n.exn, trojan virus

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Want a New HP LaserJet MFP? Trade in your old printer and receive $1,000 in savings!
Trade in your old printer and receive up to $1,000 in saving on a new HP LaserJet Multifunction Printer. Click here for savings!

BleepingComputer.com > Security > Virus, Trojan, Spyware, and Malware Removal Logs

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

5 Pages

1 2 3 > »

n.exn, trojan virus, Do not know how to remove

Options

goodwidp View Member Profile	Feb 6 2010, 12:36 PM Post #1
Member Group: Members Posts: 41 Joined: 4-November 08 Member No.: 253,022	Recently, my computer (internet browsing in particular, using Firefox) has noticeably slowed. I will occasionally receive a warning from AVG anti-virus that I am infected with a Trojan virus, and this morning, my firewall (ZoneAlarm) blocked an attempt by n.exn, which is apparently used to steal banking information. Also I recently started to receive pop up windows for advertising sites in Firefox. I have since changed my passwords to my online baking site, and no suspicious activity has occurred. I followed the instructions provided for the actions to perform prior to this post, however I did run into an issue. While I was able to run DDS and save the accompanying log files with no issues, I was unable to get GMER to perform correctly. I tried on 2 occasions and both times, the program would hang, my cpu usage increased to 100% and I would have to power down my PC and reboot. I couldnt close the program manually or bring up task manager to use that to close it. I did use DeFogger to stop all CD Emu, and followed all other instructions verbatim, so am unsure as to what would cause this. I will still post the DDS.txt log and attach the attach.txt file from DDS as instructed. Any help with this issue would be greatly appreciated. Thank you. (edited for spelling/grammar) DDS.txt: DDS (Ver_09-12-01.01) - NTFSx86 Run by Dave at 10:37:07.14 on Sat 02/06/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2943.2040 [GMT -5:00] AV: AVG Anti-Virus Free On-access scanning enabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: ZoneAlarm Firewall enabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Creative\Shared Files\CTAudSvc.exe C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe C:\Program Files\AVG\AVG9\avgemc.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\ALCWZRD.EXE C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe C:\Program Files\Creative\Shared Files\CTSched.exe C:\WINDOWS\explorer.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\WizMouse\WizMouse.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Dave\My Documents\Downloads\dds.scr ============== Pseudo HJT Report =============== uStart Page = about:blank uURLSearchHooks: H - No File uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [WizMouse] "c:\program files\wizmouse\WizMouse.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler uRun: [RIMDeviceManager] "c:\program files\common files\research in motion\rimdevicemanager\RIMDeviceManager.exe" -RunServer uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [ehTray] c:\windows\ehome\ehtray.exe mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe mRun: [CreateCD_Reminder] c:\windows\sonysys\vaio recovery\reminder.exe mRun: [SoundMan] SOUNDMAN.EXE mRun: [AlcWzrd] ALCWZRD.EXE mRun: [Alcmtr] ALCMTR.EXE mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe" mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\ati hydravision\HydraDM.exe mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto mRun: [CTxfiHlp] CTXFIHLP.EXE mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe" mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe" mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE mRun: [zuyalavaz] Rundll32.exe "c:\windows\system32\zijofege.dll",a StartupFolder: c:\docume~1\dave\startm~1\programs\startup\foldin~1.lnk - c:\docume~1\dave\applic~1\microsoft\installer\{6a90c837-054e-44ae-b9bd-1b1f87986bbc}\_98830A63A82EB98D7BA198.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263307874343 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15109/CTPID.cab Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: avgrsstarter - avgrsstx.dll AppInit_DLLs: detezija.dll c:\windows\system32\zijofege.dll SSODL: suzetekur - {c0a5efe0-32b7-4420-b5f7-c71ee2624bd6} - c:\windows\system32\zijofege.dll STS: kupuhivus: {c0a5efe0-32b7-4420-b5f7-c71ee2624bd6} - c:\windows\system32\zijofege.dll LSA: Notification Packages = scecli aswapl.dll hukuwozu.dll Hosts: 127.0.0.1 www.spywareinfo.com ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\q2au713i.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.wow.com/ FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p= FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll FF - plugin: c:\documents and settings\dave\local settings\application data\huludesktop\instances\0.9.6.1\npHDPlg.dll FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\opera\program\plugins\np_gp.dll FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll FF - HiddenExtension: XULRunner: {9D8EFD2E-9E2D-479C-8A9B-7F3581F3A312} - c:\documents and settings\dave\local settings\application data\{9D8EFD2E-9E2D-479C-8A9B-7F3581F3A312} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2010-1-26 22272] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-20 333192] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-20 28424] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-20 360584] R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-10 353672] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-17 906520] R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-17 285392] R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776] R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032] R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056] R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728] R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720] R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2010-1-26 14856] R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-20 79360] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728] S3 icsak;icsak;\??\c:\program files\checkpoint\zaforcefield\ak\icsak.sys --> c:\program files\checkpoint\zaforcefield\ak\icsak.sys [?] =============== Created Last 30 ================ 2010-02-06 15:27:17 176 ----a-w- c:\documents and settings\dave\defogger_reenable 2010-02-06 14:00:08 0 d-----w- C:\VundoFix Backups 2010-01-29 06:51:56 1080 ----a-w- c:\windows\system32\settingsbkup.sfm 2010-01-29 06:51:56 1080 ----a-w- c:\windows\system32\settings.sfm 2010-01-27 00:42:04 0 d-----w- c:\program files\AMD 2010-01-27 00:41:55 22272 ----a-w- c:\windows\system32\drivers\amdtools.sys 2010-01-27 00:40:17 14856 ----a-w- c:\windows\system32\drivers\LGVirHid.sys 2010-01-24 03:58:19 0 d-----w- c:\docume~1\dave\applic~1\Realtime Soft 2010-01-24 03:58:06 0 d-----w- c:\program files\common files\Realtime Soft 2010-01-24 03:58:05 0 d-----w- c:\program files\UltraMon 2010-01-24 03:58:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Realtime Soft 2010-01-24 03:20:11 0 d-----w- c:\program files\Folding@home 2010-01-24 03:20:11 0 d-----w- c:\docume~1\dave\applic~1\Folding@home-gpu 2010-01-23 23:50:01 0 d-----w- c:\program files\ATI 2010-01-23 23:49:40 0 d-----w- c:\program files\ATI Technologies 2010-01-23 23:47:22 0 d-----w- C:\ATI 2010-01-21 20:14:31 120 ----a-w- c:\windows\Oxakada.dat 2010-01-21 20:14:31 0 ----a-w- c:\windows\Kbozoquqisefa.bin 2010-01-13 18:28:54 0 d-----w- c:\docume~1\dave\applic~1\IObit 2010-01-13 18:28:53 0 d-----w- c:\program files\IObit 2010-01-09 17:52:23 0 d-----w- c:\program files\PerformanceTest 2010-01-07 19:37:49 0 d-----w- c:\docume~1\dave\applic~1\Registry Mechanic ==================== Find3M ==================== 2010-02-06 15:34:34 4212 ---ha-w- c:\windows\system32\zllictbl.dat 2010-02-06 15:34:02 256 ----a-w- c:\documents and settings\dave\pool.bin 2010-01-25 21:32:31 444952 ----a-w- c:\windows\system32\wrap_oal.dll 2010-01-25 21:32:31 109080 ----a-w- c:\windows\system32\OpenAL32.dll 2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-25 03:27:54 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll 2009-11-25 03:26:52 300032 ----a-w- c:\windows\system32\ati2dvag.dll 2009-11-25 03:11:24 208896 ----a-w- c:\windows\system32\atipdlxx.dll 2009-11-25 03:11:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll 2009-11-25 03:10:54 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe 2009-11-25 03:10:42 43520 ----a-w- c:\windows\system32\ati2edxx.dll 2009-11-25 03:10:28 155648 ----a-w- c:\windows\system32\ati2evxx.dll 2009-11-25 03:09:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe 2009-11-25 03:07:36 53248 ----a-w- c:\windows\system32\ATIDDC.DLL 2009-11-25 02:59:54 311296 ----a-w- c:\windows\system32\atiiiexx.dll 2009-11-25 02:59:04 3538496 ----a-w- c:\windows\system32\ati3duag.dll 2009-11-25 02:44:28 13533184 ----a-w- c:\windows\system32\atioglxx.dll 2009-11-25 02:43:18 2142848 ----a-w- c:\windows\system32\ativvaxx.dll 2009-11-25 02:42:54 887724 ----a-w- c:\windows\system32\ativva6x.dat 2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\atimpc32.dll 2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\amdpcom32.dll 2009-11-25 02:21:40 565248 ----a-w- c:\windows\system32\atikvmag.dll 2009-11-25 02:20:16 45056 ----a-w- c:\windows\system32\aticalrt.dll 2009-11-25 02:20:02 45056 ----a-w- c:\windows\system32\aticalcl.dll 2009-11-25 02:19:26 176128 ----a-w- c:\windows\system32\atiadlxx.dll 2009-11-25 02:18:58 17408 ----a-w- c:\windows\system32\atitvo32.dll 2009-11-25 02:18:26 3612672 ----a-w- c:\windows\system32\aticaldd.dll 2009-11-25 02:17:22 397312 ----a-w- c:\windows\system32\atiok3x2.dll 2009-11-25 02:12:38 638976 ----a-w- c:\windows\system32\ati2cqag.dll 2009-11-21 02:34:54 592488 ----a-w- c:\windows\system32\nvudisp.exe 2009-11-20 02:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE 2009-11-17 18:19:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll 1601-01-01 00:03:52 55808 --sha-w- c:\windows\system32\detezija.dll 1601-01-01 00:03:52 55808 --sha-w- c:\windows\system32\hukuwozu.dll 1601-01-01 00:03:28 42496 --sha-w- c:\windows\system32\larewabo.dll 1601-01-01 00:03:52 55808 --sha-w- c:\windows\system32\wenatune.dll 1601-01-01 00:03:28 96768 --sha-w- c:\windows\system32\zijofege.dll ============= FINISH: 10:38:16.95 =============== This post has been edited by goodwidp: Feb 7 2010, 01:12 AM Attached File(s) Attach.txt ( 15.22k ) Number of downloads: 8

