BleepingComputer.com: n.exn, trojan virus

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 5 Pages +
  • 1
  • 2
  • 3
  • Last »
  • You cannot start a new topic
  • You cannot reply to this topic

n.exn, trojan virus Do not know how to remove

#1 User is offline   goodwidp 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 04-November 08

Posted 06 February 2010 - 12:36 PM

Recently, my computer (internet browsing in particular, using Firefox) has noticeably slowed. I will occasionally receive a warning from AVG anti-virus that I am infected with a Trojan virus, and this morning, my firewall (ZoneAlarm) blocked an attempt by n.exn, which is apparently used to steal banking information. Also I recently started to receive pop up windows for advertising sites in Firefox. I have since changed my passwords to my online baking site, and no suspicious activity has occurred. I followed the instructions provided for the actions to perform prior to this post, however I did run into an issue. While I was able to run DDS and save the accompanying log files with no issues, I was unable to get GMER to perform correctly. I tried on 2 occasions and both times, the program would hang, my cpu usage increased to 100% and I would have to power down my PC and reboot. I couldnt close the program manually or bring up task manager to use that to close it. I did use DeFogger to stop all CD Emu, and followed all other instructions verbatim, so am unsure as to what would cause this. I will still post the DDS.txt log and attach the attach.txt file from DDS as instructed. Any help with this issue would be greatly appreciated. Thank you. (edited for spelling/grammar)

DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Dave at 10:37:07.14 on Sat 02/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2943.2040 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WizMouse\WizMouse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dave\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WizMouse] "c:\program files\wizmouse\WizMouse.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [RIMDeviceManager] "c:\program files\common files\research in motion\rimdevicemanager\RIMDeviceManager.exe" -RunServer
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [CreateCD_Reminder] c:\windows\sonysys\vaio recovery\reminder.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\ati hydravision\HydraDM.exe
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [zuyalavaz] Rundll32.exe "c:\windows\system32\zijofege.dll",a
StartupFolder: c:\docume~1\dave\startm~1\programs\startup\foldin~1.lnk - c:\docume~1\dave\applic~1\microsoft\installer\{6a90c837-054e-44ae-b9bd-1b1f87986bbc}\_98830A63A82EB98D7BA198.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263307874343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15109/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: detezija.dll c:\windows\system32\zijofege.dll
SSODL: suzetekur - {c0a5efe0-32b7-4420-b5f7-c71ee2624bd6} - c:\windows\system32\zijofege.dll
STS: kupuhivus: {c0a5efe0-32b7-4420-b5f7-c71ee2624bd6} - c:\windows\system32\zijofege.dll
LSA: Notification Packages = scecli aswapl.dll hukuwozu.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\q2au713i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.wow.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\dave\local settings\application data\huludesktop\instances\0.9.6.1\npHDPlg.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll
FF - HiddenExtension: XULRunner: {9D8EFD2E-9E2D-479C-8A9B-7F3581F3A312} - c:\documents and settings\dave\local settings\application data\{9D8EFD2E-9E2D-479C-8A9B-7F3581F3A312}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2010-1-26 22272]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-20 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-20 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-20 360584]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-10 353672]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-17 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-17 285392]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2010-1-26 14856]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-20 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 icsak;icsak;\??\c:\program files\checkpoint\zaforcefield\ak\icsak.sys --> c:\program files\checkpoint\zaforcefield\ak\icsak.sys [?]

=============== Created Last 30 ================

2010-02-06 15:27:17 176 ----a-w- c:\documents and settings\dave\defogger_reenable
2010-02-06 14:00:08 0 d-----w- C:\VundoFix Backups
2010-01-29 06:51:56 1080 ----a-w- c:\windows\system32\settingsbkup.sfm
2010-01-29 06:51:56 1080 ----a-w- c:\windows\system32\settings.sfm
2010-01-27 00:42:04 0 d-----w- c:\program files\AMD
2010-01-27 00:41:55 22272 ----a-w- c:\windows\system32\drivers\amdtools.sys
2010-01-27 00:40:17 14856 ----a-w- c:\windows\system32\drivers\LGVirHid.sys
2010-01-24 03:58:19 0 d-----w- c:\docume~1\dave\applic~1\Realtime Soft
2010-01-24 03:58:06 0 d-----w- c:\program files\common files\Realtime Soft
2010-01-24 03:58:05 0 d-----w- c:\program files\UltraMon
2010-01-24 03:58:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Realtime Soft
2010-01-24 03:20:11 0 d-----w- c:\program files\Folding@home
2010-01-24 03:20:11 0 d-----w- c:\docume~1\dave\applic~1\Folding@home-gpu
2010-01-23 23:50:01 0 d-----w- c:\program files\ATI
2010-01-23 23:49:40 0 d-----w- c:\program files\ATI Technologies
2010-01-23 23:47:22 0 d-----w- C:\ATI
2010-01-21 20:14:31 120 ----a-w- c:\windows\Oxakada.dat
2010-01-21 20:14:31 0 ----a-w- c:\windows\Kbozoquqisefa.bin
2010-01-13 18:28:54 0 d-----w- c:\docume~1\dave\applic~1\IObit
2010-01-13 18:28:53 0 d-----w- c:\program files\IObit
2010-01-09 17:52:23 0 d-----w- c:\program files\PerformanceTest
2010-01-07 19:37:49 0 d-----w- c:\docume~1\dave\applic~1\Registry Mechanic

