#1 - 20th June 2009 - sgngracie (Member, Computer Experience: Beginner)
[Resolved] Trojan: Win32/Killav.gen!A

Hello!

I can no longer connect to the internet using my Netgear Wireless Adapter. Kaspersky did not catch (or I did not see/understand that it did) the trojan. I used Windows Live OneCare and it told me I had the virus.

I run Windows XP and have already run the DDS tool.

I am an extreme novice -- so be gentle with me!

#2 - 20th June 2009 - broni (Malware Analyst, Daly City, CA)

Post DDS logs, please.
Why are you running two AV programs?

#3 - 20th June 2009 - sgngracie (Member)

I hadn't been running two until I was fairly certain that Kaspersky hadn't caught something. I went into MSN Security to make sure that I had all the system updates I was supposed to have -- that's when Windows Live OneCare caught the Trojan.

DDS logs below -- thanks!




DDS (Ver_09-05-14.01) - NTFSx86
Run by HP_Administrator at 22:28:25.18 on Fri 06/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.200 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RegCure\RegCure.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\FYYQJFNC\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
Trusted Zone: trymedia.com
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238287501724
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-11-6 213520]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-4-25 201992]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]

=============== Created Last 30 ================


==================== Find3M ====================

2009-06-19 22:14 34,120 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-19 22:05 868,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-19 22:05 4,048 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-18 21:59 4,229,152 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-20 08:30 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-05-20 08:30 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-13 00:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 16:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 16:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 16:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 16:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 16:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 06:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 19:25 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2009-04-25 00:30 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-28 20:18 210,480 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-03-28 20:18 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2007-12-28 15:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2007-01-20 19:14 22 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 22:29:07.90 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/6/2008 6:13:00 PM
System Uptime: 6/19/2009 9:09:34 PM (1 hours ago)

Motherboard: ASUSTek Computer INC. | | LEUCITE3
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 224 GiB total, 199.974 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 0.415 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP124: 3/21/2009 1:08:54 PM - System Checkpoint
RP125: 3/22/2009 1:13:45 PM - System Checkpoint
RP126: 3/23/2009 6:54:59 PM - System Checkpoint
RP127: 3/24/2009 9:36:19 PM - System Checkpoint
RP128: 3/26/2009 6:15:15 PM - System Checkpoint
RP129: 3/28/2009 1:23:12 PM - System Checkpoint
RP130: 3/28/2009 7:49:49 PM - Software Distribution Service 3.0
RP131: 3/28/2009 7:50:53 PM - Software Distribution Service 3.0
RP132: 3/28/2009 9:07:42 PM - Software Distribution Service 3.0
RP133: 3/28/2009 10:16:04 PM - Software Distribution Service 3.0
RP134: 3/28/2009 11:43:45 PM - Software Distribution Service 3.0
RP135: 3/29/2009 10:39:34 AM - Software Distribution Service 3.0
RP136: 3/30/2009 6:04:23 PM - System Checkpoint
RP137: 3/30/2009 8:16:12 PM - Software Distribution Service 3.0
RP138: 3/31/2009 9:34:50 PM - System Checkpoint
RP139: 3/31/2009 10:27:56 PM - Software Distribution Service 3.0
RP140: 4/1/2009 9:38:24 PM - Software Distribution Service 3.0
RP141: 4/2/2009 10:29:03 PM - Software Distribution Service 3.0
RP142: 4/3/2009 7:08:25 PM - Software Distribution Service 3.0
RP143: 4/4/2009 4:24:12 PM - Software Distribution Service 3.0
RP144: 4/5/2009 9:26:41 AM - Software Distribution Service 3.0
RP145: 4/6/2009 6:01:31 PM - System Checkpoint
RP146: 4/6/2009 7:02:58 PM - Software Distribution Service 3.0
RP147: 4/7/2009 11:09:43 PM - Software Distribution Service 3.0
RP148: 4/8/2009 8:11:04 PM - Software Distribution Service 3.0
RP149: 4/9/2009 9:37:09 PM - System Checkpoint
RP150: 4/9/2009 10:12:08 PM - Software Distribution Service 3.0
RP151: 4/10/2009 1:11:46 PM - Software Distribution Service 3.0
RP152: 4/11/2009 9:00:57 AM - Software Distribution Service 3.0
RP153: 4/12/2009 10:23:08 AM - System Checkpoint
RP154: 4/12/2009 2:11:50 PM - Software Distribution Service 3.0
RP155: 4/13/2009 6:00:01 PM - System Checkpoint
RP156: 4/13/2009 9:06:43 PM - Software Distribution Service 3.0
RP157: 4/14/2009 11:36:35 PM - Software Distribution Service 3.0
RP158: 4/15/2009 5:34:42 PM - Software Distribution Service 3.0
RP159: 4/16/2009 6:06:29 PM - System Checkpoint
RP160: 4/16/2009 8:34:03 PM - Software Distribution Service 3.0
RP161: 4/17/2009 11:54:38 PM - Software Distribution Service 3.0
RP162: 4/18/2009 10:33:42 AM - Software Distribution Service 3.0
RP163: 4/19/2009 9:55:14 AM - Software Distribution Service 3.0
RP164: 4/20/2009 6:15:54 PM - System Checkpoint
RP165: 4/20/2009 9:18:03 PM - Software Distribution Service 3.0
RP166: 4/21/2009 9:29:38 PM - Software Distribution Service 3.0
RP167: 4/22/2009 10:12:44 PM - Software Distribution Service 3.0
RP168: 4/23/2009 6:32:01 PM - Software Distribution Service 3.0
RP169: 4/24/2009 10:17:07 PM - Software Distribution Service 3.0
RP170: 4/25/2009 6:10:54 PM - Software Distribution Service 3.0
RP171: 4/26/2009 8:41:14 AM - Software Distribution Service 3.0
RP172: 4/28/2009 7:25:17 PM - Installed NETGEAR WG111v3 wireless USB 2.0 adapter
RP173: 4/28/2009 9:25:50 PM - Software Distribution Service 3.0
RP174: 4/29/2009 10:58:32 PM - Software Distribution Service 3.0
RP175: 4/30/2009 10:53:16 PM - Software Distribution Service 3.0
RP176: 5/1/2009 11:31:31 PM - Software Distribution Service 3.0
RP177: 5/2/2009 10:41:47 PM - Software Distribution Service 3.0
RP178: 5/3/2009 10:43:36 PM - Software Distribution Service 3.0
RP179: 5/4/2009 9:48:56 PM - Software Distribution Service 3.0
RP180: 5/5/2009 11:48:10 PM - Software Distribution Service 3.0
RP181: 5/6/2009 11:24:46 PM - Software Distribution Service 3.0
RP182: 5/7/2009 9:11:18 PM - Software Distribution Service 3.0
RP183: 5/7/2009 9:29:42 PM - Software Distribution Service 3.0
RP184: 5/7/2009 11:01:09 PM - Software Distribution Service 3.0
RP185: 5/8/2009 8:51:09 AM - Software Distribution Service 3.0
RP186: 5/9/2009 1:06:59 PM - System Checkpoint
RP187: 5/9/2009 10:51:00 PM - Software Distribution Service 3.0
RP188: 5/10/2009 11:09:29 AM - Software Distribution Service 3.0
RP189: 5/10/2009 9:38:50 PM - Software Distribution Service 3.0
RP190: 5/11/2009 11:23:56 PM - Software Distribution Service 3.0
RP191: 5/12/2009 11:04:59 PM - Software Distribution Service 3.0
RP192: 5/13/2009 10:50:43 PM - Software Distribution Service 3.0
RP193: 5/14/2009 12:25:43 PM - Software Distribution Service 3.0
RP194: 5/14/2009 10:43:06 PM - Software Distribution Service 3.0
RP195: 5/15/2009 9:19:38 PM - Software Distribution Service 3.0
RP196: 5/16/2009 11:10:32 PM - Software Distribution Service 3.0
RP197: 5/17/2009 10:57:59 PM - Software Distribution Service 3.0
RP198: 5/18/2009 2:14:53 PM - Software Distribution Service 3.0
RP199: 5/18/2009 4:45:44 PM - Software Distribution Service 3.0
RP200: 5/18/2009 7:39:00 PM - Software Distribution Service 3.0
RP201: 5/18/2009 10:47:31 PM - Software Distribution Service 3.0
RP202: 5/20/2009 12:19:21 AM - Software Distribution Service 3.0
RP203: 5/20/2009 10:00:23 PM - Software Distribution Service 3.0
RP204: 5/21/2009 11:26:32 PM - Software Distribution Service 3.0
RP205: 5/22/2009 9:22:29 AM - Software Distribution Service 3.0
RP206: 5/22/2009 10:03:22 AM - Software Distribution Service 3.0
RP207: 5/23/2009 12:08:36 AM - Software Distribution Service 3.0
RP208: 5/24/2009 7:42:48 AM - Software Distribution Service 3.0
RP209: 5/25/2009 12:48:57 AM - Software Distribution Service 3.0
RP210: 5/25/2009 12:33:46 PM - Printer Driver HP Officejet 6500 E709a Series fax Installed
RP211: 5/26/2009 12:41:21 AM - Software Distribution Service 3.0
RP212: 5/26/2009 10:36:24 PM - Software Distribution Service 3.0
RP213: 5/27/2009 6:50:32 PM - Software Distribution Service 3.0
RP214: 5/27/2009 7:02:42 PM - Software Distribution Service 3.0
RP215: 5/27/2009 7:17:27 PM - Software Distribution Service 3.0
RP216: 5/28/2009 12:04:57 AM - Software Distribution Service 3.0
RP217: 5/28/2009 10:56:23 PM - Software Distribution Service 3.0
RP218: 5/29/2009 9:57:03 PM - Software Distribution Service 3.0
RP219: 5/30/2009 9:48:27 PM - Software Distribution Service 3.0
RP220: 5/31/2009 10:16:57 PM - Software Distribution Service 3.0
RP221: 6/1/2009 10:40:44 PM - Software Distribution Service 3.0
RP222: 6/2/2009 10:02:32 PM - Software Distribution Service 3.0
RP223: 6/4/2009 12:10:11 AM - Software Distribution Service 3.0
RP224: 6/4/2009 10:51:51 PM - Software Distribution Service 3.0
RP225: 6/5/2009 11:09:46 PM - Software Distribution Service 3.0
RP226: 6/6/2009 11:55:55 PM - Software Distribution Service 3.0
RP227: 6/7/2009 10:18:39 PM - Software Distribution Service 3.0
RP228: 6/8/2009 5:23:42 PM - Software Distribution Service 3.0
RP229: 6/8/2009 9:57:55 PM - Software Distribution Service 3.0
RP230: 6/9/2009 11:32:42 PM - Software Distribution Service 3.0
RP231: 6/10/2009 8:42:07 PM - Software Distribution Service 3.0
RP232: 6/11/2009 10:46:58 PM - Software Distribution Service 3.0
RP233: 6/13/2009 1:41:19 AM - Software Distribution Service 3.0
RP234: 6/13/2009 10:59:37 PM - Software Distribution Service 3.0
RP235: 6/14/2009 8:45:52 AM - Software Distribution Service 3.0
RP236: 6/15/2009 8:33:48 PM - System Checkpoint
RP237: 6/15/2009 11:37:58 PM - Software Distribution Service 3.0
RP238: 6/16/2009 6:16:54 AM - Software Distribution Service 3.0
RP239: 6/16/2009 10:25:53 PM - Software Distribution Service 3.0
RP240: 6/17/2009 8:32:29 PM - Software Distribution Service 3.0
RP241: 6/17/2009 9:11:40 PM - Software Distribution Service 3.0
RP242: 6/18/2009 6:01:18 AM - Software Distribution Service 3.0
RP243: 6/18/2009 9:58:18 PM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
6500_E709_eDocs
6500_E709_Help
6500_E709a
Adobe Acrobat 9 Pro
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5
AT&T Yahoo! Activation
AT&T Yahoo! Messenger
AutoUpdate
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Compatibility Pack for the 2007 Office system
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
DeductionPro 2008
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DISCover
DivX
DocMgr
DocProc
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
Fax
FullDPAppQFolder
GemMaster Mystic
GPBaseService2
High Definition Audio Driver Package - KB888111
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP Customer Participation Program 12.0
HP DigitalMedia Archive
HP Document Manager 2.0
HP DVD Play 2.1
HP Imaging Device Functions 12.0
HP Officejet 6500 E709 Series
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Smart Web Printing
HP Solution Center 12.0
HP Update
HP Web Helper
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
HPSSupply
InstantShareDevices
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™ Software
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 12
Kaspersky Anti-Virus 2009
LightScribe 1.4.105.1
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
My HP Games
NETGEAR WG111v3 wireless USB 2.0 adapter
Netscape Browser (remove only)
Network
OCR Software by I.R.I.S. 12.0
OptionalContentQFolder
Otto
PhotoGallery
ProductContext
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RandMap
RealPlayer
Realtek High Definition Audio Driver
RegCure 1.6.0.0
Remove WeatherBug Installer
Rhapsody
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Shop for HP Supplies
SkinsHP1
SlideShow
SlideShowMusic
SmartWebPrinting
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Status
TaxCut Premium + State + Efile 2008
TaxCut Wisconsin 2008
Toolbox
TrayApp
Unload
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
WebFldrs XP
WebReg
WildTangent Web Driver
WILLPower v6
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Service Pack 3
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

6/18/2009 7:55:49 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00223FE175FE. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
6/16/2009 7:17:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2

==== End Of File ===========================

Old 20th June 2009   #4
broni (Malware Analyst)
Join Date: Aug 2002
Location: Daly City, CA
Posts: 4,696
Computer Experience: intermediate

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

STEP 1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.

* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.

* Click Close to exit the program.
Post SUPERAntiSpyware log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
When the scan is completed, click the Save button and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

STEP 4. Download HijackThis:
http://www.trendsecure.com/portal/en...kthis/download
by clicking on Download HijackThis Installer
Install, and run it.
Post HijackThis log.
Do NOT attempt to "fix" anything!


DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Old 21st June 2009   #5
sgngracie (Member)
Join Date: Jun 2009
Posts: 19
Computer Experience: Beginner

I have completed step 1 and run SAS -- log below. No harmful items found. When I restart the computer before step 2, am I supposed to restart in safe mode again? Or normal mode?



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/20/2009 at 05:57 PM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1854

Scan type : Complete Scan
Total Scan Time : 01:08:11

Memory items scanned : 216
Memory threats detected : 0
Registry items scanned : 6313
Registry threats detected : 0
File items scanned : 142151
File threats detected : 0

Old 22nd June 2009   #6
broni (Malware Analyst)
Join Date: Aug 2002
Location: Daly City, CA
Posts: 4,696
Computer Experience: intermediate

All other scans are to be run in normal mode.
Old 23rd June 2009   #7
sgngracie (Member)
Join Date: Jun 2009
Posts: 19
Computer Experience: Beginner

OK -- that's what I did for Step 2 -- the Malwarebytes log is below. I cannot get GMER to run -- it downloads fine from all three sites, but I click on Scan and nothing happens -- it just sits there.



Malwarebytes' Anti-Malware 1.38
Database version: 2317
Windows 5.1.2600 Service Pack 3

6/20/2009 7:15:58 PM
mbam-log-2009-06-20 (19-15-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 254332
Time elapsed: 55 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

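An added example, not code from the thread or from Malwarebytes: a parser for the MBAM 1.x log layout posted above, run on a constructed, abridged copy of that log. It pulls out the version and database, the summary counts and the itemised detections, flags entries whose action is not a completed quarantine (a "Delete on reboot" entry is constructed for this; the posted log has none), and checks that the summary counts agree with the itemised lines, which they will not in a log that was cut short when pasted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log, abridged
# from the one posted above (the "Delete on reboot" entry is made up to exercise the
# pending-action check; it is not in the posted log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2317
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 254332
Time elapsed: 55 minute(s), 15 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> Delete on reboot.
"""

# One "<path> (<threat>) -> <action>." line; <path> may itself contain spaces.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")  # summary block
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")               # itemised block
NO_ITEMS = "(No malicious items detected)"
DONE = "Quarantined and deleted successfully"


@dataclass
class Detection:
    section: str   # e.g. "Registry Keys Infected"
    path: str      # registry or file path exactly as MBAM printed it
    threat: str    # MBAM family name, e.g. "Adware.PopCap"
    action: str    # what MBAM did, without the trailing period


@dataclass
class MbamReport:
    version: str = ""
    database: str = ""
    summary: dict = field(default_factory=dict)      # section -> count claimed in the summary
    detections: list = field(default_factory=list)  # itemised entries in file order

    def threats(self) -> set:
        """Distinct MBAM family names seen in the itemised sections."""
        return {d.threat for d in self.detections}

    def pending(self) -> list:
        """Entries not yet fully removed (e.g. 'Delete on reboot'): a reboot is still due."""
        return [d for d in self.detections if d.action != DONE]

    def count_mismatches(self) -> dict:
        """Sections whose summary count disagrees with the itemised lines: section -> (claimed, listed)."""
        listed = {}
        for d in self.detections:
            listed[d.section] = listed.get(d.section, 0) + 1
        return {s: (n, listed.get(s, 0)) for s, n in self.summary.items()
                if listed.get(s, 0) != n}


def parse_mbam_log(text: str) -> MbamReport:
    """Parse an MBAM 1.x scan log: header fields, summary counts, itemised detections."""
    report = MbamReport()
    section = None  # None while still inside the header/summary block
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == NO_ITEMS:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.split(" ", 2)[2]
        elif line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
        elif section is None and (m := COUNT_RE.match(line)):
            report.summary[m.group("section")] = int(m.group("count"))
        elif (m := SECTION_RE.match(line)):
            section = m.group("section")
        elif section is not None and (m := ITEM_RE.match(line)):
            report.detections.append(Detection(section, m["path"], m["threat"], m["action"]))
    return report


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.version, rep.database, sorted(rep.threats()), rep.pending(), rep.count_mismatches())
```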
Old 23rd June 2009   #8
broni (Malware Analyst)
Join Date: Aug 2002
Location: Daly City, CA
Posts: 4,696
Computer Experience: intermediate

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

Old 23rd June 2009   #9
sgngracie (Member)
Join Date: Jun 2009
Posts: 19
Computer Experience: Beginner

No dice -- I've tried from both links.

1) It doesn't give me an option to save to the desktop.

2) Both tell me I can't rename it from ComboFix.exe to ComboFix.exe[1] -- but I haven't done a thing to them.

I appreciate your help -- this is very frustrating. :-(

Old 23rd June 2009   #10
broni (Malware Analyst)
Join Date: Aug 2002
Location: Daly City, CA
Posts: 4,696
Computer Experience: intermediate

Not a problem...

Download it from HERE

Old 23rd June 2009   #11
sgngracie (Member)
Join Date: Jun 2009
Posts: 19
Computer Experience: Beginner

Nope -- same thing. No option to save to desktop and the error message telling me I can't rename the file even though I haven't touched it.

I did a search on Windows for "Combofix" and found it on my C drive in the Prefetch folder. I tried double clicking on it, but for all .pf extension files, it tells me it is an unknown application and I can't open anything that is .pf.

Old 23rd June 2009   #12
broni (Malware Analyst)
Join Date: Aug 2002
Location: Daly City, CA
Posts: 4,696
Computer Experience: intermediate

I'm going to PM you with my private download link.
Old 24th June 2009   #13
sgngracie (Member)
Join Date: Jun 2009
Posts: 19
Computer Experience: Beginner

That did the trick! Thanks! Log below...



ComboFix 09-06-22.0E - HP_Administrator 06/23/2009 19:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.532 [GMT -5:00]
Running from: c:\tools-av\28456\28456.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kl1.sys
c:\windows\kb913800.exe
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-24 00:51 . 2009-06-24 00:51 -------- d-----w- C:\Tools-AV
2009-06-21 16:57 . 2009-06-21 16:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-06-21 14:10 . 2009-06-21 14:10 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-06-21 14:10 . 2009-06-21 14:10 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\IsolatedStorage
2009-06-21 14:10 . 2009-06-21 14:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\HP
2009-06-20 23:14 . 2009-06-20 23:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-06-20 23:14 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 23:14 . 2009-06-20 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 23:14 . 2009-06-20 23:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 23:14 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-20 21:45 . 2009-06-21 15:37 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-20 21:45 . 2009-06-20 21:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-20 21:45 . 2009-06-20 21:45 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-20 21:39 . 2009-06-24 01:06 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-20 21:38 . 2009-06-20 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-20 21:38 . 2009-06-20 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-20 21:38 . 2009-06-20 21:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-06-19 02:39 . 2009-06-19 02:39 -------- d-----w- c:\windows\system32\LogFiles
2009-06-19 01:02 . 2009-06-19 01:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-14 13:50 . 2009-06-23 02:58 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-10 17:20 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 17:20 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-05-25 18:16 . 2009-06-24 00:40 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPAppData
2009-05-25 17:35 . 2009-05-25 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-05-25 17:34 . 2009-05-25 17:34 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\HP
2009-05-25 17:30 . 2009-05-25 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-05-25 17:27 . 2009-05-25 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-05-25 17:26 . 2009-05-25 17:26 -------- d-----w- c:\windows\hpoj6500e709
2009-05-25 17:25 . 2007-07-09 18:13 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-05-25 17:25 . 2007-07-09 18:13 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-05-25 17:25 . 2008-08-22 12:24 271704 ----a-r- c:\windows\system32\hpzids01.dll
2009-05-25 17:25 . 2008-08-12 15:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2009-05-25 17:25 . 2007-07-09 18:13 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2009-05-25 17:25 . 2008-10-06 19:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2009-05-25 17:25 . 2008-10-06 19:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2009-05-25 17:25 . 2007-07-09 18:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2009-05-25 17:25 . 2007-07-09 18:13 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-05-25 17:25 . 2007-07-06 18:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
2009-05-25 17:24 . 2009-05-25 17:24 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-05-25 17:21 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-05-25 17:21 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-05-25 17:21 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-05-25 17:21 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2009-05-25 17:20 . 2009-05-25 17:34 186748 ----a-w- c:\windows\hpwins23.dat
2009-05-25 17:20 . 2008-10-25 09:30 1847 ------w- c:\windows\hpwmdl23.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 01:07 . 2008-11-07 00:59 884768 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-24 01:07 . 2008-11-07 00:59 4104 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-24 01:06 . 2008-11-07 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-24 01:03 . 2008-11-07 00:59 4275744 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-24 01:03 . 2008-11-07 00:59 34484 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-20 21:37 . 2008-12-20 02:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-11 01:46 . 2009-03-01 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-25 17:29 . 2006-08-04 14:39 -------- d-----w- c:\program files\HP
2009-05-22 18:09 . 2006-08-04 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-20 13:30 . 2008-11-07 01:00 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-20 13:30 . 2008-11-07 01:00 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-19 03:28 . 2009-01-27 04:25 -------- d-----w- c:\program files\MSN Games
2009-05-15 03:31 . 2009-01-27 04:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-13 05:15 . 2004-08-10 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-08 14:32 . 2006-08-04 14:49 90128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-08 02:33 . 2006-08-04 14:53 -------- d-----w- c:\program files\Microsoft Works
2009-05-07 15:32 . 2004-08-10 04:00 345600 ------w- c:\windows\system32\localspl.dll
2009-04-29 00:25 . 2009-04-29 00:25 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-04-29 00:25 . 2009-04-29 00:25 -------- d-----w- c:\program files\NETGEAR
2009-04-17 12:26 . 2004-08-10 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-07 01:36 . 2009-04-07 01:36 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-29 01:18 . 2009-04-26 13:22 210480 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-03-29 01:18 . 2005-08-31 04:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2007-01-21 00:14 . 2008-11-07 00:04 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-13 4351216]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-02-05 201992]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 7:29 PM 33808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/25/2008 9:07 PM 24592]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-23 20:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1464)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(2564)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-06-24 20:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 01:11

Pre-Run: 214,837,379,072 bytes free
Post-Run: 215,418,314,752 bytes free

221 --- E O F --- 2009-06-23 03:29

Old 24th June 2009   #14
broni (Malware Analyst)
Join Date: Aug 2002
Location: Daly City, CA
Posts: 4,696
Computer Experience: intermediate

Upload kl1.sys.vir file located in C:\Qoobox\Quarantine to http://www.virustotal.com/ for security check.
Old 24th June 2009   #15
sgngracie (Member)
Join Date: Jun 2009
Posts: 19
Computer Experience: Beginner

Done -- results below.


File has already been analysed:
MD5: 45056287cdd70803bad130bf71fe6890
First received: 2009.02.12 08:53:04 UTC
Date: 2009.06.20 19:51:35 UTC [>3D]
Results: 0/40
Permalink: analisis/c6cd7c0046ae7958160611e67ee71d20d3cd32f260d77821b7aa223926dbbb4e-1245527495