fenzodahl512 View Member Profile	Feb 7 2010, 07:14 AM Post #2
Forum Addict Group: Malware Response Team Posts: 6,490 Joined: 4-December 07 Member No.: 174,482	Please download The Comedian.exe by Rorschach112 to your desktop Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how.. Double click the program to run it. It will only take around several minutes to run. It will do a series of tasks and tell you when each one is finished. You will be prompted to press any key after each step When it is done it will close and exit itself automatically. You can delete The_Comedian.exe once it is finished STOP! if you can't complete this step.. Tell me more about it.. *NEXT* Please download OTS by OldTimer and unzip it to your Desktop.. Note: You must be logged on to the system with an account that has Administrator privileges to run this program. Close ALL OTHER PROGRAMS. Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator). At the top, tick on Scan All Users section At File Age set it to 90 Days In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List. In the Files Created Within and Files Modified Within section, set it to File Age At the bottom, tick on all Safe List and Use Company Name WhiteList option Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them: Reg - Disabled MS Config Items Reg - Drivers32 Reg - Ext Reg - IE Explorer Bar Reg - NetSvcs Reg - Safeboot Minimal Reg - Safeboot Network File - Lop Check File - Purity Scan Please copy/paste below script into Custom Scans box CODE netsvcs %SYSTEMDRIVE%\.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys nvrd32.sys symmpi.sys adp3132.sys /md5stop %systemroot%\. /mp /s CREATERESTOREPOINT %systemroot%\system32\.dll /lockedfiles %systemroot%\Tasks\.job /lockedfiles %systemroot%\system32\drivers\.sys /lockedfiles %systemroot%\System32\config\.sav Do NOT change any other settings. Now click the Run Scan button on the toolbar. Let it run unhindered until it finishes. When the scan is complete Notepad will open with the report file loaded in it. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it. Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post.. *NEXT* Please download GMER and unzip it to your Desktop. <<mirror>> Please rename the random filename or GMER into GAMERS Open the renamed program and click on the Rootkit tab. Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’. Click on Scan. When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread. IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results ATTACH these logs in your next reply 1. OTS 2. GMER -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Will be back this October.. Wake me up when September ends...