==================== Find3M ====================

2010-02-06 15:34:34 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-06 15:34:02 256 ----a-w- c:\documents and settings\dave\pool.bin
2010-01-25 21:32:31 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-01-25 21:32:31 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 03:27:54 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-11-25 03:26:52 300032 ----a-w- c:\windows\system32\ati2dvag.dll
2009-11-25 03:11:24 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2009-11-25 03:11:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-11-25 03:10:54 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-11-25 03:10:42 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-11-25 03:10:28 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-11-25 03:09:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-11-25 03:07:36 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-11-25 02:59:54 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-11-25 02:59:04 3538496 ----a-w- c:\windows\system32\ati3duag.dll
2009-11-25 02:44:28 13533184 ----a-w- c:\windows\system32\atioglxx.dll
2009-11-25 02:43:18 2142848 ----a-w- c:\windows\system32\ativvaxx.dll
2009-11-25 02:42:54 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-11-25 02:21:40 565248 ----a-w- c:\windows\system32\atikvmag.dll
2009-11-25 02:20:16 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-11-25 02:20:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-11-25 02:19:26 176128 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:18:58 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-11-25 02:18:26 3612672 ----a-w- c:\windows\system32\aticaldd.dll
2009-11-25 02:17:22 397312 ----a-w- c:\windows\system32\atiok3x2.dll
2009-11-25 02:12:38 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-11-21 02:34:54 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-20 02:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-17 18:19:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
1601-01-01 00:03:52 55808 --sha-w- c:\windows\system32\detezija.dll
1601-01-01 00:03:52 55808 --sha-w- c:\windows\system32\hukuwozu.dll
1601-01-01 00:03:28 42496 --sha-w- c:\windows\system32\larewabo.dll
1601-01-01 00:03:52 55808 --sha-w- c:\windows\system32\wenatune.dll
1601-01-01 00:03:28 96768 --sha-w- c:\windows\system32\zijofege.dll

============= FINISH: 10:38:16.95 ===============

Attached File(s)


This post has been edited by goodwidp: 07 February 2010 - 01:12 AM

#2 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 07 February 2010 - 07:14 AM

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
    • Please copy/paste below script into Custom Scans box
      CODE
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results




ATTACH these logs in your next reply

1. OTS
2. GMER
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 User is offline   goodwidp 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 04-November 08

Posted 07 February 2010 - 03:40 PM

First off, thank you very much for takign the time to assist me with this issue. I sincerely appreciate your help. While I was able to run comedian and OTS without issue, I did again have issues with getting GMER to finish successfully. Unlike the first few times I ran GMER (where the program would stall a little bit after starting the scan), I was able to get GMER to run a complete scan. After it finished, a GMER dialog box opened with a warning stating that GMER had discovered that a rootkit has modified system settings (taken from memory so not exact wording, but very close). At this point the program was unresponsive, cpu usage was at 100%, and I was unable to do anything else on my desktop, including opening task manager, so I had to power down and reboot. I will attach the OTS log with this post, but since I was unable to copy the results of GMER, I still am unable to provide that information.

Also, a new thing that began occurring over the past 24 hrs. is fake pop-up warnings from a scareware program calling itself "Protect your PC". I searched the forums here for info. on the program, and did have to use rkill to close it as I was unable to run any programs while Protect your PC was running.

I would certainly love to be able to clear up this issue without having to reformat my PC and start from scratch though I am aware this may be an inevitability.

Again, thanks very much for your time and effort in this matter.

Attached File(s)

  • Attached File  OTS.Txt (264.45K)
    Number of downloads: 23

#4 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 08 February 2010 - 06:55 AM

Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

CODE
Begin copying here:
Drivers to delete:
AdbUpd
Files to delete:
c:\documents and settings\dave\desktop\your pc protector.lnk
c:\documents and settings\dave\local settings\application data\dcbc2a71-70d8-4dan-ehr8-e0d61dea3fdf.ini
c:\documents and settings\dave\local settings\application data\prvlcl.dat
c:\program files\adc32.dll
c:\program files\alggui.exe
c:\program files\nuar.old
c:\program files\svchost.exe
c:\program files\wp3.dat
c:\program files\wp4.dat
c:\program files\wpp.exe
c:\windows\kbozoquqisefa.bin
c:\windows\oxakada.dat
c:\windows\rasqervy.dll
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\system32\cmd.exe
c:\windows\system32\command.com
c:\windows\system32\dozibadi.dll
c:\windows\system32\dozibadi.dll_old
c:\windows\system32\fihisafu
c:\windows\system32\gudunowi.dll
c:\windows\system32\jasisaji.dll
c:\windows\system32\komeluwe.dll
c:\windows\system32\vusumuje.dll
c:\windows\system32\yuhoraki.dll
c:\windows\system32\zijofege.dll
c:\your pc protector.lnk
Folders to delete:
c:\program files\your pc protector


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompted

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.



NEXT


OTS Fix

Open OTS.. Copy/paste below into Paste Fix Here and then click on the Run Fix button.. Let it finishes and reboot the computer.. Post the log here in your next reply..

