Full Version: Hidden Object - rootkit
Kaspersky Lab Forum > English User Forum > Protection for Small and Medium Businesses
Vladabgd
Hi, I have already written to support, however I have a few questions. I have tried some mail subscription management software, which I removed from my PC. Some of it used "server" applications. So I ended up with a rootkit - a hidden object attached to my default internet browsing software (IE 6.0 or Firefox). I don't see it in system32, or in the active processes. F-Secure and AVG anti-rootkit software see this problem, but do not solve it. Need assistance ASAP. By the way, what are rootkits? How dangerous are they?
Lucian Bara
Hello,
which Kaspersky product and what version are you using?

Rootkits are applications which can hide themselves and other components from the Windows API (they are invisible to normal applications). This is commonly achieved through kernel hooks. Rootkits themselves usually have no payloads, so they aren't "dangerous", but they are often used to hide other malware.

http://www.viruslist.com/en/viruses/glossa...ossid=180118207
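The hiding technique described in the reply above is also what gives anti-rootkit tools their detection method: compare the process list the (possibly hooked) Windows API returns with a list gathered some other way, and report whatever only the second view contains. The script below is an added example written for this thread, not code from Kaspersky, GMER or catchme; the process snapshots (`API_VIEW`, `RAW_VIEW`, `RAW_VIEW_AGAIN`) and the `Proc` type are constructed sample data and names chosen for the example.

```python
"""Cross-view detection of hidden processes.

Added example for this thread; not code from Kaspersky, GMER or catchme.
A rootkit hides a process by hooking the API that normal tools use to list
processes, so Task Manager and most scanners never see the entry. Anti-rootkit
tools therefore take two views of the same system: the "high-level" view
returned by the (possibly hooked) API and a "low-level" view gathered another
way (walking kernel structures, or probing every PID). A PID present in the
low-level view but missing from the high-level view is reported as hidden,
which is what a "? [1740]" line in a catchme scan means.

The snapshots below are constructed sample data, not taken from the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str  # image name; "?" when the low-level probe cannot resolve it


# Constructed high-level view: what a hooked process-enumeration API returns.
API_VIEW = [
    Proc(4, "System"), Proc(620, "winlogon.exe"), Proc(1012, "svchost.exe"),
    Proc(1400, "explorer.exe"), Proc(1608, "avp.exe"), Proc(2044, "firefox.exe"),
]

# Constructed low-level view of the same moment: one entry (1740) the API never
# reported, plus a short-lived installer (3120) that happened to be running.
RAW_VIEW = API_VIEW[:5] + [Proc(1740, "?"), Proc(2044, "firefox.exe"), Proc(3120, "setup.exe")]

# Constructed second low-level snapshot taken a moment later: 3120 has exited,
# 1740 is still there.
RAW_VIEW_AGAIN = API_VIEW[:5] + [Proc(1740, "?"), Proc(2044, "firefox.exe")]


def hidden_processes(api_view, raw_view, raw_view_again=None):
    """Return low-level entries whose PID the API view does not report.

    Matching is by PID only: a rootkit may blank or spoof the image name, so
    names are not trusted for the comparison. If a second low-level snapshot
    is supplied, a PID must appear in both; this filters processes that
    started or exited between the two enumerations, the usual false positive
    of cross-view scans.
    """
    visible = {p.pid for p in api_view}
    candidates = [p for p in raw_view if p.pid not in visible]
    if raw_view_again is not None:
        stable = {p.pid for p in raw_view_again}
        candidates = [p for p in candidates if p.pid in stable]
    return sorted(candidates, key=lambda p: p.pid)


def format_report(hidden):
    """One line per hidden process, in the "image [pid]" style catchme prints."""
    if not hidden:
        return "hidden processes: 0"
    return "\n".join(f"{p.image} [{p.pid}]" for p in hidden)


if __name__ == "__main__":
    print("scanning hidden processes ...")
    print(format_report(hidden_processes(API_VIEW, RAW_VIEW, RAW_VIEW_AGAIN)))
```

Run as-is it prints `? [1740]`; the transient `setup.exe` is only reported when the confirming second snapshot is left out, which is why real scanners re-enumerate before reporting.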
Vladabgd
QUOTE(Lucian Bara @ 20.06.2007 17:35)
Hello,
which Kaspersky product and what version are you using?

Rootkits are applications which can hide themselves and other components from the Windows API (they are invisible to normal applications). Rootkits themselves usually have no payloads, so they aren't "dangerous", but they are often used to hide other malware.

http://www.viruslist.com/en/viruses/glossa...ossid=180118207


I am using Kaspersky Anti-Virus 6.0 for Windows Workstations.
Lucian Bara
QUOTE(Vladabgd @ 20.06.2007 18:37)
I am using Kaspersky Anti-Virus 6.0 for Windows Workstations.

And it doesn't see it?
There are a number of rootkit tools you can try.
What does F-Secure BlackLight see?
Another tool you could try is GMER: http://www.gmer.net/gmer.zip
It's advanced, but it should be able to detect the toughest rootkits.

v7 will include a technology which enables detection of really nasty rootkits.
Vladabgd
All of this software sees that I have a dangerous hidden object (rootkit) in C:\Program Files\Internet Explorer\iexplorer.exe (if IE 6.0 is the default) or in C:\Program Files\Mozilla Firefox\Firefox.exe.
Lucian Bara
That looks like something similar to Bifrose, which uses IE/Firefox for its doings.
Try posting a ComboFix log, maybe we will be able to locate it: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

The log will be located in c:\combofix.txt

But seeing as this is a workstation computer, it might be better to do a format and start clean.
Vladabgd
Yeah, I agree, but there are important files on this PC, so I cannot consider formatting now! Oh, and thanks for the quick replies.
Lucian Bara
QUOTE(Vladabgd @ 20.06.2007 19:13)
Yeah, I agree, but there are important files on this PC, so I cannot consider formatting now! Oh, and thanks for the quick replies.

Exactly, that's why you should back up the files and reformat: if it's Bifrose, then it's a remote access tool, so those files can be leaked out.
Vladabgd
Here is the report. Notice the hidden process! And see the picture attached. This is an office PC.
[attachmentid=30666]
ComboFix 07-06-18.2 - C:\Documents and Settings\Vlada\Desktop\ComboFix.exe
"Vlada" - 2007-06-20 18:14:52 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))


2007-06-20 18:13 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-20 16:24 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-19 18:38 <DIR> d-------- C:\WINDOWS\pss
2007-06-19 18:30 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-19 18:17 138,220 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\firstlsp.reg.dat
2007-06-19 15:33 <DIR> d-------- C:\DOCUME~1\Vlada\APPLIC~1\UseNeXT
2007-06-19 15:32 2,199,336 --a------ C:\WINDOWS\usenext_freetrial.exe
2007-06-19 15:32 <DIR> d--h----- C:\WINDOWS\windows
2007-06-18 16:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Xtreeme
2007-06-18 15:02 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-06-18 15:02 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-06-18 15:02 <DIR> d-------- C:\DOCUME~1\Vlada\APPLIC~1\HP
2007-06-18 15:01 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2007-06-18 15:01 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2007-06-18 14:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-06-18 14:50 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-06-18 14:46 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-06-18 14:46 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-06-18 14:46 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-06-18 14:46 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-06-18 14:46 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-06-18 14:46 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-06-15 15:07 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-06-15 15:07 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-06-15 15:07 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-06-15 10:00 <DIR> d-------- C:\DOCUME~1\Vlada\APPLIC~1\Imesh MP3 Downloader
2007-06-14 10:29 57,644 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-06-13 16:36 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-13 13:40 <DIR> d-------- C:\Program Files\Trillian
2007-06-12 16:31 17,792 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2007-06-12 16:21 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-06-08 17:57 <DIR> d-------- C:\Program Files\Motorola
2007-06-07 16:58 <DIR> d-------- C:\Program Files\Paint.NET
2007-06-07 13:48 <DIR> d-------- C:\WINDOWS\KeyChanger Office Edition
2007-06-06 15:00 <DIR> d-------- C:\Program Files\uTorrent
2007-06-04 10:21 <DIR> d-------- C:\DOCUME~1\Vlada\APPLIC~1\U3
2007-05-30 16:46 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-30 16:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-30 15:48 299,520 --a------ C:\WINDOWS\uninst.exe
2007-05-28 12:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Bluetooth
2007-05-28 12:36 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-05-28 12:36 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2007-05-28 12:36 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-05-28 12:36 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2007-05-28 12:36 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2007-05-28 12:36 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
2007-05-28 12:36 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2007-05-28 12:36 100,992 --a------ C:\WINDOWS\system32\drivers\bthpan.sys
2007-05-28 12:32 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2007-05-25 14:38 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2007-05-25 14:38 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2007-05-25 14:08 92,064 --a------ C:\DOCUME~1\Vlada\mqdmmdm.sys
2007-05-25 14:08 9,232 --a------ C:\DOCUME~1\Vlada\mqdmmdfl.sys
2007-05-25 14:08 79,328 --a------ C:\DOCUME~1\Vlada\mqdmserd.sys
2007-05-25 14:08 66,656 --a------ C:\DOCUME~1\Vlada\mqdmbus.sys
2007-05-25 14:08 6,208 --a------ C:\DOCUME~1\Vlada\mqdmcmnt.sys
2007-05-25 14:08 5,936 --a------ C:\DOCUME~1\Vlada\mqdmwhnt.sys
2007-05-25 14:08 4,048 --a------ C:\DOCUME~1\Vlada\mqdmcr.sys
2007-05-25 14:08 25,600 --a------ C:\DOCUME~1\Vlada\usbsermptxp.sys
2007-05-25 14:08 22,768 --a------ C:\DOCUME~1\Vlada\usbsermpt.sys
2007-05-24 18:30 40,832 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2007-05-24 18:30 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-05-24 18:30 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-05-24 18:30 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-05-23 19:06 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-05-23 19:06 249,856 --------- C:\WINDOWS\Setup1.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 09:45:15 -------- d-----w C:\DOCUME~1\Vlada\APPLIC~1\Canon
2007-06-19 14:44:22 -------- d-----w C:\Program Files\Canon
2007-06-19 13:58:33 -------- d-----w C:\DOCUME~1\Vlada\APPLIC~1\uTorrent
2007-06-15 13:45:07 -------- d-----w C:\Program Files\QuickTime
2007-06-13 14:24:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-07 11:05:43 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-05-31 11:54:25 -------- d-----w C:\DOCUME~1\Vlada\APPLIC~1\AdobeUM
2007-05-24 13:02:40 -------- d-----w C:\DOCUME~1\Vlada\APPLIC~1\LimeWire
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 12:46:28 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-11 12:35:13 -------- d-----w C:\Program Files\Install Creator Pro
2007-05-11 12:11:50 -------- d-----w C:\DOCUME~1\Vlada\APPLIC~1\Mikrotik
2007-05-10 17:24:49 -------- d-----w C:\DOCUME~1\Vlada\APPLIC~1\Oxin's style
2007-05-10 16:23:52 -------- d-----w C:\DOCUME~1\Vlada\APPLIC~1\Caphyon
2007-05-03 09:51:33 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-25 16:52:08 -------- d-----w C:\Program Files\microsoft frontpage
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-25 11:12:20 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-25 08:47:52 -------- d-----w C:\Program Files\Kaspersky Lab
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 02:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 C:\WINDOWS\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 C:\WINDOWS\SOUNDMAN.EXE]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 02:56 C:\WINDOWS\system32\bthprops.cpl]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a49c2ae-14e7-11dc-9114-00508d86cf5e}]
AutoRun\command- F:\SETUP.EXE /AUTORUN
configure\command- F:\SETUP.EXE
install\command- F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba0c4d86-b5be-11db-b010-00508d86cf5e}]
Auto\command- AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

*Newly Created Service* - GMER

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 18:16:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [1740]


scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background?g

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-20 18:17:30

--- E O F ---
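The entry that matters in this log is easy to miss among a hundred driver and printer files: a hidden folder whose name copies the OS folder it sits in. As an added example for this thread (not ComboFix's or Kaspersky's code), the script below parses lines in the "Files Created" format shown above and flags the entries an analyst would look at first: hidden-attribute objects, an OS-folder name nested inside the Windows directory, and executables dropped straight into the Windows root. `SAMPLE_LINES` are copied from the log above; the parsing regex, the rule set and the `ALLOWLIST` are this example's own assumptions about how to triage such a log, not ComboFix behaviour.

```python
"""Triage of a ComboFix "Files Created" section.

Added example for this thread, not part of ComboFix or any Kaspersky tool.
Only the "Files Created" line format is handled (date, size or <DIR>,
nine-character attribute string, path); the Find3M lines use a different
layout and are skipped by the parser. The allowlist and the three rules are
example assumptions an analyst would adjust for their own environment.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+?)\s*$"
)

# Sample input copied from the ComboFix log in this thread.
SAMPLE_LINES = r"""
2007-06-20 18:13 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-19 18:30 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-19 15:32 2,199,336 --a------ C:\WINDOWS\usenext_freetrial.exe
2007-06-19 15:32 <DIR> d--h----- C:\WINDOWS\windows
2007-06-18 15:02 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-06-14 10:29 57,644 --ah----- C:\WINDOWS\system32\mlfcache.dat
""".strip().splitlines()

WINDOWS_ROOT = r"C:\WINDOWS"
OS_FOLDER_NAMES = {"windows", "system32", "system", "winnt"}
# Analyst-maintained allowlist (example assumption): NTUSER.DAT is a registry
# hive that is legitimately hidden; nircmd.exe appears in the log one minute
# before the scan, alongside the scanner's own run.
ALLOWLIST = {"ntuser.dat", "nircmd.exe"}


@dataclass(frozen=True)
class Entry:
    date: str
    is_dir: bool
    size: int   # 0 for directories
    attrs: str  # ComboFix attribute string, e.g. "d--h-----"
    path: str


def parse_line(line):
    """Parse one "Files Created" line; return None for banners, blanks and other layouts."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size_field = m.group("size")
    is_dir = size_field == "<DIR>"
    size = 0 if is_dir else int(size_field.replace(",", ""))
    return Entry(m.group("date"), is_dir, size, m.group("attrs"), m.group("path"))


def triage(entry):
    """Return the reasons this entry deserves a look (empty list if none)."""
    parent, _, name = entry.path.rpartition("\\")
    if name.lower() in ALLOWLIST:
        return []
    in_windows_root = parent.lower() == WINDOWS_ROOT.lower()
    reasons = []
    if "h" in entry.attrs:
        reasons.append("hidden attribute")
    if entry.is_dir and in_windows_root and name.lower() in OS_FOLDER_NAMES:
        reasons.append("OS-folder name nested inside the Windows directory")
    if not entry.is_dir and in_windows_root and name.lower().endswith(".exe"):
        reasons.append("executable placed directly in the Windows root")
    return reasons


def triage_report(lines):
    """Map each flagged path to its reasons, in log order."""
    report = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            report[entry.path] = reasons
    return report


if __name__ == "__main__":
    for path, reasons in triage_report(SAMPLE_LINES).items():
        print(f"{path}: {', '.join(reasons)}")
```

On the sample lines the script singles out C:\WINDOWS\windows on two counts, the installer dropped in the Windows root, and the hidden mlfcache.dat, while leaving the HP driver and the allowlisted names alone; in practice the allowlist is where most of the tuning happens.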
Vladabgd
QUOTE
-->C:\WINDOWS\windows
What's inside this folder? (It's hidden, you should use another tool than Windows Explorer to view the contents.)


In C:\WINDOWS\Windows I see
klog.dat and msnmsger.exe


msnmsger.exe_ - Backdoor.Win32.Bifrose.agg

New malicious software was found in this file. Its detection will be included in the next update.

Hope, this is it!
Lucian Bara
I think we got it. Delete the folder C:\WINDOWS\windows and reboot.
Wait a few hours (3-4), update, and perform a full scan in safe mode.