goodwidp View Member Profile	Feb 7 2010, 03:40 PM Post #3
Member Group: Members Posts: 41 Joined: 4-November 08 Member No.: 253,022	First off, thank you very much for takign the time to assist me with this issue. I sincerely appreciate your help. While I was able to run comedian and OTS without issue, I did again have issues with getting GMER to finish successfully. Unlike the first few times I ran GMER (where the program would stall a little bit after starting the scan), I was able to get GMER to run a complete scan. After it finished, a GMER dialog box opened with a warning stating that GMER had discovered that a rootkit has modified system settings (taken from memory so not exact wording, but very close). At this point the program was unresponsive, cpu usage was at 100%, and I was unable to do anything else on my desktop, including opening task manager, so I had to power down and reboot. I will attach the OTS log with this post, but since I was unable to copy the results of GMER, I still am unable to provide that information. Also, a new thing that began occurring over the past 24 hrs. is fake pop-up warnings from a scareware program calling itself "Protect your PC". I searched the forums here for info. on the program, and did have to use rkill to close it as I was unable to run any programs while Protect your PC was running. I would certainly love to be able to clear up this issue without having to reformat my PC and start from scratch though I am aware this may be an inevitability. Again, thanks very much for your time and effort in this matter. Attached File(s) OTS.Txt ( 264.45k ) Number of downloads: 20

fenzodahl512 View Member Profile	Feb 8 2010, 06:55 AM Post #4
Forum Addict Group: Malware Response Team Posts: 6,490 Joined: 4-December 07 Member No.: 174,482	Please download The Avenger by Swandog46 and unzip it to your Desktop Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box.. CODE Begin copying here: Drivers to delete: AdbUpd Files to delete: c:\documents and settings\dave\desktop\your pc protector.lnk c:\documents and settings\dave\local settings\application data\dcbc2a71-70d8-4dan-ehr8-e0d61dea3fdf.ini c:\documents and settings\dave\local settings\application data\prvlcl.dat c:\program files\adc32.dll c:\program files\alggui.exe c:\program files\nuar.old c:\program files\svchost.exe c:\program files\wp3.dat c:\program files\wp4.dat c:\program files\wpp.exe c:\windows\kbozoquqisefa.bin c:\windows\oxakada.dat c:\windows\rasqervy.dll c:\windows\sdfinacs.dll c:\windows\sdfixwcs.dll c:\windows\system32\cmd.exe c:\windows\system32\command.com c:\windows\system32\dozibadi.dll c:\windows\system32\dozibadi.dll_old c:\windows\system32\fihisafu c:\windows\system32\gudunowi.dll c:\windows\system32\jasisaji.dll c:\windows\system32\komeluwe.dll c:\windows\system32\vusumuje.dll c:\windows\system32\yuhoraki.dll c:\windows\system32\zijofege.dll c:\your pc protector.lnk Folders to delete: c:\program files\your pc protector Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Now, click on Execute. Just say Yes at every prompted The Avenger will automatically do the following: It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.) On reboot, it will briefly open a black command window on your desktop, this is normal. After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip. Please copy/paste the content of c:\avenger.txt into your reply. *NEXT* OTS Fix Open OTS.. Copy/paste below into Paste Fix Here and then click on the Run Fix button.. Let it finishes and reboot the computer.. Post the log here in your next reply.. CODE [Kill All Processes] [Unregister Dlls] [Modules - Safe List] YY -> jasisaji.dll -> C:\WINDOWS\system32\jasisaji.dll YY -> gudunowi.dll -> C:\WINDOWS\system32\gudunowi.dll [Win32 Services - Safe List] YY -> (AdbUpd) Adobe Update Service [Auto \| Stopped] -> C:\Program Files\svchost.exe [Registry - Safe List] < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ YY -> {77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} [HKLM] -> C:\Program Files\adc32.dll [ADC PlugIn] < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YY -> "zuyalavaz" -> C:\WINDOWS\System32\dozibadi.DLL [Rundll32.exe "c:\windows\system32\dozibadi.dll",a] < RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce YY -> "SpybotDeletingA2458" -> C:\WINDOWS\System32\command.com [command.com /c del "c:\windows\system32\dozibadi.dll_old"] YY -> "SpybotDeletingA3992" -> C:\WINDOWS\System32\command.com [command.com /c del "C:\WINDOWS\system32\hukuwozu.dll.tmp_old"] YY -> "SpybotDeletingA491" -> C:\WINDOWS\System32\command.com [command.com /c del "C:\WINDOWS\system32\detezija.dll.tmp_old"] YY -> "SpybotDeletingC126" -> C:\WINDOWS\System32\cmd.exe [cmd.exe /c del "C:\WINDOWS\system32\hukuwozu.dll.tmp_old"] YY -> "SpybotDeletingC2205" -> C:\WINDOWS\System32\cmd.exe [cmd.exe /c del "C:\WINDOWS\system32\detezija.dll.tmp_old"] YY -> "SpybotDeletingC6637" -> C:\WINDOWS\System32\cmd.exe [cmd.exe /c del "c:\windows\system32\dozibadi.dll_old"] < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs AppInit_DLLs -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls YY -> jasisaji.dll c:\windows\system32\dozibadi.dll -> C:\WINDOWS\System32\jasisaji.dll < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs < SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad YY -> "{798ecf98-4c77-4aee-ab93-a417cc71dbce}" [HKLM] -> C:\WINDOWS\System32\dozibadi.dll [kekaterel] < SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler YY -> "{798ecf98-4c77-4aee-ab93-a417cc71dbce}" [HKLM] -> C:\WINDOWS\System32\dozibadi.dll [mujuzedij] [Registry - Additional Scans - Safe List] < Ext (Stats) - [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\ YY -> {77DC0BAA-3235-4BA9-8BE8-AA9EB678FA02} [HKLM] -> C:\Program Files\adc32.dll [ADC PlugIn] [Files/Folders - Created Within 90 Days] NY -> adc32.dll -> C:\Program Files\adc32.dll NY -> Your PC Protector -> C:\Program Files\Your PC Protector NY -> wpp.exe -> C:\Program Files\wpp.exe [Files/Folders - Modified Within 90 Days] NY -> zijofege.dll -> C:\WINDOWS\System32\zijofege.dll NY -> dozibadi.dll_old -> C:\WINDOWS\System32\dozibadi.dll_old NY -> yuhoraki.dll -> C:\WINDOWS\System32\yuhoraki.dll NY -> vusumuje.dll -> C:\WINDOWS\System32\vusumuje.dll NY -> jasisaji.dll -> C:\WINDOWS\System32\jasisaji.dll NY -> gudunowi.dll -> C:\WINDOWS\System32\gudunowi.dll NY -> komeluwe.dll -> C:\WINDOWS\System32\komeluwe.dll NY -> fihisafu -> C:\WINDOWS\System32\fihisafu NY -> wp4.dat -> C:\Program Files\wp4.dat NY -> wp3.dat -> C:\Program Files\wp3.dat NY -> adc32.dll -> C:\Program Files\adc32.dll NY -> alggui.exe -> C:\Program Files\alggui.exe NY -> Your PC Protector.lnk -> C:\Your PC Protector.lnk NY -> prvlcl.dat -> C:\Documents and Settings\Dave\Local Settings\Application Data\prvlcl.dat NY -> nuar.old -> C:\Program Files\nuar.old NY -> svchost.exe -> C:\Program Files\svchost.exe NY -> Your PC Protector.lnk -> C:\Documents and Settings\Dave\Desktop\Your PC Protector.lnk NY -> wpp.exe -> C:\Program Files\wpp.exe NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini NY -> Kbozoquqisefa.bin -> C:\WINDOWS\Kbozoquqisefa.bin NY -> Oxakada.dat -> C:\WINDOWS\Oxakada.dat [Files - No Company Name] NY -> zijofege.dll -> C:\WINDOWS\System32\zijofege.dll NY -> dozibadi.dll_old -> C:\WINDOWS\System32\dozibadi.dll_old NY -> yuhoraki.dll -> C:\WINDOWS\System32\yuhoraki.dll NY -> vusumuje.dll -> C:\WINDOWS\System32\vusumuje.dll NY -> jasisaji.dll -> C:\WINDOWS\System32\jasisaji.dll NY -> gudunowi.dll -> C:\WINDOWS\System32\gudunowi.dll NY -> komeluwe.dll -> C:\WINDOWS\System32\komeluwe.dll NY -> fihisafu -> C:\WINDOWS\System32\fihisafu NY -> Your PC Protector.lnk -> C:\Your PC Protector.lnk NY -> nuar.old -> C:\Program Files\nuar.old NY -> alggui.exe -> C:\Program Files\alggui.exe NY -> svchost.exe -> C:\Program Files\svchost.exe NY -> wp4.dat -> C:\Program Files\wp4.dat NY -> wp3.dat -> C:\Program Files\wp3.dat NY -> Your PC Protector.lnk -> C:\Documents and Settings\Dave\Desktop\Your PC Protector.lnk NY -> Oxakada.dat -> C:\WINDOWS\Oxakada.dat NY -> Kbozoquqisefa.bin -> C:\WINDOWS\Kbozoquqisefa.bin NY -> prvlcl.dat -> C:\Documents and Settings\Dave\Local Settings\Application Data\prvlcl.dat NY -> rasqervy.dll -> C:\WINDOWS\rasqervy.dll NY -> sdfinacs.dll -> C:\WINDOWS\sdfinacs.dll NY -> sdfixwcs.dll -> C:\WINDOWS\sdfixwcs.dll [Alternate Data Streams] NY -> @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 NY -> @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 [Empty Temp Folders] [CreateRestorePoint] [Start Explorer] [ZipFiles] [Reboot] *NEXT* Please download TDSSKiller.zip and unzip it to your Desktop Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows) The log shall be named something like this one.. (TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log) *NEXT* Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given.. Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop. During the download, rename Combofix to Combo-Fix as follows: It is important you rename Combofix during the download, but not after. NOTE: If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab Set to "Always ask me where to Save the files". After that, double-click and run Combo-Fix. Let it finish its job and post the log here If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest.. Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job.. Post these logs in your next reply.. 1. The Avenger 2. OTS 3. TDSS Killer 4. ComboFix -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Will be back this October.. Wake me up when September ends...**