CODE
[Kill All Processes]
[Unregister Dlls]
[Modules - Safe List]
YY -> jasisaji.dll -> C:\WINDOWS\system32\jasisaji.dll
YY -> gudunowi.dll -> C:\WINDOWS\system32\gudunowi.dll
[Win32 Services - Safe List]
YY -> (AdbUpd) Adobe Update Service [Auto | Stopped] -> C:\Program Files\svchost.exe
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} [HKLM] -> C:\Program Files\adc32.dll [ADC PlugIn]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "zuyalavaz" -> C:\WINDOWS\System32\dozibadi.DLL [Rundll32.exe "c:\windows\system32\dozibadi.dll",a]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YY -> "SpybotDeletingA2458" -> C:\WINDOWS\System32\command.com [command.com /c del "c:\windows\system32\dozibadi.dll_old"]
YY -> "SpybotDeletingA3992" -> C:\WINDOWS\System32\command.com [command.com /c del "C:\WINDOWS\system32\hukuwozu.dll.tmp_old"]
YY -> "SpybotDeletingA491" -> C:\WINDOWS\System32\command.com [command.com /c del "C:\WINDOWS\system32\detezija.dll.tmp_old"]
YY -> "SpybotDeletingC126" -> C:\WINDOWS\System32\cmd.exe [cmd.exe /c del "C:\WINDOWS\system32\hukuwozu.dll.tmp_old"]
YY -> "SpybotDeletingC2205" -> C:\WINDOWS\System32\cmd.exe [cmd.exe /c del "C:\WINDOWS\system32\detezija.dll.tmp_old"]
YY -> "SpybotDeletingC6637" -> C:\WINDOWS\System32\cmd.exe [cmd.exe /c del "c:\windows\system32\dozibadi.dll_old"]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> jasisaji.dll c:\windows\system32\dozibadi.dll -> C:\WINDOWS\System32\jasisaji.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{798ecf98-4c77-4aee-ab93-a417cc71dbce}" [HKLM] -> C:\WINDOWS\System32\dozibadi.dll [kekaterel]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{798ecf98-4c77-4aee-ab93-a417cc71dbce}" [HKLM] -> C:\WINDOWS\System32\dozibadi.dll [mujuzedij]
[Registry - Additional Scans - Safe List]
< Ext (Stats) - [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\
YY -> {77DC0BAA-3235-4BA9-8BE8-AA9EB678FA02} [HKLM] -> C:\Program Files\adc32.dll [ADC PlugIn]
[Files/Folders - Created Within 90 Days]
NY ->  adc32.dll -> C:\Program Files\adc32.dll
NY ->  Your PC Protector -> C:\Program Files\Your PC Protector
NY ->  wpp.exe -> C:\Program Files\wpp.exe
[Files/Folders - Modified Within 90 Days]
NY ->  zijofege.dll -> C:\WINDOWS\System32\zijofege.dll
NY ->  dozibadi.dll_old -> C:\WINDOWS\System32\dozibadi.dll_old
NY ->  yuhoraki.dll -> C:\WINDOWS\System32\yuhoraki.dll
NY ->  vusumuje.dll -> C:\WINDOWS\System32\vusumuje.dll
NY ->  jasisaji.dll -> C:\WINDOWS\System32\jasisaji.dll
NY ->  gudunowi.dll -> C:\WINDOWS\System32\gudunowi.dll
NY ->  komeluwe.dll -> C:\WINDOWS\System32\komeluwe.dll
NY ->  fihisafu -> C:\WINDOWS\System32\fihisafu
NY ->  wp4.dat -> C:\Program Files\wp4.dat
NY ->  wp3.dat -> C:\Program Files\wp3.dat
NY ->  adc32.dll -> C:\Program Files\adc32.dll
NY ->  alggui.exe -> C:\Program Files\alggui.exe
NY ->  Your PC Protector.lnk -> C:\Your PC Protector.lnk
NY ->  prvlcl.dat -> C:\Documents and Settings\Dave\Local Settings\Application Data\prvlcl.dat
NY ->  nuar.old -> C:\Program Files\nuar.old
NY ->  svchost.exe -> C:\Program Files\svchost.exe
NY ->  Your PC Protector.lnk -> C:\Documents and Settings\Dave\Desktop\Your PC Protector.lnk
NY ->  wpp.exe -> C:\Program Files\wpp.exe
NY ->  DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY ->  Kbozoquqisefa.bin -> C:\WINDOWS\Kbozoquqisefa.bin
NY ->  Oxakada.dat -> C:\WINDOWS\Oxakada.dat
[Files - No Company Name]
NY ->  zijofege.dll -> C:\WINDOWS\System32\zijofege.dll
NY ->  dozibadi.dll_old -> C:\WINDOWS\System32\dozibadi.dll_old
NY ->  yuhoraki.dll -> C:\WINDOWS\System32\yuhoraki.dll
NY ->  vusumuje.dll -> C:\WINDOWS\System32\vusumuje.dll
NY ->  jasisaji.dll -> C:\WINDOWS\System32\jasisaji.dll
NY ->  gudunowi.dll -> C:\WINDOWS\System32\gudunowi.dll
NY ->  komeluwe.dll -> C:\WINDOWS\System32\komeluwe.dll
NY ->  fihisafu -> C:\WINDOWS\System32\fihisafu
NY ->  Your PC Protector.lnk -> C:\Your PC Protector.lnk
NY ->  nuar.old -> C:\Program Files\nuar.old
NY ->  alggui.exe -> C:\Program Files\alggui.exe
NY ->  svchost.exe -> C:\Program Files\svchost.exe
NY ->  wp4.dat -> C:\Program Files\wp4.dat
NY ->  wp3.dat -> C:\Program Files\wp3.dat
NY ->  Your PC Protector.lnk -> C:\Documents and Settings\Dave\Desktop\Your PC Protector.lnk
NY ->  Oxakada.dat -> C:\WINDOWS\Oxakada.dat
NY ->  Kbozoquqisefa.bin -> C:\WINDOWS\Kbozoquqisefa.bin
NY ->  prvlcl.dat -> C:\Documents and Settings\Dave\Local Settings\Application Data\prvlcl.dat
NY ->  rasqervy.dll -> C:\WINDOWS\rasqervy.dll
NY ->  sdfinacs.dll -> C:\WINDOWS\sdfinacs.dll
NY ->  sdfixwcs.dll -> C:\WINDOWS\sdfixwcs.dll
[Alternate Data Streams]
NY -> @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
NY -> @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
[Empty Temp Folders]
[CreateRestorePoint]
[Start Explorer]
[ZipFiles]
[Reboot]




NEXT



Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)




NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:






It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..




