07-11 17:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-11 17:32 . 2009-07-11 17:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-11 17:32 . 2009-07-11 17:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-11 17:32 . 2009-07-11 17:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-11 17:32 . 2009-07-11 17:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-11 17:32 . 2009-07-11 17:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-11 17:32 . 2009-07-11 17:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-11 17:32 . 2009-07-11 17:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-11 17:32 . 2009-07-11 17:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-11 22:07 . 2009-07-11 22:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-11 22:19 . 2009-07-11 22:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
- 2007-08-13 16:54 . 2010-05-06 10:41 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 16:54 . 2010-06-24 12:21 55296 c:\windows\system32\msfeedsbs.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 25600 c:\windows\system32\jsproxy.dll
+ 2006-02-28 12:00 . 2010-06-24 12:21 25600 c:\windows\system32\jsproxy.dll
+ 2009-09-09 15:01 . 2009-09-09 15:01 27675 c:\windows\system32\drivers\klopp.dat
+ 2009-09-14 10:42 . 2009-09-14 10:42 32272 c:\windows\system32\drivers\klim5.sys
+ 2009-09-03 12:24 . 2009-09-03 12:24 24848 c:\windows\system32\drivers\klfltdev.sys
+ 2009-06-10 19:33 . 2010-06-24 12:22 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-10 19:33 . 2010-05-06 10:41 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2007-08-20 10:04 . 2010-06-24 12:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-08-20 10:04 . 2010-05-06 10:41 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2006-02-28 12:00 . 2010-06-24 12:21 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2007-11-14 20:19 . 2009-11-09 13:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-14 20:19 . 2010-08-12 19:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-12 12:01 . 2010-08-12 12:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012010081220100813\index.dat
- 2007-11-14 20:19 . 2009-11-09 13:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-14 20:19 . 2010-08-12 19:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-08-12 12:01 . 2010-08-12 12:01 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2010-08-12 12:01 . 2010-08-12 19:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-11-19 11:44 . 2010-07-14 10:05 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-08-12 12:09 . 2010-05-06 10:41 12800 c:\windows\ie8updates\KB2183461-IE8\xpshims.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 55296 c:\windows\ie8updates\KB2183461-IE8\msfeedsbs.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 25600 c:\windows\ie8updates\KB2183461-IE8\jsproxy.dll
+ 2006-02-28 12:00 . 2010-06-24 12:22 206848 c:\windows\system32\occache.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 206848 c:\windows\system32\occache.dll
+ 2006-02-28 12:00 . 2010-06-24 12:22 611840 c:\windows\system32\mstime.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 611840 c:\windows\system32\mstime.dll
+ 2007-08-13 16:54 . 2010-06-24 12:21 599040 c:\windows\system32\msfeeds.dll
- 2007-08-13 16:54 . 2010-05-06 10:41 599040 c:\windows\system32\msfeeds.dll
+ 2010-03-12 16:28 . 2010-03-12 16:28 219736 c:\windows\system32\klogon.dll
+ 2006-02-28 12:00 . 2010-06-24 12:21 184320 c:\windows\system32\iepeers.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 184320 c:\windows\system32\iepeers.dll
+ 2006-02-28 12:00 . 2010-06-24 12:21 387584 c:\windows\system32\iedkcs32.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 387584 c:\windows\system32\iedkcs32.dll
+ 2006-02-28 12:00 . 2010-06-23 12:08 173056 c:\windows\system32\ie4uinit.exe
- 2006-02-28 12:00 . 2010-05-05 13:30 173056 c:\windows\system32\ie4uinit.exe
+ 2010-08-12 07:00 . 2010-08-12 07:00 226320 c:\windows\system32\drivers\klif.sys
+ 2009-11-12 14:49 . 2009-11-12 14:49 126480 c:\windows\system32\drivers\kl1.sys
- 2006-02-28 12:00 . 2010-05-06 10:41 916480 c:\windows\system32\dllcache\wininet.dll
+ 2006-02-28 12:00 . 2010-06-24 12:22 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-10-15 03:14 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys
+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
+ 2006-02-28 12:00 . 2010-06-24 12:22 206848 c:\windows\system32\dllcache\occache.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-02-28 12:00 . 2010-06-24 12:22 611840 c:\windows\system32\dllcache\mstime.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-08-20 10:04 . 2010-06-24 12:21 599040 c:\windows\system32\dllcache\msfeeds.dll
- 2007-08-20 10:04 . 2010-05-06 10:41 599040 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-06-10 19:33 . 2010-06-24 12:21 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-06-10 19:33 . 2010-05-06 10:41 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2006-02-28 12:00 . 2010-06-24 12:21 184320 c:\windows\system32\dllcache\iepeers.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-10 07:27 . 2010-06-24 12:21 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-10 07:27 . 2010-05-06 10:41 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2006-02-28 12:00 . 2010-06-24 12:21 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-02-28 12:00 . 2010-05-06 10:41 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-02-28 12:00 . 2010-06-23 12:08 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-02-28 12:00 . 2010-05-05 13:30 173056 c:\windows\system32\dllcache\ie4uinit.exe
 
+ 2010-08-12 19:40 . 2010-08-12 19:40 156813 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\1033\StructuredQuerySchema.bin
- 2007-11-19 11:44 . 2010-07-14 10:05 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2010-08-12 12:09 . 2010-05-06 10:41 916480 c:\windows\ie8updates\KB2183461-IE8\wininet.dll
+ 2010-08-12 12:09 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB2183461-IE8\spuninst\updspapi.dll
+ 2010-08-12 12:09 . 2009-05-26 09:01 231288 c:\windows\ie8updates\KB2183461-IE8\spuninst\spuninst.exe
+ 2010-08-12 12:09 . 2010-05-06 10:41 206848 c:\windows\ie8updates\KB2183461-IE8\occache.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 611840 c:\windows\ie8updates\KB2183461-IE8\mstime.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 599040 c:\windows\ie8updates\KB2183461-IE8\msfeeds.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 247808 c:\windows\ie8updates\KB2183461-IE8\ieproxy.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 184320 c:\windows\ie8updates\KB2183461-IE8\iepeers.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 743424 c:\windows\ie8updates\KB2183461-IE8\iedvtool.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 387584 c:\windows\ie8updates\KB2183461-IE8\iedkcs32.dll
+ 2010-08-12 12:09 . 2010-05-05 13:30 173056 c:\windows\ie8updates\KB2183461-IE8\ie4uinit.exe
+ 2009-07-11 17:46 . 2009-07-11 17:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-11 17:46 . 2009-07-11 17:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
+ 2006-02-28 12:00 . 2010-06-24 12:22 1210368 c:\windows\system32\urlmon.dll
- 2006-02-28 12:00 . 2010-02-16 14:08 2146304 c:\windows\system32\ntoskrnl.exe
+ 2006-02-28 12:00 . 2010-04-27 13:59 2146304 c:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2010-04-27 13:05 2024448 c:\windows\system32\ntkrnlpa.exe
- 2004-08-03 22:59 . 2010-02-16 13:25 2024448 c:\windows\system32\ntkrnlpa.exe
+ 2006-02-28 12:00 . 2010-06-24 12:22 5951488 c:\windows\system32\mshtml.dll
+ 2007-08-13 16:34 . 2010-06-24 12:21 1986560 c:\windows\system32\iertutil.dll
- 2007-11-14 21:57 . 2010-07-26 04:24 2275512 c:\windows\system32\FNTCACHE.DAT
+ 2007-11-14 21:57 . 2010-08-12 13:02 2275512 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-15 03:14 . 2010-06-23 13:44 1851904 c:\windows\system32\dllcache\win32k.sys
+ 2006-02-28 12:00 . 2010-06-24 12:22 1210368 c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-15 03:13 . 2010-04-28 02:25 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-15 03:13 . 2010-02-17 06:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-15 03:13 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 03:13 . 2010-04-27 13:05 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-15 03:13 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-15 03:13 . 2010-04-27 13:05 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-15 03:13 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-15 03:13 . 2010-04-27 13:59 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-11-12 19:14 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2008-11-12 19:14 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2006-02-28 12:00 . 2010-06-24 12:22 5951488 c:\windows\system32\dllcache\mshtml.dll
+ 2010-03-10 18:10 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2010-03-10 18:10 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2007-08-20 10:04 . 2010-06-24 12:21 1986560 c:\windows\system32\dllcache\iertutil.dll
+ 2010-07-26 13:00 . 2010-07-26 13:00 5010944 c:\windows\Installer\cdf8f.msp
+ 2010-08-12 07:01 . 2010-08-12 07:01 4151296 c:\windows\Installer\a3ccc.msi
+ 2007-11-19 11:44 . 2010-08-12 12:11 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-11-19 11:44 . 2010-08-12 12:11 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2007-11-19 11:44 . 2010-07-14 10:05 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2010-08-12 12:09 . 2010-05-06 10:41 1209344 c:\windows\ie8updates\KB2183461-IE8\urlmon.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 5950976 c:\windows\ie8updates\KB2183461-IE8\mshtml.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 1985536 c:\windows\ie8updates\KB2183461-IE8\iertutil.dll
- 2008-10-15 03:13 . 2010-02-17 06:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 03:13 . 2010-04-28 02:25 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-15 03:13 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 03:13 . 2010-04-27 13:05 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 03:13 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-15 03:13 . 2010-04-27 13:05 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-15 03:13 . 2010-04-27 13:59 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2008-10-15 03:13 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-11-19 11:26 . 2010-08-03 18:09 35962312 c:\windows\system32\MRT.exe
+ 2007-08-13 16:54 . 2010-06-24 14:51 11077120 c:\windows\system32\ieframe.dll
+ 2007-08-20 10:04 . 2010-06-24 14:51 11077120 c:\windows\system32\dllcache\ieframe.dll
+ 2010-08-12 12:09 . 2010-05-06 10:41 11076096 c:\windows\ie8updates\KB2183461-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" [2010-03-12 311680]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\prinect\Start Menu\Programs\Startup\
map.bat [2008-11-26 116]
mapI.bat [2009-10-8 61]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2008-1-23 708608]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Signa Station 3\\PrinectSignaStation3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Signa Station 4\\PrinectSignaStation4.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\PTSupport\\PrinectService\\HDPrinectService.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\CEPSConverter\\HDCEPSConverter.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\ColorCarver\\HDColorCarver.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\ContentHotfolder\\HDContentHotfolder.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\CopydotConverter\\HDCopydotConverter.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\DocumentHandler\\HDPDFDocumentHandler.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\ImageHandler\\HDPDFImageHandler.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\Imposer\\HDPDFImposer.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\JobImExporter\\HDJobImportExport.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\Messenger\\HDMessenger.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\Normalizer\\HDNormalizer.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\AutoPage\\HDAutoPage.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\Preflighter\\HDPreflighter.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\Recombiner\\HDRecombiner.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\ResponseHandler\\HDResponseHandler.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\AutoSheet\\HDAutoSheet.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\Trapper\\HDTrapper.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\Cockpit\\PTClient.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Workflow\\PTSupport\\JRE\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
"c:\\Program Files\\Heidelberg\\Licensing\\License Server\\HDLicenseServer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24654:UDP"= 24654:UDP:Enfocus Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"123:UDP"= 123:UDP:System Time (NTP) Port
"427:UDP"= 427:UDP:AppleShare IP TCP Port 427
"548:UDP"= 548:UDP:AppleShare IP TCP Port 548
"520:UDP"= 520:UDP:Routing Information Protocol (RIP) Port
"65001:TCP"= 65001:TCP:Heidelberg Local Information Service Monitor (65001)
"65001:UDP"= 65001:UDP:Heidelberg Local Information Service Monitor (65001)
"65002:TCP"= 65002:TCP:Heidelberg Local Information Service Monitor (65002)
"65002:UDP"= 65002:UDP:Heidelberg Local Information Service Monitor (65002)
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_0\bin\fb_inet_server.exe -s --> c:\program files\Firebird\Firebird_2_0\bin\fb_inet_server.exe -s [?]
R2 HDLicenseServer;Heidelberg License Server Service;c:\program files\Heidelberg\Licensing\License Server\HDLicenseServer.exe [13.9.2004 г. 15:23 221184]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [23.1.2008 г. 16:41 14416]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [03.9.2009 г. 15:24 24848]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14.9.2009 г. 13:42 32272]
S2 Color Proof Pro Server;Color Proof Pro Server;c:\program files\Heidelberg\Color Proof Pro\Server\ColorProofPro_Server.exe -service "Color Proof Pro Server" --> c:\program files\Heidelberg\Color Proof Pro\Server\ColorProofPro_Server.exe -service Color Proof Pro Server [?]
S2 gupdate;Услуга Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29.7.2009 г. 15:59 133104]
S2 HDLISMonitor;Heidelberg Local Information Service Monitor;c:\program files\Heidelberg\Service Tools\bin\HDLISMonitor.exe [14.4.2008 г. 15:11 382256]
S2 HDPrinectSignaStationServer4;Heidelberg Prinect Signa Station 4 Server;c:\program files\Heidelberg\Prinect Signa Station 4\HDPrinectSignaStationServer4.exe [08.9.2004 г. 14:00 303104]
S2 Printready;Heidelberg Prinect;c:\program files\Heidelberg\Prinect Workflow\PTSupport\PrinectService\HDPrinectService.exe [24.4.2008 г. 09:09 1537328]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\eyeonedp.sys [23.1.2008 г. 16:38 44344]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06.5.2008 г. 16:06 11520]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [15.11.2007 г. 20:18 685816]
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 12:07]

2010-08-18 c:\windows\Tasks\User_Feed_Synchronization-{11F60A2F-4588-43E6-A463-EB640A8120EA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 01:31]
 
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: {64FAA71B-6E44-452F-8FDA-5841D645BD12} = 192.168.10.133
FF - ProfilePath - c:\documents and settings\prinect\Application Data\Mozilla\Firefox\Profiles\jjsxlrco.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/profile.php?id=697918936&ref=search#!/?ref=home|http://svejo.net/popular/all/new?pa...itetemplates.com/|http://www.leader-code.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.1.6&q=
FF - component: c:\documents and settings\prinect\Application Data\Mozilla\Firefox\Profiles\jjsxlrco.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 13:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="<value omitted from the pasted log>"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1100)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3984)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\program files\WinRAR\rarext.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\ADFSMenu.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\BIB.dll
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiamenu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Firebird\Firebird_2_0\bin\fb_inet_server.exe
c:\windows\system32\oodag.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-08-18 14:02:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 11:02
ComboFix2.txt 2010-08-12 06:34

Pre-Run: 13*825*286*144 bytes free
Post-Run: 30*741*446*656 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - AB48A947B0CC956A280EF782001ED5CE
 
2010-08-18 Zepfod.ev 2010-08-18 Trojan.Generic.2911046
2010-08-18 Win32:Rootkit-gen 2010-08-18 Trojan.Win32.KillAV
2010-08-18 BackDoor.Generic12.TSA 2010-08-18 Backdoor.Win32.Zepfod.ev
2010-08-18 BDS/Zepfod.EV 2010-08-18 Win32/AutoRun.Agent.UD worm
2010-08-18 Trojan.Generic.2911046 Scanning, please wait...
2010-08-18 Trojan.KillAV-241 2010-08-18 Trojan.Scar.bany
2010-08-18 Found nothing 2010-08-18 Troj/Bckdr-RAJ
2010-08-18 Trojan.Packed.654 2010-08-16 Trojan.Win32.AntiAV.emk
2010-08-17 W32/Trojan2.LOJC 2010-08-17 Trojan.AntiAV.CRK
2010-08-18 Trojan.Generic.2911046

scan by jotti ... file in windows\temp
 
Can you get some info on these files please:
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\drivers\kgpfr2.cfg

=============

Can you also go back and do another ESET scan, and this time, before the scan, select 'remove found threats' and hit start.
Please post the log.
 
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\LicSN\LicSN.bat.vir a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\MetaDimension\MetaDimension.bat.vir a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\Prinect Workflow\Workflow.bat.vir a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000863.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000864.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000865.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000866.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000867.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000868.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000869.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000870.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000871.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000872.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000873.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000874.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000875.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP1\A0000876.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0005603.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0005604.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0005605.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0005606.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0005607.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0005608.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0005609.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006378.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006379.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006380.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006381.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006382.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006383.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006384.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006385.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006386.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006387.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006388.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006389.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006390.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006391.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006392.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006393.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006394.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006395.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006396.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006397.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006398.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006399.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006400.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006401.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006402.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006403.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006404.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006405.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006406.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006407.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006408.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP11\A0006409.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001969.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001970.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001971.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001972.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001973.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001974.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001975.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001976.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001977.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001978.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001979.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001980.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001981.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001982.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001983.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001984.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001985.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001986.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001987.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001988.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001989.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001990.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001991.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001992.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001993.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001994.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001995.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001996.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001997.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001998.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0001999.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0002000.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0002001.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0002002.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0002003.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP3\A0002004.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0002559.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003296.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003297.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003298.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003299.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003302.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003303.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003304.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003305.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003307.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003308.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003309.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003310.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003311.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003312.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003313.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003314.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003315.pif a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003316.scr a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003317.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003318.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003319.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003320.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003321.exe a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{88E1DFC5-D3F4-4892-AD45-A5488BFC08D3}\RP6\A0003322.bat a variant of Win32/AutoRun.Agent.UD worm cleaned by deleting - quarantined
 
I deleted these files with Avenger... jotti scan: no infection...
I followed http://www.bleepingcomputer.com/forums/topic252151-30.html


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\drivers\kgpcpy.cfg" deleted successfully.
File "c:\windows\system32\drivers\kgpfr2.cfg" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 
Didn't find these files on the 2003 machine, just on XP. Since this afternoon there has been no activity on the 2 computers that I check. I also started a Process Monitor to record the creation of the files on another XP machine; the file appears in the location, but... nothing suspicious in the records. I checked from the second before creation until the second after creation. I'll try some new ideas tomorrow.
 
As per the 8 step instructions:
DO NOT make any other changes to your computer (e.g. installing programs, using other cleaning tools, etc.), until it's officially declared clean!!! DO NOT make any Registry Changes. And it is recommended that if you are running any Registry editing program, that you either uninstall or disable that while we are in the cleaning process
If there was nothing found with those files, I fail to understand why you had them removed? I also did not request the running of Avenger.
If you are going to be doing your own thing in the background, I will be unable to assist you further.
 
Sorry about that, the files are back on. No activity for today, everything looks normal, no new files in shared folders.
 
Any chance you can have all those PCs scanned at ESET? Especially the server, which is probably infecting them.

==

It appears you have 2 versions of the same software installed. Can you confirm that?

==

Is there an IT person there who can go through those machines? It may be that they will end up having to be formatted.
 
I started a scan with ESET on the server. Yesterday there was no activity on the server and the nearby XP computer. I moved to the other infected one. I collected some data with Process Explorer and Process Monitor at the moment of creation of the infected files. The virus isn't a visible process in PE; maybe it's part of some DLL, or the code is injected somewhere. I didn't find which service creates the files. Can somebody check this log? It's too big to post here. On Monday it's a final try to fix this, then I'll do format c: on both computers, and next week try to reinstall everything.

----
It appears you have 2 versions of the same software installed. Can you confirm that?
----
Didn't understand this?
 
"c:\\Program Files\\Heidelberg\\Prinect Signa Station 3\\PrinectSignaStation3.exe"=
"c:\\Program Files\\Heidelberg\\Prinect Signa Station 4\\PrinectSignaStation4.exe"=

Looks like version 3 and version 4 together?
 
C:\Program Files\DAEMON Tools\SetupDTSB.exe Win32/Adware.WhenU.SaveNow application cleaned by deleting - quarantined


This is the scan of the server by the ESET online scanner.

I'll format the computers maybe next week, on Wednesday. Hope to fix something until then.
Still no activity on the 2 computers, the server and the XP one. On one of the active ones I ran RootkitRevealer.
It showed me a couple of registry issues that I checked; they are false positives. It also gave me about 100,000 issues with files or folders. I restarted the computer because it was impossible to create a log file. Checkdisk started and fixed something; after that RootkitRevealer just sees those registry items.

The link above: it's not my case.
Any idea, guys, what to do next?
 
Have you scanned all the computers with the ESET on-line scanner?
How are you certain that the link contains nothing?
 
C:\Program Files\DAEMON Tools\SetupDTSB.exe Win32/Adware.WhenU.SaveNow application cleaned by deleting - quarantined

This is the log file from the ESET online scanner made on the server, or maybe I saved only the log of the deleted file.

About the link: I checked the registry keys, I checked for the ace folder, I checked the process Netsvcs.exe, checked for NtApi.exe; none of them are located on 2 of the machines.
 
I found something.

GMER scan: it says that some rootkit makes changes to the system.
Take a look at the services.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-23 17:13:51
Windows 5.1.2600 Service Pack 3
Running: xbjixdjo.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fwriauow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA6CA81C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xAA6CAF90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xAA6CB3B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xAA6CB66C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xAA6CF0F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xAA6C9F50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xAA6CB628]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xAA6CA6E2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xAA6CB5E4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xAA6CA7FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xAA6CB6B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA6CC466]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xAA6CAD42]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xAA6CB606]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xAA6CBE98]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xAA6CA3F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xAA6CA592]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xAA6CB18A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xAA6CC8A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xAA6CA67C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xAA6CA69E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xAA6CB03C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xAA6CBF2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xAA6C9F2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xAA6C9F3E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xAA6CB68E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xAA6CEF36]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xAA6CA0A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xAA6CB64A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xAA6CAA2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xAA6CC490]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xAA6CB6D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xAA6CA94E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xAA6CA6C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA6CA4B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xAA6CA2EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xAA6CC1BE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xAA6C9BB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA6CBD1E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xAA6C9D14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xAA6CC77C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xAA6C99B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xAA6CB27A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xAA6CAE42]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xAA6CC024]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xAA6CC4BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xAA6CA1BE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xAA6CC59E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xAA6CC65A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xAA6CBDC4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xAA6CABA2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xAA6CAAF8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xAA6CAC82]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP AA6DD49C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP AA6DD876 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2CAC 80504548 16 Bytes [FA, A7, 6C, AA, B0, B6, 6C, ...] {CLI ; CMPSD ; INSB ; STOSB ; MOV AL, 0xb6; INSB ; STOSB ; LES BP, WORD [EDX+EBP*4+0x42]; LODSD ; INSB ; STOSB }
.text ntkrnlpa.exe!ZwCallbackReturn + 2D68 80504604 12 Bytes [2A, BF, 6C, AA, 2C, 9F, 6C, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2DC1 8050465D 7 Bytes [A0, 6C, AA, 4A, B6, 6C, AA] {MOV AL, [0xb64aaa6c]; INSB ; STOSB }
.text ntkrnlpa.exe!ZwCallbackReturn + 2EA8 80504744 4 Bytes JMP 1AAA6CA2
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [9E, C5, 6C, AA, 5A, C6, 6C, ...]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF67A4F80]

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[1064] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[1064] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [50, 12, 4A, 6D] {PUSH EAX; ADC CL, [EDX+0x6d]}
.text C:\WINDOWS\system32\SearchIndexer.exe[1536] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[3620] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[3620] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [50, 12, 4A, 6D] {PUSH EAX; ADC CL, [EDX+0x6d]}

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [AA18FD50] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [AA18FD50] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
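Reading the GMER output above is easier when the SSDT lines are grouped by the module GMER attributes them to, so here is an added example for that (editor's code, not part of the thread and not the helper's). Every hook in the posted log is attributed to Kaspersky's klif.sys or kl1.sys, the AV the machine runs (avp.exe appears in the user code sections), and the `ZwCallbackReturn + ...` byte dumps are the patched service table entries themselves: `FA A7 6C AA` is the little-endian form of 0xAA6CA7FA, the klif.sys address listed for ZwCreateSection. The script parses SSDT lines, groups them per module and vendor, flags any hook GMER could not attribute to a file, and decodes the byte dumps back to addresses and matches them against the hooks. The attributed line shapes follow the log above; the unattributed `SSDT <hex> ZwName` shape is assumed from GMER's usual output, and SAMPLE_LOG is constructed from a few of the posted lines plus one hypothetical unattributed hook.

```python
"""Added example (not from the original thread): triage the SSDT section of a
GMER log. Hooks are grouped by the module GMER attributes them to, unattributed
hooks are flagged, and the patched kernel bytes are decoded as little-endian
addresses and matched back to the hooks.

Assumptions: attributed lines look like the log in the thread; the
unattributed form 'SSDT <hex> ZwName' is assumed from GMER's usual output;
SAMPLE_LOG is constructed (three posted lines plus one hypothetical hook).
"""
import re
from collections import defaultdict

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<target>\S+)"                    # module path, or bare address when unattributed
    r"(?:\s+\((?P<desc>[^)]*)\))?"                # "(description/vendor)" when GMER found the file
    r"\s+(?P<func>Zw\w+)"                         # hooked native API
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"   # hook address, if printed
)
# ".text <symbol> [+ off] <addr> N Bytes [b0, b1, ...]" lines (raw bytes, not JMP lines)
BYTES_RE = re.compile(
    r"^\.text\s+(?P<sym>\S+(?:\s+\+\s+[0-9A-F]+)?)\s+(?P<at>[0-9A-F]{8})\s+\d+ Bytes\s+\[(?P<bytes>[^\]]*)\]"
)

SAMPLE_LOG = r"""
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xAA6CA7FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xAA6CB6B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xAA6CBF2A]
SSDT 8A3A1CD8 ZwQueryDirectoryFile
.text ntkrnlpa.exe!ZwCallbackReturn + 2CAC 80504548 16 Bytes [FA, A7, 6C, AA, B0, B6, 6C, ...] {CLI ; CMPSD ; INSB ; STOSB ; MOV AL, 0xb6; INSB ; STOSB }
"""


def parse_ssdt(text):
    """Return one dict per SSDT line: target, desc, func, addr (desc/addr may be None)."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def vendor_of(hook):
    """GMER prints 'description/vendor'; the vendor is the part after the last slash."""
    desc = hook["desc"]
    return desc.rsplit("/", 1)[-1].strip() if desc else None


def triage(text):
    """Group hooks by hooking module. 'unattributed' is True when GMER printed a
    bare address instead of a file, which is the case worth chasing."""
    by_target = defaultdict(lambda: {"vendor": None, "functions": [], "unattributed": False})
    for h in parse_ssdt(text):
        entry = by_target[h["target"]]
        entry["vendor"] = vendor_of(h)
        entry["functions"].append(h["func"])
        entry["unattributed"] = h["desc"] is None
    return dict(by_target)


def decode_dwords(byte_list):
    """'FA, A7, 6C, AA, B0, B6, 6C, ...' -> [0xAA6CA7FA]; only complete dwords, '...' ignored."""
    vals = [int(t, 16) for t in (p.strip() for p in byte_list.split(",")) if re.fullmatch(r"[0-9A-Fa-f]{2}", t)]
    return [int.from_bytes(bytes(vals[i:i + 4]), "little") for i in range(0, len(vals) - 3, 4)]


def match_patched_bytes(text):
    """For each raw-bytes line, decode the dwords and name the SSDT hook each one equals."""
    addr_to_func = {int(h["addr"], 16): h["func"] for h in parse_ssdt(text) if h["addr"]}
    out = []
    for line in text.splitlines():
        m = BYTES_RE.match(line.strip())
        if not m:
            continue
        sym = " ".join(m.group("sym").split())
        for val in decode_dwords(m.group("bytes")):
            out.append((sym, hex(val), addr_to_func.get(val)))
    return out


if __name__ == "__main__":
    for target, info in triage(SAMPLE_LOG).items():
        flag = "UNATTRIBUTED" if info["unattributed"] else info["vendor"]
        print(f"{target}: {len(info['functions'])} hook(s) [{flag}]")
    for sym, addr, func in match_patched_bytes(SAMPLE_LOG):
        print(f"{sym}: {addr} -> {func or 'no matching SSDT hook'}")
```

Run against the full posted log, the grouping collapses the fifty-odd klif.sys lines into one entry with vendor "Kaspersky Lab" and nothing unattributed; the byte-dump lines resolve to the same addresses as the hook list. A hook whose target is a bare address, like the constructed 8A3A1CD8 line, is what would need follow-up, because it means the hooking code is not backed by a file GMER could identify.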
 