
System monitor found: potentially rootkit-masked files

Discussion in 'Malware and Virus Removal Archive' started by mkalomvo, 2006/08/27.

Thread Status:
Not open for further replies.
  1. 2006/08/27
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    After downloading utorrent with mp3s, I got NSIS media extension Trojan (inside MOZILLA FIREFOX, the latest version).

    I deleted it with TROJAN HUNTER.

    A computer technician came and saw that my PC had no virus.

    The NSIS was found by WEBROOT SPY SWEEPER.

    …Now it finds this:

    “System monitor found: potentially rootkit-masked files”

    I asked SPY SWEEPER to always remove it and to put it to Quarantine.

    What can I do so that I won’t see this message again?

    Also I want to be certain that my ebanking is SAFE, because this is the message I get from this threat (when I read about it in SPY SWEEPER’s help) !!!!

    Please heeeeeeeelp meeee!!!!

    Thanks,
    Maggie


    **** I WILL COPY THREE DIFFERENT THREADS WITH THE LOG FILES OF 3 PROGRAMS.


    ...and yes, I have seen the other posts regarding this....
     
  2. 2006/08/27
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    HIJACK THIS log !

    HIJACK THIS:


    Logfile of HijackThis v1.99.1
    Scan saved at 9:22:52 μμ, on 27/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\WINDOWS\system32\Pelmiced.exe
    C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\adm\IUService.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\WFXSVC.EXE
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HJT\analyse.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Systran40pemls.IEPlugIn - {D3919E62-D6A5-11D6-AC3E-00B0D094B576} - C:\Program Files\Systran\4_0\PersonalWOI\IEPlugIn.dll
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe "
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe "
    O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe "
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {231ED520-8AE2-46B8-830A-23BF937C9FA4} (B_Link.BL_RTxaa) - http://www.reporter.gr/RT-xaa/RTxaa_UC.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2117C2FC-E352-434D-9A9A-72E09E37C026}: NameServer = 195.170.0.1,195.170.2.2
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
    O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\adm\IUService.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
     


  4. 2006/08/27
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    ...cannot post log files....

    cannot post log files....

    from SPYSWEEPER, and ROOTKIT REVEAL....

    too long files...

    I wish I could insert them as attachments and upload them ....
     
  5. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome to WindowsBBS Forums.

    I am fairly certain that what Spy Sweeper found is more likely to be a false positive.
    Meaning they are not rootkit-masked files.

    By using this setting in your scans it will more times than not produce false readings. True rootkit detection is far beyond an app like SpySweeper.

    Your log file looks fine.
     
  6. 2006/08/28
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    Thank you very much ! :)

    I ran a new SPYSWEEPER test. It ran for 4 hours and froze before the end, without finding anything...

    How can I fix SPYSWEEPER? I don't want to get rid of it....

    WHAT DO YOU MEAN "By using this setting in your scans "? What setting? :confused:

    "True rootkit detection is far beyond an app like SpySweeper." WHICH APPLICATION DO YOU WANT ME TO USE ? :confused:

    Maggie
     
  7. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    What version of SpySweeper are you currently using? Many users have had problems with v5.0.7 build 1608. Maybe try going back to v4.5

    There is a setting in the shield tab to check for root kits, untick this option.

    You really don't need to run any rootkit tools on any regular basis. Not many people get them and it's likely you would have a bunch of other malwares to deal with first before someone would suggest running a rootkit detector. 99 times out of 100, users who get root kitted spend a day or two cleaning up all kinds of junk then have problems that cannot be seen by the regular scanners.

    As your log file is clean, and you're not experiencing any unwanted symptoms, you should be fine.

    If it will make you feel better, I can suggest a couple of tools for you to run and post logs.

    Let me know.
     
  8. 2006/08/28
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    *** SPYSWEEPER 5.0.7 (build 1608) .... I just ...bought it ! What can I do?

    **** Yes, please !

    ***** Please suggest to me the best program, in case I have doubts .... :)

    ...unless I can run two or more....

    Thanks for the great job !
    Maggie
     
  9. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    You can either request support or try reading the Spy Sweeper Knowledgebase to see if your issue is covered and a fix for it available.

    Here are two you can run and are very simple to use.
    Please download RootKitRevealer from here

    Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire log file back into this thread for me to view.

    Download and run F-Secure Blacklight
    Double-click on bibeta.exe to run it.
    Click the *I accept* button near the bottom of that page.
    Download and run Blacklight click > scan then > next, next again then exit
    there will be a new text file near Blacklight. Post it please. The text file is named:
    fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
    !!Do not rename any files yet

    There are several anti-spyware apps that are very good. IMHO SpySweeper is one of them. Along with Ad-Aware and Spybot Search & Destroy, the three are fairly popular.

    Yes you can run more than one, tho depending on your system spex, I would caution doing this. I would only run one active registry tool tho, that would be Spy Sweeper in your case. The others can be used for on demand scanning if you think you're infected.

    Hope that's been helpful
     
  10. 2006/08/28
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    Rootkit Reveal is 10 MB and I cannot attach or copy and post it here...

    ....problem...

    What can I do for you to see it ?

    Do you have an email address?

    Thanks!
     
  11. 2006/08/28
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    F-Secure Blacklight

    This is the file if I made it correctly .... :)

    ***********************************************

    08/28/06 23:14:48 [Info]: BlackLight Engine 1.0.46 initialized
    08/28/06 23:14:48 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    08/28/06 23:14:48 [Note]: 7019 4
    08/28/06 23:14:48 [Note]: 7005 0
    08/28/06 23:14:56 [Note]: 7006 0
    08/28/06 23:14:56 [Note]: 7011 260
    08/28/06 23:14:57 [Note]: 7026 0
    08/28/06 23:14:57 [Note]: 7026 0
    08/28/06 23:14:57 [Note]: 7015 304
    08/28/06 23:14:57 [Note]: 7015 5
    08/28/06 23:14:57 [Note]: 7015 1016
    08/28/06 23:14:57 [Note]: 7015 5
    08/28/06 23:15:28 [Note]: FSRAW library version 1.7.1019
    08/28/06 23:20:27 [Note]: 7007 0


    ************************************************

    WHAT DO YOU THINK?

    Thank you very much for all your kind efforts!

    My pc works OK ...until now... :)

    Maggie
     
  12. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Nothing to worry about there. Next one.
     
  13. 2006/08/28
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    ROOTKIT REVEAL log !

    Rootkit Reveal is 10 MB and I cannot attach or copy and post it here...

    ....problem...

    What can I do for you to see it ?

    Do you have an email address?

    Thanks!
     
  14. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Are any of the file paths relating to volume\restore\recycler folders? If so, edit all of those out; they are of no threat and we can clean them out later. If RKR found that much actual nasty stuff your system would be unbootable and I'd recommend a reformat.
     
  15. 2006/08/28
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    Do you mean something like that?

    C:\System Volume Information\_restore{7AE3CF83-1F52-4C2E-AA03-8B6821E0D818}\RP32\A0088371.inf:KAVICHS

    ...there are tooooo .....many...... !!!!

    HOW CAN WE CLEAN THEM ?

    My pc WORKS GREAT !!!!!
     
  16. 2006/08/28
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    ROOTKIT REVEAL log !

    Do you mean something like that?

    C:\System Volume Information\_restore{7AE3CF83-1F52-4C2E-AA03-8B6821E0D818}\RP32\A0088371.inf:KAVICHS

    ...there are tooooo .....many...... !!!!

    HOW CAN WE CLEAN THEM ?

    My pc WORKS GREAT !!!!!

    Each program creates so many files reported in ROOTKIT REVEAL.... like KASPERSKY and all programs do that....

    DO I HAVE A PROBLEM? THE LOG FILE IS STILL HUGE....

    My IBM creates a complete backup (with the programs also)...

    I will do that tonight....
     
  17. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    No you do not have a problem. All those files are in your system restore which we can reset easily and clean them all out.

    Set New System Restore Point

    Elder Geek On System Restore

    By turning off then turning on system restore all those entries will be erased and a new point will be set; as well, new points will be automatically set periodically.

    Also, never turn off system restore, even if you think you have a problem. This way, if you should do something which disables the machine, you can always use system restore, an infected running system is better than a system which needs a reformat. I would however change the amount of space allocated by default to something more reasonable. If you have a large drive, I would cut it down by half perhaps.

    You can also find loads of reading on the Elder Geek website pertaining to XP.
     
  18. 2006/08/28
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    ROOTKIT REVEAL log !

    I deleted system volume files alone with CCleaner, emptying IE6 temp, cookies etc...!

    Even if I have 4 C:\System Volume Information\_restore{ such files now, my log is 7 MB...!!!

    I copy some files randomly for you to see:

    **********************************************

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLo 29/8/2006 3:03 4 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHi 29/8/2006 3:03 4 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLo 29/8/2006 3:03 4 bytes Data mismatch between Windows API and raw hive data.

    **********************************************

    C:\col5319\hpcd.sjp:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
    C:\col5319\locCHS.dll:KAVICHS 29/8/2006 4:34 68 bytes Hidden from Windows API.
    C:\col5319\locCHT.dll:KAVICHS 29/8/2006 4:34 68 bytes Hidden from Windows API.
    C:\col5319\locCSY.dll:KAVICHS 29/8/2006 4:34 68 bytes Hidden from Windows API.
    C:\col5319\locDAN.dll:KAVICHS 29/8/2006 4:34 68 bytes Hidden from Windows API.
    C:\col5319\locDEU.dll:KAVICHS 29/8/2006 4:34 68 bytes Hidden from Windows API.
    C:\col5319\locELL.dll:KAVICHS 29/8/2006 4:34 68 bytes Hidden from Windows API.

    **********************************************

    C:\Documents and Settings\Administrator\Application Data\desktop.ini:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\IBM\Access\access-config.ini:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\IBM\Access\welcome.html:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\description.ini:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\stats.awd:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004:KAVICHS 29/8/2006 4:34 68 bytes Hidden from Windows API.

    **********************************************

    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7lmtkfhl.default\prefs.js:KAVICHS 29/8/2006 4:34 68 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7lmtkfhl.default\search.rdf:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7lmtkfhl.default\secmod.db:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7lmtkfhl.default\signons.txt:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.

    **********************************************

    But there are more of these same files mentioned here above in my log !!!

    ALL MY PROGRAMS (...and they are plenty...) CREATED ...tons of such files....

    WHAT IS MY PROBLEM ?
     
  19. 2006/08/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    All of the items you posted with 'KAVICHS' are results from your antivirus, Kaspersky. It changes some files for faster scanning by adding an ADS portion to them.

    You can read more about that process here

    For the Firefox related items you can use ATF Cleaner by Atribune. It does a similar but somewhat more thorough job than CCleaner with regards to Firefox. Just follow the directions as stated on the page.

    Well, I think that's about it, eh?

    You should be good to go and maybe even learned a little bit more about how your PC works.

    Hope I have been helpful.
     
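    The explanation above (Kaspersky's ':KAVICHS' alternate data stream showing up as "Hidden from Windows API", the System Restore copies, and the huge log that results) can be turned into a small triage script. The following is an added example, not code from the thread or from any of the tools discussed: it parses RootkitRevealer discrepancy lines of the form "<path> <date> <time> <n> bytes <description>", sorts each one into a bucket the thread explains, and leaves only the unexplained remainder for a human to look at. The "group_policy_timestamp" rule is an assumption added from general RootkitRevealer experience (those values change while the scan runs) and is not explained in the thread; the sample log reuses lines posted above plus two constructed lines (the restore-point entry's date and size, and the "example_unknown.dll" line) so that every bucket is exercised.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# A RootkitRevealer discrepancy line has the shape
#   <path> <d/m/yyyy> <h:mm> <n> bytes <description>
# The path may contain spaces and a ":STREAMNAME" suffix, so it is matched
# lazily and anchored on the timestamp that follows it.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2})"
    r"\s+(?P<size>\d+)\s+bytes\s+(?P<desc>.+?)\s*$"
)


@dataclass
class Discrepancy:
    path: str
    size: int
    description: str
    category: str


def classify(path: str, description: str) -> str:
    """Map one discrepancy to a triage bucket; anything unexplained is 'review'."""
    p = path.lower()
    hidden = description.startswith("Hidden from Windows API")
    mismatch = description.startswith("Data mismatch")
    # Copies kept by System Restore; cleared by resetting the restore points.
    if p.startswith("c:\\system volume information\\_restore"):
        return "system_restore"
    # Kaspersky's alternate data stream (':KAVICHS') on a scanned file: the
    # stream, not the file, is what the Windows API does not enumerate.
    if hidden and p.endswith(":kavichs"):
        return "kaspersky_ads"
    # Assumption beyond the thread: Group Policy State timestamps are rewritten
    # while the scan runs, so the API view and the raw hive routinely differ.
    if mismatch and "\\group policy\\state\\" in p:
        return "group_policy_timestamp"
    return "review"


def parse_line(line: str) -> Discrepancy | None:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # separators, blank lines, headers
    path, desc = m.group("path"), m.group("desc")
    return Discrepancy(path, int(m.group("size")), desc, classify(path, desc))


def triage(log_text: str) -> list[Discrepancy]:
    return [d for d in (parse_line(l) for l in log_text.splitlines()) if d]


def summarize(records: list[Discrepancy]) -> dict[str, int]:
    return dict(Counter(r.category for r in records))


def needs_review(records: list[Discrepancy]) -> list[str]:
    """Paths no rule explained; these are the only ones worth a human's time."""
    return [r.path for r in records if r.category == "review"]


# Constructed sample: four lines as posted in the thread, one restore-point
# path from the thread with a made-up date and size, one made-up unknown file.
SAMPLE_LOG = r"""
**********************************************
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLo 29/8/2006 3:03 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHi 29/8/2006 3:03 4 bytes Data mismatch between Windows API and raw hive data.
C:\col5319\hpcd.sjp:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Application Data\desktop.ini:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{7AE3CF83-1F52-4C2E-AA03-8B6821E0D818}\RP32\A0088371.inf:KAVICHS 29/8/2006 4:34 36 bytes Hidden from Windows API.
C:\WINDOWS\system32\example_unknown.dll 29/8/2006 4:34 12288 bytes Hidden from Windows API.
"""

if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for cat, n in sorted(summarize(recs).items()):
        print(f"{cat:24} {n}")
    print("needs review:", needs_review(recs))
```

    Run against a real 7 MB RootkitRevealer log, the summary collapses thousands of KAVICHS and restore-point lines into counts, and needs_review() is the short list to check by hand. A file in that list is not proof of a rootkit; it only means none of the benign explanations from this thread applied to it.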
  20. 2006/08/29
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    You are a very ...good school for me ... :)

    But I am still afraid why do I get this huge log... Do you think KASPERSKY scans all my programs and files and then gives me the 7 MB log?

    ...because what I copied for you to see was the smallest part ....

    Thank you so much,
    Maggie
     
  21. 2006/08/29
    mkalomvo

    mkalomvo Inactive Thread Starter

    Joined:
    2006/08/27
    Messages:
    14
    Likes Received:
    0
    GMER log !

    I copy here a GMER log file... :)

    What do you think ?

    GMER:

    GMER 1.0.10.10122 - http://www.gmer.net
    Rootkit 2006-08-29 11:25:19
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.10 ----

    SSDT 82F88B70 ZwAllocateVirtualMemory
    SSDT \SystemRoot\System32\drivers\klif.sys ZwClose
    SSDT 82FAD588 ZwCreateKey
    SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateProcess
    SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateProcessEx
    SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateSection
    SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateThread
    SSDT 82FAD510 ZwDeleteKey
    SSDT 82F4C148 ZwDeleteValueKey
    SSDT kl1.sys ZwOpenFile
    SSDT \SystemRoot\System32\drivers\klif.sys ZwOpenProcess
    SSDT \SystemRoot\System32\drivers\klif.sys ZwQueryInformationFile
    SSDT \SystemRoot\System32\drivers\klif.sys ZwQuerySystemInformation
    SSDT 82F88BE8 ZwQueueApcThread
    SSDT 82F88A80 ZwReadVirtualMemory
    SSDT 82F89148 ZwRenameKey
    SSDT \SystemRoot\System32\drivers\klif.sys ZwResumeThread
    SSDT 82F88CD8 ZwSetContextThread
    SSDT 82FD2750 ZwSetInformationKey
    SSDT \SystemRoot\System32\drivers\klif.sys ZwSetInformationProcess
    SSDT 82F88D50 ZwSetInformationThread
    SSDT 82F4C1C0 ZwSetValueKey
    SSDT 82F88EB8 ZwSuspendProcess
    SSDT \SystemRoot\System32\drivers\klif.sys ZwSuspendThread
    SSDT \SystemRoot\System32\drivers\klif.sys ZwTerminateProcess
    SSDT 82F88DC8 ZwTerminateThread
    SSDT 82F88AF8 ZwWriteVirtualMemory
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[284]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[285]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[286]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[287]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[288]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[289]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[290]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[291]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[292]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[293]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[294]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[295]
    SSDT \SystemRoot\System32\drivers\klif.sys SSDT[296]

    ---- EOF - GMER 1.0.10 ----
     
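    The GMER log above got no reply in the thread, so here is an added example (not code from the thread or from GMER) of how a responder would read it. Every "SSDT" line names a system-call table entry and either the driver that hooks it or, when GMER could not attribute the hook to a loaded module, a bare address. The script groups hooks by module and separates the unattributed ones; the mapping of klif.sys and kl1.sys to Kaspersky Lab is added from general knowledge (the HijackThis log earlier in the thread shows Kaspersky Anti-Virus Personal installed), and the sample is a constructed subset of the lines posted above.

```python
from __future__ import annotations

import re
from collections import defaultdict

# One GMER SSDT line: "SSDT <hook target> <service name>". The target is a
# module path (hook inside a loaded driver), a bare module name, or a raw
# hex address that GMER could not attribute to any loaded module.
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>\S+)\s+(?P<service>\S+)\s*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Drivers of the antivirus product shown installed in the HijackThis log.
# Assumption added for this example, not something GMER itself reports.
KNOWN_DRIVERS = {"klif.sys": "Kaspersky Lab", "kl1.sys": "Kaspersky Lab"}


def parse_gmer(text: str) -> list[tuple[str, str]]:
    """Return (target, service) pairs for every SSDT line, in log order."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append((m.group("target"), m.group("service")))
    return hooks


def module_of(target: str) -> str | None:
    """Basename of the hooking module, or None when GMER only had an address."""
    if HEX_RE.match(target):
        return None
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hooks_by_module(hooks: list[tuple[str, str]]) -> dict[str, list[str]]:
    grouped: dict[str, list[str]] = defaultdict(list)
    for target, service in hooks:
        mod = module_of(target)
        if mod is not None:
            grouped[mod].append(service)
    return dict(grouped)


def unresolved_hooks(hooks: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Hooks reported as bare addresses; these need manual attribution."""
    return [(t, s) for t, s in hooks if module_of(t) is None]


def report(hooks: list[tuple[str, str]]) -> list[str]:
    lines = []
    for mod, services in sorted(hooks_by_module(hooks).items()):
        owner = KNOWN_DRIVERS.get(mod, "unknown vendor")
        lines.append(f"{mod} ({owner}): {len(services)} hooks")
    unresolved = unresolved_hooks(hooks)
    if unresolved:
        lines.append(
            f"{len(unresolved)} hooks at unattributed addresses: "
            "check them against the loaded-module address ranges"
        )
    return lines


# Constructed subset of the SSDT lines posted in the thread.
SAMPLE_GMER = r"""
---- System - GMER 1.0.10 ----

SSDT 82F88B70 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\drivers\klif.sys ZwClose
SSDT 82FAD588 ZwCreateKey
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateProcess
SSDT kl1.sys ZwOpenFile
SSDT \SystemRoot\System32\drivers\klif.sys ZwTerminateProcess
SSDT 82F88AF8 ZwWriteVirtualMemory
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[284]

---- EOF - GMER 1.0.10 ----
"""

if __name__ == "__main__":
    for line in report(parse_gmer(SAMPLE_GMER)):
        print(line)
```

    Hooks that resolve to the installed security product's own drivers are the expected cost of running it; the bare-address entries are the ones a responder follows up on, by checking whether each address falls inside a module that a driver listing can name. The thread's own conclusion stands: an SSDT full of Kaspersky hooks on a machine with Kaspersky installed is not, by itself, a sign of a rootkit.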