Post these logs in your next reply..

1. The Avenger
2. OTS
3. TDSS Killer
4. ComboFix
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#5 User is offline   goodwidp 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 04-November 08

Posted 08 February 2010 - 06:20 PM

Thanks again for your prompt response and continued assistance. Unfortunately, I did run into another issue while following your instructions. I was able to run Avenger, OTS, and TDSSKiller with no problems, however when I went to use Combofix all that would happen is a small status bar pops up in the middle of my desktop with the text "Combofix" and a blue progress bar that quickly fills. After that nothing happens at all. In task manager I can see the Combofix process close after the status bar disappears. The PC doesn't hang or anything else abnormal appears to happen, but its obvious Combofix isn't doing anything once the status bar finishes loading. Keep in mind I followed all instructions relating to Combofix, including renaming it to Combo-fix and disabling AVG, teatimer, and Zonealarm firewall. Anyway, here are the reults from the logs of the other 3 programs...Thanks again!

Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "AdbUpd" deleted successfully.
File "c:\documents and settings\dave\desktop\your pc protector.lnk" deleted successfully.
File "c:\documents and settings\dave\local settings\application data\dcbc2a71-70d8-4dan-ehr8-e0d61dea3fdf.ini" deleted successfully.
File "c:\documents and settings\dave\local settings\application data\prvlcl.dat" deleted successfully.
File "c:\program files\adc32.dll" deleted successfully.
File "c:\program files\alggui.exe" deleted successfully.
File "c:\program files\nuar.old" deleted successfully.
File "c:\program files\svchost.exe" deleted successfully.
File "c:\program files\wp3.dat" deleted successfully.
File "c:\program files\wp4.dat" deleted successfully.
File "c:\program files\wpp.exe" deleted successfully.
File "c:\windows\kbozoquqisefa.bin" deleted successfully.
File "c:\windows\oxakada.dat" deleted successfully.
File "c:\windows\rasqervy.dll" deleted successfully.
File "c:\windows\sdfinacs.dll" deleted successfully.
File "c:\windows\sdfixwcs.dll" deleted successfully.
File "c:\windows\system32\cmd.exe" deleted successfully.
File "c:\windows\system32\command.com" deleted successfully.

Error: file "c:\windows\system32\dozibadi.dll" not found!
Deletion of file "c:\windows\system32\dozibadi.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\dozibadi.dll_old" not found!
Deletion of file "c:\windows\system32\dozibadi.dll_old" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\fihisafu" deleted successfully.
File "c:\windows\system32\gudunowi.dll" deleted successfully.
File "c:\windows\system32\jasisaji.dll" deleted successfully.
File "c:\windows\system32\komeluwe.dll" deleted successfully.
File "c:\windows\system32\vusumuje.dll" deleted successfully.
File "c:\windows\system32\yuhoraki.dll" deleted successfully.
File "c:\windows\system32\zijofege.dll" deleted successfully.
File "c:\your pc protector.lnk" deleted successfully.
Folder "c:\program files\your pc protector" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

OTS log:

All Processes Killed
[Modules - Safe List]
[Win32 Services - Safe List]
Error: No service named AdbUpd was found to stop!
Unable to stop service AdbUpd!
File C:\Program Files\svchost.exe not found.
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}\ not found.
File C:\Program Files\adc32.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\zuyalavaz not found.
File C:\WINDOWS\System32\dozibadi.DLL not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingA2458 not found.
File C:\WINDOWS\System32\command.com not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingA3992 not found.
File C:\WINDOWS\System32\command.com not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingA491 not found.
File C:\WINDOWS\System32\command.com not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingC126 not found.
File C:\WINDOWS\System32\cmd.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingC2205 not found.
File C:\WINDOWS\System32\cmd.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\SpybotDeletingC6637 not found.
File C:\WINDOWS\System32\cmd.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:jasisaji.dll c:\windows\system32\dozibadi.dll deleted successfully.
File C:\WINDOWS\System32\jasisaji.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\kekaterel not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{798ecf98-4c77-4aee-ab93-a417cc71dbce}\ not found.
File C:\WINDOWS\System32\dozibadi.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{798ecf98-4c77-4aee-ab93-a417cc71dbce} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{798ecf98-4c77-4aee-ab93-a417cc71dbce}\ not found.
File C:\WINDOWS\System32\dozibadi.dll not found.
[Registry - Additional Scans - Safe List]
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77DC0BAA-3235-4BA9-8BE8-AA9EB678FA02}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77DC0BAA-3235-4BA9-8BE8-AA9EB678FA02}\ not found.
File C:\Program Files\adc32.dll not found.
[Files/Folders - Created Within 90 Days]
File C:\Program Files\adc32.dll not found!
File C:\Program Files\Your PC Protector not found!
File C:\Program Files\wpp.exe not found!
[Files/Folders - Modified Within 90 Days]
File C:\WINDOWS\System32\zijofege.dll not found!
File C:\WINDOWS\System32\dozibadi.dll_old not found!
File C:\WINDOWS\System32\yuhoraki.dll not found!
File C:\WINDOWS\System32\vusumuje.dll not found!
File C:\WINDOWS\System32\jasisaji.dll not found!
File C:\WINDOWS\System32\gudunowi.dll not found!
File C:\WINDOWS\System32\komeluwe.dll not found!
C:\WINDOWS\System32\fihisafu moved successfully.
File C:\Program Files\wp4.dat not found!
File C:\Program Files\wp3.dat not found!
File C:\Program Files\adc32.dll not found!
File C:\Program Files\alggui.exe not found!
File C:\Your PC Protector.lnk not found!
File C:\Documents and Settings\Dave\Local Settings\Application Data\prvlcl.dat not found!
File C:\Program Files\nuar.old not found!
File C:\Program Files\svchost.exe not found!
File C:\Documents and Settings\Dave\Desktop\Your PC Protector.lnk not found!
File C:\Program Files\wpp.exe not found!
File C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini not found!
File C:\WINDOWS\Kbozoquqisefa.bin not found!
File C:\WINDOWS\Oxakada.dat not found!
[Files - No Company Name]
File C:\WINDOWS\System32\zijofege.dll not found!
File C:\WINDOWS\System32\dozibadi.dll_old not found!
File C:\WINDOWS\System32\yuhoraki.dll not found!
File C:\WINDOWS\System32\vusumuje.dll not found!
File C:\WINDOWS\System32\jasisaji.dll not found!
File C:\WINDOWS\System32\gudunowi.dll not found!
File C:\WINDOWS\System32\komeluwe.dll not found!
File C:\WINDOWS\System32\fihisafu not found!
File C:\Your PC Protector.lnk not found!
File C:\Program Files\nuar.old not found!
File C:\Program Files\alggui.exe not found!
File C:\Program Files\svchost.exe not found!
File C:\Program Files\wp4.dat not found!
File C:\Program Files\wp3.dat not found!
File C:\Documents and Settings\Dave\Desktop\Your PC Protector.lnk not found!
File C:\WINDOWS\Oxakada.dat not found!
File C:\WINDOWS\Kbozoquqisefa.bin not found!
File C:\Documents and Settings\Dave\Local Settings\Application Data\prvlcl.dat not found!
File C:\WINDOWS\rasqervy.dll not found!
File C:\WINDOWS\sdfinacs.dll not found!
File C:\WINDOWS\sdfixwcs.dll not found!
[Alternate Data Streams]
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 .
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Dave
->Temp folder emptied: 2198679 bytes
->Temporary Internet Files folder emptied: 93291 bytes
->Java cache emptied: 1875835 bytes
->FireFox cache emptied: 36556707 bytes
->Opera cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 256 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 39.00 mb