goodwidp View Member Profile	Feb 8 2010, 06:20 PM Post #5
Member Group: Members Posts: 41 Joined: 4-November 08 Member No.: 253,022	Thanks again for your prompt response and continued assistance. Unfortunately, I did run into another issue while following your instructions. I was able to run Avenger, OTS, and TDSSKiller with no problems, however when I went to use Combofix all that would happen is a small status bar pops up in the middle of my desktop with the text "Combofix" and a blue progress bar that quickly fills. After that nothing happens at all. In task manager I can see the Combofix process close after the status bar disappears. The PC doesn't hang or anything else abnormal appears to happen, but its obvious Combofix isn't doing anything once the status bar finishes loading. Keep in mind I followed all instructions relating to Combofix, including renaming it to Combo-fix and disabling AVG, teatimer, and Zonealarm firewall. Anyway, here are the reults from the logs of the other 3 programs...Thanks again! Avenger log: Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ***************** Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: Rootkit scan active. No rootkits found! Driver "AdbUpd" deleted successfully. File "c:\documents and settings\dave\desktop\your pc protector.lnk" deleted successfully. File "c:\documents and settings\dave\local settings\application data\dcbc2a71-70d8-4dan-ehr8-e0d61dea3fdf.ini" deleted successfully. File "c:\documents and settings\dave\local settings\application data\prvlcl.dat" deleted successfully. File "c:\program files\adc32.dll" deleted successfully. File "c:\program files\alggui.exe" deleted successfully. File "c:\program files\nuar.old" deleted successfully. File "c:\program files\svchost.exe" deleted successfully. File "c:\program files\wp3.dat" deleted successfully. File "c:\program files\wp4.dat" deleted successfully. File "c:\program files\wpp.exe" deleted successfully. File "c:\windows\kbozoquqisefa.bin" deleted successfully. File "c:\windows\oxakada.dat" deleted successfully. File "c:\windows\rasqervy.dll" deleted successfully. File "c:\windows\sdfinacs.dll" deleted successfully. File "c:\windows\sdfixwcs.dll" deleted successfully. File "c:\windows\system32\cmd.exe" deleted successfully. File "c:\windows\system32\command.com" deleted successfully. Error: file "c:\windows\system32\dozibadi.dll" not found! Deletion of file "c:\windows\system32\dozibadi.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\dozibadi.dll_old" not found! Deletion of file "c:\windows\system32\dozibadi.dll_old" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist File "c:\windows\system32\fihisafu" deleted successfully. File "c:\windows\system32\gudunowi.dll" deleted successfully. File "c:\windows\system32\jasisaji.dll" deleted successfully. File "c:\windows\system32\komeluwe.dll" deleted successfully. File "c:\windows\system32\vusumuje.dll" deleted successfully. File "c:\windows\system32\yuhoraki.dll" deleted successfully. File "c:\windows\system32\zijofege.dll" deleted successfully. File "c:\your pc protector.lnk" deleted successfully. Folder "c:\program files\your pc protector" deleted successfully. Completed script processing. ***************** Finished! Terminate. OTS log: All Processes Killed [Modules - Safe List] [Win32 Services - Safe List] Error: No service named AdbUpd was found to stop! Unable to stop service AdbUpd! File C:\Program Files\svchost.exe not found. [Registry - Safe List] Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}\ not found. File C:\Program Files\adc32.dll not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\zuyalavaz not found. File C:\WINDOWS\System32\dozibadi.DLL not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingA2458 not found. File C:\WINDOWS\System32\command.com not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingA3992 not found. File C:\WINDOWS\System32\command.com not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingA491 not found. File C:\WINDOWS\System32\command.com not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingC126 not found. File C:\WINDOWS\System32\cmd.exe not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingC2205 not found. File C:\WINDOWS\System32\cmd.exe not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingC6637 not found. File C:\WINDOWS\System32\cmd.exe not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:jasisaji.dll c:\windows\system32\dozibadi.dll deleted successfully. File C:\WINDOWS\System32\jasisaji.dll not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\kekaterel not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{798ecf98-4c77-4aee-ab93-a417cc71dbce}\ not found. File C:\WINDOWS\System32\dozibadi.dll not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{798ecf98-4c77-4aee-ab93-a417cc71dbce} not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{798ecf98-4c77-4aee-ab93-a417cc71dbce}\ not found. File C:\WINDOWS\System32\dozibadi.dll not found. [Registry - Additional Scans - Safe List] Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77DC0BAA-3235-4BA9-8BE8-AA9EB678FA02}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77DC0BAA-3235-4BA9-8BE8-AA9EB678FA02}\ not found. File C:\Program Files\adc32.dll not found. [Files/Folders - Created Within 90 Days] File C:\Program Files\adc32.dll not found! File C:\Program Files\Your PC Protector not found! File C:\Program Files\wpp.exe not found! [Files/Folders - Modified Within 90 Days] File C:\WINDOWS\System32\zijofege.dll not found! File C:\WINDOWS\System32\dozibadi.dll_old not found! File C:\WINDOWS\System32\yuhoraki.dll not found! File C:\WINDOWS\System32\vusumuje.dll not found! File C:\WINDOWS\System32\jasisaji.dll not found! File C:\WINDOWS\System32\gudunowi.dll not found! File C:\WINDOWS\System32\komeluwe.dll not found! C:\WINDOWS\System32\fihisafu moved successfully. File C:\Program Files\wp4.dat not found! File C:\Program Files\wp3.dat not found! File C:\Program Files\adc32.dll not found! File C:\Program Files\alggui.exe not found! File C:\Your PC Protector.lnk not found! File C:\Documents and Settings\Dave\Local Settings\Application Data\prvlcl.dat not found! File C:\Program Files\nuar.old not found! File C:\Program Files\svchost.exe not found! File C:\Documents and Settings\Dave\Desktop\Your PC Protector.lnk not found! File C:\Program Files\wpp.exe not found! File C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini not found! File C:\WINDOWS\Kbozoquqisefa.bin not found! File C:\WINDOWS\Oxakada.dat not found! [Files - No Company Name] File C:\WINDOWS\System32\zijofege.dll not found! File C:\WINDOWS\System32\dozibadi.dll_old not found! File C:\WINDOWS\System32\yuhoraki.dll not found! File C:\WINDOWS\System32\vusumuje.dll not found! File C:\WINDOWS\System32\jasisaji.dll not found! File C:\WINDOWS\System32\gudunowi.dll not found! File C:\WINDOWS\System32\komeluwe.dll not found! File C:\WINDOWS\System32\fihisafu not found! File C:\Your PC Protector.lnk not found! File C:\Program Files\nuar.old not found! File C:\Program Files\alggui.exe not found! File C:\Program Files\svchost.exe not found! File C:\Program Files\wp4.dat not found! File C:\Program Files\wp3.dat not found! File C:\Documents and Settings\Dave\Desktop\Your PC Protector.lnk not found! File C:\WINDOWS\Oxakada.dat not found! File C:\WINDOWS\Kbozoquqisefa.bin not found! File C:\Documents and Settings\Dave\Local Settings\Application Data\prvlcl.dat not found! File C:\WINDOWS\rasqervy.dll not found! File C:\WINDOWS\sdfinacs.dll not found! File C:\WINDOWS\sdfixwcs.dll not found! [Alternate Data Streams] Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 . Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 . [Empty Temp Folders] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: All Users User: Dave ->Temp folder emptied: 2198679 bytes ->Temporary Internet Files folder emptied: 93291 bytes ->Java cache emptied: 1875835 bytes ->FireFox cache emptied: 36556707 bytes ->Opera cache emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: LocalService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 256 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 39.00 mb Restore point Set: OTS Restore Point (64424509440) < End of fix log > OTS by OldTimer - Version 3.1.20.1 fix logfile created on 02082010_172738 Files\Folders moved on Reboot... C:\Documents and Settings\Dave\Local Settings\Temp\~DF58A0.tmp moved successfully. File\Folder C:\WINDOWS\temp\ZLT00215.TMP not found! Registry entries deleted on Reboot... TDSSKiller log: 17:36:41:953 6120 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00 17:36:41:953 6120 ================================================================================ 17:36:41:953 6120 SystemInfo: 17:36:41:953 6120 OS Version: 5.1.2600 ServicePack: 2.0 17:36:41:953 6120 Product type: Workstation 17:36:41:953 6120 ComputerName: YOUR-85A8F7B8EC 17:36:41:953 6120 UserName: Dave 17:36:41:953 6120 Windows directory: C:\WINDOWS 17:36:41:953 6120 Processor architecture: Intel x86 17:36:41:953 6120 Number of processors: 2 17:36:41:953 6120 Page size: 0x1000 17:36:41:953 6120 Boot type: Normal boot 17:36:41:953 6120 ================================================================================ 17:36:41:953 6120 UnloadDriverW: NtUnloadDriver error 2 17:36:41:953 6120 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2 17:36:41:984 6120 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000 17:36:42:015 6120 UtilityInit: KLMD drop and load success 17:36:42:015 6120 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010) 17:36:42:015 6120 UtilityInit: KLMD open success 17:36:42:015 6120 UtilityInit: Initialize success 17:36:42:015 6120 17:36:42:015 6120 Scanning Services ... 17:36:42:015 6120 CreateRegParser: Registry parser init started 17:36:42:015 6120 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127 17:36:42:015 6120 CreateRegParser: DisableWow64Redirection error 17:36:42:015 6120 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system 17:36:42:015 6120 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043 17:36:42:015 6120 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 17:36:42:015 6120 wfopen_ex: Trying to KLMD file open 17:36:42:015 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system 17:36:42:015 6120 wfopen_ex: File opened ok (Flags 2) 17:36:42:015 6120 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: C74AE8 17:36:42:015 6120 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software 17:36:42:031 6120 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043 17:36:42:031 6120 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 17:36:42:031 6120 wfopen_ex: Trying to KLMD file open 17:36:42:031 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software 17:36:42:031 6120 wfopen_ex: File opened ok (Flags 2) 17:36:42:031 6120 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: C74B90 17:36:42:031 6120 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127 17:36:42:031 6120 CreateRegParser: EnableWow64Redirection error 17:36:42:031 6120 CreateRegParser: RegParser init completed 17:36:42:640 6120 GetAdvancedServicesInfo: Raw services enum returned 380 services 17:36:42:640 6120 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system 17:36:42:640 6120 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software 17:36:42:640 6120 17:36:42:640 6120 Scanning Kernel memory ... 