
HELP PLS trojan.win32.patched.kl



#1 Monki1 (Member, 10 posts)
Hi Guys,

I need some help and I'm not that tech savvy.

Up until the weekend, I knew I had a malware trojan but Kaspersky PURE & Malwarebytes were not detecting this.

Kaspersky updated overnight last Friday and it now recognises I have Trojan.Win32.Patched.kl, which has infected both winlogon.exe & explorer.exe.

This does not seem to be disinfecting on the restart; I've tried both Kaspersky PURE & Malwarebytes full scans, even in safe mode, and it's still infected.

Can someone please assist?

#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Download ComboFix here:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3 Monki1 (Topic Starter, Member, 10 posts)
Firstly, thanks for the help hey!

The first run of ComboFix I couldn't get the report, as it froze on restart.

Second scan completed and here it is:

ComboFix 10-11-17.02 - leigh biggar 18/11/2010 18:36:29.2.2 - x86
Running from: c:\documents and settings\leigh biggar.DISNDAT\Desktop\ComboFix.exe
AV: Kaspersky PURE *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky PURE *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\jestertb.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
D:\Autorun.inf

-- Previous Run --

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

--------

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP23\A0023469.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
.

2010-11-14 05:25 . 2010-11-14 05:25 -------- d-----w- c:\program files\Veetle
2010-11-08 13:53 . 2010-11-08 13:53 -------- d-----w- c:\documents and settings\leigh biggar.DISNDAT\Application Data\Kaspersky Lab
2010-11-04 06:22 . 2010-11-04 16:42 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2010-11-04 05:18 . 2010-11-04 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\RegAce
2010-11-04 05:17 . 2010-11-04 06:12 -------- d-----w- c:\windows\RegAce
2010-10-20 22:32 . 2010-10-20 22:32 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 06:53 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 08:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 08:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 01:23 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-10 05:58 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 00:17 . 2010-09-08 00:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 00:17 . 2010-09-08 00:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2004-08-04 08:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 08:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 08:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 08:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-05-20 14:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 08:00 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"= "c:\program files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" [2008-01-04 57344]

[HKEY_CLASSES_ROOT\clsid\{9cb65206-89c4-402c-ba80-02d8c59f9b1d}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2009-12-25 05:42 129552 ----a-w- c:\program files\Kaspersky Lab\Kaspersky PURE\shellex.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-11-29 2594224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-09 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-11-22 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DeleteLog"="c:\windows\system32\oobe\DeleteLog.exe" [2005-01-06 36864]
"YeppStudioAgent"="c:\program files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe" [2005-10-11 40960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky PURE\avp.exe" [2009-12-25 340456]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2010-02-16 136744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
Logitech Harmony Remote.lnk - c:\program files\Logitech\Harmony Remote\harmonyClient.exe [2005-4-18 1478144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 08:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-08-20 19:45 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-04 07:56 135664 ----atw- c:\documents and settings\leigh biggar.DISNDAT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 03:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2009-11-29 01:01 2594224 ----a-w- c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-23 15:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 00:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-03-09 02:02 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-02-16 11:27 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky PURE\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [7/08/2010 12:16 AM 88632]
R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 9:18 PM 36880]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [20/04/2010 1:22 AM 207280]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [7/08/2010 12:16 AM 39352]
R2 BTCAP;Bluetooth, WDM Video Capture;c:\windows\system32\drivers\BTCap.sys [29/01/2007 10:18 PM 276620]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [8/02/2010 8:50 AM 14976]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [6/08/2010 11:56 PM 30104]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2/10/2009 7:39 PM 19472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20/04/2010 12:45 AM 20952]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [6/08/2010 11:56 PM 30104]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 1:42 PM 32272]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [6/05/2008 5:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:50]

2010-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322152454-2414128223-2791606390-1006Core1cb7107d24175ea.job
- c:\documents and settings\leigh biggar.DISNDAT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-04 07:56]

2010-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322152454-2414128223-2791606390-1006UA.job
- c:\documents and settings\leigh biggar.DISNDAT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-04 07:56]

2010-11-18 c:\windows\Tasks\User_Feed_Synchronization-{9AF66458-1395-4F7A-9B60-5A9A883A6B89}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\leigh biggar.DISNDAT\Application Data\Mozilla\Firefox\Profiles\xwl6kqf1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\leigh biggar.DISNDAT\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\leigh biggar.DISNDAT\Application Data\Mozilla\Firefox\Profiles\xwl6kqf1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\KavLinkFilter.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\leigh biggar.DISNDAT\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 18:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{129e3fc6-af4a-40ab-8c6c-f083fbdcdd5d}]
@Denied: (Full) (Everyone)
"Model"=dword:00000044
"Therad"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c1,91,f0,c8,dd,02,ef,ba,7b,54,1d,05,ab,97,ac,5b,ac,06,10,05,b3,
16,8a,81,a7,83,17,4a,46,2c,ae,74,1e,07,5b,07,52,d2,d7,8f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):92,d0,be,b2,fd,b2,4d,31,22,8d,49,19,af,14,e2,79,e8,02,27,5c,16,
67,59,4f,a2,29,b6,0d,c0,f4,ff,cd,e4,9f,2a,f2,ec,0b,21,64,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9383e17e-cf87-47ac-a7d6-1a43b9b416fd}]
@Denied: (Full) (Everyone)
"Model"=dword:0000007e
"Therad"=dword:0000001b
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,05,7c,0d,4d,4b,87,4b,c6,33,bd,bd,65,1f,10,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1700)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Internet Download Manager\idmmkb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Spyware Doctor\pctsAuxs.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\progra~1\HPQ\SHARED\HPQTOA~1.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2010-11-18 19:06:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-18 08:05

Pre-Run: 17,804,189,696 bytes free
Post-Run: 17,763,291,136 bytes free

- - End Of File - - 94CEAE8CB029E3F808A6A62E5AC48E5A
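
The ComboFix log above is long, and the lines that matter for a Patched-style infection are easy to miss among the startup entries. As an added example (not part of this thread and not ComboFix's own tooling), here is a small Python parser that pulls them out: which system binaries were disinfected and where the replacement copy came from, whether an Internet Explorer proxy points at loopback, which Security Center checks were overridden, and which registry keys have an ACL that denies Everyone. `parse_combofix`, `report` and `Findings` are names chosen here, and the sample log is constructed from lines quoted in post #3.

```python
"""Extract the security-relevant findings from a ComboFix log (added example,
not ComboFix's code). SAMPLE_LOG is constructed from lines quoted in post #3
above, trimmed to the parts this parser reads."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP23\A0023469.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
------- Supplementary Scan -------
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{129e3fc6-af4a-40ab-8c6c-f083fbdcdd5d}]
@Denied: (Full) (Everyone)
"Model"=dword:00000044
"""

INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (?P<src>.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.I)
# XP keeps copies of the shipped binaries under ServicePackFiles\i386; a
# replacement taken from anywhere else (a System Restore point here) needs checking.
CANONICAL_SRC = re.compile(r"\\ServicePackFiles\\i386\\", re.I)


@dataclass
class Findings:
    disinfected: List[Tuple[str, str]] = field(default_factory=list)  # (path, restored from)
    restores_to_verify: List[str] = field(default_factory=list)
    proxy: Optional[str] = None
    loopback_proxy: bool = False
    security_center_overrides: List[Tuple[str, str]] = field(default_factory=list)
    locked_keys: List[str] = field(default_factory=list)


def parse_combofix(text: str) -> Findings:
    f = Findings()
    current_key: Optional[str] = None  # last [HKEY...] section header seen
    pending: Optional[str] = None      # infected path waiting for its "Restored copy" line
    for raw in text.splitlines():
        line = raw.strip()
        if m := INFECTED_RE.match(line):
            pending = m.group("path")
        elif (m := RESTORED_RE.match(line)) and pending:
            src = m.group("src")
            f.disinfected.append((pending, src))
            if not CANONICAL_SRC.search(src):
                f.restores_to_verify.append(pending)
            pending = None
        elif m := PROXY_RE.match(line):
            f.proxy = m.group("proxy")
            f.loopback_proxy = bool(LOOPBACK_RE.search(f.proxy))
        elif m := KEY_RE.match(line):
            current_key = m.group("key")
        elif line.startswith("@Denied") and current_key:
            f.locked_keys.append(current_key)  # ACL denies Everyone: not readable or cleanable normally
        elif (m := DWORD_RE.match(line)) and current_key and "security center" in current_key.lower():
            name, val = m.group("name"), int(m.group("val"), 16)
            if val and (name.endswith("Override") or name == "DisableMonitoring"):
                f.security_center_overrides.append((current_key, name))
    return f


def report(f: Findings) -> List[str]:
    lines = [f"disinfected {p} (restored from {s})" for p, s in f.disinfected]
    lines += [f"VERIFY {p}: replacement did not come from ServicePackFiles" for p in f.restores_to_verify]
    if f.proxy:
        tag = " (loopback: find out which process listens there)" if f.loopback_proxy else ""
        lines.append(f"IE proxy configured: {f.proxy}{tag}")
    lines += [f"Security Center check disabled: {k} -> {n}" for k, n in f.security_center_overrides]
    lines += [f"locked key (Everyone denied): {k}" for k in f.locked_keys]
    return lines


if __name__ == "__main__":
    for entry in report(parse_combofix(SAMPLE_LOG)):
        print(entry)
```

Run it against a saved C:\ComboFix.txt by reading the file into `parse_combofix` instead of `SAMPLE_LOG`; the "VERIFY" lines are the ones to follow up first, since a binary restored from a restore point has no better provenance than the snapshot it came from.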

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Update MBAM, run a quick scan and post that log here.

#5 Monki1 (Topic Starter, Member, 10 posts)
Sorry, I don't understand "update mbam?" Malwarebytes?

#6 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Yes, Malwarebytes, sorry bout that.

#7 Monki1 (Topic Starter, Member, 10 posts)
Sorry about the delay, here it is:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5150

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/11/2010 7:45:49 PM
mbam-log-2010-11-19 (19-45-49).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 323527
Time elapsed: 2 hour(s), 21 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky is still saying "Threats detected"; when I click "Fix it now" it's not doing anything?

#8 Monki1 (Topic Starter, Member, 10 posts)
I've completed a full scan with Kaspersky and no threats were detected, yet I'm still getting a message saying that my computer is at risk: "threats detected".

Could it mean that I need to repair Kaspersky?

#9 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Can you get a log from Kaspersky of that?

#10 Monki1 (Topic Starter, Member, 10 posts)
Sorry Dude,

I've tried so many times to get this log; for some reason my laptop is running extremely slowly and freezing.

#11 Monki1 (Topic Starter, Member, 10 posts)
I've just copied this from the last 2 days in Kaspersky reports... it's the best I can do.

19/11/2010 5:13:45 PM Anti-Spam Task started Kaspersky PURE Anti-Spam
19/11/2010 5:13:45 PM File Anti-Virus Task started Kaspersky PURE File Anti-Virus
19/11/2010 5:13:45 PM Firewall Task started Kaspersky PURE Firewall
19/11/2010 5:13:46 PM Mail Anti-Virus Task started Kaspersky PURE Mail Anti-Virus
19/11/2010 5:13:46 PM Network Attack Blocker Task started Kaspersky PURE Network Attack Blocker
19/11/2010 5:13:46 PM Application Control Task started Kaspersky PURE Application Control
19/11/2010 5:13:46 PM IM Anti-Virus Task started Kaspersky PURE IM Anti-Virus
19/11/2010 5:13:46 PM Web Anti-Virus Task started Kaspersky PURE Web Anti-Virus
19/11/2010 5:13:46 PM Proactive Defense Task started Kaspersky PURE Proactive Defense
19/11/2010 5:14:46 PM Application Control Denied: Start Cpqset.exe Start Start
19/11/2010 5:15:05 PM Application Control Allowed: Low level disk access SamsungMediaStudioAgent Low level disk access Device\CdRom0 Low level disk access
19/11/2010 5:15:06 PM Application Control Allowed: Setting debug privileges SamsungMediaStudioAgent Setting debug privileges Setting debug privileges
19/11/2010 5:15:10 PM Application Control Allowed: Using program interfaces of other process SamsungMediaStudioAgent Using program interfaces of other process c:\program files\samsung\samsung media studio\samsungmediastudioagent.exe Using program interfaces of other process
19/11/2010 5:15:27 PM Application Control Allowed: Changing object access rights Internet Download Manager (IDM) Changing object access rights REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} Changing object access rights
19/11/2010 5:15:53 PM Application Control Allowed: Start driver Absent Start driver C:\WINDOWS\SYSTEM32\DRIVERS\IPFLTDRV.SYS Start driver
19/11/2010 5:16:23 PM Application Control Allowed: Setting debug privileges Internet Download Manager (IDM) Setting debug privileges Setting debug privileges
19/11/2010 5:17:09 PM Application Control Allowed: Access to internal browser data Internet Download Manager agent for click monitoring in IE-based browsers Access to internal browser data Access to internal browser data
19/11/2010 5:17:09 PM Application Control Allowed: Using program interfaces of other process Internet Download Manager agent for click monitoring in IE-based browsers Using program interfaces of other process c:\program files\internet download manager\iemonitor.exe Using program interfaces of other process
19/11/2010 5:17:33 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
19/11/2010 5:25:02 PM Application Control Allowed: Start driver Absent Start driver C:\WINDOWS\SYSTEM32\DRIVERS\MBAMSWISSARMY.SYS Start driver
19/11/2010 5:28:40 PM My Update Center Task started Kaspersky PURE My Update Center
19/11/2010 5:30:42 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
19/11/2010 5:39:40 PM My Update Center Task completed Kaspersky PURE My Update Center
19/11/2010 5:43:50 PM Objects Scan Task started Kaspersky PURE <>
19/11/2010 6:22:53 PM Objects Scan Task completed Kaspersky PURE <>
19/11/2010 7:11:39 PM File Anti-Virus Detected: Trojan.Win32.Patched.kl Malwarebytes' Anti-Malware C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP23\A0023448.exe
19/11/2010 7:11:40 PM My Protection Threats have been detected Kaspersky PURE
19/11/2010 7:11:48 PM File Anti-Virus Disinfected: Trojan.Win32.Patched.kl Malwarebytes' Anti-Malware C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP23\A0023448.exe
19/11/2010 7:11:51 PM File Anti-Virus Disinfected: Trojan.Win32.Patched.kl Malwarebytes' Anti-Malware C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP23\A0023448.exe
19/11/2010 8:20:51 PM My Update Center Task started Kaspersky PURE My Update Center
19/11/2010 8:22:59 PM My Update Center Task completed Kaspersky PURE My Update Center
19/11/2010 8:27:53 PM Objects Scan Task started Kaspersky PURE <>
19/11/2010 9:44:12 PM Objects Scan Task completed Kaspersky PURE <>
19/11/2010 10:06:59 PM Application Control Windows® installer Placed in group Trusted Signed by the digital signature of entrusted manufacturers
19/11/2010 10:07:06 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
19/11/2010 10:15:13 PM My Protection Protection is not running Kaspersky PURE
19/11/2010 10:27:26 PM My Protection Threats have been detected Kaspersky PURE
19/11/2010 10:27:27 PM Anti-Spam Task started Kaspersky PURE Anti-Spam
19/11/2010 10:27:27 PM Application Control Task started Kaspersky PURE Application Control
19/11/2010 10:27:27 PM Network Attack Blocker Task started Kaspersky PURE Network Attack Blocker
19/11/2010 10:27:27 PM Proactive Defense Task started Kaspersky PURE Proactive Defense
19/11/2010 10:27:27 PM IM Anti-Virus Task started Kaspersky PURE IM Anti-Virus
19/11/2010 10:27:27 PM Mail Anti-Virus Task started Kaspersky PURE Mail Anti-Virus
19/11/2010 10:27:27 PM Web Anti-Virus Task started Kaspersky PURE Web Anti-Virus
19/11/2010 10:27:27 PM File Anti-Virus Task started Kaspersky PURE File Anti-Virus
19/11/2010 10:27:42 PM Firewall Task started Kaspersky PURE Firewall
19/11/2010 10:28:25 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
19/11/2010 10:28:38 PM My Update Center Task started Kaspersky PURE My Update Center
Date: Today (events: 133)
20/11/2010 11:23:07 AM My Protection Threats have been detected Kaspersky PURE
20/11/2010 11:23:08 AM Anti-Spam Task started Kaspersky PURE Anti-Spam
20/11/2010 11:23:08 AM File Anti-Virus Task started Kaspersky PURE File Anti-Virus
20/11/2010 11:23:08 AM Firewall Task started Kaspersky PURE Firewall
20/11/2010 11:23:08 AM Application Control Task started Kaspersky PURE Application Control
20/11/2010 11:23:08 AM IM Anti-Virus Task started Kaspersky PURE IM Anti-Virus
20/11/2010 11:23:08 AM Network Attack Blocker Task started Kaspersky PURE Network Attack Blocker
20/11/2010 11:23:08 AM Proactive Defense Task started Kaspersky PURE Proactive Defense
20/11/2010 11:23:08 AM Web Anti-Virus Task started Kaspersky PURE Web Anti-Virus
20/11/2010 11:23:08 AM Mail Anti-Virus Task started Kaspersky PURE Mail Anti-Virus
20/11/2010 11:23:08 AM My Protection Your computer is protected Kaspersky PURE
20/11/2010 11:23:45 AM Application Control Denied: Start Cpqset.exe Start Start
20/11/2010 11:24:11 AM Application Control Allowed: Low level disk access SamsungMediaStudioAgent Low level disk access Device\CdRom0 Low level disk access
20/11/2010 11:24:13 AM Application Control Allowed: Setting debug privileges SamsungMediaStudioAgent Setting debug privileges Setting debug privileges
20/11/2010 11:24:18 AM Application Control Allowed: Using program interfaces of other process SamsungMediaStudioAgent Using program interfaces of other process c:\program files\samsung\samsung media studio\samsungmediastudioagent.exe Using program interfaces of other process
20/11/2010 11:24:22 AM Application Control Allowed: Changing object access rights Internet Download Manager (IDM) Changing object access rights REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} Changing object access rights
20/11/2010 11:24:47 AM Application Control Allowed: Setting debug privileges Internet Download Manager (IDM) Setting debug privileges Setting debug privileges
20/11/2010 11:25:18 AM Application Control Allowed: Access to internal browser data Internet Download Manager agent for click monitoring in IE-based browsers Access to internal browser data Access to internal browser data
20/11/2010 11:25:18 AM Application Control Allowed: Using program interfaces of other process Internet Download Manager agent for click monitoring in IE-based browsers Using program interfaces of other process c:\program files\internet download manager\iemonitor.exe Using program interfaces of other process
20/11/2010 11:25:47 AM Application Control Allowed: Start driver Absent Start driver C:\WINDOWS\SYSTEM32\DRIVERS\IPFLTDRV.SYS Start driver
20/11/2010 11:25:53 AM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
20/11/2010 11:41:34 AM My Update Center Task started Kaspersky PURE My Update Center
20/11/2010 11:55:17 AM Objects Scan Task started Kaspersky PURE <>
20/11/2010 11:56:52 AM Objects Scan Task completed Kaspersky PURE <>
20/11/2010 11:58:17 AM My Update Center Task completed Kaspersky PURE My Update Center
20/11/2010 12:10:23 PM File Anti-Virus Processing error Generic Host Process for Win32 Services C:\WINDOWS\Tasks\User_Feed_Synchronization-{9AF66458-1395-4F7A-9B60-5A9A883A6B89}.job Read error
20/11/2010 12:11:10 PM File Anti-Virus Processing error Generic Host Process for Win32 Services C:\WINDOWS\Tasks\User_Feed_Synchronization-{9AF66458-1395-4F7A-9B60-5A9A883A6B89}.job Read error
20/11/2010 12:15:44 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
20/11/2010 12:45:17 PM My Protection Threats have been detected Kaspersky PURE
20/11/2010 12:45:18 PM Application Control Task started Kaspersky PURE Application Control
20/11/2010 12:45:18 PM File Anti-Virus Task started Kaspersky PURE File Anti-Virus
20/11/2010 12:45:18 PM Anti-Spam Task started Kaspersky PURE Anti-Spam
20/11/2010 12:45:18 PM IM Anti-Virus Task started Kaspersky PURE IM Anti-Virus
20/11/2010 12:45:18 PM Mail Anti-Virus Task started Kaspersky PURE Mail Anti-Virus
20/11/2010 12:45:18 PM Proactive Defense Task started Kaspersky PURE Proactive Defense
20/11/2010 12:45:18 PM Network Attack Blocker Task started Kaspersky PURE Network Attack Blocker
20/11/2010 12:45:18 PM Firewall Task started Kaspersky PURE Firewall
20/11/2010 12:45:18 PM Web Anti-Virus Task started Kaspersky PURE Web Anti-Virus
20/11/2010 12:45:30 PM Application Control Allowed: Start driver Absent Start driver C:\WINDOWS\SYSTEM32\DRIVERS\HTTP.SYS Start driver
20/11/2010 12:45:53 PM Application Control Allowed: Low level disk access SamsungMediaStudioAgent Low level disk access Device\CdRom0 Low level disk access
20/11/2010 12:46:08 PM Application Control Allowed: Start driver Absent Start driver C:\WINDOWS\SYSTEM32\DRIVERS\IPFLTDRV.SYS Start driver
20/11/2010 12:46:10 PM Application Control Allowed: Changing object access rights Internet Download Manager (IDM) Changing object access rights REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} Changing object access rights
20/11/2010 12:46:28 PM Application Control Allowed: Setting debug privileges SamsungMediaStudioAgent Setting debug privileges Setting debug privileges
20/11/2010 12:46:38 PM Application Control Allowed: Using program interfaces of other process SamsungMediaStudioAgent Using program interfaces of other process c:\program files\samsung\samsung media studio\samsungmediastudioagent.exe Using program interfaces of other process
20/11/2010 12:46:42 PM Application Control Allowed: Setting debug privileges Internet Download Manager (IDM) Setting debug privileges Setting debug privileges
20/11/2010 12:48:40 PM My Protection Your computer is protected Kaspersky PURE
20/11/2010 12:48:49 PM Application Control Allowed: Access to internal browser data Internet Download Manager agent for click monitoring in IE-based browsers Access to internal browser data Access to internal browser data
20/11/2010 12:48:49 PM Application Control Allowed: Using program interfaces of other process Internet Download Manager agent for click monitoring in IE-based browsers Using program interfaces of other process c:\program files\internet download manager\iemonitor.exe Using program interfaces of other process
20/11/2010 12:49:01 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
20/11/2010 12:52:37 PM Application Control Adobe Reader 8.0 Placed in group c Signed by the digital signature of entrusted manufacturers
20/11/2010 12:52:40 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
20/11/2010 1:04:08 PM My Protection Threats have been detected Kaspersky PURE
20/11/2010 1:04:08 PM Anti-Spam Task started Kaspersky PURE Anti-Spam
20/11/2010 1:04:08 PM File Anti-Virus Task started Kaspersky PURE File Anti-Virus
20/11/2010 1:04:08 PM Firewall Task started Kaspersky PURE Firewall
20/11/2010 1:04:08 PM Application Control Task started Kaspersky PURE Application Control
20/11/2010 1:04:08 PM Network Attack Blocker Task started Kaspersky PURE Network Attack Blocker
20/11/2010 1:04:08 PM IM Anti-Virus Task started Kaspersky PURE IM Anti-Virus
20/11/2010 1:04:08 PM Mail Anti-Virus Task started Kaspersky PURE Mail Anti-Virus
20/11/2010 1:04:08 PM Proactive Defense Task started Kaspersky PURE Proactive Defense
20/11/2010 1:04:09 PM Web Anti-Virus Task started Kaspersky PURE Web Anti-Virus
20/11/2010 1:04:09 PM My Protection Your computer is protected Kaspersky PURE
20/11/2010 1:04:14 PM Application Control Allowed: Start driver Absent Start driver C:\WINDOWS\SYSTEM32\DRIVERS\HTTP.SYS Start driver
20/11/2010 1:04:16 PM Application Control Denied: Start Cpqset.exe Start Start
20/11/2010 1:04:49 PM Application Control Allowed: Low level disk access SamsungMediaStudioAgent Low level disk access Device\CdRom0 Low level disk access
20/11/2010 1:04:51 PM Application Control Allowed: Changing object access rights Internet Download Manager (IDM) Changing object access rights REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} Changing object access rights
20/11/2010 1:05:06 PM Application Control Allowed: Start driver Absent Start driver C:\WINDOWS\SYSTEM32\DRIVERS\IPFLTDRV.SYS Start driver
20/11/2010 1:05:20 PM Application Control Allowed: Setting debug privileges SamsungMediaStudioAgent Setting debug privileges Setting debug privileges
20/11/2010 1:05:37 PM Application Control Allowed: Using program interfaces of other process SamsungMediaStudioAgent Using program interfaces of other process c:\program files\samsung\samsung media studio\samsungmediastudioagent.exe Using program interfaces of other process
20/11/2010 1:05:38 PM Application Control Allowed: Setting debug privileges Internet Download Manager (IDM) Setting debug privileges Setting debug privileges
20/11/2010 1:07:10 PM Application Control Allowed: Access to internal browser data Internet Download Manager agent for click monitoring in IE-based browsers Access to internal browser data Access to internal browser data
20/11/2010 1:07:10 PM Application Control Allowed: Using program interfaces of other process Internet Download Manager agent for click monitoring in IE-based browsers Using program interfaces of other process c:\program files\internet download manager\iemonitor.exe Using program interfaces of other process
20/11/2010 1:07:34 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
20/11/2010 1:26:29 PM My Protection Threats have been detected Kaspersky PURE
20/11/2010 1:26:30 PM Firewall Task started Kaspersky PURE Firewall
20/11/2010 1:26:30 PM File Anti-Virus Task started Kaspersky PURE File Anti-Virus
20/11/2010 1:26:30 PM Anti-Spam Task started Kaspersky PURE Anti-Spam
20/11/2010 1:26:30 PM Proactive Defense Task started Kaspersky PURE Proactive Defense
20/11/2010 1:26:30 PM Application Control Task started Kaspersky PURE Application Control
20/11/2010 1:26:30 PM IM Anti-Virus Task started Kaspersky PURE IM Anti-Virus
20/11/2010 1:26:30 PM Mail Anti-Virus Task started Kaspersky PURE Mail Anti-Virus
20/11/2010 1:26:30 PM Network Attack Blocker Task started Kaspersky PURE Network Attack Blocker
20/11/2010 1:26:30 PM Web Anti-Virus Task started Kaspersky PURE Web Anti-Virus
20/11/2010 1:26:39 PM Application Control Denied: Start Cpqset.exe Start Start
20/11/2010 1:26:52 PM Application Control Allowed: Low level disk access SamsungMediaStudioAgent Low level disk access Device\CdRom0 Low level disk access
20/11/2010 1:26:53 PM Application Control Allowed: Setting debug privileges SamsungMediaStudioAgent Setting debug privileges Setting debug privileges
20/11/2010 1:27:00 PM Application Control Allowed: Setting debug privileges ActiveSync Connection Manager Setting debug privileges Setting debug privileges
20/11/2010 1:27:00 PM Application Control Allowed: Using program interfaces of other process ActiveSync Connection Manager Using program interfaces of other process c:\program files\microsoft activesync\wcescomm.exe Using program interfaces of other process
20/11/2010 1:27:00 PM Application Control Allowed: Using program interfaces of other process SamsungMediaStudioAgent Using program interfaces of other process c:\program files\samsung\samsung media studio\samsungmediastudioagent.exe Using program interfaces of other process
20/11/2010 1:27:12 PM Application Control Allowed: Changing object access rights Internet Download Manager (IDM) Changing object access rights REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} Changing object access rights
20/11/2010 1:27:44 PM Application Control Allowed: Start driver Absent Start driver C:\WINDOWS\SYSTEM32\DRIVERS\IPFLTDRV.SYS Start driver
20/11/2010 1:28:59 PM Application Control Allowed: Setting debug privileges Internet Download Manager (IDM) Setting debug privileges Setting debug privileges
20/11/2010 1:29:05 PM My Protection Your computer is protected Kaspersky PURE
20/11/2010 1:29:45 PM Application Control Allowed: Access to internal browser data Internet Download Manager agent for click monitoring in IE-based browsers Access to internal browser data Access to internal browser data
20/11/2010 1:29:46 PM Application Control Allowed: Using program interfaces of other process Internet Download Manager agent for click monitoring in IE-based browsers Using program interfaces of other process c:\program files\internet download manager\iemonitor.exe Using program interfaces of other process
20/11/2010 1:29:57 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
20/11/2010 2:05:21 PM My Protection Threats have been detected Kaspersky PURE
20/11/2010 2:05:25 PM File Anti-Virus Task started Kaspersky PURE File Anti-Virus
20/11/2010 2:05:25 PM Anti-Spam Task started Kaspersky PURE Anti-Spam
20/11/2010 2:05:26 PM IM Anti-Virus Task started Kaspersky PURE IM Anti-Virus
20/11/2010 2:05:26 PM Mail Anti-Virus Task started Kaspersky PURE Mail Anti-Virus
20/11/2010 2:05:26 PM Network Attack Blocker Task started Kaspersky PURE Network Attack Blocker
20/11/2010 2:05:26 PM Application Control Task started Kaspersky PURE Application Control
20/11/2010 2:05:26 PM Proactive Defense Task started Kaspersky PURE Proactive Defense
20/11/2010 2:05:26 PM Web Anti-Virus Task started Kaspersky PURE Web Anti-Virus
20/11/2010 2:05:26 PM Firewall Task started Kaspersky PURE Firewall
20/11/2010 2:06:09 PM Application Control MS DTC console program Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:06:18 PM Application Control Microsoft Out of Box Experience Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:06:20 PM Application Control Microsoft Windows Media Player Setup Utility Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:06:22 PM Application Control Blaster/Nachi Removal Tool Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:06:29 PM Application Control OLE32 Extensions for Win32 Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:07:30 PM Application Control Denied: Start Cpqset.exe Start Start
20/11/2010 2:07:59 PM Application Control Allowed: Low level disk access SamsungMediaStudioAgent Low level disk access Device\CdRom0 Low level disk access
20/11/2010 2:08:04 PM Application Control Microsoft ® Console Based Script Host Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:08:19 PM Application Control Allowed: Changing object access rights Internet Download Manager (IDM) Changing object access rights REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} Changing object access rights
20/11/2010 2:08:30 PM Application Control Allowed: Setting debug privileges SamsungMediaStudioAgent Setting debug privileges Setting debug privileges
20/11/2010 2:08:36 PM Application Control Registry Console Tool Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:08:39 PM Application Control Allowed: Setting debug privileges SamsungMediaStudioAgent Setting debug privileges Setting debug privileges
20/11/2010 2:08:40 PM Application Control TSCUINST.VBS Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:08:43 PM Application Control Allowed: Setting debug privileges SamsungMediaStudioAgent Setting debug privileges Setting debug privileges
20/11/2010 2:09:01 PM Application Control Allowed: Changing object access rights Internet Download Manager (IDM) Changing object access rights REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9383e17e-cf87-47ac-a7d6-1a43b9b416fd} Changing object access rights
20/11/2010 2:09:03 PM Application Control Allowed: Using program interfaces of other process SamsungMediaStudioAgent Using program interfaces of other process c:\program files\samsung\samsung media studio\samsungmediastudioagent.exe Using program interfaces of other process
20/11/2010 2:09:15 PM Application Control Allowed: Setting debug privileges Internet Download Manager (IDM) Setting debug privileges Setting debug privileges
20/11/2010 2:09:27 PM Application Control Allowed: Access to internal browser data Internet Download Manager agent for click monitoring in IE-based browsers Access to internal browser data Access to internal browser data
20/11/2010 2:09:27 PM Application Control Allowed: Using program interfaces of other process Internet Download Manager agent for click monitoring in IE-based browsers Using program interfaces of other process c:\program files\internet download manager\iemonitor.exe Using program interfaces of other process
20/11/2010 2:10:23 PM Application Control Allowed: Start driver Absent Start driver C:\WINDOWS\SYSTEM32\DRIVERS\IPFLTDRV.SYS Start driver
20/11/2010 2:10:31 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
20/11/2010 2:19:40 PM Application Control Firefox%20Setup%203.6.12[1].exe Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:19:44 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
20/11/2010 2:19:56 PM Application Control SETUP.EXE Placed in group Trusted Signed by the digital signature of entrusted manufacturers
20/11/2010 2:19:57 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
20/11/2010 2:45:41 PM Objects Scan Task started Kaspersky PURE Rootkit Scan
20/11/2010 2:46:30 PM Application Control Allowed: Setting debug privileges HARMONYCLIENT.EXE Setting debug privileges Setting debug privileges
  • 0
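The Kaspersky PURE event log pasted above is long, but every event has the same shape: a timestamp, a component name, then the event text. As an added example, not part of this thread or of Kaspersky's tooling, here is a small Python triage pass over a handful of constructed sample lines copied from that log. It separates the routine "Task started" and "Allowed" noise from the entries a reviewer would actually look at (denied program starts, file read errors, and the "Threats have been detected" flag); the component list and the buckets are assumptions chosen for this log format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Kaspersky PURE report components seen in the log; longest first so that
# "File Anti-Virus" is tried before the shorter names. (Assumed list.)
COMPONENTS = sorted([
    "Application Control", "Network Attack Blocker", "Proactive Defense",
    "IM Anti-Virus", "Mail Anti-Virus", "Web Anti-Virus", "File Anti-Virus",
    "Firewall", "My Update Center", "My Protection", "Anti-Spam", "Objects Scan",
], key=len, reverse=True)

# "20/11/2010 11:23:07 AM <rest of line>"
TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.*)$")

# Constructed sample: lines copied from the log above, plus its date separator.
SAMPLE = r"""Date: Today (events: 133)
20/11/2010 11:23:07 AM My Protection Threats have been detected Kaspersky PURE
20/11/2010 11:23:08 AM File Anti-Virus Task started Kaspersky PURE File Anti-Virus
20/11/2010 11:23:45 AM Application Control Denied: Start Cpqset.exe Start Start
20/11/2010 11:24:13 AM Application Control Allowed: Setting debug privileges SamsungMediaStudioAgent Setting debug privileges Setting debug privileges
20/11/2010 12:10:23 PM File Anti-Virus Processing error Generic Host Process for Win32 Services C:\WINDOWS\Tasks\User_Feed_Synchronization-{9AF66458-1395-4F7A-9B60-5A9A883A6B89}.job Read error
20/11/2010 2:06:09 PM Application Control MS DTC console program Placed in group Trusted Signed by the digital signature of entrusted manufacturers
""".splitlines()

@dataclass
class Event:
    timestamp: str
    component: str
    detail: str

def parse_event(line):
    """Split one report line into (timestamp, component, detail); None for separators."""
    m = TS_RE.match(line.strip())
    if not m:
        return None  # e.g. "Date: Today (events: 133)" carries no event
    ts, rest = m.groups()
    for comp in COMPONENTS:
        if rest.startswith(comp + " "):
            return Event(ts, comp, rest[len(comp) + 1:])
    return Event(ts, "Unknown", rest)

def triage(lines):
    """Count events per bucket and collect the ones worth a human look."""
    summary = Counter()
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        d = ev.detail
        if d.startswith("Threats have been detected"):
            summary["threat_flag"] += 1          # protection status, not a new detection
        elif d.startswith("Denied:"):
            summary["denied"] += 1               # a blocked start: check what the program is
            findings.append(f"{ev.timestamp} denied: {d}")
        elif d.startswith("Processing error"):
            summary["processing_error"] += 1     # scanner could not read a file
            findings.append(f"{ev.timestamp} read error: {d}")
        elif "Placed in group Trusted" in d:
            summary["trusted_placement"] += 1    # signed binary, routine
        elif d.startswith("Allowed:"):
            summary["allowed"] += 1
        elif d.startswith(("Task started", "Task completed")):
            summary["task"] += 1
        else:
            summary["other"] += 1
    return summary, findings

if __name__ == "__main__":
    counts, notes = triage(SAMPLE)
    print(dict(counts))
    print("\n".join(notes))
```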

#12
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
That's fine.



Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.



  • Open OTL
  • Under the Custom Scans/Fixes box at the bottom, paste the following:
    :Commands
    [clearallrestorepoints]
  • Click the Run Fix button at the top
  • It might ask you to reboot; if so, click YES



  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
  • Click on the CleanUp button.
  • Click Yes to begin the cleanup process and remove tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes



  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
  • 0

#13
Monki1

    Member

  • Topic Starter
  • Member
  • 10 posts
Howdy,

Ok, so I uninstalled ComboFix and ran OTL up to Custom scans/fixes, and on the restart everything loaded and then my laptop freezes... can't do any actions. Since that point I can't do anything on my laptop unless I'm in safe mode?
  • 0

#14
Monki1

    Member

  • Topic Starter
  • Member
  • 10 posts
Once again thanks for your help on this.

Just letting you know I've been posting on my iPhone or at work. I keep restarting my laptop and the same thing happens. Windows loads until complete, I click anywhere on the Desktop, icons & start menu, and it freezes.

Do you know what might be causing this or what I need to do to fix it?
  • 0