Restore point Set: OTS Restore Point (64424509440)
< End of fix log >
OTS by OldTimer - Version 3.1.20.1 fix logfile created on 02082010_172738

Files\Folders moved on Reboot...
C:\Documents and Settings\Dave\Local Settings\Temp\~DF58A0.tmp moved successfully.
File\Folder C:\WINDOWS\temp\ZLT00215.TMP not found!

Registry entries deleted on Reboot...

TDSSKiller log:

17:36:41:953 6120 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
17:36:41:953 6120 ================================================================================
17:36:41:953 6120 SystemInfo:

17:36:41:953 6120 OS Version: 5.1.2600 ServicePack: 2.0
17:36:41:953 6120 Product type: Workstation
17:36:41:953 6120 ComputerName: YOUR-85A8F7B8EC
17:36:41:953 6120 UserName: Dave
17:36:41:953 6120 Windows directory: C:\WINDOWS
17:36:41:953 6120 Processor architecture: Intel x86
17:36:41:953 6120 Number of processors: 2
17:36:41:953 6120 Page size: 0x1000
17:36:41:953 6120 Boot type: Normal boot
17:36:41:953 6120 ================================================================================
17:36:41:953 6120 UnloadDriverW: NtUnloadDriver error 2
17:36:41:953 6120 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:36:41:984 6120 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:36:42:015 6120 UtilityInit: KLMD drop and load success
17:36:42:015 6120 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
17:36:42:015 6120 UtilityInit: KLMD open success
17:36:42:015 6120 UtilityInit: Initialize success
17:36:42:015 6120
17:36:42:015 6120 Scanning Services ...
17:36:42:015 6120 CreateRegParser: Registry parser init started
17:36:42:015 6120 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
17:36:42:015 6120 CreateRegParser: DisableWow64Redirection error
17:36:42:015 6120 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:36:42:015 6120 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
17:36:42:015 6120 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:36:42:015 6120 wfopen_ex: Trying to KLMD file open
17:36:42:015 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
17:36:42:015 6120 wfopen_ex: File opened ok (Flags 2)
17:36:42:015 6120 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: C74AE8
17:36:42:015 6120 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:36:42:031 6120 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
17:36:42:031 6120 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:36:42:031 6120 wfopen_ex: Trying to KLMD file open
17:36:42:031 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
17:36:42:031 6120 wfopen_ex: File opened ok (Flags 2)
17:36:42:031 6120 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: C74B90
17:36:42:031 6120 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
17:36:42:031 6120 CreateRegParser: EnableWow64Redirection error
17:36:42:031 6120 CreateRegParser: RegParser init completed
17:36:42:640 6120 GetAdvancedServicesInfo: Raw services enum returned 380 services
17:36:42:640 6120 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:36:42:640 6120 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:36:42:640 6120
17:36:42:640 6120 Scanning Kernel memory ...
17:36:42:640 6120 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:36:42:640 6120 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8ACD4A08
17:36:42:640 6120 DetectCureTDL3: KLMD_GetDeviceObjectList returned 16 DevObjects
17:36:42:640 6120
17:36:42:640 6120 DetectCureTDL3: DEVICE_OBJECT: 897A4030
17:36:42:640 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 897A4030
17:36:42:640 6120 KLMD_ReadMem: Trying to ReadMemory 0x897A4030[0x38]
17:36:42:640 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08
17:36:42:640 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8]
17:36:42:640 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18]
17:36:42:640 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:36:42:640 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30
17:36:42:640 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30
17:36:42:640 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B
17:36:42:640 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B
17:36:42:640 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366
17:36:42:640 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D
17:36:42:640 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3
17:36:42:640 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366
17:36:42:640 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3
17:36:42:640 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24
17:36:42:640 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:640 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:640 6120 TDL3_FileDetect: Processing driver: Disk
17:36:42:640 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:640 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:703 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:36:42:703 6120
17:36:42:703 6120 DetectCureTDL3: DEVICE_OBJECT: 8957A030
17:36:42:703 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8957A030
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8957A030[0x38]
17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8]
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18]
17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:36:42:703 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30
17:36:42:703 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30
17:36:42:703 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B
17:36:42:703 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B
17:36:42:703 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366
17:36:42:703 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D
17:36:42:703 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3
17:36:42:703 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366
17:36:42:703 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3
17:36:42:703 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24
17:36:42:703 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:703 6120 TDL3_FileDetect: Processing driver: Disk
17:36:42:703 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:703 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:703 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:36:42:703 6120
17:36:42:703 6120 DetectCureTDL3: DEVICE_OBJECT: 8AACE030
17:36:42:703 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AACE030
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AACE030[0x38]
17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8]
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18]
17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:36:42:703 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30
17:36:42:703 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30
17:36:42:703 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B
17:36:42:703 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B
17:36:42:703 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366
17:36:42:703 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D
17:36:42:703 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3
17:36:42:703 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366
17:36:42:703 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3
17:36:42:703 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24
17:36:42:703 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:703 6120 TDL3_FileDetect: Processing driver: Disk
17:36:42:703 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:703 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:703 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:36:42:703 6120
17:36:42:703 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA1B210
17:36:42:703 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA1B210
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA1B210[0x38]
17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8]
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18]
17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:36:42:703 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30
17:36:42:703 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30
17:36:42:703 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B
17:36:42:703 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B
17:36:42:703 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366
17:36:42:703 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D
17:36:42:703 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3