17:36:42:640 6120 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk 17:36:42:640 6120 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8ACD4A08 17:36:42:640 6120 DetectCureTDL3: KLMD_GetDeviceObjectList returned 16 DevObjects 17:36:42:640 6120 17:36:42:640 6120 DetectCureTDL3: DEVICE_OBJECT: 897A4030 17:36:42:640 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 897A4030 17:36:42:640 6120 KLMD_ReadMem: Trying to ReadMemory 0x897A4030[0x38] 17:36:42:640 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08 17:36:42:640 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8] 17:36:42:640 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18] 17:36:42:640 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:36:42:640 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30 17:36:42:640 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30 17:36:42:640 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B 17:36:42:640 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B 17:36:42:640 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366 17:36:42:640 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D 17:36:42:640 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3 17:36:42:640 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366 17:36:42:640 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3 17:36:42:640 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24 17:36:42:640 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:640 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:640 6120 TDL3_FileDetect: Processing driver: Disk 17:36:42:640 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:640 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:703 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:36:42:703 6120 17:36:42:703 6120 DetectCureTDL3: DEVICE_OBJECT: 8957A030 17:36:42:703 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8957A030 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8957A030[0x38] 17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8] 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18] 17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:36:42:703 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30 17:36:42:703 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30 17:36:42:703 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B 17:36:42:703 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B 17:36:42:703 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366 17:36:42:703 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D 17:36:42:703 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3 17:36:42:703 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366 17:36:42:703 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3 17:36:42:703 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24 17:36:42:703 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:703 6120 TDL3_FileDetect: Processing driver: Disk 17:36:42:703 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:703 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:703 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:36:42:703 6120 17:36:42:703 6120 DetectCureTDL3: DEVICE_OBJECT: 8AACE030 17:36:42:703 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AACE030 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AACE030[0x38] 17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8] 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18] 17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:36:42:703 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30 17:36:42:703 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30 17:36:42:703 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B 17:36:42:703 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B 17:36:42:703 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366 17:36:42:703 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D 17:36:42:703 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3 17:36:42:703 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366 17:36:42:703 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3 17:36:42:703 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24 17:36:42:703 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:703 6120 TDL3_FileDetect: Processing driver: Disk 17:36:42:703 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:703 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:703 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:36:42:703 6120 17:36:42:703 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA1B210 17:36:42:703 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA1B210 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA1B210[0x38] 17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8] 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18] 17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:36:42:703 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30 17:36:42:703 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30 17:36:42:703 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B 17:36:42:703 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B 17:36:42:703 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366 17:36:42:703 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D 17:36:42:703 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3 17:36:42:703 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366 17:36:42:703 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3 17:36:42:703 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24 17:36:42:703 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:703 6120 TDL3_FileDetect: Processing driver: Disk 17:36:42:703 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:703 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:703 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:36:42:703 6120 17:36:42:703 6120 DetectCureTDL3: DEVICE_OBJECT: 8AB3E8F0 17:36:42:703 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB3E8F0 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AB3E8F0[0x38] 17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8] 17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18] 17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:36:42:703 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30 17:36:42:703 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30 17:36:42:703 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B 17:36:42:703 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B 17:36:42:703 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366 17:36:42:703 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D 17:36:42:703 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3 17:36:42:703 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366 17:36:42:703 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3 17:36:42:703 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24 17:36:42:703 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:703 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:703 6120 TDL3_FileDetect: Processing driver: Disk 17:36:42:703 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:703 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:36:42:718 6120 17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA03030 17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA03030 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA03030[0x38] 17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8] 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18] 17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:36:42:718 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30 17:36:42:718 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30 17:36:42:718 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B 17:36:42:718 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B 17:36:42:718 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366 17:36:42:718 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D 17:36:42:718 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3 17:36:42:718 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366 17:36:42:718 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3 17:36:42:718 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24 17:36:42:718 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:718 6120 TDL3_FileDetect: Processing driver: Disk 17:36:42:718 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:718 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:36:42:718 6120 17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA4F928 17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA4F928 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA4F928[0x38] 17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8] 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18] 17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:36:42:718 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30 17:36:42:718 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30 17:36:42:718 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B 17:36:42:718 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B 17:36:42:718 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366 17:36:42:718 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D 17:36:42:718 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3 17:36:42:718 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366 17:36:42:718 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3 17:36:42:718 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24 17:36:42:718 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:718 6120 TDL3_FileDetect: Processing driver: Disk 17:36:42:718 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:718 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:36:42:718 6120 17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8A9FFAB8 17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A9FFAB8 17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 896E2B48 17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 896E2B48 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x896E2B48[0x38] 17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8] 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E] 17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor 17:36:42:718 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218 17:36:42:718 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218 17:36:42:718 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C 17:36:42:718 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C 17:36:42:718 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180 17:36:42:718 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6 17:36:42:718 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0 