Trojan wmpscfgs won't go away

Steps till now:
ran - rkill
ran - CCleaner
ran - ComboFix (log below)
ran - Malwarebytes (log below)
rebooted
ran - Malwarebytes again (virus back, log below)
HijackThis log

ComboFix 10-03-25.04 - dan 03/26/2010   7:30.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.991.598 [GMT -7:00]
Running from: c:\documents and settings\dan\Desktop\puppy.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\windows\system32\drivers\ciiq.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_tmktlugk


(((((((((((((((((((((((((   Files Created from 2010-02-26 to 2010-03-26  )))))))))))))))))))))))))))))))
.

2010-03-26 06:13 . 2010-03-26 06:13      --------      d--h--w-      c:\windows\system32\GroupPolicy
2010-03-26 04:33 . 2010-03-26 04:33      5115823      ----a-w-      c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-26 04:09 . 2010-03-26 04:09      --------      d-sh--w-      c:\documents and settings\LocalService\PrivacIE
2010-03-25 19:40 . 2010-03-26 02:20      27648      ----a-w-      c:\windows\system32\soundman.exe
2010-03-25 19:38 . 2010-03-25 19:38      --------      d-----w-      c:\documents and settings\dan\Application Data\A6EEF11C48597CE2C6EF0871033D990F
2010-03-23 15:03 . 2010-03-23 15:03      12464      ----a-w-      c:\windows\system32\avgrsstx.dll
2010-03-15 18:17 . 2008-04-13 18:45      15104      -c--a-w-      c:\windows\system32\dllcache\usbscan.sys
2010-03-15 18:17 . 2008-04-13 18:45      15104      ----a-w-      c:\windows\system32\drivers\usbscan.sys
2010-03-15 18:17 . 2001-08-18 05:36      5632      ----a-w-      c:\windows\system32\ptpusb.dll
2010-03-15 18:17 . 2008-04-14 00:12      159232      ----a-w-      c:\windows\system32\ptpusd.dll
2010-03-10 10:09 . 2009-10-23 15:28      3558912      -c----w-      c:\windows\system32\dllcache\moviemk.exe
2010-02-25 23:12 . 2010-03-25 22:06      --------      d-----w-      C:\$AVG
2010-02-25 23:12 . 2010-03-23 15:03      242696      ----a-w-      c:\windows\system32\drivers\avgtdix.sys
2010-02-25 23:12 . 2010-03-23 15:03      216200      ----a-w-      c:\windows\system32\drivers\avgldx86.sys
2010-02-25 23:12 . 2010-03-23 15:03      29512      ----a-w-      c:\windows\system32\drivers\avgmfx86.sys
2010-02-25 23:12 . 2010-03-26 08:57      --------      d-----w-      c:\windows\system32\drivers\Avg
2010-02-25 23:12 . 2010-02-25 23:12      --------      d-----w-      c:\program files\AVG
2010-02-25 23:11 . 2010-03-26 08:55      --------      d-----w-      c:\documents and settings\All Users\Application Data\avg9
2010-02-25 22:49 . 2010-02-25 22:49      --------      d-----w-      c:\program files\CCleaner
2010-02-25 07:37 . 2010-03-23 15:45      --------      d-----w-      c:\documents and settings\dan\Local Settings\Application Data\Temp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 07:47 . 2005-09-14 19:09      --------      d-----w-      c:\program files\Trend Micro
2010-03-26 04:33 . 2009-02-23 17:47      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-03-26 02:20 . 2005-09-30 16:57      --------      d-----w-      c:\program files\QuickTime
2010-02-25 22:53 . 2005-09-30 21:25      --------      d-----w-      c:\program files\Common Files\Symantec Shared
2010-02-25 22:52 . 2009-02-23 17:09      --------      d-----w-      c:\program files\NortonInstaller
2010-02-25 22:52 . 2006-10-11 16:52      --------      d-----w-      c:\program files\Norton AntiVirus
2010-02-18 21:39 . 2010-02-18 21:39      --------      d-----w-      c:\program files\Belarc
2010-02-02 15:32 . 2005-10-04 18:48      --------      d-----w-      c:\program files\Google
2010-01-07 23:07 . 2009-02-23 17:47      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-02-23 17:48      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2005-07-14 01:09      353792      ----a-w-      c:\windows\system32\drivers\srv.sys
2006-10-16 21:32 . 2006-08-18 20:11      60526      ----a-w-      c:\program files\mozilla firefox\components\jar50.dll
2006-10-16 21:32 . 2006-08-18 20:11      49256      ----a-w-      c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-16 21:32 . 2006-08-18 20:11      166000      ----a-w-      c:\program files\mozilla firefox\components\xpinstal.dll
.
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb04 .exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-26 27648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-03-26 27648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-23 15:03      12464      ----a-w-      c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask       .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2005-09-19 07:02      7083056      ----a-w-      c:\progra~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2010-03-26 02:20      27648      ----a-w-      c:\windows\system32\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/25/2010 4:12 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/25/2010 4:12 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/23/2010 8:03 AM 308064]
S0 fuhvj;fuhvj;c:\windows\system32\drivers\dvjk.sys --> c:\windows\system32\drivers\dvjk.sys [?]
S0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [7/14/2005 12:59 PM 24971]
S0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [7/14/2005 12:59 PM 85888]
S0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [7/14/2005 1:00 PM 89610]
S0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\sisraid1.sys [7/14/2005 1:00 PM 45568]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [7/14/2005 12:59 PM 77056]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 8:32 AM 135664]
S3 epcfw2k;SCM Parallel Port CF Driver;c:\windows\system32\drivers\epcfw2k.sys [9/30/2005 2:03 PM 144896]
.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 15:32]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 15:32]

2010-03-25 c:\windows\Tasks\User_Feed_Synchronization-{E683AA8F-5FEA-478C-A3A1-BD5216601726}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.msn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = local.,
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\dan\Application Data\Mozilla\Firefox\Profiles\um5xcp6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\dan\Application Data\Mozilla\Firefox\Profiles\um5xcp6g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\dan\Application Data\Mozilla\Firefox\Profiles\um5xcp6g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel",             1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad",                   false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",  "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 07:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,b4,85,f6,c1,30,9b,47,89,4e,8b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,b4,85,f6,c1,30,9b,47,89,4e,8b,\

[HKEY_USERS\S-1-5-21-3650595489-3520495155-735610258-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2800)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier .exe
.
**************************************************************************
.
Completion time: 2010-03-26  07:41:59 - machine was rebooted
ComboFix-quarantined-files.txt  2010-03-26 14:41
ComboFix2.txt  2010-03-26 14:04
ComboFix3.txt  2010-03-26 08:48
ComboFix4.txt  2010-03-26 04:28

Pre-Run: 41,859,477,504 bytes free
Post-Run: 41,822,879,744 bytes free

- - End Of File - - 7DE791F915CAD32E6F80802990D69CA7

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/26/2010 7:59:32 AM
mbam-log-2010-03-26 (07-59-32).txt

Scan type: Quick Scan
Objects scanned: 113824
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Second Malware scan
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/26/2010 8:07:47 AM
mbam-log-2010-03-26 (08-07-47).txt

Scan type: Quick Scan
Objects scanned: 113817
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\dan\Local Settings\temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Hijack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:54 AM, on 3/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier .exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128119622546
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 5597 bytes



HijackThis log as well.
Can someone help me with what I am missing from this nasty?

Tatonka88 asked:
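The ComboFix log above shows the whole persistence set at once: an HKLM Run value named Adobe_Reader that launches wmpscfgs.exe out of the Internet Explorer folder, At1.job through At24.job (one per hour) all pointing at that same binary, two Run-key binaries (GoogleToolbarNotifier.exe and wmpscfgs.exe) that are both 27648 bytes and dated 2010-03-26, and Security Center override values plus EnableFirewall=0. As an added example that is not part of the original post or of ComboFix, the Python below pulls those indicators out of a ComboFix log mechanically. The sample text is constructed from lines of the log above; the name/target mismatch rule, the At-job threshold and the size/date clustering are my own heuristics, not ComboFix output.

```python
"""Triage a ComboFix log excerpt for the persistence pattern seen in this thread.

Added example, not part of the original post or of ComboFix. SAMPLE_LOG is
constructed from lines of the log above; the heuristics are mine, not ComboFix's.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-26 27648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-03-26 27648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

2010-03-26 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 14:38]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 15:32]
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*'
                    r'\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]')
JOB_RE = re.compile(r'^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job)$', re.IGNORECASE)
JOB_TARGET_RE = re.compile(r'^- (?P<path>.+?) \[')
DWORD_ON_RE = re.compile(r'^"(?P<value>AntiVirusOverride|FirewallOverride|DisableMonitoring)"'
                         r'=dword:00000001')
FW_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def parse_combofix(text):
    """Pull Run values, scheduled-task targets and weakened-defence settings out of the log."""
    runs, jobs, weakened = [], [], []
    section, pending_job = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group('key')          # registry key the following values belong to
            continue
        m = RUN_RE.match(line)
        if m and section and section.lower().endswith('\\run'):
            runs.append({'hive': section, **m.groupdict()})
            continue
        m = JOB_RE.match(line)
        if m:
            pending_job = m.group('job')      # next "- <path> [...]" line is this job's target
            continue
        m = JOB_TARGET_RE.match(line)
        if m and pending_job:
            jobs.append({'job': pending_job, 'path': m.group('path')})
            pending_job = None
            continue
        m = DWORD_ON_RE.match(line)
        if m and section:
            weakened.append(f"{section}\\{m.group('value')}=1")
        elif FW_OFF_RE.match(line) and section:
            weakened.append(f"{section}\\EnableFirewall=0")
    return runs, jobs, weakened


def mismatched_run_values(runs):
    """Run values whose name advertises a product that never appears in the target path."""
    out = []
    for e in runs:
        tokens = re.findall(r'[a-z]{4,}', e['name'].lower())   # "adobe", "reader"
        if tokens and not any(t in e['path'].lower() for t in tokens):
            out.append(e)
    return out


def at_job_clusters(jobs, min_jobs=3):
    """Binaries launched by several At<N>.job entries (the hourly `at` scheduler pattern)."""
    by_target = defaultdict(list)
    for j in jobs:
        if re.search(r'\\At\d+\.job$', j['job'], re.IGNORECASE):
            by_target[j['path'].lower()].append(j['job'])
    return {t: sorted(n) for t, n in by_target.items() if len(n) >= min_jobs}


def size_date_clusters(runs):
    """Distinct Run-key binaries sharing byte size and date: one payload under several names."""
    by_sig = defaultdict(set)
    for e in runs:
        by_sig[(e['size'], e['date'])].add(e['path'].lower())
    return {sig: sorted(p) for sig, p in by_sig.items() if len(p) > 1}


def triage(text):
    runs, jobs, weakened = parse_combofix(text)
    return {
        'mismatched_run_values': [(e['name'], e['path']) for e in mismatched_run_values(runs)],
        'at_job_clusters': at_job_clusters(jobs),
        'size_date_clusters': size_date_clusters(runs),
        'weakened_defences': weakened,
    }


if __name__ == '__main__':
    for k, v in triage(SAMPLE_LOG).items():
        print(k, v)
```

Run it against the full log rather than the excerpt and the At-job cluster grows to all 24 entries; the Monitoring\DisableMonitoring values and the Symantec sub-keys also land in the weakened-defences list, which is the shape of a host whose Security Center has been told to stop reporting.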

optoma commented:
1> Run HitmanPro and see if it detects + removes it
http://www.surfright.nl/en/hitmanpro

2> Run ESET online scanner
Check "scan archives"

Under advanced options:
Have all three boxes checked

Attach its logfile
Location: C:\Program Files\EsetOnlineScanner\log.txt

ESET online scan http://www.eset.com/onlinescan/
Tatonka88 (author) commented:
HitmanPro found nothing, ESET found 2. Below is the log.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1621d053b3bc5f42bc9bd9b456cf693d
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-26 06:02:35
# local_time=2010-03-26 11:02:35 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 2397504 2397504 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=116273
# found=2
# cleaned=1
# scan_time=6731
C:\old hdd\Documents and Settings\Dan\Local Settings\Application Data\Identities\{5179F61A-7BBC-45BE-8C35-65F9831AC63D}\Microsoft\Outlook Express\Deleted Items.dbx      multiple threats (unable to clean)      00000000000000000000000000000000      I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir      Win32/Olmarik.VM trojan (cleaned - quarantined)      00000000000000000000000000000000      C
optoma commented:
Check this file out at VirusTotal. Post back results:
c:\windows\system32\drivers\dvjk.sys

Also go to c:\windows\tasks and delete those At*.job's

Reboot and run Mbam again
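Before deleting the At*.job files it is worth confirming what each one launches, since the Tasks folder shows only job names. The Python below is an added example, not from the thread or from any tool mentioned in it: it parses the application name out of a .job file as I read the MS-TSCH .JOB layout (a 68-byte fixed header; a 2-byte offset at byte 20 points at the length-prefixed UTF-16LE application name, followed by parameters, working directory, author and comment), so check that reading against the specification before relying on it on a real disk. The job images are constructed in memory to mimic At1.job through At3.job and the GoogleUpdate job from the log; they carry no trigger section, and the author string and the `--demo` argument are made up.

```python
"""Recover what each At<N>.job in a Tasks folder launches before deleting it.

Added example, not part of the thread. The .job layout follows my reading of the
MS-TSCH .JOB file format; the images below are constructed, not real scheduler files.
"""
import re
import struct
from collections import defaultdict

HEADER_LEN = 68   # FIXDLEN_DATA: versions, job UUID, offsets, priority, run time, status, flags, last run


def _ustr(s):
    """Length-prefixed UTF-16LE string as stored in .job files (length counts the null)."""
    enc = (s + '\x00').encode('utf-16-le')
    return struct.pack('<H', len(enc) // 2) + enc


def build_job(app, params='', author='constructed'):
    """Construct a minimal .job image (no triggers) for the demo; not a real scheduler file."""
    body = struct.pack('<H', 0)                              # Running Instance Count
    for field in (app, params, '', author, ''):              # app, parameters, working dir, author, comment
        body += _ustr(field)
    body += struct.pack('<HH', 0, 0)                         # User Data length, Reserved Data length
    body += struct.pack('<H', 0)                             # trigger count: none in this constructed image
    header = bytearray(HEADER_LEN)
    struct.pack_into('<HH', header, 0, 0x0500, 1)            # product version (XP era), file version
    struct.pack_into('<H', header, 20, HEADER_LEN + 2)       # App Name Len Offset: just past the instance count
    struct.pack_into('<H', header, 22, HEADER_LEN + len(body) - 2)   # Trigger Offset
    return bytes(header) + body


def parse_job(data):
    """Return application, parameters, working_dir, author and comment from a .job image."""
    if len(data) < HEADER_LEN + 2:
        raise ValueError('too short to be a .job file')
    app_off, = struct.unpack_from('<H', data, 20)
    pos, out = app_off, {}
    for key in ('application', 'parameters', 'working_dir', 'author', 'comment'):
        if pos + 2 > len(data):
            raise ValueError('truncated string section')
        n, = struct.unpack_from('<H', data, pos)             # character count, null included
        pos += 2
        raw = data[pos:pos + 2 * n]
        pos += 2 * n
        out[key] = raw.decode('utf-16-le', errors='replace').rstrip('\x00')
    return out


AT_JOB_RE = re.compile(r'^At\d+\.job$', re.IGNORECASE)


def at_job_targets(tasks):
    """tasks: {filename: bytes}. Group At<N>.job entries by the binary they launch."""
    by_target = defaultdict(list)
    for name, data in tasks.items():
        if AT_JOB_RE.match(name):
            by_target[parse_job(data)['application'].lower()].append(name)
    return {t: sorted(n, key=lambda s: int(re.search(r'\d+', s).group()))
            for t, n in by_target.items()}


# Constructed stand-ins for the Tasks folder listed in the ComboFix log.
SAMPLE_TASKS = {
    'At1.job': build_job(r'c:\program files\internet explorer\wmpscfgs.exe'),
    'At2.job': build_job(r'c:\program files\internet explorer\wmpscfgs.exe'),
    'At3.job': build_job(r'c:\program files\internet explorer\wmpscfgs.exe'),
    'GoogleUpdateTaskMachineCore.job': build_job(r'c:\program files\Google\Update\GoogleUpdate.exe', '--demo'),
}


if __name__ == '__main__':
    for target, names in at_job_targets(SAMPLE_TASKS).items():
        print(f'{len(names)} At jobs -> {target}: {", ".join(names)}')
```

On a live XP box read the files with `open(path, 'rb')` from c:\windows\Tasks. At<N>.job entries are the ones the `at` command creates, so `at /delete /yes` removes all of them in one step once you have recorded their targets; jobs that point at an already quarantined wmpscfgs.exe do nothing, but they still tell you the implant was scheduled to run every hour.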

Tatonka88 (author) commented:
There was no dvjk.sys in that folder; searched hard drives for it and came up blank.

Mbam came up with the 4 below.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/26/2010 1:04:15 PM
mbam-log-2010-03-26 (13-04-15).txt

Scan type: Quick Scan
Objects scanned: 114161
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\dan\Local Settings\temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) -> Quarantined and deleted successfully.
optoma commented:
Bit of a nuisance, this one. It likes to copy and replace legit files with an infected one.
From your ComboFix logfile:
c:\program files\QuickTime\qttask       .exe  >>probably original file!
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe

Run this live CD:
Kaspersky live CD http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

--It is in ISO/image format so you will have to burn it to a CD.
--Once the CD is created, boot the infected machine to that CD and scan your system (can take hours to scan but very thorough!)
NB: Update the virus database in the live CD before scanning.
--When finished scanning, hit Reports and save its scan logfile to the hard drive. >Remember the location the logfile is being saved to!
Post the logfile here after.

>>>If you have a USB/flash drive, plug it into the machine before starting/booting the live CD and save the logfile to it when the scan completes.

Please read carefully: Do you have your installation media?
You may have to do a repair installation afterwards, depending on what infected files the Kaspersky live CD removes, i.e. if system files are infected and removed, the operating system will not start, thus resulting in a repair installation: http://michaelstevenstech.com/XPrepairinstall.htm
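optoma's point about copied-and-replaced files is the reason the clean-ups keep failing. The ComboFix log lists seven QuickTime\qttask variants whose only difference is the number of spaces before .exe, alongside googletoolbarnotifier .exe, msconfig .exe and hpztsb04 .exe (and MBAM later found acrotray .exe), and wmpscfgs.exe, soundman.exe and GoogleToolbarNotifier.exe are all 27648 bytes dated 2010-03-26. A copy of the implant that survives under a legitimate autostart name can drop wmpscfgs.exe again after each removal. As an added example that is not part of the thread or of any tool mentioned in it, the Python below builds a throwaway directory that mimics the qttask listing (constructed bytes, not the real files) and applies two checks: filenames with whitespace before the extension, and identical content under unrelated names. Treating the odd-one-out content within a padded group as the probable original follows optoma's guess; the sample places the original under the most-padded name to match it, but on a real disk the content hash decides, not the name.

```python
"""Find autostart binaries that were cloned under whitespace-padded names.

Added example, not part of the thread. The directory tree and file contents are
constructed to mimic the ComboFix listing; the checks are mine.
"""
import hashlib
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Constructed stand-ins; real files would be PE images.
IMPLANT = b'MZ-constructed-implant-' * 64
QTTASK_ORIGINAL = b'MZ-constructed-quicktime-' * 64

NAME_TRICK_RE = re.compile(r'\s+\.[A-Za-z0-9]{1,4}$')    # "qttask .exe", "acrotray .exe"


def build_sample_tree():
    """Lay out the pattern from the log: one original plus padded clones of the implant."""
    root = tempfile.mkdtemp(prefix='whitespace-demo-')
    qt = os.path.join(root, 'QuickTime')
    ie = os.path.join(root, 'Internet Explorer')
    os.makedirs(qt)
    os.makedirs(ie)
    for pad in range(8):                                   # qttask.exe, "qttask .exe", ... seven spaces
        name = 'qttask' + ' ' * pad + '.exe'
        content = QTTASK_ORIGINAL if pad == 7 else IMPLANT  # most-padded copy holds the original
        with open(os.path.join(qt, name), 'wb') as f:
            f.write(content)
    with open(os.path.join(ie, 'wmpscfgs.exe'), 'wb') as f:
        f.write(IMPLANT)                                   # same bytes under an unrelated name
    return root


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Group files by (directory, whitespace-stripped name) and by content digest."""
    groups = defaultdict(list)     # (dir, canonical name) -> [(actual name, digest)]
    by_digest = defaultdict(list)  # digest -> [full path]
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            digest = sha256_of(path)
            groups[(dirpath, re.sub(r'\s+', '', fn).lower())].append((fn, digest))
            by_digest[digest].append(path)
    return groups, by_digest


def findings(root):
    """Padded-name groups (with the likely original) and digests shared across unrelated names."""
    groups, by_digest = scan(root)
    spoofed = []
    for (dirpath, canon), members in groups.items():
        if not any(NAME_TRICK_RE.search(fn) for fn, _ in members):
            continue
        tally = defaultdict(int)
        for _, d in members:
            tally[d] += 1
        rare = min(tally, key=tally.get)                   # odd one out = probable original
        spoofed.append({
            'canonical': os.path.join(os.path.basename(dirpath), canon),
            'variants': len(members),
            'likely_original': sorted(fn for fn, d in members if d == rare)[0],
        })
    shared = [sorted(paths) for paths in by_digest.values()
              if len({re.sub(r'\s+', '', os.path.basename(p)).lower() for p in paths}) > 1]
    return spoofed, shared


def demo():
    root = build_sample_tree()
    try:
        return findings(root)
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    spoofed, shared = demo()
    for s in spoofed:
        print(f"{s['canonical']}: {s['variants']} variants, likely original {s['likely_original']!r}")
    for paths in shared:
        print('same content under different names:', *paths, sep='\n  ')
```

Point `findings()` at C:\Program Files and C:\WINDOWS on the real box; every digest that shows up under two different base names is a copy of the implant to quarantine, and the remaining member of each padded group is the file to restore to its proper name.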
Tatonka88 (author) commented:
Booted to Safe Mode after Kaspersky, removed old HDD completely as not needed, ran Mbam, came up with same 3 results.

Booted into regular mode and HijackThis log attached below

Scan: completed 3/26/10 11:44 PM   (events: 40, objects: 148950, time: 05:53:46)      
3/26/10 5:50 PM      Task started                  
3/26/10 5:51 PM      Detected: Trojan.Win32.Pakes.oad      /discs/C:/Qoobox/Quarantine/C/WINDOWS/system32/spool/prtprocs/w32x86/0000570e.tmp.vir            
3/26/10 5:51 PM      Deleted: Trojan.Win32.Pakes.oad      /discs/C:/Qoobox/Quarantine/C/WINDOWS/system32/spool/prtprocs/w32x86/0000570e.tmp.vir            
3/26/10 5:57 PM      Detected: Trojan.JS.StartPage.at      /discs/C:/old hdd/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/GDAF41A7/fi[2].js            
3/26/10 6:04 PM      Deleted: Trojan.JS.StartPage.at      /discs/C:/old hdd/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/GDAF41A7/fi[2].js            
3/26/10 6:21 PM      Detected: Email-Worm.Win32.Bagle.i      /discs/C:/old hdd/Documents and Settings/Dan/My Documents/Old Email stuff/outlook.pst/Personal Folders/Deleted Items/03 Mar 2004 07:33 from noreply@lincsat.com:Email account utiliza/TextFile.zip            
3/26/10 6:22 PM      Detected: Trojan-Spy.HTML.Sunfraud.c      /discs/C:/old hdd/Documents and Settings/Dan/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/30 Nov 2004 03:18 to seed.dan@lincsat.com:Urgent security notice.html            
3/26/10 6:36 PM      Detected: Trojan-Spy.HTML.Sunfraud.c      /discs/C:/old hdd/old HDD/Admin/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/30 Nov 2004 03:18 to seed.dan@lincsat.com:Urgent security notice.html            
3/26/10 7:10 PM      Untreated: Email-Worm.Win32.Bagle.i      /discs/C:/old hdd/Documents and Settings/Dan/My Documents/Old Email stuff/outlook.pst/Personal Folders/Deleted Items/03 Mar 2004 07:33 from noreply@lincsat.com:Email account utiliza/TextFile.zip      Skipped by user      
3/26/10 7:16 PM      Detected: Email-Worm.Win32.Bagle.i      /discs/C:/old hdd/old HDD/Admin/My Documents/Old Email stuff/outlook.pst/Personal Folders/Deleted Items/03 Mar 2004 07:33 from noreply@lincsat.com:Email account utiliza/TextFile.zip            
3/26/10 7:16 PM      Detected: Trojan-Spy.HTML.Citifraud.ai      /discs/C:/old hdd/Documents and Settings/Dan/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/02 Dec 2004 02:13 from CITIZENS BANK:{Spam?} Important Notice.html            
3/26/10 7:16 PM      Detected: Trojan-Spy.HTML.Bankfraud.w      /discs/C:/old hdd/Documents and Settings/Dan/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/04 Dec 2004 11:50 to seed.dan@lincsat.com:Washington Mutual: Ple.html            
3/26/10 7:16 PM      Detected: Trojan-Spy.HTML.Sunfraud.c      /discs/C:/old hdd/Documents and Settings/Dan/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/08 Dec 2004 05:21 from SunTrust bank:Important notice.html            
3/26/10 7:16 PM      Detected: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/old hdd/Documents and Settings/Dan/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/12 Dec 2004 06:37 from Smith Barney:OfficiaI Information For AII.html            
3/26/10 7:16 PM      Detected: Trojan-Spy.HTML.Bankfraud.w      /discs/C:/old hdd/Documents and Settings/Dan/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/15 Dec 2004 12:56 from Washington Mutual:IMPORTANT BANKING MAIL.html            
3/26/10 7:17 PM      Detected: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/old hdd/Documents and Settings/Dan/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/03 Jan 2005 12:51 from Smith.Barney@mail.lincsatmail.com:Smith B.html            
3/26/10 7:17 PM      Deleted: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/old hdd/Documents and Settings/Dan/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst            
3/26/10 7:23 PM      Detected: Trojan-Spy.HTML.Citifraud.ai      /discs/C:/old hdd/old HDD/Admin/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/02 Dec 2004 02:13 from CITIZENS BANK:{Spam?} Important Notice.html            
3/26/10 7:23 PM      Detected: Trojan-Spy.HTML.Bankfraud.w      /discs/C:/old hdd/old HDD/Admin/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/04 Dec 2004 11:50 to seed.dan@lincsat.com:Washington Mutual: Ple.html            
3/26/10 7:23 PM      Detected: Trojan-Spy.HTML.Sunfraud.c      /discs/C:/old hdd/old HDD/Admin/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/08 Dec 2004 05:21 from SunTrust bank:Important notice.html            
3/26/10 7:23 PM      Detected: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/old hdd/old HDD/Admin/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/12 Dec 2004 06:37 from Smith Barney:OfficiaI Information For AII.html            
3/26/10 7:23 PM      Detected: Trojan-Spy.HTML.Bankfraud.w      /discs/C:/old hdd/old HDD/Admin/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/15 Dec 2004 12:56 from Washington Mutual:IMPORTANT BANKING MAIL.html            
3/26/10 7:23 PM      Detected: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/old hdd/old HDD/Admin/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst/Personal Folders/Junk E-mail/03 Jan 2005 12:51 from Smith.Barney@mail.lincsatmail.com:Smith B.html            
3/26/10 7:23 PM      Deleted: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/old hdd/old HDD/Admin/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst            
3/26/10 9:16 PM      Deleted: Email-Worm.Win32.Bagle.i      /discs/C:/old hdd/old HDD/Admin/My Documents/Old Email stuff/outlook.pst            
3/26/10 11:16 PM      Detected: Trojan-Spy.HTML.Sunfraud.c      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/30 Nov 2004 03:18 to seed.dan@lincsat.com:Urgent security notice.html            
3/26/10 11:43 PM      Untreated: Trojan-Spy.HTML.Sunfraud.c      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/30 Nov 2004 03:18 to seed.dan@lincsat.com:Urgent security notice.html      Skipped by user      
3/26/10 11:43 PM      Detected: Trojan-Spy.HTML.Citifraud.ai      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/02 Dec 2004 02:13 from CITIZENS BANK:{Spam?} Important Notice.html            
3/26/10 11:43 PM      Untreated: Trojan-Spy.HTML.Citifraud.ai      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/02 Dec 2004 02:13 from CITIZENS BANK:{Spam?} Important Notice.html      Skipped by user      
3/26/10 11:43 PM      Detected: Trojan-Spy.HTML.Bankfraud.w      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/04 Dec 2004 11:50 to seed.dan@lincsat.com:Washington Mutual: Ple.html            
3/26/10 11:43 PM      Untreated: Trojan-Spy.HTML.Bankfraud.w      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/04 Dec 2004 11:50 to seed.dan@lincsat.com:Washington Mutual: Ple.html      Skipped by user      
3/26/10 11:43 PM      Detected: Trojan-Spy.HTML.Sunfraud.c      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/08 Dec 2004 05:21 from SunTrust bank:Important notice.html            
3/26/10 11:43 PM      Untreated: Trojan-Spy.HTML.Sunfraud.c      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/08 Dec 2004 05:21 from SunTrust bank:Important notice.html      Skipped by user      
3/26/10 11:43 PM      Detected: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/12 Dec 2004 06:37 from Smith Barney:OfficiaI Information For AII.html            
3/26/10 11:44 PM      Untreated: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/12 Dec 2004 06:37 from Smith Barney:OfficiaI Information For AII.html      Skipped by user      
3/26/10 11:44 PM      Detected: Trojan-Spy.HTML.Bankfraud.w      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/15 Dec 2004 12:56 from Washington Mutual:IMPORTANT BANKING MAIL.html            
3/26/10 11:44 PM      Untreated: Trojan-Spy.HTML.Bankfraud.w      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/15 Dec 2004 12:56 from Washington Mutual:IMPORTANT BANKING MAIL.html      Skipped by user      
3/26/10 11:44 PM      Detected: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/03 Jan 2005 12:51 from Smith.Barney@mail.lincsatmail.com:Smith B.html            
3/26/10 11:44 PM      Untreated: Trojan-Spy.HTML.Smitfraud.a      /discs/C:/Documents and Settings/dan/Local Settings/Application Data/Microsoft/Outlook/Outlook-jan05.pst/Personal Folders/Junk E-mail/03 Jan 2005 12:51 from Smith.Barney@mail.lincsatmail.com:Smith B.html      Skipped by user      
3/26/10 11:44 PM      Task completed                  


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:28 AM, on 3/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier .exe
c:\program files\trend micro\hijackthis\hijackthis .exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128119622546
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 5745 bytes
optomaCommented:
Ok, that didn't even detect it :(

Done some searching and came across this thread, which seems to have a good step-by-step explanation and removal steps.
http://www.howtogeek.com/howto/9727/how-to-get-rid-of-the-wmpscfgs.exe-virus-a-reader-contributed-guide/

NB: Create a System Restore point first before trying the above!



rpggamergirlCommented:
It's a Vundo file infector among others; do this and we'll see.

Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\program files\internet explorer\wmpscfgs.exe

AtJob::

RenV::
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb04 .exe

Driver::
fuhvj

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

rpggamergirlCommented:
c:\windows\system32\soundman.exe <-- also virus-check this file; the legit one should be in the Windows folder. Delete it or include it in the script if infected.

rpggamergirlCommented:
<<<"There was no dvjk.sys in that folder. Searched hard drives for it and came up blank.">>>

Based on the CF log, that file no longer exists, only its service.

wmpscfgs.exe <-- and this one wasn't going anywhere because it's being respawned by those malicious jobs. The script should kill all those jobs and kill the file, and will also fix those infected legit programs if CF finds a replacement.
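As an added defender-side illustration (not code from this thread, nor from ComboFix, HijackThis or MBAM), here is a small Python triage script that scans pasted log lines for the four indicators the logs in this thread show: executables renamed with whitespace before the extension (the look-alike trick the RenV:: block above undoes), a cluster of At*.job scheduled tasks all pointing at one binary (the respawn mechanism just described), Run-key values whose name does not resemble the binary they launch (the "Adobe_Reader" value pointing at wmpscfgs.exe), and Security Center override values set to 1, which silence the AV/firewall status alerts. The sample lines are constructed, modelled on entries posted in this thread; the min_jobs threshold and the name-mismatch heuristic are this example's own assumptions. It generalizes beyond wmpscfgs.exe: any binary referenced by several At jobs gets reported.

```python
"""Log triage for the indicators seen in this thread's ComboFix / HijackThis output.

Added illustration only: this is not ComboFix, HijackThis, MBAM or any tool
used in the thread, and the min_jobs threshold is an assumption of the example.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines modelled on entries posted in this thread; not a real capture.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-03-27 27648]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-03-27 27648]
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\Trend Micro\HijackThis\HijackThis.exe
2010-03-27 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]
2010-03-27 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]
2010-03-27 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"DisableMonitoring"=dword:00000000
"""

# 1. "name .exe": whitespace between the base name and the extension.
SPACED_EXT = re.compile(r"\S[ \t]+\.(?:exe|dll|sys)(?![A-Za-z0-9])", re.IGNORECASE)
# 2. ComboFix 'Scheduled Tasks' listing: an At<N>.job header, then "- <target>" on the next line.
AT_JOB = re.compile(r"\\Tasks\\(At\d+\.job)\s*$", re.IGNORECASE)
JOB_TARGET = re.compile(r"^-\s+(.+?\.exe)\b", re.IGNORECASE)
# 3. Run-key values, in ComboFix REGEDIT4 form and in HijackThis O4 form.
RUN_CF = re.compile(r'^"([^"]+)"="([^"]+)"')
RUN_HJT = re.compile(r'^O4 - .*\\Run: \[([^\]]+)\]\s+"?(.+?\.exe)"?', re.IGNORECASE)
# 4. Security Center values that silence the AV / firewall status alerts.
SC_OVERRIDE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:([0-9a-f]{8})', re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # spaced_ext | at_job_cluster | run_name_mismatch | security_center
    severity: str  # "alert" (strong indicator) or "review" (heuristic, expect false positives)
    line: int
    detail: str


def _norm(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def name_matches_target(value_name: str, target: str) -> bool:
    """True when a Run-key value name plausibly describes the binary it launches."""
    base = target.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"\.exe$", "", base, flags=re.IGNORECASE)
    name, base = _norm(value_name), _norm(base)
    return bool(name and base) and (name in base or base in name)


def triage(log_text: str, min_jobs: int = 2) -> List[Finding]:
    """Scan log text and return findings sorted by line number."""
    findings: List[Finding] = []
    jobs: Dict[str, List[tuple]] = defaultdict(list)  # target -> [(line, job name)]
    pending = None                                     # At job header awaiting its target line
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            header, pending = pending, None
            m = JOB_TARGET.match(line)
            if m:
                jobs[m.group(1).lower()].append(header)
                continue
        if SPACED_EXT.search(line):
            findings.append(Finding("spaced_ext", "alert", no, line))
        m = AT_JOB.search(line)
        if m:
            pending = (no, m.group(1))
            continue
        for rx in (RUN_CF, RUN_HJT):
            m = rx.match(line)
            if m:
                name, target = m.group(1), m.group(2)
                if not name_matches_target(name, target):
                    findings.append(Finding("run_name_mismatch", "review", no,
                                            f"{name!r} launches {target}"))
                break
        m = SC_OVERRIDE.match(line)
        if m and int(m.group(2), 16) != 0:
            findings.append(Finding("security_center", "alert", no, line))
    for target, refs in jobs.items():
        if len(refs) >= min_jobs:
            names = ", ".join(job for _, job in refs)
            findings.append(Finding("at_job_cluster", "alert", refs[0][0],
                                    f"{len(refs)} At jobs -> {target} ({names})"))
    return sorted(findings, key=lambda f: f.line)


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per finding kind, handy for a quick glance at a long log."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] line {f.line} {f.kind}: {f.detail}")
```

The name-mismatch check is deliberately reported as "review" rather than "alert": it also flags legitimate but oddly named entries such as Google Toolbar's "swg", so it points an analyst at lines worth a look rather than deciding for them. The spaced-extension and At-job-cluster checks, by contrast, have no benign explanation in a normal XP install and are reported as alerts.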
optomaCommented:
Thanks for stepping in Rpg!
Tatonka88Author Commented:
Did what optoma suggested yesterday and it was still hiding.

Did rpggamergirl's suggestions; logs attached below. Still the same 3 with MBAM (the soundman.exe came back with a few hits as infected, so I added that to the script as well).

Hope you have more ideas... ;-)

ComboFix 10-03-25.04 - dan 03/27/2010  11:03:16.5.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.991.530 [GMT -7:00]
Running from: c:\documents and settings\dan\Desktop\puppy.exe
Command switches used :: c:\documents and settings\dan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\program files\internet explorer\wmpscfgs.exe"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\internet explorer\wmpscfgs.exe
c:\windows\system32\ctfmon .exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_fuhvj


(((((((((((((((((((((((((   Files Created from 2010-02-27 to 2010-03-27  )))))))))))))))))))))))))))))))
.

2010-03-26 17:37 . 2010-03-26 17:37      --------      d-----w-      c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-26 16:07 . 2010-03-26 16:07      --------      d-----w-      c:\program files\ESET
2010-03-26 15:59 . 2010-03-27 18:10      15944      ----a-w-      c:\windows\system32\drivers\hitmanpro35.sys
2010-03-26 15:58 . 2010-03-26 15:58      --------      d-----w-      c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-26 15:58 . 2010-03-27 17:52      --------      d-----w-      c:\program files\Hitman Pro 3.5
2010-03-26 06:13 . 2010-03-26 06:13      --------      d--h--w-      c:\windows\system32\GroupPolicy
2010-03-26 04:33 . 2010-03-26 04:33      5115823      ----a-w-      c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-26 04:09 . 2010-03-26 04:09      --------      d-sh--w-      c:\documents and settings\LocalService\PrivacIE
2010-03-25 19:40 . 2010-03-26 02:20      27648      ----a-w-      c:\windows\system32\soundman.exe
2010-03-25 19:38 . 2010-03-25 19:38      --------      d-----w-      c:\documents and settings\dan\Application Data\A6EEF11C48597CE2C6EF0871033D990F
2010-03-23 15:03 . 2010-03-23 15:03      12464      ----a-w-      c:\windows\system32\avgrsstx.dll
2010-03-15 18:17 . 2008-04-13 18:45      15104      -c--a-w-      c:\windows\system32\dllcache\usbscan.sys
2010-03-15 18:17 . 2008-04-13 18:45      15104      ----a-w-      c:\windows\system32\drivers\usbscan.sys
2010-03-15 18:17 . 2001-08-18 05:36      5632      ----a-w-      c:\windows\system32\ptpusb.dll
2010-03-15 18:17 . 2008-04-14 00:12      159232      ----a-w-      c:\windows\system32\ptpusd.dll
2010-03-10 10:09 . 2009-10-23 15:28      3558912      -c----w-      c:\windows\system32\dllcache\moviemk.exe
2010-02-25 23:12 . 2010-03-25 22:06      --------      d-----w-      C:\$AVG
2010-02-25 23:12 . 2010-03-23 15:03      242696      ----a-w-      c:\windows\system32\drivers\avgtdix.sys
2010-02-25 23:12 . 2010-03-23 15:03      216200      ----a-w-      c:\windows\system32\drivers\avgldx86.sys
2010-02-25 23:12 . 2010-03-23 15:03      29512      ----a-w-      c:\windows\system32\drivers\avgmfx86.sys
2010-02-25 23:12 . 2010-03-27 15:21      --------      d-----w-      c:\windows\system32\drivers\Avg
2010-02-25 23:12 . 2010-02-25 23:12      --------      d-----w-      c:\program files\AVG
2010-02-25 23:11 . 2010-03-26 08:55      --------      d-----w-      c:\documents and settings\All Users\Application Data\avg9
2010-02-25 22:49 . 2010-02-25 22:49      --------      d-----w-      c:\program files\CCleaner

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 18:03 . 2005-09-30 16:57      --------      d-----w-      c:\program files\QuickTime
2010-03-26 07:47 . 2005-09-14 19:09      --------      d-----w-      c:\program files\Trend Micro
2010-03-26 04:33 . 2009-02-23 17:47      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-02-25 22:53 . 2005-09-30 21:25      --------      d-----w-      c:\program files\Common Files\Symantec Shared
2010-02-25 22:52 . 2009-02-23 17:09      --------      d-----w-      c:\program files\NortonInstaller
2010-02-25 22:52 . 2006-10-11 16:52      --------      d-----w-      c:\program files\Norton AntiVirus
2010-02-18 21:39 . 2010-02-18 21:39      --------      d-----w-      c:\program files\Belarc
2010-02-02 15:32 . 2005-10-04 18:48      --------      d-----w-      c:\program files\Google
2010-01-07 23:07 . 2009-02-23 17:47      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-02-23 17:48      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2005-07-14 01:09      353792      ----a-w-      c:\windows\system32\drivers\srv.sys
2006-10-16 21:32 . 2006-08-18 20:11      60526      ----a-w-      c:\program files\mozilla firefox\components\jar50.dll
2006-10-16 21:32 . 2006-08-18 20:11      49256      ----a-w-      c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-16 21:32 . 2006-08-18 20:11      166000      ----a-w-      c:\program files\mozilla firefox\components\xpinstal.dll
.
[code]<pre>
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hitman Pro 3.5\hitmanpro35 .exe
c:\program files\Trend Micro\HijackThis\hijackthis .exe
</pre>[/code]

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-27 27648]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2010-03-27 27648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-03-27 27648]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-03-27 27648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-23 15:03      12464      ----a-w-      c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2005-09-19 07:02      7083056      ----a-w-      c:\progra~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/25/2010 4:12 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/25/2010 4:12 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/23/2010 8:03 AM 308064]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [3/26/2010 8:59 AM 15944]
S0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [7/14/2005 12:59 PM 24971]
S0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [7/14/2005 12:59 PM 85888]
S0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [7/14/2005 1:00 PM 89610]
S0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\sisraid1.sys [7/14/2005 1:00 PM 45568]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [7/14/2005 12:59 PM 77056]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 8:32 AM 135664]
S3 epcfw2k;SCM Parallel Port CF Driver;c:\windows\system32\drivers\epcfw2k.sys [9/30/2005 2:03 PM 144896]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HITMANPRO35

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
napagent
hkmsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]

2010-03-27 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.msn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = local.,
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\dan\Application Data\Mozilla\Firefox\Profiles\um5xcp6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\dan\Application Data\Mozilla\Firefox\Profiles\um5xcp6g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\dan\Application Data\Mozilla\Firefox\Profiles\um5xcp6g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel",             1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad",                   false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",  "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 11:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,b4,85,f6,c1,30,9b,47,89,4e,8b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,b4,85,f6,c1,30,9b,47,89,4e,8b,\

[HKEY_USERS\S-1-5-21-3650595489-3520495155-735610258-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2980)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\hitman pro 3.5\hitmanpro35 .exe
c:\program files\trend micro\hijackthis\hijackthis .exe
.
**************************************************************************
.
Completion time: 2010-03-27  11:18:23 - machine was rebooted
ComboFix-quarantined-files.txt  2010-03-27 18:18
ComboFix2.txt  2010-03-26 14:41

Pre-Run: 51,953,836,032 bytes free
Post-Run: 51,905,822,720 bytes free

- - End Of File - - 3473BEFE73E5BDF21A8EF7D89F94D94D


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:52 AM, on 3/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier .exe
c:\program files\trend micro\hijackthis\hijackthis .exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128119622546
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 5555 bytes
0
cpmcomputersManaging DirectorCommented:
Hi

I see you are in good hands with RPGgamerGirl ( She has helped me out previously)

For what it is worth I have just removed this pest from a clients pc
A long and laborious exercise that perhaps someone could shorten - but it did work.

I think possibly the key here is that your svchosts.exe file has been changed?

I booted in safe mode (WinXP o/s)
Deleted all the AT*. job scheduled tasks
Searched the hard drives for wmpscfgs files and deleted them all
Ran hijackthis and printed the log file

deleted an entry referring to scheduled tasks that looked most odd (I suspect this aids re-infection)

Now the boring bit, I went through every listed *.exe file in the log and went to that location
Each file had been changed, e.g. something.exe became something .exe
deleted the file without the space (each a 30k file) then renamed the file with the space back to its original name.
As per the article previously referred to by Optoma

The exception was the svchosts.exe file in \windows\system32 which you cannot delete - Access denied
I booted from a windows xp install disk and selected Recovery console
from there deleted the svchosts.exe file
and renamed the svchosts .exe to svchosts.exe

Rebooted in safe mode
Ran Combofix - found various items
Ran CCleaner
Ran Malwarebytes in full scan mode

Hope this helps
0
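The pattern cpmcomputers describes above (the legitimate program renamed to "something .exe" with a space, and a small dropper taking over the original "something.exe" name) is easy to check for mechanically rather than by walking a HijackThis log by hand. The following is an added example written for this thread, not code from the thread, from ComboFix, or from any other tool mentioned here. It walks a directory tree and reports every directory where both "X.exe" and "X .exe" sit side by side, together with the size of the file holding the original name. The sample tree it builds is a constructed fixture in a temporary directory, not a copy of real files; the function names are mine.

```python
"""Find 'name.exe' / 'name .exe' pairs, the layout described in the thread.

Added example, not code from the thread or any tool it mentions.
"""
import os
import tempfile
from typing import List, Tuple


def find_spaced_exe_pairs(root: str) -> List[Tuple[str, str, int]]:
    """Return (impostor_path, renamed_original_path, impostor_size) triples.

    A hit is a directory containing both 'X.exe' and 'X .exe'
    (compared case-insensitively, as NTFS would). Symlinks are not
    followed so a looped tree cannot stall the scan.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        # lowercase name -> actual on-disk name, for case-insensitive lookup
        by_lower = {f.lower(): f for f in files}
        for lower, actual in by_lower.items():
            if not lower.endswith(" .exe"):
                continue
            original_lower = lower[:-len(" .exe")] + ".exe"
            if original_lower in by_lower:
                impostor = os.path.join(dirpath, by_lower[original_lower])
                renamed = os.path.join(dirpath, actual)
                hits.append((impostor, renamed, os.path.getsize(impostor)))
    return sorted(hits)


def build_sample_tree(base: str) -> None:
    """Constructed fixture mimicking the thread's layout (not real files)."""
    hj = os.path.join(base, "Program Files", "Trend Micro", "HijackThis")
    clean = os.path.join(base, "Program Files", "Clean App")
    os.makedirs(hj)
    os.makedirs(clean)
    # Small file occupying the original name (thread reports ~30k droppers)
    with open(os.path.join(hj, "hijackthis.exe"), "wb") as f:
        f.write(b"\x00" * 30 * 1024)
    # The displaced original, renamed with a space before the extension
    with open(os.path.join(hj, "hijackthis .exe"), "wb") as f:
        f.write(b"\x00" * 400 * 1024)
    # A lone executable with no spaced twin: must not be reported
    with open(os.path.join(clean, "app.exe"), "wb") as f:
        f.write(b"\x00" * 1024)


def scan_sample() -> List[Tuple[str, str, int]]:
    """Build the fixture, scan it, and return hits with paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [
            (os.path.relpath(impostor, tmp), os.path.relpath(renamed, tmp), size)
            for impostor, renamed, size in find_spaced_exe_pairs(tmp)
        ]


if __name__ == "__main__":
    for impostor, renamed, size in scan_sample():
        print(f"{impostor} ({size} bytes) sits beside {renamed}")
```

Point find_spaced_exe_pairs at a real Program Files or Windows directory (from a clean boot medium, as cpmcomputers did) and every reported "impostor" is a candidate for comparison against a known-good copy before anything is deleted; the script only reports, it does not modify files.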
rpggamergirlCommented:
Ahh... just respawned... and while RenV fixed the other vundo infected programs, new programs are infected.
You need to isolate the infected pc, try not to go online using this pc...as these nasties can respawn faster than you can clean them, it only needs a few seconds or a minute for vundo to download files.

The pc has to be isolated... disconnect and remove the nasties offline... use another pc with online access to download stuff, or you can download using the infected pc but go offline after you've done the downloading and work offline till the logs show clean.
While in the process of cleaning the system you can't browse online even for a few minutes until the infection is gone.


First I would uninstall AVG and install Kaspersky Free trial.
https://www.kasperskyanz.com.au/kav_trial

Also download Gmer
http://www.gmer.net/gmer.zip

DrWebCureIt:
http://www.freedrweb.com/cureit/


Then go offline and run this script...after running the script scan with Kaspersky and let it delete threats found even legit programs that it flags.

Run combofix using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
KillAll::
File::
c:\program files\internet explorer\wmpscfgs.exe

RenV::
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hitman Pro 3.5\hitmanpro35 .exe
c:\program files\Trend Micro\HijackThis\hijackthis .exe

AtJob::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"=-
"HijackThis startup scan"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HitmanPro35"=-
"Adobe_Reader"=-

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
RegNull::
[HKEY_USERS\S-1-5-21-3650595489-3520495155-735610258-1005\Software\Microsoft\SystemCertificates\AddressBook*]
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Then scan with:
Kaspersky
DrWebCureIt
Gmer
And show us all the logs.

0

Tatonka88Author Commented:
Kaspersky found nothing and so did DrWeb
Also tried MBam, that was nil as well


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-28 18:22:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\dan\LOCALS~1\Temp\uxtdapod.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwAdjustPrivilegesToken [0xF41AE58C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwClose [0xF41AEE0C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwConnectPort [0xF41AF922]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateEvent [0xF41AFE94]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateFile [0xF41AF0EE]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateKey [0xF41AD436]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateMutant [0xF41AFD6C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateNamedPipeFile [0xF41AE192]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreatePort [0xF41AFC28]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateSection [0xF41AE34E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateSemaphore [0xF41AFFC6]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateSymbolicLinkObject [0xF41B1C08]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateThread [0xF41AEAAA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwCreateWaitablePort [0xF41AFCCA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwDebugActiveProcess [0xF41B15FA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwDeleteKey [0xF41AD9FA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwDeleteValueKey [0xF41ADD88]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwDeviceIoControlFile [0xF41AF576]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwDuplicateObject [0xF41B25CA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwEnumerateKey [0xF41ADECA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwEnumerateValueKey [0xF41ADF74]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwFsControlFile [0xF41AF382]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwLoadDriver [0xF41B168C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwLoadKey [0xF41AD412]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwLoadKey2 [0xF41AD424]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwMapViewOfSection [0xF41B1CBC]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwNotifyChangeKey [0xF41AE0C0]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwOpenEvent [0xF41AFF36]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwOpenFile [0xF41AEE8E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwOpenKey [0xF41AD5DC]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwOpenMutant [0xF41AFE04]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwOpenProcess [0xF41AE792]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwOpenSection [0xF41B1C32]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwOpenSemaphore [0xF41B0068]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwOpenThread [0xF41AE6B6]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwQueryKey [0xF41AE01E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwQueryMultipleValueKey [0xF41ADC46]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwQuerySection [0xF41B1FD4]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwQueryValueKey [0xF41AD896]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwQueueApcThread [0xF41B1922]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwRenameKey [0xF41ADB0E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwReplaceKey [0xF41AD2B0]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwReplyPort [0xF41B03F2]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwReplyWaitReceivePort [0xF41B02B8]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwRequestWaitReplyPort [0xF41B139A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwRestoreKey [0xF41B4E2C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwResumeThread [0xF41B24AC]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSaveKey [0xF41AD248]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSecureConnectPort [0xF41AF65C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSetContextThread [0xF41AECC8]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSetInformationToken [0xF41B0C4A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSetSecurityObject [0xF41B1786]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSetSystemInformation [0xF41B2114]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSetValueKey [0xF41AD71E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSuspendProcess [0xF41B21F8]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSuspendThread [0xF41B2320]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwSystemDebugControl [0xF41B1526]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwTerminateProcess [0xF41AE90A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwTerminateThread [0xF41AE860]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwUnmapViewOfSection [0xF41B1E8A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 ZwWriteVirtualMemory [0xF41AE9EA]

Code            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 FsRtlCheckLockForReadAccess
Code            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)                                                                 IoIsOperationSynchronous
Code            57DEF449                                                                                                                                              KeSetProfileIrql

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!ZwYieldExecution + 13E                                                                                                                   804E4998 16 Bytes  [4E, E3, 1A, F4, C6, FF, 1A, ...]
.text           ntoskrnl.exe!ZwYieldExecution + 1FA                                                                                                                   804E4A54 12 Bytes  [8C, 16, 1B, F4, 12, D4, 1A, ...] {MOV WORD [ESI], SS; SBB ESI, ESP; ADC DL, AH; SBB DH, AH; AND AL, 0xd4; SBB DH, AH}
.text           ntoskrnl.exe!ZwYieldExecution + 376                                                                                                                   804E4BD0 16 Bytes  [0E, DB, 1A, F4, B0, D2, 1A, ...]
.text           ntoskrnl.exe!ZwYieldExecution + 46A                                                                                                                   804E4CC4 12 Bytes  [F8, 21, 1B, F4, 20, 23, 1B, ...]
.text           ntoskrnl.exe!ZwYieldExecution + 47A                                                                                                                   804E4CD4 8 Bytes  JMP 68AF40F3
.text           ...                                                                                                                                                  
.text           ntoskrnl.exe!IoIsOperationSynchronous                                                                                                                 804EAFCE 5 Bytes  JMP F41A38B6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text           ntoskrnl.exe!FsRtlCheckLockForReadAccess                                                                                                              804F45B3 5 Bytes  JMP F41A34DC \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
?               Combo-Fix.sys                                                                                                                                         The system cannot find the file specified. !
init            C:\WINDOWS\system32\drivers\ALCXSENS.SYS                                                                                                              entry point in "init" section [0xF6C165F0]
?               C:\puppy\catchme.sys                                                                                                                                  The system cannot find the path specified. !
?               C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                                                                                            The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

?               C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] C:\WINDOWS\system32\ntdll.dll                                                  time/date stamp mismatch;
?               C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] C:\WINDOWS\system32\kernel32.dll                                               time/date stamp mismatch;
.text           C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] USER32.dll!AlignRects + FFFA5598                                               7E412A78 4 Bytes  [70, 11, 33, 6D]
?               C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] C:\WINDOWS\system32\ntdll.dll                                                  time/date stamp mismatch;
?               C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] C:\WINDOWS\system32\kernel32.dll                                               time/date stamp mismatch;
.text           C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] USER32.dll!AlignRects + FFFA5598                                               7E412A78 4 Bytes  [70, 11, 33, 6D]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice]                                                                                   [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject]                                                                               [F3C89820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice]                                                                                   [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice]                                                                                   [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject]                                                                               [F3C89820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice]                                                                                  [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice]                                                                                     [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice]                                                                                 [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice]                                                                                   [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice]                                                                                  [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice]                                                                                    [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice]                                                                                 [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice]                                                                                [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\usbccgp.sys[NTOSKRNL.EXE!IoCreateDevice]                                                                                 [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice]                                                                                  [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\kbdhid.sys[ntoskrnl.exe!IoCreateDevice]                                                                                  [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice]                                                                                    [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice]                                                                                 [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice]                                                                                  [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice]                                                                                  [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice]                                                                                    [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice]                                                                                     [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice]                                                                                  [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice]                                                                                [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT             \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice]                                                                                  [F3C896D0] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!RtlAllocateHeap]                 00370240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!RtlFreeHeap]                     003702B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!RtlSizeHeap]                     00370320
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!RtlReAllocateHeap]               00370390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetModuleFileNameA]             00950860
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA]                   009508D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW]                   00950940
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress]                 009509B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary]                    00950A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    00950A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread]                   00370630
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!VirtualAlloc]                   003706A0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!VirtualFree]                    00370710
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [ntdll.dll!RtlFreeHeap]                       00370780
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\RPCRT4.dll [ntdll.dll!RtlAllocateHeap]                   003707F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetErrorMode]                 00950B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW]               00950B70
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleFileNameW]           00950BE0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread]                 00370860
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]  00950C50
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW]                 00950CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!FreeLibrary]                  00950D30
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA]                 00950DA0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]               00950E10
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!VirtualAlloc]                 003709B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!VirtualFree]                  00370A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!RtlFreeHeap]                     00370A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!RtlAllocateHeap]                 00370B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!RtlReAllocateHeap]               00370B70
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   00950E80
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA]                  00950EF0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW]                  00950F60
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetModuleFileNameW]            7D1F0550
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress]                7D1F05C0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!FreeLibrary]                   7D1F0630
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\Secur32.dll [ntdll.dll!RtlFreeHeap]                      00370BE0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\Secur32.dll [ntdll.dll!RtlAllocateHeap]                  00370C50
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]                 7D1F06A0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateThread]                   00370CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW]                 7D1F0710
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameA]             7D1F0780
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA]                   7D1F07F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    7D1F0860
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress]                 7D1F08D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW]                   7D1F0940
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!FreeLibrary]                    7D1F09B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameW]             7D1F0A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [ntdll.dll!RtlAllocateHeap]                   00370EF0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\USER32.dll [ntdll.dll!RtlFreeHeap]                       00370F60
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]     7D1F0A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW]                  7D1F0B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA]                    7D1F0B70
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!FreeLibrary]                     7D1F0BE0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                  7D1F0C50
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW]                    7D1F0CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\GDI32.dll [ntdll.dll!RtlAllocateHeap]                    7D1E0390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\GDI32.dll [ntdll.dll!RtlFreeHeap]                        7D1E0400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetErrorMode]                   00960240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    009602B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress]                 00960320
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA]                   00960390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary]                    00960400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA]                 00960470
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW]                 009604E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameA]             00960550
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!HeapDestroy]                    7D1E0940
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!VirtualFree]                    7D1E09B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!VirtualAlloc]                   7D1E0A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateThread]                   7D1E0B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameW]             009605C0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!VirtualAlloc]                  7D1E0CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!VirtualFree]                   7D1E0D30
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!HeapDestroy]                   7D1E0EF0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   00960710
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA]                  00960780
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW]                009607F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleFileNameW]            00960860
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetErrorMode]                  009608D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW]                  00960940
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]                009609B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread]                  7D1E0F60
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW]                00960A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary]                   00960A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA]                00960B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!RtlFreeHeap]                      00380010
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   00960B70
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetErrorMode]                  00960BE0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameW]            00960C50
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA]                00960CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW]                00960D30
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW]                  00960DA0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA]                00960E10
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW]                00960E80
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibrary]                   00960EF0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread]                  00380080
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!HeapDestroy]                   003800F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA]                  00960F60
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]                00970010
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameA]            00970080
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress]                  009700F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA]                    00970160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary]                     009701D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW]                    00970240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetModuleFileNameW]              009702B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread]                    00380390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]                  00970320
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA]                  00970390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW]                  00970400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!VirtualAlloc]                    00380400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]     00970470
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!RtlFreeHeap]                        00380470
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA]                    009801D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!FreeLibrary]                     00980240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress]                  009802B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter]     00980320
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetErrorMode]                  00980710
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW]                  00980780
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA]                009807F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread]                  7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateProcessW]                00980860
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetModuleFileNameW]            009808D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetProcAddress]                00980940
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!FreeLibrary]                   009809B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA]                  00980A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   00980A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\userenv.dll [ntdll.dll!RtlFreeHeap]                      7D1E0080
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW]                 7D1F0400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]  7D1F04E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA]                 7D1F02B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!FreeLibrary]                  7D1F00F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress]               7D1F0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetModuleFileNameA]           7D1F0160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateThread]                 7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!RtlAllocateHeap]                 7D1E0010
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!RtlFreeHeap]                     7D1E0080
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!HeapDestroy]                    7D1E0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress]                 7D1F0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetModuleFileNameA]             7D1F0160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA]                   7D1F02B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread]                   7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!FreeLibrary]                    7D1F00F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    7D1F04E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!FreeLibrary]                   7D1F00F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   7D1F04E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA]                  7D1F02B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleFileNameA]            7D1F0160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread]                  7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress]                7D1F0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter]  7D1F04E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!FreeLibrary]                  7D1F00F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!HeapDestroy]                  7D1E0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress]               7D1F0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA]                 7D1F02B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!RtlFreeHeap]                     7D1E0080
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!RtlAllocateHeap]                 7D1E0010
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary]                   7D1F00F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]                7D1F0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA]                  7D1F02B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   7D1F04E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA]                7D1F0320
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW]                7D1F0390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateThread]                  7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleFileNameW]            7D1F01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleFileNameA]            7D1F0160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!LoadLibraryW]                  7D1F0400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!CreateThread]                  7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!SetErrorMode]                  7D1F0470
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!GetModuleFileNameA]            7D1F0160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   7D1F04E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!LoadLibraryExW]                7D1F0390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!GetProcAddress]                7D1F0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!LoadLibraryA]                  7D1F02B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!FreeLibrary]                   7D1F00F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1588] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!GetModuleFileNameW]            7D1F01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!RtlAllocateHeap]                 00370240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!RtlFreeHeap]                     003702B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!RtlSizeHeap]                     00370320
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!RtlReAllocateHeap]               00370390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetModuleFileNameA]             00B30860
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA]                   00B308D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW]                   00B30940
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress]                 00B309B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary]                    00B30A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    00B30A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread]                   00370630
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!VirtualAlloc]                   003706A0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!VirtualFree]                    00370710
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [ntdll.dll!RtlFreeHeap]                       00370780
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\RPCRT4.dll [ntdll.dll!RtlAllocateHeap]                   003707F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetErrorMode]                 00B30B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW]               00B30B70
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleFileNameW]           00B30BE0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread]                 00370860
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]  00B30C50
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW]                 00B30CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!FreeLibrary]                  00B30D30
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA]                 00B30DA0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]               00B30E10
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!VirtualAlloc]                 003709B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!VirtualFree]                  00370A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!RtlFreeHeap]                     00370A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!RtlAllocateHeap]                 00370B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!RtlReAllocateHeap]               00370B70
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   00B30E80
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA]                  00B30EF0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW]                  00B30F60
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetModuleFileNameW]            7D1F0550
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress]                7D1F05C0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!FreeLibrary]                   7D1F0630
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\Secur32.dll [ntdll.dll!RtlFreeHeap]                      00370BE0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\Secur32.dll [ntdll.dll!RtlAllocateHeap]                  00370C50
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]                 7D1F06A0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateThread]                   00370CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW]                 7D1F0710
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameA]             7D1F0780
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA]                   7D1F07F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    7D1F0860
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress]                 7D1F08D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW]                   7D1F0940
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!FreeLibrary]                    7D1F09B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameW]             7D1F0A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [ntdll.dll!RtlAllocateHeap]                   00370EF0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\USER32.dll [ntdll.dll!RtlFreeHeap]                       00370F60
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]     7D1F0A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW]                  7D1F0B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA]                    7D1F0B70
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!FreeLibrary]                     7D1F0BE0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                  7D1F0C50
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW]                    7D1F0CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\GDI32.dll [ntdll.dll!RtlAllocateHeap]                    7D1E0390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\GDI32.dll [ntdll.dll!RtlFreeHeap]                        7D1E0400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetErrorMode]                   00B40240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    00B402B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress]                 00B40320
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA]                   00B40390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary]                    00B40400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA]                 00B40470
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW]                 00B404E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameA]             00B40550
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!HeapDestroy]                    7D1E0940
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!VirtualFree]                    7D1E09B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!VirtualAlloc]                   7D1E0A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateThread]                   7D1E0B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameW]             00B405C0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!VirtualAlloc]                  7D1E0CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!VirtualFree]                   7D1E0D30
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!HeapDestroy]                   7D1E0EF0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   00B40710
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA]                  00B40780
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW]                00B407F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleFileNameW]            00B40860
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetErrorMode]                  00B408D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW]                  00B40940
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]                00B409B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread]                  7D1E0F60
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW]                00B40A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary]                   00B40A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA]                00B40B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!RtlFreeHeap]                      00380010
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   00B40B70
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetErrorMode]                  00B40BE0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameW]            00B40C50
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA]                00B40CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW]                00B40D30
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW]                  00B40DA0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA]                00B40E10
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW]                00B40E80
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibrary]                   00B40EF0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread]                  00380080
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!HeapDestroy]                   003800F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA]                  00B40F60
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]                00B50010
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameA]            00B50080
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress]                  00B500F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA]                    00B50160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary]                     00B501D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW]                    00B50240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetModuleFileNameW]              00B502B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread]                    00380390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]                  00B50320
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA]                  00B50390
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW]                  00B50400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!VirtualAlloc]                    00380400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]     00B50470
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!RtlFreeHeap]                        00380470
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA]                    00B604E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!FreeLibrary]                     00B60550
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress]                  00B605C0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter]     00B60630
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetErrorMode]                  00B60A20
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW]                  00B60A90
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA]                00B60B00
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread]                  7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateProcessW]                00B60B70
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetModuleFileNameW]            00B60BE0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetProcAddress]                00B60C50
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!FreeLibrary]                   00B60CC0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA]                  00B60D30
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   00B60DA0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\userenv.dll [ntdll.dll!RtlFreeHeap]                      7D1E0080
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW]                 7D1F0400
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]  7D1F04E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA]                 7D1F02B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!FreeLibrary]                  7D1F00F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress]               7D1F0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetModuleFileNameA]           7D1F0160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateThread]                 7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!RtlAllocateHeap]                 7D1E0010
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!RtlFreeHeap]                     7D1E0080
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!HeapDestroy]                    7D1E0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress]                 7D1F0240
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetModuleFileNameA]             7D1F0160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA]                   7D1F02B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread]                   7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!FreeLibrary]                    7D1F00F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    7D1F04E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!FreeLibrary]                   7D1F00F0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   7D1F04E0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA]                  7D1F02B0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleFileNameA]            7D1F0160
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread]                  7D1E01D0
IAT             C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[2848] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress]                7D1F0240

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                              kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                             kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                             kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                           kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                              fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                              sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)

---- EOF - GMER 1.0.15 ----
Tatonka88 (Author) commented:
Thanks to all for the help, very helpful and accurate help.
rpggamergirl commented:
Great, the second script did it then?

Tatonka88 (Author) commented:
Thanks so much for your help, rpggamergirl; your insight was very helpful. Hope to work with you again.
rpggamergirl commented:
You're welcome, it's a pleasure working with you.

When you're done with ComboFix, you can uninstall it.
To uninstall ComboFix:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall
Thank you for using Experts-Exchange!