17:36:42:703 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366
17:36:42:703 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3
17:36:42:703 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24
17:36:42:703 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:703 6120 TDL3_FileDetect: Processing driver: Disk
17:36:42:703 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:703 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:703 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:36:42:703 6120
17:36:42:703 6120 DetectCureTDL3: DEVICE_OBJECT: 8AB3E8F0
17:36:42:703 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB3E8F0
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AB3E8F0[0x38]
17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8]
17:36:42:703 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18]
17:36:42:703 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:36:42:703 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30
17:36:42:703 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30
17:36:42:703 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B
17:36:42:703 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B
17:36:42:703 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366
17:36:42:703 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D
17:36:42:703 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3
17:36:42:703 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366
17:36:42:703 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3
17:36:42:703 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24
17:36:42:703 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:703 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:703 6120 TDL3_FileDetect: Processing driver: Disk
17:36:42:703 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:703 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:36:42:718 6120
17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA03030
17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA03030
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA03030[0x38]
17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8]
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18]
17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:36:42:718 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30
17:36:42:718 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30
17:36:42:718 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B
17:36:42:718 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B
17:36:42:718 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366
17:36:42:718 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D
17:36:42:718 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3
17:36:42:718 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366
17:36:42:718 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3
17:36:42:718 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24
17:36:42:718 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:718 6120 TDL3_FileDetect: Processing driver: Disk
17:36:42:718 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:718 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:36:42:718 6120
17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA4F928
17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA4F928
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA4F928[0x38]
17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8]
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18]
17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:36:42:718 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30
17:36:42:718 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30
17:36:42:718 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B
17:36:42:718 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B
17:36:42:718 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366
17:36:42:718 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D
17:36:42:718 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3
17:36:42:718 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366
17:36:42:718 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3
17:36:42:718 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24
17:36:42:718 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:718 6120 TDL3_FileDetect: Processing driver: Disk
17:36:42:718 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:718 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:36:42:718 6120
17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8A9FFAB8
17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A9FFAB8
17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 896E2B48
17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 896E2B48
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x896E2B48[0x38]
17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8]
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E]
17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
17:36:42:718 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218
17:36:42:718 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218
17:36:42:718 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C
17:36:42:718 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C
17:36:42:718 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180
17:36:42:718 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6
17:36:42:718 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0
17:36:42:718 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E
17:36:42:718 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400]
17:36:42:718 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:36:42:718 6120 TDL3_FileDetect: Processing driver: usbstor
17:36:42:718 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:718 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:36:42:718 6120
17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA0CAB8
17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA0CAB8
17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 896F2030
17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 896F2030
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x896F2030[0x38]
17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8]
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E]
17:36:42:718 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
17:36:42:718 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218
17:36:42:718 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218
17:36:42:718 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C
17:36:42:718 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C
17:36:42:718 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180
17:36:42:718 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6
17:36:42:718 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0
17:36:42:718 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E
17:36:42:718 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:718 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400]
17:36:42:718 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:36:42:718 6120 TDL3_FileDetect: Processing driver: usbstor
17:36:42:718 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:718 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:718 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:36:42:718 6120
17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 8950A030
17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8950A030
17:36:42:718 6120 DetectCureTDL3: DEVICE_OBJECT: 896DF468
17:36:42:718 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 896DF468
17:36:42:718 6120 KLMD_ReadMem: Trying to ReadMemory 0x896DF468[0x38]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8]
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218
17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218
17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C
17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C
17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180
17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6
17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0
17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E
17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400]
17:36:42:734 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:36:42:734 6120 TDL3_FileDetect: Processing driver: usbstor
17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:36:42:734 6120
17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8AA0D660