17:36:42:718 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E 17:36:42:718 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400] 17:36:42:718 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0 17:36:42:718 6120 TDL3_FileDetect: Processing driver: usbstor 17:36:42:718 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:718 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:36:42:718 6120 17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA0CAB8 17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA0CAB8 17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 896F2030 17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 896F2030 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x896F2030[0x38] 17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8] 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E] 17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor 17:36:42:718 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218 17:36:42:718 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218 17:36:42:718 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C 17:36:42:718 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C 17:36:42:718 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180 17:36:42:718 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6 17:36:42:718 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0 17:36:42:718 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E 17:36:42:718 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:718 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400] 17:36:42:718 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0 17:36:42:718 6120 TDL3_FileDetect: Processing driver: usbstor 17:36:42:718 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:718 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:36:42:718 6120 17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8950A030 17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8950A030 17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 896DF468 17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 896DF468 17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x896DF468[0x38] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8] 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor 17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218 17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218 17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C 17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C 17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180 17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6 17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0 17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E 17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400] 17:36:42:734 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0 17:36:42:734 6120 TDL3_FileDetect: Processing driver: usbstor 17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:36:42:734 6120 17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA0D660 17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA0D660 17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 896EA370 17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 896EA370 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x896EA370[0x38] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8] 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor 17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218 17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218 17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C 17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C 17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180 17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6 17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0 17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E 17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400] 17:36:42:734 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0 17:36:42:734 6120 TDL3_FileDetect: Processing driver: usbstor 17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:36:42:734 6120 17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8AAC0258 17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AAC0258 17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 897A6448 17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 897A6448 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x897A6448[0x38] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8] 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor 17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218 17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218 17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C 17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C 17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180 17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6 17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0 17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E 17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400] 17:36:42:734 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0 17:36:42:734 6120 TDL3_FileDetect: Processing driver: usbstor 17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:36:42:734 6120 17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 894D8778 17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 894D8778 17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8973A868 17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8973A868 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8973A868[0x38] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8] 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor 17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218 17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218 17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C 17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C 17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180 17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6 17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0 17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E 17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400] 17:36:42:734 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0 17:36:42:734 6120 TDL3_FileDetect: Processing driver: usbstor 17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:36:42:734 6120 17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8AC42C68 17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC42C68 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AC42C68[0x38] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8] 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30 17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30 17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B 17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B 17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366 17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D 17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3 17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366 17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3 17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24 17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:734 6120 TDL3_FileDetect: Processing driver: Disk 17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:36:42:734 6120 17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8ACA99F0 17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ACA99F0 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACA99F0[0x38] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8] 17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18] 17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30 17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30 17:36:42:750 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B 17:36:42:750 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B 17:36:42:750 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366 17:36:42:750 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D 17:36:42:750 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3 17:36:42:750 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366 17:36:42:750 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3 17:36:42:750 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24 17:36:42:750 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:750 6120 TDL3_FileDetect: Processing driver: Disk 17:36:42:750 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:750 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys 17:36:42:750 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:36:42:750 6120 17:36:42:750 6120 DetectCureTDL3: DEVICE_OBJECT: 8ACC9AB8 17:36:42:750 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ACC9AB8 17:36:42:750 6120 DetectCureTDL3: DEVICE_OBJECT: 8ACAF9A0 17:36:42:750 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ACAF9A0 17:36:42:750 6120 DetectCureTDL3: DEVICE_OBJECT: 8ACBBD98 17:36:42:750 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ACBBD98 17:36:42:750 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACBBD98[0x38] 17:36:42:750 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACAE900 17:36:42:750 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACAE900[0xA8] 17:36:42:750 6120 KLMD_ReadMem: Trying to ReadMemory 0xE101D848[0x1A] 17:36:42:750 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi 17:36:42:750 6120 DetectCureTDL3: IrpHandler (0) addr: B7F15572 17:36:42:750 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (2) addr: B7F15572 17:36:42:750 6120 DetectCureTDL3: IrpHandler (3) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (4) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (14) addr: B7F15592 17:36:42:750 6120 DetectCureTDL3: IrpHandler (15) addr: B7F117B4 17:36:42:750 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (22) addr: B7F155BC 17:36:42:750 6120 DetectCureTDL3: IrpHandler (23) addr: B7F1C164 17:36:42:750 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476 17:36:42:750 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476 17:36:42:750 6120 KLMD_ReadMem: Trying to ReadMemory 0xB7F127C6[0x400] 17:36:42:750 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0 17:36:42:750 6120 TDL3_FileDetect: Processing driver: atapi 17:36:42:750 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys 17:36:42:750 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys 17:36:42:859 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean 17:36:42:859 6120 17:36:42:859 6120 Completed 17:36:42:859 6120 17:36:42:859 6120 Results: 17:36:42:859 6120 Memory objects infected / cured / cured on reboot: 0 / 0 / 0 17:36:42:859 6120 Registry objects infected / cured / cured on reboot: 0 / 0 / 0 17:36:42:859 6120 File objects infected / cured / cured on reboot: 0 / 0 / 0 17:36:42:859 6120 17:36:42:859 6120 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000 17:36:42:859 6120 UtilityDeinit: KLMD(ARK) unloaded successfully

