keep getting redirected


  • This topic is locked
15 replies to this topic

#1 harper

  • Members
  • 16 posts

Posted 12 November 2009 - 07:58 PM

Every time I do a search in IE (such as on Yahoo), when I click on the suggested site I get redirected to other sites. I have run McAfee and it finds nothing. I clear history, cookies, etc. and the problem still exists. Please help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:55 PM, on 11/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} (Echospin Proxy Control) - http://echospin.com/wizard/files/esWizard.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 11275 bytes

#2 DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 20 November 2009 - 10:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 harper

  • Topic Starter

  • Members
  • 16 posts

Posted 26 November 2009 - 09:41 AM

Sorry for the delay, I have been away. Still getting redirected to sites that I don't want. If I do a search in Yahoo, when I click on the result I'm not taken to that site. Another site pops up.


Attached File: Attach.zip (4.53KB)



DDS (Ver_09-11-24.02) - NTFSx86
Run by michael at 8:57:25.85 on Thu 11/26/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.88 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2009-11-11 15172]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-8-28 210216]

=============== Created Last 30 ================

2009-11-11 14:25:36 15172 ----a-w- c:\windows\system32\drivers\PzWDM.sys
2009-11-11 14:25:34 0 d--h--w- c:\docume~1\alluse~1\applic~1\esClient
2009-11-11 14:25:16 0 d-----w- c:\program files\echospin
2009-11-07 22:42:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-07 15:25:28 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-02 22:37:18 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-02 22:37:18 215920 ----a-w- c:\windows\system32\muweb.dll
2009-11-02 22:37:18 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2009-11-25 16:25:15 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-11-24 12:52:35 24448 ----a-w- c:\docume~1\michael\applic~1\wklnhst.dat
2009-11-07 02:07:33 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:00:20.98 ===============

#4 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 26 November 2009 - 03:05 PM

Hi harper,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, :(
My name is sundavis, and I will be helping you to deal with your Malware problems today.


Step1

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt", then copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Step2

Please download Malwarebytes' Anti-Malware from Here or Here
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step3
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

In your next reply, please post back:


1. GMER log
2. MBAM log
3. RSIT log.txt and info.txt. Thanks.

#5 harper

  • Topic Starter

  • Members
  • 16 posts

Posted 28 November 2009 - 12:08 PM

GMER log, MBAM log, RSIT log.txt & info.txt

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 10:32:59
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\michael\LOCALS~1\Temp\pxrdipog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEDC4878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEDC48821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEDC48738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEDC4874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEDC48835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEDC48861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEDC488CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEDC488B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEDC487CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEDC488FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEDC4880D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEDC48710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEDC48724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEDC4879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEDC48937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEDC488A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEDC4888D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEDC4884B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEDC48923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEDC4890F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEDC48776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEDC48762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEDC48877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEDC487F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEDC488E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEDC487E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEDC487B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B96FCD20
Device \FileSystem\Fastfat \Fat B97009F2

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \Driver\00001071 -> \Driver\atapi \Device\Harddisk0\DR0 87373E07

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Malwarebytes' Anti-Malware 1.41
Database version: 3250
Windows 5.1.2600 Service Pack 3

11/28/2009 11:46:49 AM
mbam-log-2009-11-28 (11-46-49).txt

Scan type: Quick Scan
Objects scanned: 162292
Time elapsed: 15 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


info.txt logfile of random's system information tool 1.06 2009-11-28 12:01:43

======Uninstall list======

-->C:\Program Files\USBToolbox\setup.exe
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3ivx MPEG-4 5.0.3 (remove only)-->"C:\Program Files\3ivx\3ivx MPEG-4 5.0.3\uninstaller.exe"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
America Online (Choose which version to remove)-->C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Coach Version 1.0(Build:20040229.1 en)-->C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Connectivity Services-->C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOLIcon-->MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Apple Mobile Device Support-->MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Corel Paint Shop Pro X-->MsiExec.exe /I{1A15507A-8551-4626-915D-3D5FA095CC1B}
Corel Photo Album 6-->MsiExec.exe /X{8A9B8148-DDD7-448F-BD6C-358386D32354}
Dell CinePlayer-->MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Digital Jukebox Driver-->C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Game Console-->"C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe"
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Content Portal-->MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Disney's Toontown Online-->C:\PROGRA~1\Disney\DISNEY~1\Toontown\UNWISE.EXE /A C:\PROGRA~1\Disney\DISNEY~1\Toontown\INSTALL.LOG
Documentation & Support Launcher-->MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
EarthLink setup files-->MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
Echospin Delivery Wizard-->RunDll32 advpack.dll,LaunchINFSectionEx C:\WINDOWS\Downloaded Program Files\esProxy.inf,DefaultUninstall
EducateU-->MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ELIcon-->MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7}
File Uploader-->MsiExec.exe /X{237CD223-1B9D-47E8-A76C-E478B83CCEA2}
Games, Music, & Photos Launcher-->MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
GemMaster Mystic-->"C:\Program Files\GemMaster\uninstallgemmaster.exe"
Get High Speed Internet!-->MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB888795)-->"C:\WINDOWS\$NtUninstallKB888795$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB891593)-->"C:\WINDOWS\$NtUninstallKB891593$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB895961)-->"C:\WINDOWS\$NtUninstallKB895961$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB899337)-->"C:\WINDOWS\$NtUninstallKB899337$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB899510)-->"C:\WINDOWS\$NtUninstallKB899510$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB902841)-->"C:\WINDOWS\$NtUninstallKB902841$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
HP Deskjet 5900 series-->C:\Program Files\HP\Digital Imaging\{79546A5F-AE7C-4693-8670-A3401B43ABD2}\setup\hpzscr01.exe -datfile hpfscr05.dat
HP Image Zone 5.0-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 5.0-->C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Software Update-->MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel® PRO Network Connections Drivers-->Prounstl.exe
Intel® PROSet for Wired Connections-->MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
Internet Service Offers Launcher-->MsiExec.exe /X{E42BD75A-FC23-4E3F-9F91-2658334C644F}
iTunes-->MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner-->C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
Logitech Desktop Messenger-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL
Logitech Legacy USB Camera Driver Package-->"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\11.10.2016\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"legacyqcam_11.10" /clone_wait /hide_progress
Logitech QuickCam Driver Package-->"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\11.80.1048\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"lvdrivers_11.80" /clone_wait /hide_progress
Logitech QuickCam-->MsiExec.exe /X{3AF8FCCD-F51A-4014-9002-F195E1CBC876}
Logitech Updater-->MsiExec.exe /I{53735ECE-E461-4FD0-B742-23A352436D3A}
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Uninstaller-->C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\comrem.dll::uninstall.htm
MCU-->MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft .NET Framework 1.0 Hotfix (KB887998)-->"C:\WINDOWS\$NtUninstallKB887998$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.0 Hotfix (KB930494)-->"C:\WINDOWS\$NtUninstallKB930494$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Digital Image Standard 2006-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM VERSION=11
Microsoft Encarta Encyclopedia Standard 2006-->MsiExec.exe /I{06040048-3E21-46D6-9A91-D927BA08F41D}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Excel Viewer-->MsiExec.exe /I{95120000-003F-0409-0000-0000000FF1CE}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Streets & Trips 2006-->MsiExec.exe /I{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
Microsoft Word 2002-->MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works Suite 2006 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2006\Setup\Launcher.exe /ARP D:\
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{17E3A651-12B9-4149-BAE8-E6FB9A5ADC4F}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
muvee Plugin 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82CA0A0C-A3EC-4167-B694-909205B2EDEC}\setup.exe" -l0x9
MVision-->MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NetZeroInstallers-->MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
Nikon Message Center-->MsiExec.exe /X{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}
Nikon Transfer-->MsiExec.exe /X{E9757890-7EC5-46C8-99AB-B00F07B6525C}
QuickTime-->MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Roxio DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic Activation Module-->MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB926251)-->"C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
URGE-->MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
USB Mass Storage Toolbox-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{62B002C5-1AB3-11D8-8092-00E018B21FC0}\Setup.exe"
WebCyberCoach 3.2 Dell-->"C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10 Hotfix - KB895316-->"C:\WINDOWS\$NtUninstallKB895316$\spuninst\spuninst.exe"
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]-->C:\WINDOWS\$NtUninstallEmeraldQFE2$\spuninst\spuninst.exe
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885884-->C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890927-->C:\WINDOWS\$NtUninstallKB890927$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB908246-->"C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766-->"C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip 14.0-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240BA}

=====HijackThis Backups=====

O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\ywppyagl.dll",b [2007-12-16]
O2 - BHO: (no name) - {987DA7B8-2141-4C69-845A-0444FADA8749} - C:\WINDOWS\system32\pmnli.dll (file missing) [2007-12-16]
O2 - BHO: {0a04a6d7-5259-1e4b-10f4-0957237f8cf7} - {7fc8f732-7590-4f01-b4e1-95257d6a40a0} - C:\WINDOWS\system32\gargokso.dll (file missing) [2007-12-16]

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

======System event log======

Computer Name: FAMILYROOM
Event Code: 1002
Message: The IP address lease 68.197.246.0 for the Network Card with network address 001372C837D0 has been
denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

Record Number: 321997
Source Name: Dhcp
Time Written: 20091104184728.000000-240
Event Type: error
User:

Computer Name: FAMILYROOM
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001372C837D0. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 321996
Source Name: Dhcp
Time Written: 20091104184728.000000-240
Event Type: warning
User:

Computer Name: FAMILYROOM
Event Code: 1002
Message: The IP address lease 192.168.100.2 for the Network Card with network address 001372C837D0 has been
denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

Record Number: 321057
Source Name: Dhcp
Time Written: 20091104082606.000000-240
Event Type: error
User:

Computer Name: FAMILYROOM
Event Code: 32003
Message: The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

Record Number: 321055
Source Name: ipnathlp
Time Written: 20091104082543.000000-240
Event Type: error
User:

Computer Name: FAMILYROOM
Event Code: 1002
Message: The IP address lease 68.197.246.0 for the Network Card with network address 001372C837D0 has been
denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

Record Number: 321054
Source Name: Dhcp
Time Written: 20091104082542.000000-240
Event Type: error
User:

=====Application event log=====

Computer Name: FAMILYROOM
Event Code: 1004
Message: Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS', component '{ACD935F6-53F3-469B-842F-2CE17B80840C}' failed. The resource 'HKEY_CURRENT_USER\Software\Corel\Auto Update\{1A15507A-8551-4626-915D-3D5FA095CC1B}\Interval' does not exist.

Record Number: 17916
Source Name: MsiInstaller
Time Written: 20091122085056.000000-300
Event Type: warning
User: FAMILYROOM\michael

Computer Name: FAMILYROOM
Event Code: 1001
Message: Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Record Number: 17915
Source Name: MsiInstaller
Time Written: 20091122085055.000000-300
Event Type: warning
User: FAMILYROOM\michael

Computer Name: FAMILYROOM
Event Code: 1004
Message: Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS', component '{ACD935F6-53F3-469B-842F-2CE17B80840C}' failed. The resource 'HKEY_CURRENT_USER\Software\Corel\Auto Update\{1A15507A-8551-4626-915D-3D5FA095CC1B}\Interval' does not exist.

Record Number: 17914
Source Name: MsiInstaller
Time Written: 20091122085055.000000-300
Event Type: warning
User: FAMILYROOM\michael

Computer Name: FAMILYROOM
Event Code: 1001
Message: Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Record Number: 17913
Source Name: MsiInstaller
Time Written: 20091122085052.000000-300
Event Type: warning
User: FAMILYROOM\michael

Computer Name: FAMILYROOM
Event Code: 1004
Message: Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS', component '{ACD935F6-53F3-469B-842F-2CE17B80840C}' failed. The resource 'HKEY_CURRENT_USER\Software\Corel\Auto Update\{1A15507A-8551-4626-915D-3D5FA095CC1B}\Interval' does not exist.

Record Number: 17912
Source Name: MsiInstaller
Time Written: 20091122085052.000000-300
Event Type: warning
User: FAMILYROOM\michael

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\WINDOWS\system32;%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QuickTime\QTSystem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0407
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------


Logfile of random's system information tool 1.06 (written by random/random)
Run by michael at 2009-11-28 12:01:20
Microsoft Windows XP Professional Service Pack 3
System drive C: has 117 GB (79%) free of 148 GB
Total RAM: 1022 MB (41% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:39 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\michael\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\michael.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} (Echospin Proxy Control) - http://echospin.com/wizard/files/esWizard.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10865 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-11-07 1088296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mskapbho.dll [2009-07-08 246800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2006-05-03 98304]
"ISUSPM Startup"=c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2006-09-11 218032]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-09-11 86960]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-10 385024]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-01-15 267048]
"LogitechCommunicationsManager"=C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2008-08-14 565008]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\QuickCam\Quickcam.exe [2008-08-14 2407184]
"Nikon Transfer Monitor"=C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-09-30 485208]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2006-09-11 218032]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-10 15360]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-07 21633320]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
AutorunsDisabled
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=177
"NoDriveAutoRun"=4294967295

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c6dc3dd-e24b-11dc-861d-00038a000015}]
shell\AutoRun\command - J:\system\viewer\FlipVideoforPC.exe
shell\Flip Video for PC\command - J:\system\viewer\FlipVideoforPC.exe


======List of files/folders created in the last 1 months======

2009-11-28 12:01:20 ----D---- C:\rsit
2009-11-28 10:35:56 ----D---- C:\Documents and Settings\michael\Application Data\Malwarebytes
2009-11-28 10:35:45 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-28 10:35:44 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-26 09:26:38 ----D---- C:\Documents and Settings\All Users\Application Data\WinZip
2009-11-26 09:26:25 ----D---- C:\Program Files\WinZip
2009-11-11 09:25:34 ----HD---- C:\Documents and Settings\All Users\Application Data\esClient
2009-11-11 09:25:16 ----D---- C:\Program Files\echospin
2009-11-07 17:42:31 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-07 10:25:28 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2009-11-02 17:37:18 ----A---- C:\WINDOWS\system32\muweb.dll
2009-11-02 17:37:18 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-11-02 17:37:18 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-11-01 19:20:39 ----D---- C:\Program Files\Microsoft Silverlight

======List of files/folders modified in the last 1 months======

2009-11-28 12:01:24 ----D---- C:\WINDOWS\Prefetch
2009-11-28 12:01:22 ----D---- C:\WINDOWS\Temp
2009-11-28 11:54:04 ----D---- C:\WINDOWS
2009-11-28 11:49:41 ----D---- C:\WINDOWS\Registration
2009-11-28 11:49:40 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-11-28 11:48:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-28 11:44:16 ----D---- C:\Documents and Settings\michael\Application Data\Skype
2009-11-28 10:35:46 ----D---- C:\WINDOWS\system32\drivers
2009-11-28 10:35:44 ----D---- C:\Program Files
2009-11-28 09:44:34 ----D---- C:\Documents and Settings\michael\Application Data\skypePM
2009-11-27 23:13:21 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-26 11:45:11 ----D---- C:\WINDOWS\system32\FxsTmp
2009-11-26 09:27:37 ----SHD---- C:\WINDOWS\Installer
2009-11-26 09:27:36 ----HD---- C:\Config.Msi
2009-11-25 05:01:17 ----D---- C:\WINDOWS\system32
2009-11-19 19:22:32 ----D---- C:\Program Files\McAfee
2009-11-18 19:31:06 ----HD---- C:\WINDOWS\inf
2009-11-17 22:44:05 ----A---- C:\Documents and Settings\michael\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
2009-11-11 10:07:00 ----D---- C:\Program Files\iTunes
2009-11-11 09:25:29 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-07 10:23:10 ----D---- C:\Program Files\Microsoft Works
2009-11-07 10:22:15 ----D---- C:\WINDOWS\WinSxS
2009-11-02 17:39:51 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2009-07-16 120136]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2008-07-26 25624]
R3 LVRS;Logitech RightSound Filter Driver; C:\WINDOWS\system32\DRIVERS\lvrs.sys [2008-07-26 627864]
R3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2008-07-26 41752]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 pepifilter;Volume Adapter; C:\WINDOWS\system32\DRIVERS\lv302af.sys [2008-07-26 13848]
R3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\WINDOWS\system32\DRIVERS\LV302V32.SYS [2008-07-26 2570520]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-08 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-08 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-08 21744]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-09-16 34248]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-01-15 30464]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AOL ACS;AOL Connectivity Service; C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe [2004-04-07 1135728]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-01-15 110592]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 LVCOMSer;LVCOMSer; C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [2008-07-26 186904]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2008-07-26 150040]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-09 865832]
R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 MSK80Service;McAfee SpamKiller Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2009-07-08 26640]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-10 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-01-15 504104]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
R3 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-10 14336]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\wmpnetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

#6 sundavis (Malware Response Team, 2,708 posts)

Posted 28 November 2009 - 02:01 PM

Hi harper,



Looks better. :( But you still have a rootkit onboard. We will deal with that and then scan for remnants with Kas Online Scanner. It will take some time to run the full course. Please be patient and do the following:


Step1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow ComboFix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.



Step2


Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 17...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) the following Java Runtime Environment (JRE or J2SE) in the name, and the following update:

    Java™ 6 Update 3

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.


Step3


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step4


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application?" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When the database update has finished, click on Settings.
  • Make sure all boxes are checked. then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Please post back the logs in your next reply.

1.ComboFix log
2.Kas Online Scan Report


Tell me how your pc is running now.

#7 harper (Topic Starter, Members, 16 posts)

Posted 29 November 2009 - 11:18 AM

Have tried running Combofix several times and get no results. Twice I have let it run for over an hour and all I get is the program saying:

Scanning
It may take 10 minutes but heavily infected computers may double that time

I made sure McAfee antivirus was turned off, as well as its firewall, and also made sure the Windows firewall was off.

Any suggestions? Should I just let the program run? I'm sure I followed all the instructions on your combofix download instructions.

Thanks

#8 sundavis (Malware Response Team, 2,708 posts)

Posted 29 November 2009 - 12:06 PM

Hi harper,


The rootkit may be blocking ComboFix somehow. Let's take another approach. Please proceed with the following:


Step1

1. Go to this thread and download TDSSKiller to your Desktop.
2. Extract its contents to your desktop and drag TDSSKiller.exe onto the desktop, not into the folder.
3. Start > Run, copy/paste the following command into the Run box and hit Enter:

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

4. Follow the instructions to type in "delete" when it asks you what to do if it finds something.
5. When done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste its contents in your next reply.


Step2

After that, please disable McAfee real-time protection and delete the current copy of ComboFix, download it again and rerun it as instructed in my previous post.

How to disable McAfee:
  • Start McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.

    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)

  • Next, select never for "When to re-enable real time scanning"
  • and click OK.
Further info in This thread.



Please post back the logs in your next reply.

1.ComboFix log
2.Kas Online Scan Report
3.TDSSKiller log
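The -l/-v run above writes a verbose text log of what TDSSKiller checked: whether service keys for the rootkit driver names it knows about exist ("Open/Create key error 2" is Win32 ERROR_FILE_NOT_FOUND, i.e. not present), whether the live SSDT entry for NtEnumerateKey differs from the address computed from the on-disk kernel, whether the routine's first bytes have been patched ("Splicing found"), and where each IRP_MJ dispatch entry of \Driver\Disk points (the TDL3 pass). The following triage script is an added example for this thread, not Kaspersky's code and not part of TDSSKiller; its line layout is taken from the log harper posts later in the thread. The "Service ... found" message, the 8A3B1C00 handler address and the 1 MiB image window are assumptions constructed for the example.

```python
"""Triage a TDSSKiller verbose log (-l <file> -v) for rootkit indicators.

Added example for this thread; not Kaspersky's code and not part of
TDSSKiller. The line layout is assumed from the log posted in the thread:

    HH:MM:SS:mmm <pid> <Function>: <message>
"""
import re
from collections import Counter, defaultdict
from statistics import median

LINE_RE = re.compile(r"^(\d{1,2}:\d{2}:\d{2}:\d+)\s+(\d+)\s+(\w+):\s*(.*)$")

# Win32 error 2 is ERROR_FILE_NOT_FOUND: the probed service key does not exist.
ERR_NOT_FOUND = "Open/Create key error 2"

# Heuristic (our assumption, not the tool's): one driver's dispatch routines
# live in one image, so they should sit within about 1 MiB of each other.
IMAGE_WINDOW = 0x100000


def parse(text):
    """Yield (function, message) for every well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(3), m.group(4)


def odd_irp_handlers(driver, table):
    """Flag IRP_MJ dispatch entries that do not sit near the driver's others.

    The most frequent address is the kernel's catch-all for unsupported IRPs
    (804F4552 in the posted log) and is ignored; the rest should cluster.
    """
    counts = Counter(addr for _, addr in table)
    default = counts.most_common(1)[0][0]
    own = [addr for _, addr in table if addr != default]
    if len(own) < 2:
        return []
    centre = int(median(own))
    return [f"{driver}: IRP_MJ {idx} handler {addr:08X} outside driver image "
            f"(expected near {centre:08X})"
            for idx, addr in sorted(table)
            if addr != default and abs(addr - centre) > IMAGE_WINDOW]


def triage(text):
    """Return human-readable findings from a TDSSKiller log, in log order."""
    findings = []
    pending = None             # service name whose lookup result is awaited
    driver = None              # driver whose IRP table is currently listed
    tables = defaultdict(set)  # driver name -> {(IRP_MJ index, handler addr)}
    real = {}                  # routine -> address read from the live SSDT

    for func, msg in parse(text):
        if func == "ScanServices":
            if msg.startswith("Searching service "):
                pending = msg[len("Searching service "):]
            elif pending:
                if msg != ERR_NOT_FOUND:
                    findings.append(f"service key present for {pending}: {msg}")
                pending = None
        elif func == "UnhookRegistry":
            # "real" = entry read from the live KiServiceTable,
            # "calc" = address computed from the on-disk kernel image.
            m = re.match(r"(\w+) (real|calc) addr: ([0-9A-F]+)$", msg)
            if m:
                routine, kind, addr = m.group(1), m.group(2), int(m.group(3), 16)
                if kind == "real":
                    real[routine] = addr
                elif routine in real and real[routine] != addr:
                    findings.append(f"SDT hook on {routine}: table entry "
                                    f"{real[routine]:08X} != image {addr:08X}")
            elif msg.startswith("Splicing found on "):
                findings.append(f"inline hook (splice) on {msg.rsplit(' ', 1)[1]}")
            elif "unhooked successfully" in msg:
                findings.append(f"hook removed: {msg}")
        elif func == "DetectCureTDL3":
            m = re.match(r"DRIVER_OBJECT name: (\S+), Driver Name:", msg)
            if m:
                driver = m.group(1)
            m = re.match(r"IrpHandler \((\d+)\) addr: ([0-9A-F]+)$", msg)
            if m and driver:
                tables[driver].add((int(m.group(1)), int(m.group(2), 16)))

    for name, table in tables.items():
        findings.extend(odd_irp_handlers(name, table))
    return findings


# Constructed sample: lines copied from the posted log, plus two planted ones
# (a "found" service key, whose message text is a guess, and an IRP_MJ 14
# handler far away from disk.sys) so the triage has something to report.
SAMPLE_LOG = r"""
17:26:58:15 2588 ScanServices: Searching service UACd.sys
17:26:58:15 2588 ScanServices: Open/Create key error 2
17:26:58:15 2588 ScanServices: Searching service gaopdxserv.sys
17:26:58:15 2588 ScanServices: Service gaopdxserv.sys found
17:26:58:328 2588 UnhookRegistry: NtEnumerateKey real addr: 80623FC6
17:26:58:328 2588 UnhookRegistry: NtEnumerateKey calc addr: 80623FC6
17:26:58:328 2588 UnhookRegistry: No SDT hooks found on NtEnumerateKey
17:26:58:328 2588 UnhookRegistry: Splicing found on NtEnumerateKey
17:26:58:328 2588 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
17:26:58:328 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:26:58:328 2588 DetectCureTDL3: IrpHandler (0) addr: F7618BB0
17:26:58:328 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (2) addr: F7618BB0
17:26:58:328 2588 DetectCureTDL3: IrpHandler (3) addr: F7612D1F
17:26:58:328 2588 DetectCureTDL3: IrpHandler (4) addr: F7612D1F
17:26:58:328 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (9) addr: F76132E2
17:26:58:328 2588 DetectCureTDL3: IrpHandler (14) addr: 8A3B1C00
17:26:58:328 2588 DetectCureTDL3: IrpHandler (15) addr: F7616F28
17:26:58:328 2588 DetectCureTDL3: IrpHandler (22) addr: F7614C82
17:26:58:328 2588 DetectCureTDL3: IrpHandler (23) addr: F761999E
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run it against C:\TDSSKiller.txt by passing the file's contents to triage(). A clean machine such as the one in harper's posted log produces only the "Splicing found" and "unhooked successfully" pair for NtEnumerateKey (the rootkit's inline registry hook, which TDSSKiller removes) and no IRP findings, because every disk.sys dispatch entry sits inside the F761xxxx image; a TDL3-infected disk stack shows handlers pointing somewhere else entirely, which is what the image-window heuristic surfaces.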

#9 harper (Topic Starter, Members, 16 posts)

Posted 29 November 2009 - 07:56 PM

Don't know if I am doing the right thing - still having problems with Combofix. Was able to run the TDSSkiller and log is posted below. Deleted Combofix and when I go to download new version I am getting a popup from McAfee saying:

Detected: Artemis!3CB00E96D301 (Trojan), Artemis!3CB00E96D301 (Trojan)
Location: C:\Documents and Settings\michael\Local Settings\Temporary Internet Files\Content.IE5\6MNOXW8B\ComboFix[1].exe

I click on OK that it has been blocked and go to continue with the download, and then get the message that it cannot copy ComboFix[1]: Access denied. Make sure the disk is not full or write protected and that the file is not currently in use.

Maybe I did not delete correctly? I had tried running combofix once again and after an hour still had the same message: scanning for files....this typically doesn't take more than 10 minutes etc...

I have never received the message that it changed my clock or completed any stages.

After getting it installed should I just let it run...regardless of time?

Thanks.

#10 harper (Topic Starter, Members, 16 posts)

Posted 29 November 2009 - 07:59 PM

Sorry, forgot the TDSSkiller log

Host Name: FAMILYROOM
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: michael
Registered Organization:
Product ID: 76487-OEM-0011903-00825
Original Install Date: 5/19/2006, 11:40:26 PM
System Up Time: 0 Days, 8 Hours, 48 Minutes, 51 Seconds
System Manufacturer: Dell Inc.
System Model: Dell DM051
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 4 Stepping 7 GenuineIntel ~2793 Mhz
BIOS Version: DELL - 7
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory: 1,022 MB
Available Physical Memory: 306 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,004 MB
Virtual Memory: In Use: 44 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\FAMILYROOM
Hotfix(s): 329 Hotfix(s) Installed.
[01]: EmeraldQFE2 - Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: File 1
[67]: File 1
[68]: File 1
[69]: File 1
[70]: File 1
[71]: File 1
[72]: File 1
[73]: File 1
[74]: File 1
[75]: File 1
[76]: File 1
[77]: File 1
[78]: File 1
[79]: File 1
[80]: File 1
[81]: File 1
[82]: File 1
[83]: File 1
[84]: File 1
[85]: File 1
[86]: File 1
[87]: File 1
[88]: File 1
[89]: File 1
[90]: File 1
[91]: File 1
[92]: File 1
[93]: File 1
[94]: File 1
[95]: File 1
[96]: File 1
[97]: File 1
[98]: File 1
[99]: File 1
[100]: File 1
[101]: File 1
[102]: File 1
[103]: File 1
[104]: File 1
[105]: File 1
[106]: File 1
[107]: File 1
[108]: File 1
[109]: File 1
[110]: File 1
[111]: File 1
[112]: File 1
[113]: File 1
[114]: File 1
[115]: File 1
[116]: File 1
[117]: File 1
[118]: File 1
[119]: File 1
[120]: File 1
[121]: File 1
[122]: File 1
[123]: File 1
[124]: File 1
[125]: File 1
[126]: File 1
[127]: File 1
[128]: File 1
[129]: File 1
[130]: File 1
[131]: File 1
[132]: File 1
[133]: File 1
[134]: File 1
[135]: File 1
[136]: File 1
[137]: File 1
[138]: File 1
[139]: File 1
[140]: File 1
[141]: File 1
[142]: File 1
[143]: File 1
[144]: File 1
[145]: File 1
[146]: File 1
[147]: File 1
[148]: File 1
[149]: File 1
[150]: File 1
[151]: File 1
[152]: File 1
[153]: File 1
[154]: File 1
[155]: Q147222
[156]: KB887998 - QFE
[157]: KB930494 - QFE
[158]: SP3 - SP
[159]: M928366 - Update
[160]: S867460 - Update
[161]: KB900325 - Update
[162]: Q927978
[163]: Q936181
[164]: IDNMitigationAPIs - Update
[165]: NLSDownlevelMapping - Update
[166]: KB929399
[167]: KB911565
[168]: KB913800
[169]: KB917734_WMP10
[170]: KB926251
[171]: EmeraldQFE2 - Update
[172]: KB936782_WMP11
[173]: KB939683
[174]: KB925398_WMP64
[175]: KB923689
[176]: KB941569
[177]: KB938127-IE7 - Update
[178]: KB939653-IE7 - Update
[179]: KB942615-IE7 - Update
[180]: KB944533-IE7 - Update
[181]: KB947864-IE7 - Update
[182]: MSCompPackV1 - Update
[183]: KB873339 - Update
[184]: KB885250 - Update
[185]: KB885835 - Update
[186]: KB885836 - Update
[187]: KB885884 - Update
[188]: KB886185 - Update
[189]: KB887472 - Update
[190]: KB887742 - Update
[191]: KB887998 - Update
[192]: KB888113 - Update
[193]: KB888302 - Update
[194]: KB888795 - Update
[195]: KB889673 - Update
[196]: KB890046 - Update
[197]: KB890859 - Update
[198]: KB890927 - Update
[199]: KB891593 - Update
[200]: KB891781 - Update
[201]: KB893756 - Update
[202]: KB894391 - Update
[203]: KB896256 - Update
[204]: KB896358 - Update
[205]: KB896422 - Update
[206]: KB896423 - Update
[207]: KB896424 - Update
[208]: KB896428 - Update
[209]: KB898461 - Update
[210]: KB899337 - Update
[211]: KB899510 - Update
[212]: KB899587 - Update
[213]: KB899588 - Update
[214]: KB899589 - Update
[215]: KB899591 - Update
[216]: KB900485 - Update
[217]: KB900725 - Update
[218]: KB901017 - Update
[219]: KB901190 - Update
[220]: KB901214 - Update
[221]: KB902400 - Update
[222]: KB902841 - Update
[223]: KB904706 - Update
[224]: KB904942 - Update
[225]: KB905414 - Update
[226]: KB905749 - Update
[227]: KB905915 - Update
[228]: KB906569 - Update
[229]: KB908519 - Update
[230]: KB908531 - Update
[231]: KB908673 - Update
[232]: KB910437 - Update
[233]: KB911280 - Update
[234]: KB911562 - Update
[235]: K

NetWork Card(s): 1 NIC(s) Installed.
[01]: Intel® PRO/100 VE Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 10.107.128.1
IP address(es)
[01]: 68.197.246.0
17:26:57:875 2588 ForceUnloadDriver: NtUnloadDriver error 2
17:26:57:890 2588 ForceUnloadDriver: NtUnloadDriver error 2
17:26:57:890 2588 ForceUnloadDriver: NtUnloadDriver error 2
17:26:57:953 2588 main: Driver KLMD successfully dropped
17:26:58:0 2588 main: Driver KLMD successfully loaded
17:26:58:0 2588
Scanning Registry ...
17:26:58:15 2588 ScanServices: Searching service UACd.sys
17:26:58:15 2588 ScanServices: Open/Create key error 2
17:26:58:15 2588 ScanServices: Searching service TDSSserv.sys
17:26:58:15 2588 ScanServices: Open/Create key error 2
17:26:58:15 2588 ScanServices: Searching service gaopdxserv.sys
17:26:58:15 2588 ScanServices: Open/Create key error 2
17:26:58:15 2588 ScanServices: Searching service gxvxcserv.sys
17:26:58:15 2588 ScanServices: Open/Create key error 2
17:26:58:15 2588 ScanServices: Searching service MSIVXserv.sys
17:26:58:15 2588 ScanServices: Open/Create key error 2
17:26:58:15 2588 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
17:26:58:296 2588 UnhookRegistry: Kernel local addr: 1010000
17:26:58:296 2588 UnhookRegistry: KeServiceDescriptorTable addr: 1095700
17:26:58:312 2588 UnhookRegistry: KiServiceTable addr: 103D450
17:26:58:312 2588 UnhookRegistry: NtEnumerateKey service number (local): 47
17:26:58:312 2588 UnhookRegistry: NtEnumerateKey local addr: 115CFC6
17:26:58:328 2588 KLMD_OpenDevice: Trying to open KLMD device
17:26:58:328 2588 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
17:26:58:328 2588 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
17:26:58:328 2588 KLMD_ReadMem: Trying to ReadMemory 0x805002B9[0x4]
17:26:58:328 2588 UnhookRegistry: NtEnumerateKey service number (kernel): 47
17:26:58:328 2588 KLMD_ReadMem: Trying to ReadMemory 0x8050456C[0x4]
17:26:58:328 2588 UnhookRegistry: NtEnumerateKey real addr: 80623FC6
17:26:58:328 2588 UnhookRegistry: NtEnumerateKey calc addr: 80623FC6
17:26:58:328 2588 UnhookRegistry: No SDT hooks found on NtEnumerateKey
17:26:58:328 2588 KLMD_ReadMem: Trying to ReadMemory 0x80623FC6[0xA]
17:26:58:328 2588 UnhookRegistry: Splicing found on NtEnumerateKey
17:26:58:328 2588 KLMD_WriteMem: Trying to WriteMemory 0x80623FC6[0xA]
17:26:58:328 2588 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
17:26:58:328 2588
Scanning Kernel memory ...
17:26:58:328 2588 KLMD_OpenDevice: Trying to open KLMD device
17:26:58:328 2588 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
17:26:58:328 2588 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:26:58:328 2588 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8738D910
17:26:58:328 2588 DetectCureTDL3: KLMD_GetDeviceObjectList returned 12 DevObjects
17:26:58:328 2588 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 87187220
17:26:58:328 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87187220
17:26:58:328 2588 KLMD_ReadMem: Trying to ReadMemory 0x87187220[0x38]
17:26:58:328 2588 DetectCureTDL3: DRIVER_OBJECT addr: 8738D910
17:26:58:328 2588 KLMD_ReadMem: Trying to ReadMemory 0x8738D910[0xA8]
17:26:58:328 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1AAB080[0x208]
17:26:58:328 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:26:58:328 2588 DetectCureTDL3: IrpHandler (0) addr: F7618BB0
17:26:58:328 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (2) addr: F7618BB0
17:26:58:328 2588 DetectCureTDL3: IrpHandler (3) addr: F7612D1F
17:26:58:328 2588 DetectCureTDL3: IrpHandler (4) addr: F7612D1F
17:26:58:328 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (9) addr: F76132E2
17:26:58:328 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (14) addr: F76133BB
17:26:58:328 2588 DetectCureTDL3: IrpHandler (15) addr: F7616F28
17:26:58:328 2588 DetectCureTDL3: IrpHandler (16) addr: F76132E2
17:26:58:328 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (22) addr: F7614C82
17:26:58:328 2588 DetectCureTDL3: IrpHandler (23) addr: F761999E
17:26:58:328 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:328 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:328 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:328 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:375 2588 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8728BC68
17:26:58:375 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8728BC68
17:26:58:375 2588 KLMD_ReadMem: Trying to ReadMemory 0x8728BC68[0x38]
17:26:58:375 2588 DetectCureTDL3: DRIVER_OBJECT addr: 8738D910
17:26:58:375 2588 KLMD_ReadMem: Trying to ReadMemory 0x8738D910[0xA8]
17:26:58:375 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1AAB080[0x208]
17:26:58:375 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:26:58:375 2588 DetectCureTDL3: IrpHandler (0) addr: F7618BB0
17:26:58:375 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (2) addr: F7618BB0
17:26:58:375 2588 DetectCureTDL3: IrpHandler (3) addr: F7612D1F
17:26:58:375 2588 DetectCureTDL3: IrpHandler (4) addr: F7612D1F
17:26:58:375 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (9) addr: F76132E2
17:26:58:375 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (14) addr: F76133BB
17:26:58:375 2588 DetectCureTDL3: IrpHandler (15) addr: F7616F28
17:26:58:375 2588 DetectCureTDL3: IrpHandler (16) addr: F76132E2
17:26:58:375 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (22) addr: F7614C82
17:26:58:375 2588 DetectCureTDL3: IrpHandler (23) addr: F761999E
17:26:58:375 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:375 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:375 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:375 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:375 2588 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86BFA728
17:26:58:375 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86BFA728
17:26:58:390 2588 KLMD_ReadMem: Trying to ReadMemory 0x86BFA728[0x38]
17:26:58:390 2588 DetectCureTDL3: DRIVER_OBJECT addr: 8738D910
17:26:58:390 2588 KLMD_ReadMem: Trying to ReadMemory 0x8738D910[0xA8]
17:26:58:390 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1AAB080[0x208]
17:26:58:390 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:26:58:390 2588 DetectCureTDL3: IrpHandler (0) addr: F7618BB0
17:26:58:390 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (2) addr: F7618BB0
17:26:58:390 2588 DetectCureTDL3: IrpHandler (3) addr: F7612D1F
17:26:58:390 2588 DetectCureTDL3: IrpHandler (4) addr: F7612D1F
17:26:58:390 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (9) addr: F76132E2
17:26:58:390 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (14) addr: F76133BB
17:26:58:390 2588 DetectCureTDL3: IrpHandler (15) addr: F7616F28
17:26:58:390 2588 DetectCureTDL3: IrpHandler (16) addr: F76132E2
17:26:58:390 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (22) addr: F7614C82
17:26:58:390 2588 DetectCureTDL3: IrpHandler (23) addr: F761999E
17:26:58:390 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:390 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:390 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:390 2588 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8724DC68
17:26:58:390 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8724DC68
17:26:58:390 2588 KLMD_ReadMem: Trying to ReadMemory 0x8724DC68[0x38]
17:26:58:390 2588 DetectCureTDL3: DRIVER_OBJECT addr: 8738D910
17:26:58:390 2588 KLMD_ReadMem: Trying to ReadMemory 0x8738D910[0xA8]
17:26:58:390 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1AAB080[0x208]
17:26:58:390 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:26:58:390 2588 DetectCureTDL3: IrpHandler (0) addr: F7618BB0
17:26:58:390 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (2) addr: F7618BB0
17:26:58:390 2588 DetectCureTDL3: IrpHandler (3) addr: F7612D1F
17:26:58:390 2588 DetectCureTDL3: IrpHandler (4) addr: F7612D1F
17:26:58:390 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (9) addr: F76132E2
17:26:58:390 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (14) addr: F76133BB
17:26:58:390 2588 DetectCureTDL3: IrpHandler (15) addr: F7616F28
17:26:58:390 2588 DetectCureTDL3: IrpHandler (16) addr: F76132E2
17:26:58:390 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (22) addr: F7614C82
17:26:58:390 2588 DetectCureTDL3: IrpHandler (23) addr: F761999E
17:26:58:390 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:390 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:390 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:390 2588 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 86DCA030
17:26:58:390 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86DCA030
17:26:58:390 2588 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 86BF2740
17:26:58:390 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86BF2740
17:26:58:390 2588 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 86C184C8
17:26:58:390 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C184C8
17:26:58:390 2588 KLMD_ReadMem: Trying to ReadMemory 0x86C184C8[0x38]
17:26:58:390 2588 DetectCureTDL3: DRIVER_OBJECT addr: 872D08A8
17:26:58:390 2588 KLMD_ReadMem: Trying to ReadMemory 0x872D08A8[0xA8]
17:26:58:390 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1DDB048[0x208]
17:26:58:390 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:26:58:390 2588 DetectCureTDL3: IrpHandler (0) addr: F79DF218
17:26:58:390 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (2) addr: F79DF218
17:26:58:390 2588 DetectCureTDL3: IrpHandler (3) addr: F79DF23C
17:26:58:390 2588 DetectCureTDL3: IrpHandler (4) addr: F79DF23C
17:26:58:390 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (9) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (14) addr: F79DF180
17:26:58:390 2588 DetectCureTDL3: IrpHandler (15) addr: F79DA9E6
17:26:58:390 2588 DetectCureTDL3: IrpHandler (16) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (22) addr: F79DE5F0
17:26:58:390 2588 DetectCureTDL3: IrpHandler (23) addr: F79DCA6E
17:26:58:390 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:390 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:390 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
17:26:58:390 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
17:26:58:406 2588 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 86BF2AB8
17:26:58:406 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86BF2AB8
17:26:58:406 2588 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 86C91288
17:26:58:406 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C91288
17:26:58:406 2588 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 871496F8
17:26:58:406 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 871496F8
17:26:58:406 2588 KLMD_ReadMem: Trying to ReadMemory 0x871496F8[0x38]
17:26:58:406 2588 DetectCureTDL3: DRIVER_OBJECT addr: 872D08A8
17:26:58:406 2588 KLMD_ReadMem: Trying to ReadMemory 0x872D08A8[0xA8]
17:26:58:406 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1DDB048[0x208]
17:26:58:406 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:26:58:406 2588 DetectCureTDL3: IrpHandler (0) addr: F79DF218
17:26:58:406 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (2) addr: F79DF218
17:26:58:406 2588 DetectCureTDL3: IrpHandler (3) addr: F79DF23C
17:26:58:406 2588 DetectCureTDL3: IrpHandler (4) addr: F79DF23C
17:26:58:406 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (9) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (14) addr: F79DF180
17:26:58:406 2588 DetectCureTDL3: IrpHandler (15) addr: F79DA9E6
17:26:58:406 2588 DetectCureTDL3: IrpHandler (16) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (22) addr: F79DE5F0
17:26:58:406 2588 DetectCureTDL3: IrpHandler (23) addr: F79DCA6E
17:26:58:406 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:406 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:406 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
17:26:58:406 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
17:26:58:531 2588 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 86BF2030
17:26:58:531 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86BF2030
17:26:58:531 2588 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 86C915F0
17:26:58:531 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C915F0
17:26:58:531 2588 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 87283888
17:26:58:531 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87283888
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0x87283888[0x38]
17:26:58:531 2588 DetectCureTDL3: DRIVER_OBJECT addr: 872D08A8
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0x872D08A8[0xA8]
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1DDB048[0x208]
17:26:58:531 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:26:58:531 2588 DetectCureTDL3: IrpHandler (0) addr: F79DF218
17:26:58:531 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (2) addr: F79DF218
17:26:58:531 2588 DetectCureTDL3: IrpHandler (3) addr: F79DF23C
17:26:58:531 2588 DetectCureTDL3: IrpHandler (4) addr: F79DF23C
17:26:58:531 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (9) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (14) addr: F79DF180
17:26:58:531 2588 DetectCureTDL3: IrpHandler (15) addr: F79DA9E6
17:26:58:531 2588 DetectCureTDL3: IrpHandler (16) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (22) addr: F79DE5F0
17:26:58:531 2588 DetectCureTDL3: IrpHandler (23) addr: F79DCA6E
17:26:58:531 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:531 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
17:26:58:531 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
17:26:58:531 2588 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 86C91968
17:26:58:531 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C91968
17:26:58:531 2588 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 86C91ED0
17:26:58:531 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C91ED0
17:26:58:531 2588 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 86C92CA0
17:26:58:531 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C92CA0
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0x86C92CA0[0x38]
17:26:58:531 2588 DetectCureTDL3: DRIVER_OBJECT addr: 872D08A8
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0x872D08A8[0xA8]
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1DDB048[0x208]
17:26:58:531 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:26:58:531 2588 DetectCureTDL3: IrpHandler (0) addr: F79DF218
17:26:58:531 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (2) addr: F79DF218
17:26:58:531 2588 DetectCureTDL3: IrpHandler (3) addr: F79DF23C
17:26:58:531 2588 DetectCureTDL3: IrpHandler (4) addr: F79DF23C
17:26:58:531 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (9) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (14) addr: F79DF180
17:26:58:531 2588 DetectCureTDL3: IrpHandler (15) addr: F79DA9E6
17:26:58:531 2588 DetectCureTDL3: IrpHandler (16) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (22) addr: F79DE5F0
17:26:58:531 2588 DetectCureTDL3: IrpHandler (23) addr: F79DCA6E
17:26:58:531 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:531 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
17:26:58:531 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
17:26:58:531 2588 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 87386C68
17:26:58:531 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87386C68
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0x87386C68[0x38]
17:26:58:531 2588 DetectCureTDL3: DRIVER_OBJECT addr: 8738D910
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0x8738D910[0xA8]
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1AAB080[0x208]
17:26:58:531 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:26:58:531 2588 DetectCureTDL3: IrpHandler (0) addr: F7618BB0
17:26:58:531 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (2) addr: F7618BB0
17:26:58:531 2588 DetectCureTDL3: IrpHandler (3) addr: F7612D1F
17:26:58:531 2588 DetectCureTDL3: IrpHandler (4) addr: F7612D1F
17:26:58:531 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (9) addr: F76132E2
17:26:58:531 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (14) addr: F76133BB
17:26:58:531 2588 DetectCureTDL3: IrpHandler (15) addr: F7616F28
17:26:58:531 2588 DetectCureTDL3: IrpHandler (16) addr: F76132E2
17:26:58:531 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (22) addr: F7614C82
17:26:58:531 2588 DetectCureTDL3: IrpHandler (23) addr: F761999E
17:26:58:531 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:531 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:531 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:531 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:531 2588 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 87387C68
17:26:58:531 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87387C68
17:26:58:531 2588 KLMD_ReadMem: Trying to ReadMemory 0x87387C68[0x38]
17:26:58:546 2588 DetectCureTDL3: DRIVER_OBJECT addr: 8738D910
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0x8738D910[0xA8]
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1AAB080[0x208]
17:26:58:546 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:26:58:546 2588 DetectCureTDL3: IrpHandler (0) addr: F7618BB0
17:26:58:546 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (2) addr: F7618BB0
17:26:58:546 2588 DetectCureTDL3: IrpHandler (3) addr: F7612D1F
17:26:58:546 2588 DetectCureTDL3: IrpHandler (4) addr: F7612D1F
17:26:58:546 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (9) addr: F76132E2
17:26:58:546 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (14) addr: F76133BB
17:26:58:546 2588 DetectCureTDL3: IrpHandler (15) addr: F7616F28
17:26:58:546 2588 DetectCureTDL3: IrpHandler (16) addr: F76132E2
17:26:58:546 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (22) addr: F7614C82
17:26:58:546 2588 DetectCureTDL3: IrpHandler (23) addr: F761999E
17:26:58:546 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:546 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:546 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:546 2588 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 87388C68
17:26:58:546 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87388C68
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0x87388C68[0x38]
17:26:58:546 2588 DetectCureTDL3: DRIVER_OBJECT addr: 8738D910
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0x8738D910[0xA8]
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1AAB080[0x208]
17:26:58:546 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:26:58:546 2588 DetectCureTDL3: IrpHandler (0) addr: F7618BB0
17:26:58:546 2588 DetectCureTDL3: IrpHandler (1) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (2) addr: F7618BB0
17:26:58:546 2588 DetectCureTDL3: IrpHandler (3) addr: F7612D1F
17:26:58:546 2588 DetectCureTDL3: IrpHandler (4) addr: F7612D1F
17:26:58:546 2588 DetectCureTDL3: IrpHandler (5) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (6) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (7) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (8) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (9) addr: F76132E2
17:26:58:546 2588 DetectCureTDL3: IrpHandler (10) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (11) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (12) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (13) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (14) addr: F76133BB
17:26:58:546 2588 DetectCureTDL3: IrpHandler (15) addr: F7616F28
17:26:58:546 2588 DetectCureTDL3: IrpHandler (16) addr: F76132E2
17:26:58:546 2588 DetectCureTDL3: IrpHandler (17) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (18) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (19) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (20) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (21) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (22) addr: F7614C82
17:26:58:546 2588 DetectCureTDL3: IrpHandler (23) addr: F761999E
17:26:58:546 2588 DetectCureTDL3: IrpHandler (24) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (25) addr: 804F4552
17:26:58:546 2588 DetectCureTDL3: IrpHandler (26) addr: 804F4552
17:26:58:546 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:546 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
17:26:58:546 2588 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 87389AB8
17:26:58:546 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87389AB8
17:26:58:546 2588 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 8738BD98
17:26:58:546 2588 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8738BD98
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0x8738BD98[0x38]
17:26:58:546 2588 DetectCureTDL3: DRIVER_OBJECT addr: 86E66458
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0x86E66458[0xA8]
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0x8737CB00[0x38]
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0x873911B0[0xA8]
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0xE1A83330[0x208]
17:26:58:546 2588 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:26:58:546 2588 DetectCureTDL3: IrpHandler (0) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (1) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (2) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (3) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (4) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (5) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (6) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (7) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (8) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (9) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (10) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (11) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (12) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (13) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (14) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (15) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (16) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (17) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (18) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (19) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (20) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (21) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (22) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (23) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (24) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (25) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: IrpHandler (26) addr: 87338E07
17:26:58:546 2588 DetectCureTDL3: All IRP handlers pointed to one addr: 87338E07
17:26:58:546 2588 KLMD_ReadMem: Trying to ReadMemory 0x87338E07[0x400]
17:26:58:546 2588 TDL3_HookDetect: CheckParameters: 7, FFDF0308, 441, 99, 3, 88
17:26:58:546 2588 Driver atapi infected by TDSS rootkit ... 17:26:58:546 2588 TDL3_HookCure: Processing driver in memory: atapi
17:26:58:546 2588 KLMD_WriteMem: Trying to WriteMemory 0x87338E6A[0xD]
17:26:58:546 2588 cured
17:26:58:546 2588 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
17:26:58:546 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
17:26:58:578 2588 File C:\WINDOWS\system32\Drivers\atapi.sys infected by TDSS rootkit ... 17:26:58:578 2588 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
17:26:58:578 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
17:26:58:578 2588 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
17:26:58:765 2588 cured
17:26:58:765 2588
Completed

Results:
17:26:58:765 2588 Infected / Cured drivers in memory: 1 / 1
17:26:58:765 2588 Infected / Cured drivers on disk: 1 / 1
17:26:58:765 2588 Files deleted on next reboot: 0
17:26:58:765 2588 Registry nodes deleted on next reboot: 0
17:26:58:765 2588

#11 sundavis

  • Malware Response Team

Posted 29 November 2009 - 08:44 PM

Hi harper,


Start Windows Task Manager by pressing Ctrl+Alt+Del, then click the Processes tab, and under the Image Name column, click on something like CF23456, cfxxe, then press the End Process button at the bottom right-hand corner.

Restart your PC and delete the following file manually:
C:\Documents and Settings\michael\Local Settings\Temporary Internet Files\Content.IE5\6MNOXW8B\ComboFix[1].exe

Now, please delete the current copy of CF on your desktop and disable McAfee real-time protection as well. Please redownload it and rename it harper.exe before saving it to your desktop.

Please rerun it, or you may run it in safe mode if the problem still persists. McAfee is notorious for blocking our tools, but seems to have no way to defend against malware efficiently. After that, please do the following:

Step 1

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :Filefind
    atapi*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


In your next reply, please post back:

1. ComboFix log
2. SystemLook.txt
3. Kas Online Scanner report

Edited by sundavis, 29 November 2009 - 08:49 PM.


#12 harper

  • Topic Starter

Posted 01 December 2009 - 06:30 AM

Running ComboFix in safe mode seemed to do the trick. Here are the logs. Looks like we have stopped being redirected and pages are loading correctly (and quicker). Thanks.

Combofix

ComboFix 09-11-29.03 - michael 11/29/2009 22:22.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.812 [GMT -5:00]
Running from: c:\documents and settings\michael\Desktop\harper.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\_005249_.tmp.dll
c:\windows\system32\_005250_.tmp.dll
c:\windows\system32\_005251_.tmp.dll
c:\windows\system32\_005252_.tmp.dll
c:\windows\system32\_005259_.tmp.dll
c:\windows\system32\_005260_.tmp.dll
c:\windows\system32\_005261_.tmp.dll
c:\windows\system32\_005262_.tmp.dll
c:\windows\system32\_005264_.tmp.dll
c:\windows\system32\_005265_.tmp.dll
c:\windows\system32\_005268_.tmp.dll
c:\windows\system32\_005269_.tmp.dll
c:\windows\system32\_005271_.tmp.dll
c:\windows\system32\_005272_.tmp.dll
c:\windows\system32\_005273_.tmp.dll
c:\windows\system32\_005275_.tmp.dll
c:\windows\system32\_005276_.tmp.dll
c:\windows\system32\_005278_.tmp.dll
c:\windows\system32\_005279_.tmp.dll
c:\windows\system32\_005283_.tmp.dll
c:\windows\system32\_005284_.tmp.dll
c:\windows\system32\_005286_.tmp.dll
c:\windows\system32\_005289_.tmp.dll
c:\windows\system32\_005291_.tmp.dll
c:\windows\system32\_005292_.tmp.dll
c:\windows\system32\_005293_.tmp.dll
c:\windows\system32\_005294_.tmp.dll
c:\windows\system32\_005295_.tmp.dll
c:\windows\system32\_005298_.tmp.dll
c:\windows\system32\_005299_.tmp.dll
c:\windows\system32\_005300_.tmp.dll
c:\windows\system32\_005301_.tmp.dll
c:\windows\system32\_005302_.tmp.dll
c:\windows\system32\_005307_.tmp.dll
c:\windows\system32\_005309_.tmp.dll
c:\windows\system32\_005310_.tmp.dll
c:\windows\system32\mbjhwwvw.ini
c:\windows\system32\SETC36.tmp

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 03:32 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-28 17:01 . 2009-11-28 17:01 -------- d-----w- C:\rsit
2009-11-28 15:35 . 2009-11-28 15:35 -------- d-----w- c:\documents and settings\michael\Application Data\Malwarebytes
2009-11-28 15:35 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 15:35 . 2009-11-28 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-28 15:35 . 2009-11-28 15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 15:35 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 14:26 . 2009-11-26 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-11-11 14:25 . 2009-11-11 14:25 -------- d--h--w- c:\documents and settings\michael\Local Settings\Application Data\esTools
2009-11-11 14:25 . 2009-11-11 14:25 15172 ----a-w- c:\windows\system32\drivers\PzWDM.sys
2009-11-11 14:25 . 2009-11-11 14:36 -------- d--h--w- c:\documents and settings\All Users\Application Data\esClient
2009-11-11 14:25 . 2009-11-11 14:25 -------- d-----w- c:\program files\echospin
2009-11-07 22:42 . 2009-11-07 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-07 15:25 . 2009-11-07 15:25 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-02 22:37 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-02 22:37 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-11-02 00:20 . 2009-11-02 00:20 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 02:43 . 2008-05-17 02:16 -------- d-----w- c:\documents and settings\michael\Application Data\Skype
2009-11-30 00:43 . 2008-05-17 02:17 -------- d-----w- c:\documents and settings\michael\Application Data\skypePM
2009-11-29 22:26 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-28 21:15 . 2009-05-25 13:21 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-11-27 22:41 . 2008-08-28 23:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-26 16:45 . 2006-05-20 20:48 24580 ----a-w- c:\documents and settings\michael\Application Data\wklnhst.dat
2009-11-20 00:22 . 2006-05-17 21:31 -------- d-----w- c:\program files\McAfee
2009-11-11 15:07 . 2008-02-02 15:54 -------- d-----w- c:\program files\iTunes
2009-11-11 14:25 . 2009-11-11 14:25 0 ----a-w- c:\documents and settings\michael\Local Settings\Application Data\esP597.tmp
2009-11-07 15:23 . 2006-05-17 21:27 -------- d-----w- c:\program files\Microsoft Works
2009-11-07 02:07 . 2006-05-22 02:31 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-07 02:07 . 2006-05-22 02:31 88 --sh--r- c:\windows\system32\BFB3B10679.sys
2009-11-04 23:41 . 2006-06-20 03:08 56 -csh--r- c:\windows\system32\7906B1B3BF.sys
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-06 01:21 . 2008-02-02 15:48 -------- d-----w- c:\program files\Apple Software Update
2009-10-06 00:55 . 2006-07-22 20:20 -------- d-----w- c:\program files\Wal-Mart Music Downloads Store
2009-10-06 00:54 . 2006-05-17 21:21 -------- d-----w- c:\program files\Common Files\Real
2009-09-24 01:50 . 2009-09-24 01:50 64000 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-09-24 01:50 . 2009-09-24 01:50 52288 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-09-24 01:50 . 2009-09-24 01:50 50688 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-09-24 01:50 . 2009-09-24 01:50 114688 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-16 22:34 . 2009-09-16 22:34 17204720 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\rp\.exe
2009-09-16 22:34 . 2009-09-16 22:34 8406648 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-16 22:33 . 2009-09-16 22:33 10309448 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-16 14:22 . 2006-12-09 14:56 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2006-12-09 14:56 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2006-12-09 14:56 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2006-12-09 14:56 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2006-12-09 14:56 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

------- Sigcheck -------

[-] 2009-11-29 22:26 . B6689A334B3550394B7963A77A869915 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-17 24576]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-5-16 67128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [11/11/2009 9:25 AM 15172]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/28/2008 5:41 PM 210216]
.
Contents of the 'Scheduled Tasks' folder

2009-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-09 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-09 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-PictureItPrem_v11 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe ADDREMOVE=1 SKU=PREM VERSION=11
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3388343466-673415731-620953523-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-29 22:38
ComboFix-quarantined-files.txt 2009-11-30 03:37

Pre-Run: 123,903,717,376 bytes free
Post-Run: 125,050,830,848 bytes free

- - End Of File - - 29AE0B78D2885D04622A13881C1071C1

Kaspersky

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, December 1, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, December 01, 2009 02:02:22
Records in database: 3316780
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 80213
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:56:20

No threats found. Scanned area is clean.

Selected area has been scanned.



Systemlook
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 06:19 on 01/12/2009 by michael (Administrator - Elevation successful)

========== Filefind ==========

Searching for "atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [03:59 04/08/2004] [03:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\dell\ATAPI.EXE --a--c 28672 bytes [20:53 17/05/2006] [20:22 14/07/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\i386\atapi.sys --a--c 95360 bytes [13:37 20/05/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [10:39 08/06/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:00 08/06/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys --a--- 96512 bytes [05:00 08/06/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [22:26 29/11/2009] B6689A334B3550394B7963A77A869915
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--c 95360 bytes [21:03 17/05/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys --a--c 95360 bytes [21:03 17/05/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
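The SystemLook output above is what lets the helper spot a modified driver: every copy of atapi.sys on the machine is listed with its size and MD5, and the copy in ServicePackFiles is the trusted reference the service pack left behind. The script below is an added example (not part of this thread, and not SystemLook's or ComboFix's own code); it parses those Filefind lines, embedded here as a constructed sample copied from the post, and flags any copy of the same build (same size) whose hash differs from the reference. On this log that is the live driver in system32\drivers, the one the next reply restores from ServicePackFiles. The column names `created`/`modified` for the two bracketed timestamps are an assumption inferred from the log (the SP3 build date 13/04/2008 appears in the second bracket).

```python
import re

# Constructed sample input: the "Filefind" section of the SystemLook log
# posted in the thread, embedded so the script runs offline.
SYSTEMLOOK_FILEFIND = r"""
Searching for "atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [03:59 04/08/2004] [03:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\dell\ATAPI.EXE --a--c 28672 bytes [20:53 17/05/2006] [20:22 14/07/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\i386\atapi.sys --a--c 95360 bytes [13:37 20/05/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [10:39 08/06/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:00 08/06/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys --a--- 96512 bytes [05:00 08/06/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [22:26 29/11/2009] B6689A334B3550394B7963A77A869915
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--c 95360 bytes [21:03 17/05/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys --a--c 95360 bytes [21:03 17/05/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# One Filefind line: <path> <attrs> <size> bytes [<timestamp>] [<timestamp>] <MD5>
# The two timestamps are assumed to be created/modified (see lead-in); the
# path is matched non-greedily so directories with spaces still parse.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-a-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return a list of dicts, one per file line in a SystemLook Filefind block."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def audit_driver(entries, name="atapi.sys"):
    """Compare every copy of `name` against the ServicePackFiles copy.

    A copy with the reference's size but a different MD5 is the same build
    with altered bytes, which is what a patched driver looks like in this
    listing. Copies of a different size are older builds (here the pre-SP3
    95360-byte files) and are reported separately, not as tampering.
    """
    copies = [e for e in entries if e["path"].lower().endswith("\\" + name)]
    refs = [e for e in copies if "\\servicepackfiles\\" in e["path"].lower()]
    if not refs:
        raise ValueError("no ServicePackFiles copy of %s to use as reference" % name)
    ref = refs[0]
    tampered = [e for e in copies
                if e is not ref and e["size"] == ref["size"] and e["md5"] != ref["md5"]]
    other_builds = [e for e in copies if e["size"] != ref["size"]]
    return {"reference": ref, "tampered": tampered, "other_builds": other_builds}


if __name__ == "__main__":
    result = audit_driver(parse_filefind(SYSTEMLOOK_FILEFIND))
    ref = result["reference"]
    print("reference: %s  %d bytes  %s" % (ref["path"], ref["size"], ref["md5"]))
    for e in result["tampered"]:
        print("MISMATCH : %s  %s  (modified %s)" % (e["path"], e["md5"], e["modified"]))
    for e in result["other_builds"]:
        print("old build: %s  %d bytes  %s" % (e["path"], e["size"], e["md5"]))
```

The same listing can be produced for any driver by changing the SystemLook search term and the `name` argument; the important design choice is that the reference is a copy Windows itself wrote (ServicePackFiles, or the matching hotfix cache), not the live file, because the live file is exactly what an attacker with kernel access would have changed.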

#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:11 AM

Posted 01 December 2009 - 07:12 AM

Hi harper,



Yes, the culprit is gone. Well done. :( We still have some work to do. Please be patient and do the following:

Step1
  • Close any open browsers
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

DDS::
uInternet Settings,ProxyOverride = *.local

FileLook::
c:\windows\system32\BFB3B10679.sys
c:\windows\system32\7906B1B3BF.sys


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next reply, please post back:


1.ComboFix log

Let me know if you have any remaining concerns on your pc.

#14 harper

harper
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:11 AM

Posted 01 December 2009 - 07:52 PM

Things seem to be working fine. No more redirects. Do you have any suggestions? Should I delete all the downloads and logs that are now on the desktop? Is it worth keeping Malwarebytes? Thank you so much for your time and all that you have done. This is the second time I have come to BleepingComputer for help and both times you all have been very helpful and fixed the problem. Thanks again.

Here is the combofix log:


ComboFix 09-11-29.03 - michael 12/01/2009 19:16.2.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.822 [GMT -5:00]
Running from: c:\documents and settings\michael\Desktop\harper.exe
Command switches used :: c:\documents and settings\michael\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-01 12:59 . 2009-12-01 12:59 -------- d-----w- c:\windows\LastGood
2009-12-01 02:17 . 2009-12-01 02:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-01 02:16 . 2009-12-01 02:16 152576 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-01 02:15 . 2009-12-01 02:15 79488 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-30 03:39 . 2009-12-02 00:07 -------- d-----w- c:\documents and settings\michael\combofixlog
2009-11-30 03:32 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-30 03:21 . 2009-11-30 03:38 -------- d-----w- C:\harper
2009-11-28 17:01 . 2009-11-28 17:01 -------- d-----w- C:\rsit
2009-11-28 15:35 . 2009-11-28 15:35 -------- d-----w- c:\documents and settings\michael\Application Data\Malwarebytes
2009-11-28 15:35 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 15:35 . 2009-11-28 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-28 15:35 . 2009-11-28 15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 15:35 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 14:26 . 2009-11-26 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-11-11 14:25 . 2009-11-11 14:25 -------- d--h--w- c:\documents and settings\michael\Local Settings\Application Data\esTools
2009-11-11 14:25 . 2009-11-11 14:25 15172 ----a-w- c:\windows\system32\drivers\PzWDM.sys
2009-11-11 14:25 . 2009-11-11 14:36 -------- d--h--w- c:\documents and settings\All Users\Application Data\esClient
2009-11-11 14:25 . 2009-11-11 14:25 -------- d-----w- c:\program files\echospin
2009-11-07 22:42 . 2009-11-07 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-07 15:25 . 2009-11-07 15:25 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-02 22:37 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-02 22:37 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 00:09 . 2008-05-17 02:16 -------- d-----w- c:\documents and settings\michael\Application Data\Skype
2009-12-01 12:59 . 2006-05-17 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-01 12:59 . 2006-05-17 21:31 -------- d-----w- c:\program files\McAfee
2009-12-01 05:02 . 2008-05-17 02:17 -------- d-----w- c:\documents and settings\michael\Application Data\skypePM
2009-12-01 02:16 . 2007-12-20 00:21 -------- d-----w- c:\program files\Java
2009-11-30 23:41 . 2006-05-20 20:48 24580 ----a-w- c:\documents and settings\michael\Application Data\wklnhst.dat
2009-11-28 21:15 . 2009-05-25 13:21 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-11-27 22:41 . 2008-08-28 23:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-11 15:07 . 2008-02-02 15:54 -------- d-----w- c:\program files\iTunes
2009-11-11 14:25 . 2009-11-11 14:25 0 ----a-w- c:\documents and settings\michael\Local Settings\Application Data\esP597.tmp
2009-11-07 15:23 . 2006-05-17 21:27 -------- d-----w- c:\program files\Microsoft Works
2009-11-07 02:07 . 2006-05-22 02:31 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-07 02:07 . 2006-05-22 02:31 88 --sh--r- c:\windows\system32\BFB3B10679.sys
2009-11-04 23:41 . 2006-06-20 03:08 56 -csh--r- c:\windows\system32\7906B1B3BF.sys
2009-11-02 00:20 . 2009-11-02 00:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-06 01:21 . 2008-02-02 15:48 -------- d-----w- c:\program files\Apple Software Update
2009-10-06 00:55 . 2006-07-22 20:20 -------- d-----w- c:\program files\Wal-Mart Music Downloads Store
2009-10-06 00:54 . 2006-05-17 21:21 -------- d-----w- c:\program files\Common Files\Real
2009-09-24 01:50 . 2009-09-24 01:50 64000 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-09-24 01:50 . 2009-09-24 01:50 52288 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-09-24 01:50 . 2009-09-24 01:50 50688 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-09-24 01:50 . 2009-09-24 01:50 114688 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-16 22:34 . 2009-09-16 22:34 17204720 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\rp\.exe
2009-09-16 22:34 . 2009-09-16 22:34 8406648 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-16 22:33 . 2009-09-16 22:33 10309448 ----a-w- c:\documents and settings\michael\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-16 14:22 . 2006-12-09 14:56 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2006-12-09 14:56 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2006-12-09 14:56 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2006-12-09 14:56 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2006-12-09 14:56 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\7906B1B3BF.sys ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 56
Created time: 2006-06-20 03:08
Modified time: 2009-11-04 23:41
MD5: 34280058C7230949357075D7D8C57600
SHA1: 3DA077EEB4C31E7BEA277FFADCE299B2E50EB06E


--- c:\windows\system32\BFB3B10679.sys ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 88
Created time: 2006-05-22 02:31
Modified time: 2009-11-07 02:07
MD5: 8780C73281CBC42CF8110388E6367857
SHA1: F8A4A368F295E5A71C2F4B7C688DF1D5F395924F


((((((((((((((((((((((((((((( SnapShot@2009-11-30_03.35.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-22 13:31 . 2009-12-01 22:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-22 13:31 . 2009-11-30 02:53 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-05-20 02:52 . 2009-12-01 22:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-20 02:52 . 2009-11-30 02:53 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-20 02:52 . 2009-11-30 02:53 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-30 12:53 . 2009-12-01 22:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-01 02:17 . 2009-12-01 02:16 149280 c:\windows\system32\javaws.exe
+ 2009-12-01 02:17 . 2009-12-01 02:16 145184 c:\windows\system32\javaw.exe
+ 2009-12-01 02:17 . 2009-12-01 02:16 145184 c:\windows\system32\java.exe
+ 2009-12-01 02:16 . 2009-12-01 02:16 537600 c:\windows\Installer\a0ca3f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-01 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-17 24576]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-5-16 67128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [11/11/2009 9:25 AM 15172]
S2 0290851259672372mcinstcleanup;McAfee Application Installer Cleanup (0290851259672372);c:\windows\TEMP\029085~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\029085~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/28/2008 5:41 PM 93320]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0290851259672372MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder

2009-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-09 16:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-09 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 19:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3388343466-673415731-620953523-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-12-01 19:29
ComboFix-quarantined-files.txt 2009-12-02 00:29
ComboFix2.txt 2009-11-30 03:38

Pre-Run: 125,035,163,648 bytes free
Post-Run: 125,019,168,768 bytes free

- - End Of File - - 8DCC5AC737484B16DBCAC82218783C41

#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:11 AM

Posted 02 December 2009 - 12:18 AM

Hi harper,



Is it worth keeping Malwarebytes?

Yes, it's quite effective at dealing with brand-new threats.

Other than that, the logs look good to me. Your system appears to be clean now. :( If you have no remaining concerns on your pc, let's do some tidying up and we can send you on your way.

Step1

Please rename harper.exe back to ComboFix.exe

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step2

Download OTC by OldTimer and save it to your desktop.
  • Double click OTC and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Please delete all the tools and logs we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update all these programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Backup your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info, go to This thread.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!