17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA0D660
17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 896EA370
17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 896EA370
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x896EA370[0x38]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8]
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218
17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218
17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C
17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C
17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180
17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6
17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0
17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E
17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400]
17:36:42:734 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:36:42:734 6120 TDL3_FileDetect: Processing driver: usbstor
17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:36:42:734 6120
17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8AAC0258
17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AAC0258
17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 897A6448
17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 897A6448
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x897A6448[0x38]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8]
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218
17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218
17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C
17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C
17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180
17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6
17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0
17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E
17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400]
17:36:42:734 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:36:42:734 6120 TDL3_FileDetect: Processing driver: usbstor
17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:36:42:734 6120
17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 894D8778
17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 894D8778
17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8973A868
17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8973A868
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8973A868[0x38]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8AA57930
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AA57930[0xA8]
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE1D04458[0x1E]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B838D218
17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B838D218
17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B838D23C
17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B838D23C
17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B838D180
17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B83889E6
17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B838C5F0
17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B838AA6E
17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xB8389F26[0x400]
17:36:42:734 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:36:42:734 6120 TDL3_FileDetect: Processing driver: usbstor
17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:36:42:734 6120
17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8AC42C68
17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC42C68
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8AC42C68[0x38]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8]
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30
17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30
17:36:42:734 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B
17:36:42:734 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B
17:36:42:734 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366
17:36:42:734 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D
17:36:42:734 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3
17:36:42:734 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366
17:36:42:734 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3
17:36:42:734 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24
17:36:42:734 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:734 6120 TDL3_FileDetect: Processing driver: Disk
17:36:42:734 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:734 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:734 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:36:42:734 6120
17:36:42:734 6120 DetectCureTDL3: DEVICE_OBJECT: 8ACA99F0
17:36:42:734 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ACA99F0
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACA99F0[0x38]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACD4A08
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACD4A08[0xA8]
17:36:42:734 6120 KLMD_ReadMem: Trying to ReadMemory 0xE17223C8[0x18]
17:36:42:734 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:36:42:734 6120 DetectCureTDL3: IrpHandler (0) addr: B810EC30
17:36:42:734 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:734 6120 DetectCureTDL3: IrpHandler (2) addr: B810EC30
17:36:42:750 6120 DetectCureTDL3: IrpHandler (3) addr: B8108D9B
17:36:42:750 6120 DetectCureTDL3: IrpHandler (4) addr: B8108D9B
17:36:42:750 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (9) addr: B8109366
17:36:42:750 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (14) addr: B810944D
17:36:42:750 6120 DetectCureTDL3: IrpHandler (15) addr: B810CFC3
17:36:42:750 6120 DetectCureTDL3: IrpHandler (16) addr: B8109366
17:36:42:750 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (22) addr: B810AEF3
17:36:42:750 6120 DetectCureTDL3: IrpHandler (23) addr: B810FA24
17:36:42:750 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:750 6120 TDL3_FileDetect: Processing driver: Disk
17:36:42:750 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:750 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:36:42:750 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:36:42:750 6120
17:36:42:750 6120 DetectCureTDL3: DEVICE_OBJECT: 8ACC9AB8
17:36:42:750 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ACC9AB8
17:36:42:750 6120 DetectCureTDL3: DEVICE_OBJECT: 8ACAF9A0
17:36:42:750 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ACAF9A0
17:36:42:750 6120 DetectCureTDL3: DEVICE_OBJECT: 8ACBBD98
17:36:42:750 6120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ACBBD98
17:36:42:750 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACBBD98[0x38]
17:36:42:750 6120 DetectCureTDL3: DRIVER_OBJECT: 8ACAE900
17:36:42:750 6120 KLMD_ReadMem: Trying to ReadMemory 0x8ACAE900[0xA8]
17:36:42:750 6120 KLMD_ReadMem: Trying to ReadMemory 0xE101D848[0x1A]
17:36:42:750 6120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:36:42:750 6120 DetectCureTDL3: IrpHandler (0) addr: B7F15572
17:36:42:750 6120 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (2) addr: B7F15572
17:36:42:750 6120 DetectCureTDL3: IrpHandler (3) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (4) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (9) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (14) addr: B7F15592
17:36:42:750 6120 DetectCureTDL3: IrpHandler (15) addr: B7F117B4
17:36:42:750 6120 DetectCureTDL3: IrpHandler (16) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (22) addr: B7F155BC
17:36:42:750 6120 DetectCureTDL3: IrpHandler (23) addr: B7F1C164
17:36:42:750 6120 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:36:42:750 6120 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:36:42:750 6120 KLMD_ReadMem: Trying to ReadMemory 0xB7F127C6[0x400]
17:36:42:750 6120 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:36:42:750 6120 TDL3_FileDetect: Processing driver: atapi
17:36:42:750 6120 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:36:42:750 6120 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
17:36:42:859 6120 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
17:36:42:859 6120
17:36:42:859 6120 Completed
17:36:42:859 6120
17:36:42:859 6120 Results:
17:36:42:859 6120 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
17:36:42:859 6120 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:36:42:859 6120 File objects infected / cured / cured on reboot: 0 / 0 / 0
17:36:42:859 6120
17:36:42:859 6120 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:36:42:859 6120 UtilityDeinit: KLMD(ARK) unloaded successfully

#6 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 09 February 2010 - 07:07 AM

Can you run ComboFix on Safe Mode?

If yes please do that and post the log here smile.gif
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#7 User is offline   goodwidp 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 04-November 08

Posted 09 February 2010 - 11:14 AM

Unfortunately, running Windows in Safe Mode made no difference in terms of successfully running Combofix. The same exact thing happened when I tried running it in normal Windows. Progress bar appears, finishes loading, but then disappears and that is it. Again, I sincerely appreciate your help and look forward to your next response.

#8 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 09 February 2010 - 11:29 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic




Please download avz4.zip and unzip it to your Desktop
  • Double click on avz.exe to run it.
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Analysis
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm AND virusinfo_syscure.htm to your next reply

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#9 User is offline   goodwidp 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 04-November 08

Posted 09 February 2010 - 01:44 PM

ESET Online Scanner Log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c019cb6be30ea845a6be70a02bef443c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-09 06:09:43
# local_time=2010-02-09 01:09:43 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777175 100 0 6334827 6334827 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 74 17536727 33083339 0 0
# scanned=121517
# found=3
# cleaned=3
# scan_time=4191
C:\Avenger\zijofege.dll a variant of Win32/Adware.Virtumonde.NGW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\schtml\dbsinit.exe Win32/Adware.WinAntiVirus application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\schtml\wispex.html Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

In the AVZ4/LOG directory I was able to locate the virusinfo_syscheck.htm and virusinfo_syscheck.zip files, but was unable to locate any file named virusinfo_syscure.htm. Inside the .zip archive was a file named avz_sysinfo.htm, so I attached that along with virusinfo_syscheck.htm.

EDIT: I am unable to attach either of the aforementioned files as I get a message stating "the file was larger than the available space"...The 2 files are @1.2mb each and my max. single upload size is 219K. Please let me know what you would like me to do as an alternative and I will be happy to comply.

I must say, while I know we're not finished, I have already noticed an improvement. The Your PC Protector scareware is no longer showing up nor are the pop up advertising pages in Firefox. I know I sound like a broken record saying this over and over again, but I really do appreciate you taking the time to help with this. Thanks again!

#10 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 10 February 2010 - 05:52 AM

Please put all logs into a folder >> zip the folder >> upload it at RapidShare or MegaUpload >> post the download link here smile.gif
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#11 User is offline   goodwidp 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 04-November 08

Posted 10 February 2010 - 10:35 AM

I hope its OK, but I use WINRAR as my extractor as opposed to WINZIP, so the archive is in .rar format. If this is a problem, let me know and I will get WINZIP and redo it. While I said in my last post that some things had improved, I am still getting messages from AVG for a few different infected .dll files. The one name I can remember is polekove.dll, and I cant recall the other 2 common ones. Also, teatimer.exe tends to use much more cpu usage than normal after a few hours of computer usage, a reboot will fix it for a little bit, but it always seems to revert back.

Here is the link for the AVZ4 and ESET online scanner logs:
Logs archive



Thanks again!

#12 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 11 February 2010 - 06:45 AM

Hello.. First, please uninstall Spybot S&D


Then do below..






AVZ FIX :

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before this fix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

  • Close all windows then double click on AVZ.exe
  • Click File >> Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program

    CODE
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    DelBHO('{05a44286-4915-434b-b9c8-a3b2dcc2225c}');
    BC_DeleteFile('C:\WINDOWS\system32\bizikife.dll');
    BC_DeleteFile('c:\windows\system32\boravupi.dll');
    BC_DeleteFile('C:\WINDOWS\system32\nobiwuna.dll');
    BC_DeleteFile('C:\WINDOWS\system32\polekove.dll');
    BC_DeleteFile('C:\WINDOWS\system32\yivoboki.dll');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','zuyalavaz');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{8f0edec0-5f05-45e9-876a-62a60fd2daed}');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','jumeredog');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','jimefufiki');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run-','jimefufiki');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.


  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.



NEXT


Please download the OTM by OldTimer
  • Save it to your Desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    CODE
    :processes
    explorer.exe

    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]

  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Then try to run either GMER or ComboFix and post the log here
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#13 User is offline   goodwidp 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 04-November 08

Posted 11 February 2010 - 12:44 PM

I was able to run the AVZ fix and OTM successfully and will post the OTM log below. Unfortunately, I am still running into the same issues with GMER and ComboFix. Combo still does nothing after the progress bar finishes loading, and GMER simply restarted my PC after scanning for a while, without showing any signs or confirmation of finishing the scan. There was no log or any sort of results posted as the scan was unable to reach 100% completion.

As always, thanks SO much for your continued assistance!

OTM Log-

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Dave
->Temp folder emptied: 66846663 bytes
->Temporary Internet Files folder emptied: 436060 bytes
->Java cache emptied: 3912506 bytes
->FireFox cache emptied: 76983213 bytes
->Opera cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22084 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 11154175 bytes

Total Files Cleaned = 152.00 mb


OTM by OldTimer - Version 3.1.8.0 log created on 02112010_112159

Files moved on Reboot...
C:\Documents and Settings\Dave\Local Settings\Temp\~DF57BD.tmp moved successfully.
File C:\WINDOWS\temp\ZLT00086.TMP not found!

Registry entries deleted on Reboot...

#14 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 12 February 2010 - 04:53 AM

Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop
  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes at the "Write to log" section (Do NOT tick the "Hidden Objects Only" options)
  • Hit the Create Log button
  • When it asked for scanning option, choose Scanning all drives >> Hit Start button (Do NOT hit "Ok" button)
  • Let it scan until finish
  • Find the log.txt inside the SysProt folder and attach the log here.



NEXT


Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#15 User is offline   goodwidp 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 04-November 08

Posted 12 February 2010 - 02:54 PM

Here is the MBR.exe log...I have also attached the SysProt log. Thank you.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x01749DDC1 !


Attached File(s)


Share this topic:


  • 5 Pages +
  • 1
  • 2
  • 3
  • Last »
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users