fenzodahl512 View Member Profile	Feb 9 2010, 07:07 AM Post #6
Forum Addict Group: Malware Response Team Posts: 6,490 Joined: 4-December 07 Member No.: 174,482	Can you run ComboFix on Safe Mode? If yes please do that and post the log here -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Will be back this October.. Wake me up when September ends...

goodwidp View Member Profile	Feb 9 2010, 11:14 AM Post #7
Member Group: Members Posts: 41 Joined: 4-November 08 Member No.: 253,022	Unfortunately, running Windows in Safe Mode made no difference in terms of successfully running Combofix. The same exact thing happened when I tried running it in normal Windows. Progress bar appears, finishes loading, but then disappears and that is it. Again, I sincerely appreciate your help and look forward to your next response.

fenzodahl512 View Member Profile	Feb 9 2010, 11:29 AM Post #8
Forum Addict Group: Malware Response Team Posts: 6,490 Joined: 4-December 07 Member No.: 174,482	Please run a free online scan with the ESET Online Scanner *Note*: You will need to use Internet Explorer for this scan. Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the ActiveX control to install Click Start Make sure that the options Remove found threats and the option Scan unwanted applications is checked Click Scan Wait for the scan to finish Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic Please download avz4.zip and unzip it to your Desktop Double click on avz.exe to run it. From the "File" menu, choose "Standard Scripts" Put a check next to item 2: Advanced System Analysis Click Execute selected scripts At the next prompt, click the OK button Let the scan run and click "OK" when the completion prompt pops up Now Close out of the Standard Scripts window, and exit AVZ Navigate to the avz4 folder and locate the folder LOG Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip Attach virusinfo_syscheck.htm AND virusinfo_syscure.htm to your next reply -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Will be back this October.. Wake me up when September ends...

goodwidp View Member Profile	Feb 9 2010, 01:44 PM Post #9
Member Group: Members Posts: 41 Joined: 4-November 08 Member No.: 253,022	ESET Online Scanner Log: ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=c019cb6be30ea845a6be70a02bef443c # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2010-02-09 06:09:43 # local_time=2010-02-09 01:09:43 (-0500, Eastern Standard Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 2 # compatibility_mode=1024 16777175 100 0 6334827 6334827 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # compatibility_mode=9217 16777214 75 74 17536727 33083339 0 0 # scanned=121517 # found=3 # cleaned=3 # scan_time=4191 C:\Avenger\zijofege.dll a variant of Win32/Adware.Virtumonde.NGW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Program Files\schtml\dbsinit.exe Win32/Adware.WinAntiVirus application (deleted - quarantined) 00000000000000000000000000000000 C C:\Program Files\schtml\wispex.html Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C In the AVZ4/LOG directory I was able to locate the virusinfo_syscheck.htm and virusinfo_syscheck.zip files, but was unable to locate any file named virusinfo_syscure.htm. Inside the .zip archive was a file named avz_sysinfo.htm, so I attached that along with virusinfo_syscheck.htm. EDIT: I am unable to attach either of the aforementioned files as I get a message stating "the file was larger than the available space"...The 2 files are @1.2mb each and my max. single upload size is 219K. Please let me know what you would like me to do as an alternative and I will be happy to comply. I must say, while I know we're not finished, I have already noticed an improvement. The Your PC Protector scareware is no longer showing up nor are the pop up advertising pages in Firefox. I know I sound like a broken record saying this over and over again, but I really do appreciate you taking the time to help with this. Thanks again!

fenzodahl512 View Member Profile	Feb 10 2010, 05:52 AM Post #10
Forum Addict Group: Malware Response Team Posts: 6,490 Joined: 4-December 07 Member No.: 174,482	Please put all logs into a folder >> zip the folder >> upload it at RapidShare or MegaUpload >> post the download link here -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Will be back this October.. Wake me up when September ends...

goodwidp View Member Profile	Feb 10 2010, 10:35 AM Post #11
Member Group: Members Posts: 41 Joined: 4-November 08 Member No.: 253,022	I hope its OK, but I use WINRAR as my extractor as opposed to WINZIP, so the archive is in .rar format. If this is a problem, let me know and I will get WINZIP and redo it. While I said in my last post that some things had improved, I am still getting messages from AVG for a few different infected .dll files. The one name I can remember is polekove.dll, and I cant recall the other 2 common ones. Also, teatimer.exe tends to use much more cpu usage than normal after a few hours of computer usage, a reboot will fix it for a little bit, but it always seems to revert back. Here is the link for the AVZ4 and ESET online scanner logs: Logs archive Thanks again!

fenzodahl512 View Member Profile	Feb 11 2010, 06:45 AM Post #12
Forum Addict Group: Malware Response Team Posts: 6,490 Joined: 4-December 07 Member No.: 174,482	Hello.. First, please uninstall Spybot S&D Then do below.. AVZ FIX : Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before this fix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given.. Close all windows then double click on AVZ.exe Click File >> Custom scripts Copy & paste the contents of the following codebox in the box in the program CODE begin SearchRootkit(true, true); SetAVZGuardStatus(True); DelBHO('{05a44286-4915-434b-b9c8-a3b2dcc2225c}'); BC_DeleteFile('C:\WINDOWS\system32\bizikife.dll'); BC_DeleteFile('c:\windows\system32\boravupi.dll'); BC_DeleteFile('C:\WINDOWS\system32\nobiwuna.dll'); BC_DeleteFile('C:\WINDOWS\system32\polekove.dll'); BC_DeleteFile('C:\WINDOWS\system32\yivoboki.dll'); RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','zuyalavaz'); RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{8f0edec0-5f05-45e9-876a-62a60fd2daed}'); RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','jumeredog'); RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','jimefufiki'); RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run-','jimefufiki'); BC_ImportDeletedList; ExecuteSysClean; BC_Activate; RebootWindows(true); end. Note: When you run the script, your PC will be restarted Click Run Restart your PC if it doesn't do it automatically. *NEXT* Please download the OTM by OldTimer Save it to your Desktop. Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator") Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar) CODE :processes explorer.exe :reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 :commands [purity] [emptytemp] [start explorer] [reboot] Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTM If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Then try to run either GMER or ComboFix and post the log here -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Will be back this October.. Wake me up when September ends...

goodwidp View Member Profile	Feb 11 2010, 12:44 PM Post #13
Member Group: Members Posts: 41 Joined: 4-November 08 Member No.: 253,022	I was able to run the AVZ fix and OTM successfully and will post the OTM log below. Unfortunately, I am still running into the same issues with GMER and ComboFix. Combo still does nothing after the progress bar finishes loading, and GMER simply restarted my PC after scanning for a while, without showing any signs or confirmation of finishing the scan. There was no log or any sort of results posted as the scan was unable to reach 100% completion. As always, thanks SO much for your continued assistance! OTM Log- All processes killed ========== PROCESSES ========== Process explorer.exe killed successfully! ========== REGISTRY ========== HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"\|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully! HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"\|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully! ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: All Users User: Dave ->Temp folder emptied: 66846663 bytes ->Temporary Internet Files folder emptied: 436060 bytes ->Java cache emptied: 3912506 bytes ->FireFox cache emptied: 76983213 bytes ->Opera cache emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: LocalService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 22084 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 11154175 bytes Total Files Cleaned = 152.00 mb OTM by OldTimer - Version 3.1.8.0 log created on 02112010_112159 Files moved on Reboot... C:\Documents and Settings\Dave\Local Settings\Temp\~DF57BD.tmp moved successfully. File C:\WINDOWS\temp\ZLT00086.TMP not found! Registry entries deleted on Reboot...

fenzodahl512 View Member Profile	Feb 12 2010, 04:53 AM Post #14
Forum Addict Group: Malware Response Team Posts: 6,490 Joined: 4-December 07 Member No.: 174,482	Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop Run SysProt >> Click on the Log tab Tick ALL the boxes at the "Write to log" section (Do NOT tick the "Hidden Objects Only" options) Hit the Create Log button When it asked for scanning option, choose Scanning all drives >> Hit Start button (Do NOT hit "Ok" button) Let it scan until finish Find the log.txt inside the SysProt folder and attach the log here. *NEXT* Download this tool to desktop: http://www2.gmer.net/mbr/mbr.exe Double click it & post the log it creates on desktop. (mbr.log) -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Will be back this October.. Wake me up when September ends...

goodwidp View Member Profile	Feb 12 2010, 02:54 PM Post #15
Member Group: Members Posts: 41 Joined: 4-November 08 Member No.: 253,022	Here is the MBR.exe log...I have also attached the SysProt log. Thank you. Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK PE file found in sector at 0x01749DDC1 ! Attached File(s) SysProtLog.txt ( 37.69k ) Number of downloads: 12

« Next Oldest · Virus, Trojan, Spyware, and Malware Removal Logs · Next Newest »

5 Pages

1 2 3 > »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 6th September 2010 - 03:34 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides