
Problem with search redirection help please


  • This topic is locked
15 replies to this topic

#1 grendel67

Posted 22 November 2009 - 11:30 PM

Hi
Can someone help me? I am getting redirected when using Google: I click on what I want, but it then goes to something different every time. Here is my HijackThis log. Can someone look at it?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:29 PM, on 11/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ASUS\AASP\1.00.64\aaCenter.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yma2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Media Player.lnk = ?
O4 - Global Startup: Register Mask Pro 3.0.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O22 - SharedTaskScheduler: MSMAPIDL - {8BCCCA80-77A9-409D-8954-DFF8ED16818E} - C:\WINDOWS\system32\msmapiddl.dll
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 8595 bytes

#2 Guest_Black_Bird_*

Posted 29 November 2009 - 05:50 AM

Hi,

Download ComboFix from here

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply, together with a new HijackThis log.

#3 grendel67

Posted 29 November 2009 - 08:36 PM

Here are the updated logs.

ComboFix 09-11-29.03 - Ron 11/29/2009 19:08.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1565 [GMT -6:00]
Running from: c:\documents and settings\Ron\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-27 01:10 . 2009-11-27 01:10 152576 ----a-w- c:\documents and settings\Ron\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-27 01:10 . 2009-11-27 01:10 79488 ----a-w- c:\documents and settings\Ron\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 00:41 . 2009-11-27 00:58 -------- d-----w- c:\documents and settings\Ron\.housecall6.6
2009-11-26 23:07 . 2009-11-26 23:07 72704 ----a-w- c:\windows\system32\drivers\jnrfbgnmbevc.sys
2009-11-23 04:29 . 2009-11-23 04:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-23 03:51 . 2009-11-27 01:48 -------- d-----w- c:\program files\Trend Micro
2009-11-23 03:08 . 2008-04-13 18:40 36352 ----a-w- c:\windows\system32\drivers\disk_2.sys
2009-11-21 03:35 . 2009-11-04 22:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-21 03:35 . 2009-11-04 22:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-21 03:35 . 2009-11-04 22:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-21 03:31 . 2009-11-04 22:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-11-14 18:25 . 2009-11-14 18:25 0 ----a-w- c:\windows\nsreg.dat
2009-11-14 18:25 . 2009-11-14 18:25 -------- d-----w- c:\documents and settings\Ron\Local Settings\Application Data\Mozilla
2009-11-11 04:21 . 2009-11-11 04:37 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-11-11 04:08 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-11 04:08 . 2009-11-14 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-11 04:08 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 22:54 . 2009-11-04 22:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 00:58 . 2008-10-13 01:42 -------- d-----w- c:\documents and settings\Ron\Application Data\WTablet
2009-11-30 00:56 . 2009-08-07 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-30 00:56 . 2008-10-13 20:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-11-27 01:12 . 2008-10-06 02:23 -------- d-----w- c:\program files\Java
2009-11-23 03:56 . 2008-10-02 15:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 05:42 . 2008-10-03 04:41 -------- d-----w- c:\documents and settings\Ron\Application Data\AdobeUM
2009-11-18 03:23 . 2008-10-03 05:32 69232 ----a-w- c:\documents and settings\Ron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 03:15 . 2008-10-03 05:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-18 03:14 . 2008-10-03 05:21 -------- d-----w- c:\program files\Microsoft Works
2009-11-15 05:26 . 2009-08-21 04:46 -------- d-----w- c:\program files\Yahoo!
2009-11-15 04:51 . 2009-07-24 02:15 -------- d-----w- c:\program files\SHOUTcast Source
2009-11-15 04:48 . 2009-03-01 04:50 -------- d-----w- c:\documents and settings\Ron\Application Data\uTorrent
2009-11-15 04:45 . 2008-11-18 01:52 -------- d-----w- c:\program files\Google
2009-11-15 04:01 . 2009-08-21 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-14 06:27 . 2008-10-06 02:25 -------- d-----w- c:\documents and settings\Ron\Application Data\FrostWire
2009-10-31 21:56 . 2008-10-06 23:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-25 00:26 . 2009-10-25 00:26 -------- d-----w- c:\documents and settings\Ron\Application Data\Malwarebytes
2009-10-25 00:26 . 2009-10-25 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-24 03:17 . 2008-10-06 23:40 -------- d-----w- c:\program files\Spyware Doctor
2009-10-11 10:17 . 2009-08-07 15:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 00:19 . 2009-10-06 00:19 -------- d-----w- c:\documents and settings\Ron\Application Data\Blitware
2009-10-05 01:11 . 2009-10-05 00:40 -------- d-----w- c:\program files\Common Files\DAZ
2009-10-05 01:10 . 2009-10-05 01:10 -------- d-----w- c:\program files\DAZ
2009-10-04 23:13 . 2009-10-04 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Poser
2009-10-04 23:12 . 2009-10-04 23:12 -------- d-----w- c:\documents and settings\Ron\Application Data\Poser
2009-10-04 22:57 . 2009-10-04 22:57 -------- d-----w- c:\program files\Smith Micro
2009-10-02 02:53 . 2009-10-02 02:53 1078 ----a-r- c:\documents and settings\Ron\Application Data\Microsoft\Installer\{01979CA0-B550-47D0-AD16-553B2C3FCF97}\New_Shortcut_S1727_01979CA0B55047D0AD16553B2C3FCF97.exe
2009-10-02 02:53 . 2009-10-02 02:53 -------- d-----w- c:\program files\Auction Sentry Deluxe
2009-09-18 19:51 . 2009-02-28 00:19 69232 ----a-w- c:\documents and settings\Quintin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 15:45 . 2009-02-25 03:52 43872 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-03 15:45 . 2009-02-25 03:52 129520 ------w- c:\windows\system32\pxafs.dll
2009-09-03 15:45 . 2009-02-25 03:52 120568 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-03 15:45 . 2009-02-25 03:52 118256 ------w- c:\windows\system32\pxinsi64.exe
2008-10-06 23:30 . 2008-10-06 23:30 16317 ----a-w- c:\program files\Common Files\yqylerapa.ban
2009-07-22 22:43 . 2009-07-22 22:43 69632 --sha-r- c:\windows\system32\msmapiddl.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 91DA9F1FF62E24DEB2ED0E7DDE908052 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-25_02.18.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-30 00:56 . 2009-11-30 00:56 16384 c:\windows\Temp\Perflib_Perfdata_77c.dat
- 2008-07-14 11:09 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2008-07-14 11:09 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2004-08-04 12:00 . 2009-11-01 23:19 68360 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-10-24 01:21 68360 c:\windows\system32\perfc009.dat
+ 2009-11-14 18:38 . 2009-11-14 18:38 85173 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-11-23 04:29 . 2009-11-23 04:28 32768 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2008-10-02 15:31 . 2009-11-30 00:56 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-23 04:28 . 2009-11-23 04:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009112220091123\index.dat
+ 2008-10-02 15:31 . 2009-11-30 00:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-02 15:31 . 2009-10-25 00:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-23 04:28 . 2009-11-23 04:29 56320 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B6BD4D61-D7E8-11DE-8D37-001FC6C1BB67}.dat
- 2009-10-24 14:31 . 2009-10-25 00:44 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-24 14:31 . 2009-11-30 00:56 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2008-10-02 15:31 . 2009-11-30 00:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-25 01:04 . 2009-11-25 01:04 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 35088 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-10-03 05:22 . 2009-10-16 05:55 35088 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-10-03 05:22 . 2009-10-16 05:55 18704 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 18704 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-10-03 05:22 . 2009-10-16 05:55 20240 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 20240 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-07-24 15:50 . 2006-07-24 15:50 47920 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.6425\VBAME.DLL
+ 2006-07-24 15:50 . 2006-07-24 15:50 92976 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.6425\MSADDNDR.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 15672 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\SMARTTAGINSTALL.EXE
+ 2006-10-27 00:49 . 2006-10-27 00:49 34104 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\SETLANG.EXE
+ 2006-10-27 01:12 . 2006-10-27 01:12 40424 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\REFIEBAR.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 46936 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\OSETUPPS.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 18760 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\OPHPROXY.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 16728 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\OMUOPTINPS.DLL
+ 2006-10-27 01:00 . 2006-10-27 01:00 23392 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\OISCTRL.DLL
+ 2006-10-27 20:11 . 2006-10-27 20:11 54680 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\OFFRHD.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 43832 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSSH.DLL
+ 2006-10-27 20:26 . 2006-10-27 20:26 35152 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSOSTYLE.DLL
+ 2006-10-27 00:52 . 2006-10-27 00:52 66368 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSOMSE.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 67896 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSOHTMED.EXE
+ 2006-10-27 20:01 . 2006-10-27 20:01 76088 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSOHEV.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 19768 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSMH.DLL
+ 2006-10-27 00:52 . 2006-10-27 00:52 48424 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSE7.EXE
+ 2006-10-27 01:12 . 2006-10-27 01:12 89400 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\METCONV.DLL
+ 2006-10-27 02:41 . 2006-10-27 02:41 66368 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\INLAUNCH.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 53576 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\AUTHZAX.DLL
+ 2006-10-27 02:18 . 2006-10-27 02:18 94016 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\ACCOLK.DLL
+ 2009-11-23 04:28 . 2009-11-23 04:28 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B6BD4D5F-D7E8-11DE-8D37-001FC6C1BB67}.dat
+ 2004-08-04 12:00 . 2009-11-01 23:19 435590 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-10-24 01:21 435590 c:\windows\system32\perfh009.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-11-27 01:12 . 2009-10-11 10:17 149280 c:\windows\system32\javaws.exe
+ 2009-11-27 01:12 . 2009-10-11 10:17 145184 c:\windows\system32\javaw.exe
+ 2009-11-27 01:12 . 2009-10-11 10:17 145184 c:\windows\system32\java.exe
+ 2009-11-21 03:30 . 2009-11-21 03:30 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2009-11-25 01:04 . 2009-11-25 01:04 429568 c:\windows\Installer\12a4bf.msi
- 2008-10-03 05:22 . 2009-10-16 05:55 888080 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 888080 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-10-03 05:22 . 2009-10-16 05:55 272648 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 272648 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2008-10-03 05:22 . 2009-10-16 05:55 922384 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 922384 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2008-10-03 05:22 . 2009-10-16 05:55 845584 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 845584 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 217864 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2008-10-03 05:22 . 2009-10-16 05:55 217864 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 159504 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2008-10-03 05:22 . 2009-10-16 05:55 159504 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-11-18 03:12 . 2009-11-18 03:12 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2008-10-07 00:42 . 2008-10-07 00:42 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2007-06-08 00:51 . 2007-06-08 00:51 125320 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.6425\SSGEN.DLL
+ 2007-06-08 00:51 . 2007-06-08 00:51 465800 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.6425\OUTLFLTR.DLL
+ 2006-10-27 01:49 . 2006-10-27 01:49 509200 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\WRD12CVR.DLL
+ 2006-10-27 02:07 . 2006-10-27 02:07 368968 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\PPSLAX.DLL
+ 2006-10-20 13:37 . 2006-10-20 13:37 637744 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\OGALEGIT.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 145688 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSTORE.EXE
+ 2006-10-26 19:47 . 2006-10-26 19:47 727840 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSPROOF6.DLL
+ 2006-10-26 18:58 . 2006-10-26 18:58 290576 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MSCDM.DLL
+ 2006-10-27 00:52 . 2006-10-27 00:52 460616 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\MODHELP.DLL
+ 2006-10-27 01:00 . 2006-10-27 01:00 178488 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\IETAG.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 106824 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\DSSM.EXE
+ 2009-11-04 04:28 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-04 04:28 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2008-12-24 21:38 . 2008-12-24 21:38 386048 c:\windows\Downloaded Program Files\Housecall_ActiveX.dll
+ 2009-07-21 06:03 . 2009-07-21 06:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2004-08-04 12:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2008-10-03 04:12 . 2009-07-31 16:05 1372672 c:\windows\system32\msxml6.dll
+ 2009-07-21 06:05 . 2009-07-21 06:05 1348432 c:\windows\system32\msxml4.dll
+ 2004-08-04 12:00 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2004-08-04 12:00 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-02 10:07 . 2009-11-18 23:38 2331472 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-14 21:01 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2008-10-03 04:12 . 2009-07-31 16:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2008-11-12 22:53 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2004-08-04 12:00 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-04-04 23:10 . 2009-04-04 23:10 1282560 c:\windows\Installer\e7f81a.msp
+ 2009-04-04 23:10 . 2009-04-04 23:10 7888384 c:\windows\Installer\e7f80f.msp
+ 2009-04-04 23:10 . 2009-04-04 23:10 9926144 c:\windows\Installer\e7f802.msp
+ 2009-04-04 16:14 . 2009-04-04 16:14 1094656 c:\windows\Installer\e7f68e.msp
+ 2009-10-16 13:03 . 2009-10-16 13:03 5003776 c:\windows\Installer\9b244.msp
+ 2009-08-18 18:58 . 2009-08-18 18:58 8301056 c:\windows\Installer\9b22c.msp
+ 2009-08-18 18:57 . 2009-08-18 18:57 9122304 c:\windows\Installer\9b214.msp
- 2008-10-03 05:22 . 2009-10-16 05:55 1172240 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 1172240 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-10-03 05:22 . 2009-10-16 05:55 1165584 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-10-03 05:22 . 2009-11-18 03:15 1165584 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2006-10-26 19:47 . 2006-10-26 19:47 1512304 c:\windows\Installer\$PatchCache$\Managed\00002119110000000000000000F01FEC\12.0.4518\NLSD0000.DLL
+ 2009-11-04 04:28 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2009-11-11 04:39 . 2009-11-05 15:36 26768832 c:\windows\system32\MRT.exe
+ 2009-04-04 23:09 . 2009-04-04 23:09 15190016 c:\windows\Installer\e7f6b2.msp
+ 2009-04-04 17:36 . 2009-04-04 17:36 21390848 c:\windows\Installer\e7f68f.msp
+ 2009-04-04 23:08 . 2009-04-04 23:08 343058432 c:\windows\Installer\e7f7f4.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2008-05-23 2137600]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Malwarebytes Anti-Malware (reboot)"="c:\malwarebytes' anti-malware\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\malwarebytes' anti-malware\mbamgui.exe" [2009-09-10 420176]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-10 16384000]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{8BCCCA80-77A9-409D-8954-DFF8ED16818E}"= "c:\windows\system32\msmapiddl.dll" [2009-07-22 69632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Mass Effect\\Binaries\\MassEffect.exe"=
"g:\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"g:\combat arms\CombatArms.exe"= g:\combat arms\CombatArms.exe:*Enabled:CombatArms.exe
"g:\combat arms\Engine.exe"= g:\combat arms\Engine.exe:*Enabled:Engine.exe
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 MBAMService;MBAMService;c:\malwarebytes' anti-malware\mbamservice.exe [11/10/2009 10:21 PM 269648]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [10/12/2008 7:42 PM 3406120]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [10/2/2008 9:56 AM 36864]
R3 ITE;ITE;c:\windows\system32\drivers\ITE.SYS [10/8/2009 8:08 AM 36768]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/10/2009 10:08 PM 19160]
S1 diskdumpp;diskdumpp;c:\windows\system32\drivers\diskdumpp.sys --> c:\windows\system32\drivers\diskdumpp.sys [?]
S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist --> c:\program files\AMD\OverDrive\AODAssist [?]
S2 shdzc;shdzc;c:\windows\system32\drivers\jnrfbgnmbevc.sys [11/26/2009 5:07 PM 72704]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AODDRIVER
*Deregistered* - AODDriver
.
Contents of the 'Scheduled Tasks' folder

2009-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-27 c:\windows\Tasks\Malwarebytes' Scheduled Update for Ron.job
- c:\malwarebytes' anti-malware\mbam.exe [2009-11-11 20:53]

2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{C5645E1C-8A10-4AE7-812C-69FC5DF3E3C4}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma2
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ron\Application Data\Mozilla\Firefox\Profiles\oy7cgeah.default\
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');user_pref('...ri.enabled', 'allAccess');c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 19:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A683E07]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8fcf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller -> SendCompleteHandler -> NDIS.sys @ 0xba5f2bb0
PacketIndicateHandler -> NDIS.sys @ 0xba5ffa21
SendHandler -> NDIS.sys @ 0xba5dd87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AODService]
"ImagePath"="c:\program files\AMD\OverDrive\AODAssist"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-706699826-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:bf,b6,45,b6,c7,55,f7,ff,49,cb,b3,34,74,3a,dd,29,60,6f,cb,d9,30,
4f,30,a1,5f,94,f0,1b,7a,72,bc,1d,5d,60,57,e4,61,ab,1d,8e,b9,45,21,65,8a,4d,\
"rkeysecu"=hex:d3,56,06,c0,e2,76,fe,0b,a9,6f,6b,00,54,0c,f7,71
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-29 19:23
ComboFix-quarantined-files.txt 2009-11-30 01:23
ComboFix2.txt 2009-10-25 02:27

Pre-Run: 107,084,058,624 bytes free
Post-Run: 107,141,095,424 bytes free

- - End Of File - - 63C642AAE838C1EB6BD33E8B9882AA2B

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:55 PM, on 11/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ASUS\AASP\1.00.64\aaCenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yma2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: Adobe Media Player.lnk = ?
O4 - Global Startup: Register Mask Pro 3.0.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O22 - SharedTaskScheduler: MSMAPIDL - {8BCCCA80-77A9-409D-8954-DFF8ED16818E} - C:\WINDOWS\system32\msmapiddl.dll
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 6817 bytes

#4 Guest_Black_Bird_*

Guest_Black_Bird_*

  • Guests

Posted 30 November 2009 - 09:46 AM

Hi,

1. Open My Computer (you can find it on your Desktop, and in your Start menu)
Double click on your C-drive.
Now go to File > New > Folder
Enter this for the name of the folder: TDSSKiller

2. Download TDSSKiller.zip
Save it to the folder C:\TDSSKiller

3. Unzip the file. Follow these steps to unzip:
Go, if you are not already there, to the folder: C:\TDSSKiller
Now right click on TDSSKiller.zip and choose Extract all
Click on Next every time, and click Finish in the last screen.

4. Open a Notepad file.
Copy the code below into this Notepad file.

@ECHO OFF
REM Run TDSSKiller from this folder and write a verbose log to report.txt
TDSSKiller.exe -l report.txt -v
REM Delete this batch file once the scan has finished
DEL %0
Go to File - Save as.
At "Save to", choose: C:\TDSSKiller
At "File name", choose: start.bat
At "File type" select: All files (*.*).
Now click on the Save button.

Double click on start.bat
This will activate TDSSKiller.
Please post the contents from the file that opens (report.txt).

Edited by Black_Bird, 30 November 2009 - 09:46 AM.
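
As an added worked example (it is not part of this thread, and not code from TDSSKiller or its author): once report.txt exists, the verbose DetectCureTDL3 section lists every IRP dispatch slot of each driver object on the disk stack together with the address it points to. The Python below parses that section and flags a slot whose address sits neither inside the kernel image nor near the driver's other dispatch routines, which is where a TDL3-style hook ends up (pool memory, the sort of address the MBR check earlier in the thread prints as UNKNOWN rather than attributing to a module). The embedded log is constructed: the \Driver\Disk lines mirror the shape of a clean walk, while the \Driver\atapi block with one redirected slot is made up for illustration and says nothing about the machine in this thread. The 2 MiB kernel span and the 256 KiB cluster window are assumptions for the heuristic, not values TDSSKiller uses.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of a TDSSKiller -v log. The \Driver\Disk
# lines mirror a clean walk; the \Driver\atapi block is MADE UP for this
# example and has slot 15 redirected to a pool address. Neither block is a
# finding about the machine in the thread.
SAMPLE_LOG = """\
14:55:6:671 3516 UnhookRegistry: Kernel module file name: C:\\windows\\system32\\ntkrnlpa.exe, base addr: 804D7000
14:55:6:781 3516 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
14:55:6:781 3516 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
14:55:6:781 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
14:55:6:781 3516 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
14:55:6:781 3516 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
14:55:6:781 3516 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
14:55:6:781 3516 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
14:55:6:781 3516 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
14:55:6:781 3516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
14:55:6:796 3516 DetectCureTDL3: IrpHandler (0) addr: BA711A20
14:55:6:796 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (14) addr: BA711852
14:55:6:796 3516 DetectCureTDL3: IrpHandler (15) addr: 8A683E07
14:55:6:796 3516 DetectCureTDL3: IrpHandler (22) addr: BA7119C4
"""

KERNEL_RE = re.compile(r"Kernel module file name: .*?, base addr: ([0-9A-Fa-f]+)")
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name:")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")

# Assumed thresholds (not TDSSKiller's): the kernel image is taken to extend
# at most 2 MiB past its reported base, and one driver's dispatch routines are
# expected to lie within 256 KiB of each other (one image; for \Driver\Disk that
# image is classpnp.sys). A hook planted in pool memory lands far from both.
KERNEL_SPAN = 0x200000
CLUSTER_SPAN = 0x40000


def parse_log(text):
    """Return (kernel_base, {driver_name: {irp_major: handler_addr}})."""
    kernel_base = None
    drivers = OrderedDict()
    current = None
    for line in text.splitlines():
        m = KERNEL_RE.search(line)
        if m:
            kernel_base = int(m.group(1), 16)
            continue
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            # The walk revisits a driver object once per device in the stack
            # (a real log shows \Driver\Disk several times); keep one table.
            drivers.setdefault(current, {})
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            drivers[current][int(m.group(1))] = int(m.group(2), 16)
    return kernel_base, drivers


def largest_cluster(addrs):
    """Greedy grouping of sorted addresses into windows of CLUSTER_SPAN;
    the biggest window is taken to be the driver's own dispatch image."""
    best = set()
    addrs = sorted(set(addrs))
    i = 0
    while i < len(addrs):
        window = [a for a in addrs[i:] if a - addrs[i] <= CLUSTER_SPAN]
        if len(window) > len(best):
            best = set(window)
        i += len(window)
    return best


def find_suspect_handlers(text):
    """Map driver name -> [(irp_major, addr)] for dispatch slots that point
    neither into the kernel nor into the cluster holding the driver's other
    routines. Slots left at the kernel's default handler (every unfilled
    MajorFunction entry shares one kernel routine) are never flagged."""
    kernel_base, drivers = parse_log(text)

    def in_kernel(addr):
        return kernel_base is not None and kernel_base <= addr < kernel_base + KERNEL_SPAN

    findings = {}
    for name, table in drivers.items():
        outside = [a for a in table.values() if not in_kernel(a)]
        home = largest_cluster(outside)
        bad = [(i, a) for i, a in sorted(table.items())
               if not in_kernel(a) and a not in home]
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    for name, slots in find_suspect_handlers(SAMPLE_LOG).items():
        for irp_major, addr in slots:
            print("%s: IrpHandler (%d) -> %08X is outside the kernel and the driver image"
                  % (name, irp_major, addr))
```

To use it on a real run, pass the contents of report.txt to find_suspect_handlers; an empty result means every slot resolved to the kernel or to one contiguous image, which is what a clean \Driver\Disk walk looks like. It is a heuristic only: a legitimate filter driver that forwards some IRPs into a second module will also be reported and needs a manual look, and a hook that redirects into a legitimately loaded but infected driver file (the case TDL3_FileDetect covers by examining the file itself) is not visible from addresses alone.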


#5 grendel67

grendel67
  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:48 PM

Posted 30 November 2009 - 04:00 PM

Here is the report.

Host Name: RON-1B90B907BDF
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Ron Cotty
Registered Organization:
Product ID: 76487-OEM-2252881-92158
Original Install Date: 10/2/2008, 10:28:29 AM
System Up Time: 0 Days, 1 Hours, 8 Minutes, 45 Seconds
System Manufacturer: System manufacturer
System Model: System Product Name
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 107 Stepping 2 AuthenticAMD ~2700 Mhz
BIOS Version: 041808 - 20080418
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-06:00) Central Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,554 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,001 MB
Virtual Memory: In Use: 47 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\RON-1B90B907BDF
Hotfix(s): 186 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: File 1
[67]: File 1
[68]: File 1
[69]: File 1
[70]: File 1
[71]: File 1
[72]: File 1
[73]: File 1
[74]: File 1
[75]: File 1
[76]: File 1
[77]: File 1
[78]: File 1
[79]: File 1
[80]: File 1
[81]: File 1
[82]: File 1
[83]: File 1
[84]: File 1
[85]: Q147222
[86]: Q936181
[87]: Q954430
[88]: Q973688
[89]: IDNMitigationAPIs - Update
[90]: NLSDownlevelMapping - Update
[91]: KB929399
[92]: KB952069_WM9
[93]: KB954155_WM9
[94]: KB968816_WM9
[95]: KB973540_WM9
[96]: KB936782_WMP11
[97]: KB939683
[98]: KB954154_WM11
[99]: KB959772_WM11
[100]: KB941569
[101]: KB938127-IE7 - Update
[102]: KB938127-v2-IE7 - Update
[103]: KB953838-IE7 - Update
[104]: KB956390-IE7 - Update
[105]: KB958215-IE7 - Update
[106]: KB960714-IE7 - Update
[107]: KB961260-IE7 - Update
[108]: KB963027-IE7 - Update
[109]: KB969897-IE7 - Update
[110]: KB969897-IE8 - Update
[111]: KB971180-IE8 - Update
[112]: KB971961-IE8 - Update
[113]: KB972260-IE8 - Update
[114]: KB974455-IE8 - Update
[115]: KB976749-IE8 - Update
[116]: MSCompPackV1 - Update
[117]: KB936929 - Service Pack
[118]: KB923561 - Update
[119]: KB938464 - Update
[120]: KB938464-v2 - Update
[121]: KB946648 - Update
[122]: KB950762 - Update
[123]: KB950974 - Update
[124]: KB951066 - Update
[125]: KB951072-v2 - Update
[126]: KB951376-v2 - Update
[127]: KB951698 - Update
[128]: KB951748 - Update
[129]: KB951978 - Update
[130]: KB952004 - Update
[131]: KB952287 - Update
[132]: KB952954 - Update
[133]: KB953839 - Update
[134]: KB954211 - Update
[135]: KB954459 - Update
[136]: KB954550-v5 - Update
[137]: KB954600 - Update
[138]: KB955069 - Update
[139]: KB955839 - Update
[140]: KB956391 - Update
[141]: KB956572 - Update
[142]: KB956744 - Update
[143]: KB956802 - Update
[144]: KB956803 - Update
[145]: KB956841 - Update
[146]: KB956844 - Update
[147]: KB957095 - Update
[148]: KB957097 - Update
[149]: KB958644 - Update
[150]: KB958687 - Update
[151]: KB958690 - Update
[152]: KB958869 - Update
[153]: KB959426 - Update
[154]: KB960225 - Update
[155]: KB960715 - Update
[156]: KB960803 - Update
[157]: KB960859 - Update
[158]: KB961118 - Update
[159]: KB961371 - Update
[160]: KB961373 - Update
[161]: KB961501 - Update
[162]: KB967715 - Update
[163]: KB968389 - Update
[164]: KB968537 - Update
[165]: KB969059 - Update
[166]: KB969898 - Update
[167]: KB969947 - Update
[168]: KB970238 - Update
[169]: KB970653-v3 - Update
[170]: KB971486 - Update
[171]: KB971557 - Update
[172]: KB971633 - Update
[173]: KB971657 - Update
[174]: KB973346 - Update
[175]: KB973354 - Update
[176]: KB973507 - Update
[177]: KB973525 - Update
[178]: KB973687 - Update
[179]: KB973815 - Update
[180]: KB973869 - Update
[181]: KB974112 - Update
[182]: KB974571 - Update
[183]: KB975025 - Update
[184]: KB975467 - Update
[185]: KB976098-v2 - Update
[186]: XpsEP
NetWork Card(s): 2 NIC(s) Installed.
[01]: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.100
[02]: Linksys Wireless-G PCI Adapter
Connection Name: Wireless Network Connection
14:55:6:640 3516 ForceUnloadDriver: NtUnloadDriver error 2
14:55:6:640 3516 ForceUnloadDriver: NtUnloadDriver error 2
14:55:6:640 3516 ForceUnloadDriver: NtUnloadDriver error 2
14:55:6:640 3516 main: Driver KLMD successfully dropped
14:55:6:656 3516 main: Driver KLMD successfully loaded
14:55:6:656 3516
Scanning Registry ...
14:55:6:671 3516 ScanServices: Searching service UACd.sys
14:55:6:671 3516 ScanServices: Open/Create key error 2
14:55:6:671 3516 ScanServices: Searching service TDSSserv.sys
14:55:6:671 3516 ScanServices: Open/Create key error 2
14:55:6:671 3516 ScanServices: Searching service gaopdxserv.sys
14:55:6:671 3516 ScanServices: Open/Create key error 2
14:55:6:671 3516 ScanServices: Searching service gxvxcserv.sys
14:55:6:671 3516 ScanServices: Open/Create key error 2
14:55:6:671 3516 ScanServices: Searching service MSIVXserv.sys
14:55:6:671 3516 ScanServices: Open/Create key error 2
14:55:6:671 3516 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
14:55:6:718 3516 UnhookRegistry: Kernel local addr: 1110000
14:55:6:718 3516 UnhookRegistry: KeServiceDescriptorTable addr: 1195700
14:55:6:765 3516 UnhookRegistry: KiServiceTable addr: 113D460
14:55:6:765 3516 UnhookRegistry: NtEnumerateKey service number (local): 47
14:55:6:765 3516 UnhookRegistry: NtEnumerateKey local addr: 125CFF2
14:55:6:781 3516 KLMD_OpenDevice: Trying to open KLMD device
14:55:6:781 3516 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
14:55:6:781 3516 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
14:55:6:781 3516 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
14:55:6:781 3516 UnhookRegistry: NtEnumerateKey service number (kernel): 47
14:55:6:781 3516 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
14:55:6:781 3516 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
14:55:6:781 3516 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
14:55:6:781 3516 UnhookRegistry: No SDT hooks found on NtEnumerateKey
14:55:6:781 3516 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
14:55:6:781 3516 UnhookRegistry: No splicing found on NtEnumerateKey
14:55:6:781 3516
Scanning Kernel memory ...
14:55:6:781 3516 KLMD_OpenDevice: Trying to open KLMD device
14:55:6:781 3516 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
14:55:6:781 3516 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
14:55:6:781 3516 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A6FC628
14:55:6:781 3516 DetectCureTDL3: KLMD_GetDeviceObjectList returned 9 DevObjects
14:55:6:781 3516 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8A5135C0
14:55:6:781 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5135C0
14:55:6:781 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A5135C0[0x38]
14:55:6:781 3516 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
14:55:6:781 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
14:55:6:781 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1715B40[0x208]
14:55:6:781 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:55:6:781 3516 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
14:55:6:781 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
14:55:6:781 3516 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
14:55:6:781 3516 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
14:55:6:781 3516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
14:55:6:781 3516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
14:55:6:781 3516 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
14:55:6:781 3516 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
14:55:6:781 3516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
14:55:6:781 3516 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
14:55:6:781 3516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:55:6:781 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:781 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:781 3516 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A45FAB8
14:55:6:781 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A45FAB8
14:55:6:781 3516 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 89CF7370
14:55:6:781 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89CF7370
14:55:6:781 3516 KLMD_ReadMem: Trying to ReadMemory 0x89CF7370[0x38]
14:55:6:781 3516 DetectCureTDL3: DRIVER_OBJECT addr: 89FFEDA0
14:55:6:781 3516 KLMD_ReadMem: Trying to ReadMemory 0x89FFEDA0[0xA8]
14:55:6:781 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1C65930[0x208]
14:55:6:781 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
14:55:6:781 3516 DetectCureTDL3: IrpHandler (0) addr: BACA5218
14:55:6:781 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (2) addr: BACA5218
14:55:6:781 3516 DetectCureTDL3: IrpHandler (3) addr: BACA523C
14:55:6:781 3516 DetectCureTDL3: IrpHandler (4) addr: BACA523C
14:55:6:781 3516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (9) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (14) addr: BACA5180
14:55:6:781 3516 DetectCureTDL3: IrpHandler (15) addr: BACA09E6
14:55:6:781 3516 DetectCureTDL3: IrpHandler (16) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (22) addr: BACA45F0
14:55:6:781 3516 DetectCureTDL3: IrpHandler (23) addr: BACA2A6E
14:55:6:781 3516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:55:6:781 3516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:55:6:781 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
14:55:6:781 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
14:55:6:796 3516 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A6AD030
14:55:6:796 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6AD030
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6AD030[0x38]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1715B40[0x208]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:55:6:796 3516 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
14:55:6:796 3516 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
14:55:6:796 3516 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
14:55:6:796 3516 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
14:55:6:796 3516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:55:6:796 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8A6AE8A0
14:55:6:796 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6AE8A0
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6AE8A0[0x38]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1715B40[0x208]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:55:6:796 3516 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
14:55:6:796 3516 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
14:55:6:796 3516 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
14:55:6:796 3516 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
14:55:6:796 3516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:55:6:796 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8A6AEC68
14:55:6:796 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6AEC68
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6AEC68[0x38]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1715B40[0x208]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:55:6:796 3516 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
14:55:6:796 3516 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
14:55:6:796 3516 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
14:55:6:796 3516 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
14:55:6:796 3516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:55:6:796 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 8A696C68
14:55:6:796 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A696C68
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A696C68[0x38]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1715B40[0x208]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:55:6:796 3516 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
14:55:6:796 3516 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
14:55:6:796 3516 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
14:55:6:796 3516 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
14:55:6:796 3516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:55:6:796 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 8A698C68
14:55:6:796 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A698C68
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A698C68[0x38]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0xE1715B40[0x208]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:55:6:796 3516 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
14:55:6:796 3516 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
14:55:6:796 3516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
14:55:6:796 3516 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
14:55:6:796 3516 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
14:55:6:796 3516 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
14:55:6:796 3516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:55:6:796 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
14:55:6:796 3516 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A6B3AB8
14:55:6:796 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6B3AB8
14:55:6:796 3516 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A6BAF18
14:55:6:796 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6BAF18
14:55:6:796 3516 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A650B00
14:55:6:796 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A650B00
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A650B00[0x38]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT addr: 8A6B8030
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6B8030[0xA8]
14:55:6:796 3516 KLMD_ReadMem: Trying to ReadMemory 0xE101EA48[0x208]
14:55:6:796 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
14:55:6:796 3516 DetectCureTDL3: IrpHandler (0) addr: BA7156F2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (2) addr: BA7156F2
14:55:6:796 3516 DetectCureTDL3: IrpHandler (3) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (4) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (9) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (14) addr: BA715712
14:55:6:796 3516 DetectCureTDL3: IrpHandler (15) addr: BA711852
14:55:6:796 3516 DetectCureTDL3: IrpHandler (16) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (22) addr: BA71573C
14:55:6:796 3516 DetectCureTDL3: IrpHandler (23) addr: BA71C336
14:55:6:796 3516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:55:6:796 3516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:55:6:796 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
14:55:6:796 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
14:55:6:828 3516 File C:\WINDOWS\system32\Drivers\atapi.sys infected by TDSS rootkit ... 14:55:6:828 3516 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
14:55:6:828 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
14:55:6:828 3516 TDL3_FileCure: Driver file C:\WINDOWS\system32\Drivers\atapi.sys cure failed
14:55:6:828 3516 cure failed
14:55:6:828 3516 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A699AB8
14:55:6:828 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A699AB8
14:55:6:828 3516 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A71AA38
14:55:6:828 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A71AA38
14:55:6:828 3516 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A6A2940
14:55:6:828 3516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6A2940
14:55:6:828 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6A2940[0x38]
14:55:6:828 3516 DetectCureTDL3: DRIVER_OBJECT addr: 89FE4340
14:55:6:828 3516 KLMD_ReadMem: Trying to ReadMemory 0x89FE4340[0xA8]
14:55:6:828 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A69B030[0x38]
14:55:6:828 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A6B8030[0xA8]
14:55:6:828 3516 KLMD_ReadMem: Trying to ReadMemory 0xE101EA48[0x208]
14:55:6:828 3516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
14:55:6:828 3516 DetectCureTDL3: IrpHandler (0) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (1) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (2) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (3) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (4) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (5) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (6) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (7) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (8) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (9) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (10) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (11) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (12) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (13) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (14) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (15) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (16) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (17) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (18) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (19) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (20) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (21) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (22) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (23) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (24) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (25) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: IrpHandler (26) addr: 8A666E07
14:55:6:828 3516 DetectCureTDL3: All IRP handlers pointed to one addr: 8A666E07
14:55:6:828 3516 KLMD_ReadMem: Trying to ReadMemory 0x8A666E07[0x400]
14:55:6:828 3516 TDL3_HookDetect: CheckParameters: 7, FFDF0308, 441, 99, 3, 88
14:55:6:828 3516 Driver atapi infected by TDSS rootkit ... 14:55:6:828 3516 TDL3_HookCure: Processing driver in memory: atapi
14:55:6:828 3516 KLMD_WriteMem: Trying to WriteMemory 0x8A666E6A[0xD]
14:55:6:828 3516 cured
14:55:6:828 3516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
14:55:6:828 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
14:55:6:828 3516 File C:\WINDOWS\system32\Drivers\atapi.sys infected by TDSS rootkit ... 14:55:6:828 3516 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
14:55:6:828 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
14:55:6:828 3516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
14:55:7:31 3516 cured
14:55:7:78 3516
Completed

Results:
14:55:7:78 3516 Infected / Cured drivers in memory: 1 / 1
14:55:7:78 3516 Infected / Cured drivers on disk: 2 / 1
14:55:7:78 3516 Files deleted on next reboot: 0
14:55:7:78 3516 Registry nodes deleted on next reboot: 0
14:55:7:78 3516

#6 Guest_Black_Bird_*


Posted 02 December 2009 - 11:08 AM

Hi,

1. Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

2. Download RSIT
Save it to your desktop.

Double click on RSIT to start the program.
Click Continue when the disclaimer window appears.
When the scan has been completed, two logfiles will be opened. Post the contents from log.txt and info.txt.

#7 grendel67


Posted 05 December 2009 - 10:27 AM

Here is the GMER log. I could not run RSIT; it gave an error: AutoIT Error - subscript used with non-array variable.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-05 09:20:13
Windows 5.1.2600 Service Pack 3
Running: ls5dwv2n.exe; Driver: C:\DOCUME~1\Ron\LOCALS~1\Temp\pgwirkow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB3C9E6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB3C9E574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB3C9EA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB3C9E14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB3C9E64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB3C9E08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB3C9E0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB3C9E76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB3C9E72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB3C9E8AE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes JMP 924AB3C9
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes CALL 4144FC0A
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB770E360, 0x32E00D, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\ITE.sys entry point in "init" section [0xBAC5832C]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[772] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[772] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

#8 Guest_Black_Bird_*


Posted 05 December 2009 - 01:23 PM

Hi,

Please do this instead of running RSIT:
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


#9 grendel67


Posted 05 December 2009 - 08:07 PM

First log
OTL logfile created on: 12/5/2009 6:58:25 PM - Run 1
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Documents and Settings\Ron\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 74.29% Memory free
3.85 Gb Paging File | 3.45 Gb Available in Paging File | 89.55% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 99.53 Gb Free Space | 66.78% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 48.83 Gb Total Space | 8.91 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive F: | 48.83 Gb Total Space | 9.82 Gb Free Space | 20.10% Space Free | Partition Type: NTFS
Drive G: | 73.24 Gb Total Space | 2.81 Gb Free Space | 3.84% Space Free | Partition Type: NTFS
Drive H: | 61.98 Gb Total Space | 7.09 Gb Free Space | 11.44% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: RON-1B90B907BDF
Current User Name: Ron
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Ron\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\system32\ASTSRV.EXE (Nalpeiron Ltd.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe (Wacom Technology, Corp.)
PRC - C:\WINDOWS\system32\Wacom_Tablet.exe (Wacom Technology, Corp.)
PRC - C:\Program Files\ASUS\PC Probe II\Probe2.exe (ASUS)
PRC - C:\Program Files\ASUS\AASP\1.00.64\aaCenter.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Ron\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll (ALWIL Software)


========== Win32 Services (SafeList) ==========

SRV - (MBAMService) -- C:\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (astcc) -- C:\WINDOWS\system32\ASTSRV.EXE (Nalpeiron Ltd.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (AODService) -- C:\Program Files\AMD\OverDrive\AODAssist.exe ()
SRV - (TabletServiceWacom) -- C:\WINDOWS\system32\Wacom_Tablet.exe (Wacom Technology, Corp.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (atapi) -- C:\WINDOWS\system32\DRIVERS\atapi.sys ()
DRV - (shdzc) -- C:\WINDOWS\system32\drivers\jnrfbgnmbevc.sys ()
DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)
DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (adfs) -- C:\WINDOWS\system32\drivers\adfs.sys (Adobe Systems, Inc.)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (AsIO) -- C:\WINDOWS\system32\drivers\AsIO.sys ()
DRV - (AtcL001) -- C:\WINDOWS\system32\drivers\l151x86.sys (Atheros Communications, Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AmdLLD) -- C:\WINDOWS\system32\drivers\AmdLLD.sys (AMD, Inc.)
DRV - (motmodem) -- C:\WINDOWS\system32\drivers\motmodem.sys (Motorola)
DRV - (wacommousefilter) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys (Wacom Technology)
DRV - (wacomvhid) -- C:\WINDOWS\system32\drivers\wacomvhid.sys (Wacom Technology)
DRV - (WacomVKHid) -- C:\WINDOWS\system32\drivers\WacomVKHid.sys (Wacom Technology)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (HPZius12) -- C:\WINDOWS\system32\drivers\HPZius12.sys (HP)
DRV - (RT2500) -- C:\WINDOWS\system32\drivers\RT2500.sys (Ralink Technology Inc.)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (ITE) -- C:\WINDOWS\system32\drivers\ITE.SYS (Integrated Technology Express, INC.)
DRV - (ONSIO) -- C:\WINDOWS\system32\drivers\onsio.sys ()
DRV - (SMPLSCSI) -- C:\WINDOWS\System32\drivers\SMPLSCSI.SYS (OnSpec Electronic, Inc.)
DRV - (ASPI32) -- C:\WINDOWS\system32\drivers\ASPI32.SYS (Adaptec)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yma2

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.bing.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.8.6
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: multipletab@piro.sakura.ne.jp:0.5.2009110501
FF - prefs.js..extensions.enabledItems: webmynd@yourentirelife.com:0.8.3
FF - prefs.js..extensions.enabledItems: {d9284e50-81fc-11da-a72b-0800200c9a66}:6.2.1
FF - prefs.js..network.proxy.no_proxies_on: "*.local"


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/14 12:25:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/26 19:12:19 | 00,000,000 | ---D | M]

[2009/11/14 12:25:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ron\Application Data\Mozilla\Extensions
[2009/12/04 23:06:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\oy7cgeah.default\extensions
[2009/11/14 12:55:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\oy7cgeah.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/11/14 12:56:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\oy7cgeah.default\extensions\{d9284e50-81fc-11da-a72b-0800200c9a66}
[2009/11/14 12:55:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\oy7cgeah.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2009/11/14 12:55:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\oy7cgeah.default\extensions\multipletab@piro.sakura.ne.jp
[2009/11/14 12:56:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\oy7cgeah.default\extensions\webmynd@yourentirelife.com
[2009/12/04 23:06:00 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe ()
O4 - HKLM..\Run: [Launch PC Probe II] C:\Program Files\ASUS\PC Probe II\Probe2.exe (ASUS)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register Mask Pro 3.0.lnk = File not found
O4 - Startup: C:\Documents and Settings\Ron\Start Menu\Programs\Startup\Adobe Media Player.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.comcastsupport.com/sdccommon/download/tgctlsr.cab (SupportSoft Script Runner Class)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab (DLM Control)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O22 - SharedTaskScheduler: {8BCCCA80-77A9-409D-8954-DFF8ED16818E} - MSMAPIDL - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/02 09:26:23 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/30 01:13:59 | 00,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/08/14 00:00:35 | 00,006,033 | ---- | M] () - E:\AutoEyeuninstal.log -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/05 18:55:26 | 00,536,576 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ron\Desktop\OTL.exe
[2009/12/03 18:19:50 | 00,000,000 | ---D | C] -- C:\rsit
[2009/12/01 21:50:27 | 00,023,120 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/12/01 21:50:26 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/12/01 21:50:26 | 00,027,408 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/12/01 21:50:24 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/12/01 21:50:24 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/12/01 21:50:24 | 00,094,160 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/12/01 21:50:24 | 00,093,424 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/12/01 21:50:24 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/12/01 21:50:08 | 01,280,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/11/30 22:32:27 | 00,000,000 | ---D | C] -- C:\Program Files\FrostWire
[2009/11/30 14:50:39 | 00,000,000 | ---D | C] -- C:\TDSSKILLER
[2009/11/26 19:12:19 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/11/26 19:12:19 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/11/26 19:12:19 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/11/26 18:41:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ron\.housecall6.6
[2009/11/22 21:51:49 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/21 20:44:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ron\Desktop\GooredFix Backups
[2009/11/20 21:35:08 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/11/20 21:35:08 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/11/20 21:35:07 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/11/20 21:31:12 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/11/14 23:38:53 | 00,186,880 | ---- | C] (CEXX.ORG) -- C:\Documents and Settings\Ron\My Documents\LSPFix.exe
[2009/11/14 22:45:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/11/14 12:25:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ron\Local Settings\Application Data\Mozilla
[2009/11/14 12:25:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ron\Application Data\Mozilla
[2009/11/14 12:25:00 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/11/10 22:21:16 | 00,000,000 | ---D | C] -- C:\Malwarebytes' Anti-Malware
[2009/11/10 22:08:21 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/10 22:08:19 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/10 22:08:19 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/07/22 16:43:10 | 00,069,632 | RHS- | C] ( ) -- C:\WINDOWS\System32\msmapiddl.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/05 18:55:27 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ron\Desktop\OTL.exe
[2009/12/05 18:53:58 | 00,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C5645E1C-8A10-4AE7-812C-69FC5DF3E3C4}.job
[2009/12/05 18:50:46 | 00,193,559 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/12/05 18:50:40 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/05 18:50:13 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/05 18:50:09 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/05 09:27:45 | 05,505,024 | -H-- | M] () -- C:\Documents and Settings\Ron\NTUSER.DAT
[2009/12/05 00:55:30 | 00,137,728 | ---- | M] () -- C:\Documents and Settings\Ron\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/04 20:00:10 | 00,000,414 | ---- | M] () -- C:\WINDOWS\tasks\Malwarebytes' Scheduled Update for Ron.job
[2009/12/03 17:33:17 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Ron\Desktop\RSIT.exe
[2009/12/03 17:32:44 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Ron\Desktop\ls5dwv2n.exe
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/03 01:28:57 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Ron\ntuser.ini
[2009/12/01 21:50:27 | 00,001,709 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/01 21:50:24 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/11/30 22:59:34 | 00,003,532 | ---- | M] () -- C:\drmHeader.bin
[2009/11/30 22:32:45 | 00,000,852 | ---- | M] () -- C:\Documents and Settings\Ron\Desktop\FrostWire 4.18.4.lnk
[2009/11/30 18:52:30 | 00,062,464 | ---- | M] () -- C:\Documents and Settings\Ron\My Documents\Publication1.pub
[2009/11/30 14:55:06 | 00,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2009/11/29 19:19:57 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/29 19:03:13 | 03,571,933 | R--- | M] () -- C:\Documents and Settings\Ron\Desktop\ComboFix.exe
[2009/11/26 17:07:16 | 00,072,704 | ---- | M] () -- C:\WINDOWS\System32\drivers\jnrfbgnmbevc.sys
[2009/11/24 19:04:39 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/24 17:54:29 | 01,280,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/11/24 17:51:09 | 00,093,424 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/11/24 17:50:59 | 00,094,160 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/11/24 17:50:12 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/11/24 17:50:00 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/11/24 17:49:07 | 00,048,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/11/24 17:48:57 | 00,023,120 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/11/24 17:47:54 | 00,027,408 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/11/24 17:47:28 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/11/22 21:59:13 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Ron\Local Settings\Application Data\housecall.guid.cache
[2009/11/22 21:51:49 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Ron\Desktop\HijackThis.lnk
[2009/11/22 21:25:25 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/22 21:05:53 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/21 22:59:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/11/20 23:42:14 | 00,047,625 | ---- | M] () -- C:\Documents and Settings\Ron\My Documents\5th_grade.pdf
[2009/11/18 17:38:53 | 02,331,472 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/17 21:23:29 | 00,069,232 | ---- | M] () -- C:\Documents and Settings\Ron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/17 21:13:05 | 00,000,690 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/15 21:31:47 | 00,003,460 | ---- | M] () -- C:\Documents and Settings\Ron\Desktop\visreport.html
[2009/11/14 12:25:20 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/11/14 12:25:04 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/13 13:50:50 | 00,843,264 | ---- | M] () -- C:\Documents and Settings\Ron\Desktop\OCT-09 112-82 SS Med.Tractor Build Scorecard MQ Folder1 (version 1).xls
[2009/11/13 13:12:12 | 00,673,792 | ---- | M] () -- C:\Documents and Settings\Ron\Desktop\OCT09 112-80 SS Med Tractor Launch Scorecard MQ Folder.xls
[2009/11/11 15:52:00 | 05,379,072 | ---- | M] () -- C:\Documents and Settings\Ron\Desktop\OCT 09 Teammeeting launchbuild .PPt
[2009/11/10 22:37:58 | 00,000,564 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/10 22:25:06 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\rufejibi
[2009/11/10 22:18:11 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\Ron\My Documents\rkill.com
[2009/11/10 14:51:32 | 00,033,792 | ---- | M] () -- C:\Documents and Settings\Ron\My Documents\Monthly Management review minutes Blank.doc
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/03 17:33:16 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Ron\Desktop\RSIT.exe
[2009/12/03 17:32:43 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Ron\Desktop\ls5dwv2n.exe
[2009/12/01 21:50:27 | 00,001,709 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/01 21:50:08 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/11/30 18:52:30 | 00,062,464 | ---- | C] () -- C:\Documents and Settings\Ron\My Documents\Publication1.pub
[2009/11/29 19:00:17 | 03,571,933 | R--- | C] () -- C:\Documents and Settings\Ron\Desktop\ComboFix.exe
[2009/11/26 17:07:16 | 00,072,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\jnrfbgnmbevc.sys
[2009/11/22 21:59:13 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Ron\Local Settings\Application Data\housecall.guid.cache
[2009/11/22 21:51:49 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Ron\Desktop\HijackThis.lnk
[2009/11/22 21:08:29 | 00,036,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\disk_2.sys
[2009/11/22 20:47:58 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/20 23:42:14 | 00,047,625 | ---- | C] () -- C:\Documents and Settings\Ron\My Documents\5th_grade.pdf
[2009/11/15 21:31:47 | 00,003,460 | ---- | C] () -- C:\Documents and Settings\Ron\Desktop\visreport.html
[2009/11/15 14:46:05 | 00,033,792 | ---- | C] () -- C:\Documents and Settings\Ron\My Documents\Monthly Management review minutes Blank.doc
[2009/11/15 14:46:02 | 05,379,072 | ---- | C] () -- C:\Documents and Settings\Ron\Desktop\OCT 09 Teammeeting launchbuild .PPt
[2009/11/15 14:45:59 | 00,843,264 | ---- | C] () -- C:\Documents and Settings\Ron\Desktop\OCT-09 112-82 SS Med.Tractor Build Scorecard MQ Folder1 (version 1).xls
[2009/11/15 14:45:56 | 00,673,792 | ---- | C] () -- C:\Documents and Settings\Ron\Desktop\OCT09 112-80 SS Med Tractor Launch Scorecard MQ Folder.xls
[2009/11/14 23:38:53 | 00,011,445 | ---- | C] () -- C:\Documents and Settings\Ron\My Documents\LSPFix-source.zip
[2009/11/14 12:25:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/11/14 12:25:04 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/11 21:45:26 | 00,000,852 | ---- | C] () -- C:\Documents and Settings\Ron\Desktop\FrostWire 4.18.4.lnk
[2009/11/10 22:18:08 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\Ron\My Documents\rkill.com
[2009/11/10 22:08:23 | 00,000,564 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/08 09:19:35 | 00,285,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\onsio.sys
[2009/10/08 09:19:35 | 00,000,206 | ---- | C] () -- C:\WINDOWS\SWISNIFE.INI
[2009/08/01 20:16:38 | 00,000,074 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2009/07/24 12:44:49 | 00,000,021 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\spupdwxp.log
[2009/06/20 13:13:18 | 04,477,539 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2009/06/20 13:13:18 | 00,832,632 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2009/06/20 13:13:18 | 00,829,781 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/06/20 13:13:18 | 00,557,469 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2009/06/20 13:13:18 | 00,336,384 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2009/06/20 13:13:18 | 00,216,064 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2009/06/20 13:13:18 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2009/06/20 13:13:18 | 00,146,098 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2009/06/20 13:13:18 | 00,126,976 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2009/06/20 13:13:18 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2009/06/20 13:13:16 | 00,176,640 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2009/06/20 13:13:16 | 00,117,760 | ---- | C] () -- C:\WINDOWS\System32\ff_tremor.dll
[2009/06/20 13:13:16 | 00,095,744 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2009/06/20 12:28:02 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/06/14 09:21:32 | 00,256,512 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2009/06/14 09:21:32 | 00,237,056 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2009/06/14 09:21:32 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/03/02 18:06:43 | 00,000,054 | ---- | C] () -- C:\WINDOWS\ScreenHunter.INI
[2009/03/02 15:55:37 | 00,000,082 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
[2009/01/10 16:17:32 | 00,163,840 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2009/01/10 16:16:56 | 00,148,480 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2009/01/10 16:16:50 | 00,108,032 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2009/01/10 16:16:14 | 00,141,312 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2009/01/10 16:15:54 | 00,120,832 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2009/01/10 16:15:44 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\mmfinfo.dll
[2009/01/10 16:15:32 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2009/01/10 16:15:28 | 00,246,784 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2009/01/10 16:15:12 | 00,097,280 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2009/01/10 16:14:08 | 00,079,360 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2009/01/10 16:14:06 | 00,023,552 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2008/12/03 16:11:50 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/11/12 18:14:35 | 00,000,294 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/11/06 10:37:32 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 10:34:00 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/10/19 18:15:37 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\909a74a55f64538e
[2008/10/19 18:15:27 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\45be4ab21b1df844
[2008/10/19 18:15:22 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\fdd43e39c351f673
[2008/10/19 18:15:17 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\4302b22048bea1ef
[2008/10/19 18:15:07 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\4dd955b7e0504131
[2008/10/19 18:14:57 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\bbe4ddb753ffa51e
[2008/10/19 18:14:47 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\ecadf69838418526
[2008/10/19 18:14:02 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\de91383a5642d8ac
[2008/10/19 18:13:58 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\ef2e93825c40d4a
[2008/10/19 18:13:58 | 00,000,118 | -H-- | C] () -- C:\Documents and Settings\Ron\Local Settings\Application Data\Thumbs.db
[2008/10/19 18:13:47 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\dbc76c47554524ea
[2008/10/19 18:13:07 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\7aaddfedd42799d1
[2008/10/19 18:13:02 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\d805567fcf062db
[2008/10/19 18:12:57 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\9fdb7026f6893efa
[2008/10/19 18:11:52 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\4ee067e1e21ef3c
[2008/10/19 18:11:47 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\297556319dbf8fcd
[2008/10/19 18:11:02 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\4138262e174a6545
[2008/10/19 18:10:57 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\ecf123c4c19ded3f
[2008/10/19 18:10:47 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\1c6cb04c7be3b456
[2008/10/19 18:10:37 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\28a6930cdbf025aa
[2008/10/19 18:10:27 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\84a96c4d5fcfe85
[2008/10/19 18:08:37 | 00,003,262 | ---- | C] () -- C:\Documents and Settings\Ron\Application Data\56a3695b6666651e
[2008/10/11 11:47:45 | 00,011,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2008/10/11 11:47:45 | 00,010,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2008/10/06 19:31:44 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/10/06 17:30:51 | 00,016,424 | ---- | C] () -- C:\Documents and Settings\Ron\Local Settings\Application Data\elafa.exe
[2008/10/06 17:30:51 | 00,016,317 | ---- | C] () -- C:\Program Files\Common Files\yqylerapa.ban
[2008/10/06 17:30:51 | 00,015,417 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ycis.dat
[2008/10/06 17:30:51 | 00,015,167 | ---- | C] () -- C:\Documents and Settings\Ron\Local Settings\Application Data\vigojag.pif
[2008/10/06 17:30:51 | 00,014,004 | ---- | C] () -- C:\WINDOWS\System32\sorehixo.dll
[2008/10/06 17:30:51 | 00,010,354 | ---- | C] () -- C:\Documents and Settings\Ron\Local Settings\Application Data\exeju.bin
[2008/10/05 20:39:01 | 00,137,728 | ---- | C] () -- C:\Documents and Settings\Ron\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/05 19:20:04 | 00,000,397 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/10/04 21:13:22 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2008/10/04 21:13:22 | 00,012,400 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2008/10/04 21:12:39 | 00,019,782 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/10/02 09:41:18 | 00,020,103 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2008/10/02 09:40:55 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/10/02 09:40:41 | 00,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/10/02 09:22:17 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\clbcatex.dll
[2008/08/23 22:46:32 | 00,003,509 | ---- | C] () -- C:\WINDOWS\System32\ASPRTMM4.DLL
[2008/05/16 13:01:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 13:01:00 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/16 13:01:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 13:01:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/02/04 17:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/10/13 03:30:20 | 00,000,137 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini
[2006/02/13 23:05:00 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/02/13 23:05:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/04 06:00:00 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2004/08/04 06:00:00 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\spwxtg5.dll
[2004/08/04 06:00:00 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2004/08/04 06:00:00 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2004/08/04 06:00:00 | 00,000,337 | ---- | C] () -- C:\WINDOWS\System32\he5joyl.dll
[2004/08/04 06:00:00 | 00,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2004/08/04 06:00:00 | 00,000,072 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\zb6ax9d.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\yuiwhwd.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\xmgv5lj.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\ww5gtky.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\wpeo12w.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\wc9dtsr.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\tdfagah.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\n9rz0co.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\mxtd7rx.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\lnmbfku.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\l5cicx8.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\h2qxwyv.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\frd0q1r.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\f7rcw8a.dll
[2004/08/04 06:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\d781jc2.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F8B88761
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
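
The file-listing sections of an OTL report all use one fixed line format (`[date time | size | attrs | C-or-M] (Company) -- path`, plus `@Alternate Data Stream` lines), so a log this long is easier to work through with a small script that parses the entries and pulls out the ones worth a second look. The following is an added example for this thread, not OTL's own code, not the BleepingComputer procedure and not the poster's log: the sample lines are constructed to mimic the format of the sections above (hypothetical file names, except atapi.sys, a real Windows driver name used to show the created-versus-modified check). Every flag it raises is a triage heuristic for a human to review, not a verdict; in particular an empty company string only means the file carries no version resource, which many legitimate files also lack.

```python
"""Triage helper for the file-listing sections of an OTL log.

Added example for this thread; not OTL's own code and not the poster's logs.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One OTL file/folder entry looks like:
#   [yyyy/mm/dd hh:mm:ss | size | attrs | C] (Company) -- path
# kind is C (Created section) or M (Modified section); attrs are R/H/S/D flags.
# Folder entries have no "(Company)" part; "()" or "( )" means no company string.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

SYSTEM_DIRS = ("\\windows\\system32\\",)   # compared against the lower-cased path
BINARY_EXT = (".sys", ".dll", ".exe", ".scr", ".ocx", ".com")


@dataclass(frozen=True)
class Entry:
    ts: datetime
    size: int
    attrs: str
    kind: str      # "C" = created, "M" = modified
    company: str   # "" when OTL printed "()" or "( )"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden_or_system(self) -> bool:
        return "H" in self.attrs or "S" in self.attrs


def parse_otl(text):
    """Return (file entries, ADS paths) found anywhere in an OTL log."""
    entries, streams = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(
                ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                size=int(m["size"].replace(",", "")),
                attrs=m["attrs"],
                kind=m["kind"],
                company=(m["company"] or "").strip(),
                path=m["path"],
            ))
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append(m["path"])
    return entries, streams


def triage(entries, streams, report_date, recent_days=30):
    """Heuristic flags for a human to review; none of them is a verdict."""
    recent = report_date - timedelta(days=recent_days)
    created = {e.path.lower(): e for e in entries if e.kind == "C"}
    findings = set()   # (path, reason); a path can appear in both C and M sections
    for e in entries:
        low = e.path.lower()
        if e.is_dir or not any(d in low for d in SYSTEM_DIRS):
            continue
        if not e.company and low.endswith(BINARY_EXT):
            findings.add((e.path, "binary in system directory with no version-info company"))
        if e.hidden_or_system:
            findings.add((e.path, f"hidden/system attributes ({e.attrs}) in system directory"))
        c = created.get(low)   # cross-reference the Created section for the same path
        if (e.kind == "M" and c is not None and e.ts >= recent
                and e.ts - c.ts > timedelta(days=365)):
            findings.add((e.path, f"modified {e.ts:%Y-%m-%d}, created {c.ts:%Y-%m-%d}"))
    for p in streams:
        findings.add((p, "alternate data stream"))
    return sorted(findings)


# Constructed sample in the format of the log above; names are hypothetical except
# atapi.sys, a real Windows driver name used to show the created/modified check.
SAMPLE_LOG = r"""
========== Files - Modified Within 30 Days ==========

[2009/12/01 21:50:27 | 00,023,120 | ---- | M] (Example Vendor) -- C:\WINDOWS\System32\drivers\vendordrv.sys
[2009/11/30 14:55:06 | 00,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2009/11/26 17:07:16 | 00,072,704 | ---- | M] () -- C:\WINDOWS\System32\drivers\qwxkzrtmb.sys
[2009/11/10 22:25:06 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\hjkqlmn
[2009/12/03 18:19:50 | 00,000,000 | ---D | C] -- C:\rsit

========== Files Created - No Company Name ==========

[2009/11/26 17:07:16 | 00,072,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\qwxkzrtmb.sys
[2004/08/04 06:00:00 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2009/07/22 16:43:10 | 00,069,632 | RHS- | C] ( ) -- C:\WINDOWS\System32\example.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A2B3C4D
< End of report >
"""


def triage_sample():
    entries, streams = parse_otl(SAMPLE_LOG)
    return triage(entries, streams, report_date=datetime(2009, 12, 5))


if __name__ == "__main__":
    for path, why in triage_sample():
        print(f"{why:60} {path}")
```

Feed it the text of a real report and it returns the same list for that log. The useful part is the cross-reference between the "Created" and "Modified" sections: a core file whose creation date is the OS install and whose modification date is last week stands out immediately, whereas each section read on its own hides that. The no-company rule is deliberately noisy (codec packs and vendor tools routinely trip it), which is why the output is a review list rather than a cleanup list.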

#10 grendel67

  • Topic Starter
  • Members
  • 9 posts

Posted 05 December 2009 - 08:10 PM

Second log
OTL Extras logfile created on: 12/5/2009 6:58:26 PM - Run 1
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Documents and Settings\Ron\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 74.29% Memory free
3.85 Gb Paging File | 3.45 Gb Available in Paging File | 89.55% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 99.53 Gb Free Space | 66.78% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 48.83 Gb Total Space | 8.91 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive F: | 48.83 Gb Total Space | 9.82 Gb Free Space | 20.10% Space Free | Partition Type: NTFS
Drive G: | 73.24 Gb Total Space | 2.81 Gb Free Space | 3.84% Space Free | Partition Type: NTFS
Drive H: | 61.98 Gb Total Space | 7.09 Gb Free Space | 11.44% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: RON-1B90B907BDF
Current User Name: Ron
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"G:\Combat Arms\CombatArms.exe" = G:\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- (Nexon)
"G:\Combat Arms\Engine.exe" = G:\Combat Arms\Engine.exe:*Enabled:Engine.exe -- (Nexon)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"G:\Mass Effect\Binaries\MassEffect.exe" = G:\Mass Effect\Binaries\MassEffect.exe:*:Enabled:Mass Effect Game -- (BioWare)
"G:\Mass Effect\MassEffectLauncher.exe" = G:\Mass Effect\MassEffectLauncher.exe:*:Enabled:Mass Effect Launcher -- (BioWare)
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"G:\Combat Arms\CombatArms.exe" = G:\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- (Nexon)
"G:\Combat Arms\Engine.exe" = G:\Combat Arms\Engine.exe:*Enabled:Engine.exe -- (Nexon)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{01979CA0-B550-47D0-AD16-553B2C3FCF97}" = Auction Sentry Deluxe
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0B1AAC97-8563-41D9-AE47-58E6A222F0E1}" = Search Settings 1.2.1
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0E6ED660-498C-42F7-9EF4-FB0C96DFC01A}" = Snagit 9.1
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{17A7779A-D23F-11D3-8753-0050BABE1202}" = Microtek ScanWizard
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}" = Cool & Quiet
"{1B0FBB9A-995D-47cd-87CD-13E68B676E4F}" = Mass Effect
"{1F698102-5739-441E-96F0-74F4EA540F06}" = Atheros Ethernet Utility
"{25DBE5A6-C574-4BEA-878D-E9FBA3BA0E8F}" = Test
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 17
"{2B59AB31-EBD0-45E4-A725-7112904DA605}" = Family Tree Maker Version 16
"{2DFAC810-6DD8-4E23-96A4-BEB118408203}" = Mask Pro 4.1
"{30852BD9-1787-4834-B0B5-D20C6CF10666}" = AMD OverDrive
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4EB092F5-185E-4FE6-8ED7-23F61C17D76C}" = MYSTAT 12
"{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A69D94E-C569-4154-9643-72E94D1DDFDA}" = XPS Essentials Pack
"{6E19F210-3813-4002-B561-94D66AA182B6}" = Atheros Communications Inc.® L1 Gigabit Ethernet Driver
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}" = overland
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D669429-A2E4-4793-B7A0-283D259F39AF}" = Adobe Photoshop Lightroom 2.5
"{9EB46587-4354-411C-BBAC-A9BBB2131F3D}" = FocalPoint 1.1.1
"{9FD6F1A8-5550-46AF-8509-271DF0E768B5}" = Dual-Core Optimizer
"{A0383B7D-81A2-49D3-BE06-C0FD9EFB9DFC}" = Corel Painter IX
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-0000-7EC8-7489-000000000603}" = Adobe Acrobat and Reader 6.0.3 Update
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B01DD5B7-9862-43D7-BCA3-7882A17E4328}" = PhotoTools 2.0 Professional Edition
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}" = HP Software Update
"{DE2EBD6F-81B6-4E9A-B137-C11FD6790CFF}" = PSShortcutsP
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{EFE26D3B-2789-4068-A5BB-77E389FAEB98}" = PSUsage
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCADA4FF-142C-42A8-B73C-0A54A7F83345}" = Genuine Fractals 6.0.2 Professional Edition
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"ArtStudioPro_is1" = ArtStudioPro
"avast!" = avast! Antivirus
"CD Audio Reader Filter" = CD Audio Reader Filter (remove only)
"Cole2k Media - Codec Pack" = Cole2k Media - Codec Pack (Advanced) 7.7.0
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DC-Bass Source" = DC-Bass Source 1.1.1
"DirectVobSub" = DirectVobSub (remove only)
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DScaler 5 Mpeg Decoders_is1" = DScaler 5 Mpeg Decoders
"Easy DVD Player_is1" = Easy DVD Player 2.0
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"FrostWire" = FrostWire 4.18.4
"HaaliMkx" = Haali Media Splitter
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Management_Scientist_6.0" = The Management Scientist 6.0
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MONOGRAM AMR Splitter/Decoder" = MONOGRAM AMR Splitter/Decoder (remove only)
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OpenSource DTS/AC3/DD+ Source Filter" = OpenSource DTS/AC3/DD+ Source Filter (remove only)
"OpenSource Flash Video Splitter" = OpenSource Flash Video Splitter (remove only)
"Poser 8_is1" = Poser 8 (8.0.0.10157)
"PROPLUSR" = Microsoft Office Professional Plus 2007
"RealMedia" = RealMedia (remove only)
"SystemRequirementsLab" = System Requirements Lab
"Wacom Tablet Driver" = Wacom Tablet
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 2.3d
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEP" = XPS Essentials Pack 1.0
"ZoomPlayer" = Zoom Player (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"TwistedBrush Pro Studio" = TwistedBrush Pro Studio
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/2/2009 3:16:51 PM | Computer Name = RON-1B90B907BDF | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6504.5000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/2/2009 3:17:04 PM | Computer Name = RON-1B90B907BDF | Source = Application Hang | ID = 1001
Description = Fault bucket 1303216512.

Error - 8/12/2009 11:26:17 PM | Computer Name = RON-1B90B907BDF | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application outlook.exe, version 12.0.6504.5000, stamp 49e7f47e,
faulting module mspst32.dll, version 12.0.6504.5000, stamp 49e7f409, debug? 0,
fault address 0x00055946.

Error - 8/12/2009 11:26:34 PM | Computer Name = RON-1B90B907BDF | Source = Microsoft Office 12 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Office Outlook.

Error - 8/13/2009 7:44:40 PM | Computer Name = RON-1B90B907BDF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/25/2009 7:10:37 PM | Computer Name = RON-1B90B907BDF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/25/2009 10:47:03 PM | Computer Name = RON-1B90B907BDF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/25/2009 10:47:05 PM | Computer Name = RON-1B90B907BDF | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 9/2/2009 10:28:22 PM | Computer Name = RON-1B90B907BDF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/2/2009 10:28:25 PM | Computer Name = RON-1B90B907BDF | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

[ OSession Events ]
Error - 8/12/2009 11:26:15 PM | Computer Name = RON-1B90B907BDF | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/12/2009 11:25:48 PM | Computer Name = RON-1B90B907BDF | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 11/30/2009 3:47:11 PM | Computer Name = RON-1B90B907BDF | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 11/30/2009 9:04:08 PM | Computer Name = RON-1B90B907BDF | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 12/1/2009 11:57:05 AM | Computer Name = RON-1B90B907BDF | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 12/1/2009 11:44:28 PM | Computer Name = RON-1B90B907BDF | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 12/2/2009 12:11:02 AM | Computer Name = RON-1B90B907BDF | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 12/2/2009 12:11:15 AM | Computer Name = RON-1B90B907BDF | Source = AmdLLD | ID = 180092939
Description = AdjustCoreTSC() Node[ 0 ] Core[ 0 ] Cpu[ 0 ] Affinity[ 0x1 ] Error:
HalGetBusDataByOffset() failed reading north-bridge TSC.

Error - 12/2/2009 4:30:26 PM | Computer Name = RON-1B90B907BDF | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 12/3/2009 7:30:00 PM | Computer Name = RON-1B90B907BDF | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 12/4/2009 8:20:00 PM | Computer Name = RON-1B90B907BDF | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 12/5/2009 8:50:19 PM | Computer Name = RON-1B90B907BDF | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.


< End of report >

#11 Guest_Black_Bird_*

  • Guests
  • OFFLINE

Posted 06 December 2009 - 04:05 AM

Hi,

Go to Virustotal.com
Upload the following file by copying/pasting this path (so do not use "Browse"!): C:\WINDOWS\system32\DRIVERS\ITE.sys
Wait until the results appear, and post them in your next reply.

Do this also with this file: C:\WINDOWS\System32\drivers\disk_2.sys

#12 grendel67

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE

Posted 06 December 2009 - 09:44 PM

Results for C:\WINDOWS\system32\DRIVERS\ITE.sys:

Antivirus           Version          Last Update  Result
a-squared           4.5.0.43         2009.12.07   -
AhnLab-V3           5.0.0.2          2009.12.06   -
AntiVir             7.9.1.92         2009.12.06   -
Antiy-AVL           2.0.3.7          2009.12.04   -
Authentium          5.2.0.5          2009.12.02   -
Avast               4.8.1351.0       2009.12.06   -
AVG                 8.5.0.426        2009.12.06   -
BitDefender         7.2              2009.12.07   -
CAT-QuickHeal       10.00            2009.12.05   -
ClamAV              0.94.1           2009.12.07   -
Comodo              3103             2009.12.01   -
DrWeb               5.0.0.12182      2009.12.07   -
eSafe               7.0.17.0         2009.12.06   -
eTrust-Vet          35.1.7159        2009.12.04   -
F-Prot              4.5.1.85         2009.12.06   -
F-Secure            9.0.15370.0      2009.12.03   -
Fortinet            4.0.14.0         2009.12.06   -
GData               19               2009.12.07   -
Ikarus              T3.1.1.74.0      2009.12.07   -
Jiangmin            13.0.900         2009.12.02   -
K7AntiVirus         7.10.912         2009.12.05   -
Kaspersky           7.0.0.125        2009.12.07   -
McAfee              5824             2009.12.06   -
McAfee+Artemis      5824             2009.12.06   -
McAfee-GW-Edition   6.8.5            2009.12.07   -
Microsoft           1.5302           2009.12.06   -
NOD32               4665             2009.12.06   -
Norman              6.03.02          2009.12.05   -
nProtect            2009.1.8.0       2009.12.06   -
Panda               10.0.2.2         2009.12.06   -
PCTools             7.0.3.5          2009.12.07   -
Prevx               3.0              2009.12.07   -
Rising              22.25.00.01      2009.12.07   -
Sophos              4.48.0           2009.12.07   -
Sunbelt             3.2.1858.2       2009.12.06   -
Symantec            1.4.4.12         2009.12.07   -
TheHacker           6.5.0.2.086      2009.12.05   -
TrendMicro          9.100.0.1001     2009.12.06   -
VBA32               3.12.12.0        2009.12.07   -
ViRobot             2009.12.4.2072   2009.12.04   -
VirusBuster         5.0.21.0         2009.12.06   -
Additional information
File size: 36768 bytes
MD5...: 63f2f1e5fb55c04bc3a67ff273153417
SHA1..: 375c24c7f36dcc2e10242ac22f8242037e5f6125
SHA256: 5cc553f85f346371d76564d1c3f595b4e61053ffad8705646af2599a1b6e2000
ssdeep: 768:zuGNJJ4j6ZRxEErCOrGiZXk10E1ztzFojo342KqNoF+UGE0+74rr9eu/8oPALD+f:zuGNJJ4j6ZvEErZr1ZU10E1ztzFojo3b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x32c
timedatestamp.....: 0x3fcbe851 (Tue Dec 02 01:18:09 2003)
machinetype.......: 0x14c (I386)

( 7 sections )
name    viradd  virsiz  rawdsiz  ntrpy  md5
init    0x2e0   0xd0    0xe0     5.37   c9f3ee5a2f2640e08e40aaa024c8cc89
page    0x3c0   0x2d46  0x2d60   6.51   e896338f68f5621f4b95cbe9b86fe7c3
.text   0x3120  0x17f6  0x1800   6.44   5af723007ae79894d92e5d631a36e00c
.data   0x4920  0x231   0x240    3.27   f814443ca8792f7cf8f4e06127de03d5
INIT    0x4b60  0x492   0x4a0    4.99   ce2439c47141363ca34bfb9a28697145
.rsrc   0x5000  0x410   0x420    3.24   188853d0d795f7daf205225e8177e79e
.reloc  0x5420  0x3c0   0x3c0    5.83   39f3436b4f188e7d9bd7ce46d44f681b

( 2 imports )
> NTOSKRNL.EXE: IoDeleteDevice, RtlFreeUnicodeString, IoRegisterDeviceInterface, DbgPrint, IoDetachDevice, KeInitializeDpc, IoCreateDevice, PoSetPowerState, IoAttachDeviceToDeviceStack, IofCallDriver, KeInitializeEvent, KeSetEvent, IoSetDeviceInterfaceState, IofCompleteRequest, ExFreePool, ExAllocatePoolWithTag, ObfReferenceObject, PoCallDriver, KeWaitForSingleObject, IoIsWdmVersionAvailable, ExQueueWorkItem, PoStartNextPowerIrp, MmUnmapIoSpace, IoConnectInterrupt, MmMapIoSpace, IoDisconnectInterrupt, InterlockedDecrement, InterlockedIncrement, ObfDereferenceObject, IoBuildSynchronousFsdRequest, IoGetAttachedDeviceReference, RtlWriteRegistryValue, wcscat, wcscpy, RtlQueryRegistryValues, RtlInitUnicodeString, wcslen, swprintf, IoAllocateIrp, IoFreeIrp, PoRequestPowerIrp, RtlUnwind
> HAL.DLL: WRITE_PORT_UCHAR, KeGetCurrentIrql, READ_PORT_UCHAR

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Integrated Technology Express, INC.
copyright....: Copyright 2000 Integrated Technology Express, INC.
product......: ITE8872 Device Driver
description..: ITE.sys
original name: ITE.sys
internal name: ITE
file version.: 16, 06, 03, 0
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned

Results for C:\WINDOWS\System32\drivers\disk_2.sys:

Antivirus           Version          Last Update  Result
a-squared           4.5.0.43         2009.12.07   -
AhnLab-V3           5.0.0.2          2009.12.06   -
AntiVir             7.9.1.92         2009.12.06   -
Antiy-AVL           2.0.3.7          2009.12.04   -
Authentium          5.2.0.5          2009.12.02   -
Avast               4.8.1351.0       2009.12.06   -
AVG                 8.5.0.426        2009.12.06   -
BitDefender         7.2              2009.12.07   -
CAT-QuickHeal       10.00            2009.12.05   -
ClamAV              0.94.1           2009.12.07   -
Comodo              3103             2009.12.01   -
DrWeb               5.0.0.12182      2009.12.07   -
eSafe               7.0.17.0         2009.12.06   -
eTrust-Vet          35.1.7159        2009.12.04   -
F-Prot              4.5.1.85         2009.12.06   -
F-Secure            9.0.15370.0      2009.12.03   -
Fortinet            4.0.14.0         2009.12.06   -
GData               19               2009.12.07   -
Ikarus              T3.1.1.74.0      2009.12.07   -
Jiangmin            13.0.900         2009.12.02   -
K7AntiVirus         7.10.912         2009.12.05   -
Kaspersky           7.0.0.125        2009.12.07   -
McAfee              5824             2009.12.06   -
McAfee+Artemis      5824             2009.12.06   -
McAfee-GW-Edition   6.8.5            2009.12.07   -
Microsoft           1.5302           2009.12.06   -
NOD32               4665             2009.12.06   -
Norman              6.03.02          2009.12.05   -
nProtect            2009.1.8.0       2009.12.06   -
Panda               10.0.2.2         2009.12.06   -
PCTools             7.0.3.5          2009.12.07   -
Prevx               3.0              2009.12.07   -
Rising              22.25.00.01      2009.12.07   -
Sophos              4.48.0           2009.12.07   -
Sunbelt             3.2.1858.2       2009.12.06   -
Symantec            1.4.4.12         2009.12.07   -
TheHacker           6.5.0.2.086      2009.12.05   -
TrendMicro          9.100.0.1001     2009.12.06   -
VBA32               3.12.12.0        2009.12.07   -
ViRobot             2009.12.4.2072   2009.12.04   -
VirusBuster         5.0.21.0         2009.12.06   -
Additional information
File size: 36352 bytes
MD5...: 837784962a9f5fecc3df21b6e0507860
SHA1..: faf2aff1392269d36db7dbcc211f3d97b3f526ed
SHA256: 1fe3b06aac001b1c5abba8650f760bc3347e8d0e5c64b197d6fa2ac1d09b8803
ssdeep: 3::
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: OpenGL object (29.2%)
Lotus 123 Worksheet (generic) (14.6%)
HSC music composer song (9.2%)
Game Music Creator Music (8.2%)
MacBinary 1 header (7.5%)

#13 Guest_Black_Bird_*

  • Guests
  • OFFLINE

Posted 07 December 2009 - 09:23 AM

Hi,

1. Open My Computer (you can find it on your Desktop, and in your Start menu)
Double-click your C: drive.
Now go to File > New > Folder
Enter this for the name of the folder: TDSSKiller

2. Download TDSSKiller.zip
Save it to the folder C:\TDSSKiller

3. Unzip the file. Follow these steps to unzip:
Go, if you are not already there, to the folder: C:\TDSSKiller
Now right-click TDSSKiller.zip and choose Extract all
Click Next every time, and click Finish in the last screen.

4. Open a Notepad file.
Copy the code below into this Notepad file.

@ECHO OFF
TDSSKiller.exe -l report.txt -v
DEL %0
Go to File - Save as.
At "Save to", choose: C:\TDSSKiller
At "File name", choose: start.bat
At "File type" select: All files (*.*).
Now click on the Save button.

Double-click start.bat
This will activate TDSSKiller.
Please post the contents of the file that opens (report.txt).

#14 grendel67

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE

Posted 07 December 2009 - 07:54 PM

Host Name: RON-1B90B907BDF
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Ron Cotty
Registered Organization:
Product ID: 76487-OEM-2252881-92158
Original Install Date: 10/2/2008, 10:28:29 AM
System Up Time: 0 Days, 0 Hours, 25 Minutes, 21 Seconds
System Manufacturer: System manufacturer
System Model: System Product Name
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 107 Stepping 2 AuthenticAMD ~2700 Mhz
BIOS Version: 041808 - 20080418
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-06:00) Central Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,507 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\RON-1B90B907BDF
Hotfix(s): 186 Hotfix(s) Installed.
NetWork Card(s): 2 NIC(s) Installed.
[01]: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.100
[02]: Linksys Wireless-G PCI Adapter
Connection Name: Wireless Network Connection
18:52:19:421 1256 ForceUnloadDriver: NtUnloadDriver error 2
18:52:19:421 1256 ForceUnloadDriver: NtUnloadDriver error 2
18:52:19:421 1256 ForceUnloadDriver: NtUnloadDriver error 2
18:52:19:437 1256 main: Driver KLMD successfully dropped
18:52:19:453 1256 main: Driver KLMD successfully loaded
18:52:19:453 1256
Scanning Registry ...
18:52:19:484 1256 ScanServices: Searching service UACd.sys
18:52:19:484 1256 ScanServices: Open/Create key error 2
18:52:19:484 1256 ScanServices: Searching service TDSSserv.sys
18:52:19:484 1256 ScanServices: Open/Create key error 2
18:52:19:484 1256 ScanServices: Searching service gaopdxserv.sys
18:52:19:484 1256 ScanServices: Open/Create key error 2
18:52:19:484 1256 ScanServices: Searching service gxvxcserv.sys
18:52:19:484 1256 ScanServices: Open/Create key error 2
18:52:19:484 1256 ScanServices: Searching service MSIVXserv.sys
18:52:19:484 1256 ScanServices: Open/Create key error 2
18:52:19:484 1256 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
18:52:19:640 1256 UnhookRegistry: Kernel local addr: A40000
18:52:19:640 1256 UnhookRegistry: KeServiceDescriptorTable addr: AC5700
18:52:19:671 1256 UnhookRegistry: KiServiceTable addr: A6D460
18:52:19:671 1256 UnhookRegistry: NtEnumerateKey service number (local): 47
18:52:19:671 1256 UnhookRegistry: NtEnumerateKey local addr: B8CFF2
18:52:19:671 1256 KLMD_OpenDevice: Trying to open KLMD device
18:52:19:671 1256 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
18:52:19:671 1256 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
18:52:19:671 1256 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
18:52:19:671 1256 UnhookRegistry: NtEnumerateKey service number (kernel): 47
18:52:19:671 1256 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
18:52:19:671 1256 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
18:52:19:671 1256 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
18:52:19:671 1256 UnhookRegistry: No SDT hooks found on NtEnumerateKey
18:52:19:671 1256 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
18:52:19:671 1256 UnhookRegistry: No splicing found on NtEnumerateKey
18:52:19:671 1256
Scanning Kernel memory ...
18:52:19:671 1256 KLMD_OpenDevice: Trying to open KLMD device
18:52:19:671 1256 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
18:52:19:671 1256 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
18:52:19:671 1256 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A6FC628
18:52:19:671 1256 DetectCureTDL3: KLMD_GetDeviceObjectList returned 9 DevObjects
18:52:19:671 1256 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8A4F5030
18:52:19:671 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A4F5030
18:52:19:671 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A4F5030[0x38]
18:52:19:671 1256 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
18:52:19:671 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
18:52:19:671 1256 KLMD_ReadMem: Trying to ReadMemory 0xE1002350[0x208]
18:52:19:671 1256 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:52:19:671 1256 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
18:52:19:671 1256 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
18:52:19:671 1256 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
18:52:19:671 1256 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
18:52:19:671 1256 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
18:52:19:671 1256 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
18:52:19:671 1256 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
18:52:19:671 1256 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
18:52:19:671 1256 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
18:52:19:671 1256 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
18:52:19:671 1256 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:52:19:671 1256 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:52:19:671 1256 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:52:19:671 1256 KLMD_ReadMem: DeviceIoControl error 1
18:52:19:671 1256 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:52:19:671 1256 TDL3_FileDetect: Processing driver: Disk
18:52:19:671 1256 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:52:19:671 1256 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:52:19:671 1256 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:52:19:687 1256 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 89AFF030
18:52:19:687 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89AFF030
18:52:19:687 1256 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 89B6E5E0
18:52:19:687 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B6E5E0
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0x89B6E5E0[0x38]
18:52:19:687 1256 DetectCureTDL3: DRIVER_OBJECT addr: 89BF0950
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0x89BF0950[0xA8]
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0xE359A5C0[0x208]
18:52:19:687 1256 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
18:52:19:687 1256 DetectCureTDL3: IrpHandler (0) addr: BABB5218
18:52:19:687 1256 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (2) addr: BABB5218
18:52:19:687 1256 DetectCureTDL3: IrpHandler (3) addr: BABB523C
18:52:19:687 1256 DetectCureTDL3: IrpHandler (4) addr: BABB523C
18:52:19:687 1256 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (9) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (14) addr: BABB5180
18:52:19:687 1256 DetectCureTDL3: IrpHandler (15) addr: BABB09E6
18:52:19:687 1256 DetectCureTDL3: IrpHandler (16) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (22) addr: BABB45F0
18:52:19:687 1256 DetectCureTDL3: IrpHandler (23) addr: BABB2A6E
18:52:19:687 1256 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0xBABB1F26[0x400]
18:52:19:687 1256 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
18:52:19:687 1256 TDL3_FileDetect: Processing driver: USBSTOR
18:52:19:687 1256 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys
18:52:19:687 1256 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
18:52:19:687 1256 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
18:52:19:687 1256 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A68E030
18:52:19:687 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A68E030
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A68E030[0x38]
18:52:19:687 1256 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0xE1002350[0x208]
18:52:19:687 1256 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:52:19:687 1256 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
18:52:19:687 1256 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
18:52:19:687 1256 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
18:52:19:687 1256 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
18:52:19:687 1256 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
18:52:19:687 1256 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
18:52:19:687 1256 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
18:52:19:687 1256 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
18:52:19:687 1256 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
18:52:19:687 1256 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
18:52:19:687 1256 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:52:19:687 1256 KLMD_ReadMem: DeviceIoControl error 1
18:52:19:687 1256 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:52:19:687 1256 TDL3_FileDetect: Processing driver: Disk
18:52:19:687 1256 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:52:19:687 1256 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:52:19:687 1256 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:52:19:687 1256 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8A6B38A0
18:52:19:687 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6B38A0
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6B38A0[0x38]
18:52:19:687 1256 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
18:52:19:687 1256 KLMD_ReadMem: Trying to ReadMemory 0xE1002350[0x208]
18:52:19:687 1256 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:52:19:687 1256 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
18:52:19:687 1256 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
18:52:19:687 1256 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
18:52:19:687 1256 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
18:52:19:687 1256 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
18:52:19:687 1256 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
18:52:19:687 1256 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
18:52:19:687 1256 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
18:52:19:687 1256 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
18:52:19:687 1256 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
18:52:19:687 1256 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:52:19:687 1256 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:52:19:703 1256 KLMD_ReadMem: DeviceIoControl error 1
18:52:19:703 1256 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:52:19:703 1256 TDL3_FileDetect: Processing driver: Disk
18:52:19:703 1256 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:52:19:703 1256 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:52:19:703 1256 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:52:19:703 1256 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8A6B3C68
18:52:19:703 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6B3C68
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6B3C68[0x38]
18:52:19:703 1256 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0xE1002350[0x208]
18:52:19:703 1256 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:52:19:703 1256 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
18:52:19:703 1256 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
18:52:19:703 1256 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
18:52:19:703 1256 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
18:52:19:703 1256 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
18:52:19:703 1256 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
18:52:19:703 1256 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
18:52:19:703 1256 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
18:52:19:703 1256 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
18:52:19:703 1256 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
18:52:19:703 1256 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:52:19:703 1256 KLMD_ReadMem: DeviceIoControl error 1
18:52:19:703 1256 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:52:19:703 1256 TDL3_FileDetect: Processing driver: Disk
18:52:19:703 1256 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:52:19:703 1256 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:52:19:703 1256 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:52:19:703 1256 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 8A6B2C68
18:52:19:703 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6B2C68
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6B2C68[0x38]
18:52:19:703 1256 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0xE1002350[0x208]
18:52:19:703 1256 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:52:19:703 1256 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
18:52:19:703 1256 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
18:52:19:703 1256 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
18:52:19:703 1256 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
18:52:19:703 1256 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
18:52:19:703 1256 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
18:52:19:703 1256 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
18:52:19:703 1256 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
18:52:19:703 1256 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
18:52:19:703 1256 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
18:52:19:703 1256 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:52:19:703 1256 KLMD_ReadMem: DeviceIoControl error 1
18:52:19:703 1256 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:52:19:703 1256 TDL3_FileDetect: Processing driver: Disk
18:52:19:703 1256 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:52:19:703 1256 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:52:19:703 1256 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:52:19:703 1256 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 8A69AC68
18:52:19:703 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A69AC68
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A69AC68[0x38]
18:52:19:703 1256 DetectCureTDL3: DRIVER_OBJECT addr: 8A6FC628
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6FC628[0xA8]
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0xE1002350[0x208]
18:52:19:703 1256 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:52:19:703 1256 DetectCureTDL3: IrpHandler (0) addr: BA8FEBB0
18:52:19:703 1256 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (2) addr: BA8FEBB0
18:52:19:703 1256 DetectCureTDL3: IrpHandler (3) addr: BA8F8D1F
18:52:19:703 1256 DetectCureTDL3: IrpHandler (4) addr: BA8F8D1F
18:52:19:703 1256 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (9) addr: BA8F92E2
18:52:19:703 1256 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (14) addr: BA8F93BB
18:52:19:703 1256 DetectCureTDL3: IrpHandler (15) addr: BA8FCF28
18:52:19:703 1256 DetectCureTDL3: IrpHandler (16) addr: BA8F92E2
18:52:19:703 1256 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (22) addr: BA8FAC82
18:52:19:703 1256 DetectCureTDL3: IrpHandler (23) addr: BA8FF99E
18:52:19:703 1256 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:52:19:703 1256 KLMD_ReadMem: DeviceIoControl error 1
18:52:19:703 1256 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:52:19:703 1256 TDL3_FileDetect: Processing driver: Disk
18:52:19:703 1256 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:52:19:703 1256 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:52:19:703 1256 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:52:19:703 1256 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A6B5AB8
18:52:19:703 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6B5AB8
18:52:19:703 1256 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A705DD8
18:52:19:703 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A705DD8
18:52:19:703 1256 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A69ED98
18:52:19:703 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A69ED98
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A69ED98[0x38]
18:52:19:703 1256 DetectCureTDL3: DRIVER_OBJECT addr: 8A6A1788
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6A1788[0xA8]
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0xE173C378[0x208]
18:52:19:703 1256 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
18:52:19:703 1256 DetectCureTDL3: IrpHandler (0) addr: BA7156F2
18:52:19:703 1256 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (2) addr: BA7156F2
18:52:19:703 1256 DetectCureTDL3: IrpHandler (3) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (4) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (9) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (14) addr: BA715712
18:52:19:703 1256 DetectCureTDL3: IrpHandler (15) addr: BA711852
18:52:19:703 1256 DetectCureTDL3: IrpHandler (16) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (22) addr: BA71573C
18:52:19:703 1256 DetectCureTDL3: IrpHandler (23) addr: BA71C336
18:52:19:703 1256 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:52:19:703 1256 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:52:19:703 1256 KLMD_ReadMem: Trying to ReadMemory 0xBA712864[0x400]
18:52:19:703 1256 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
18:52:19:703 1256 TDL3_FileDetect: Processing driver: atapi
18:52:19:703 1256 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
18:52:19:703 1256 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
18:52:19:703 1256 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
18:52:19:718 1256 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A676AB8
18:52:19:718 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A676AB8
18:52:19:718 1256 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A71AE30
18:52:19:718 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A71AE30
18:52:19:718 1256 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A69FD98
18:52:19:718 1256 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A69FD98
18:52:19:718 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A69FD98[0x38]
18:52:19:718 1256 DetectCureTDL3: DRIVER_OBJECT addr: 8A6A1788
18:52:19:718 1256 KLMD_ReadMem: Trying to ReadMemory 0x8A6A1788[0xA8]
18:52:19:718 1256 KLMD_ReadMem: Trying to ReadMemory 0xE173C378[0x208]
18:52:19:718 1256 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
18:52:19:718 1256 DetectCureTDL3: IrpHandler (0) addr: BA7156F2
18:52:19:718 1256 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (2) addr: BA7156F2
18:52:19:718 1256 DetectCureTDL3: IrpHandler (3) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (4) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (9) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (14) addr: BA715712
18:52:19:718 1256 DetectCureTDL3: IrpHandler (15) addr: BA711852
18:52:19:718 1256 DetectCureTDL3: IrpHandler (16) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (22) addr: BA71573C
18:52:19:718 1256 DetectCureTDL3: IrpHandler (23) addr: BA71C336
18:52:19:718 1256 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:52:19:718 1256 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:52:19:718 1256 KLMD_ReadMem: Trying to ReadMemory 0xBA712864[0x400]
18:52:19:718 1256 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
18:52:19:718 1256 TDL3_FileDetect: Processing driver: atapi
18:52:19:718 1256 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
18:52:19:718 1256 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
18:52:19:718 1256 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
18:52:19:718 1256
Completed

Results:
18:52:19:718 1256 Infected objects in memory: 0
18:52:19:718 1256 Cured objects in memory: 0
18:52:19:718 1256 Infected objects on disk: 0
18:52:19:718 1256 Objects on disk cured on reboot: 0
18:52:19:718 1256 Objects on disk deleted on reboot: 0
18:52:19:718 1256 Registry nodes deleted on reboot: 0
18:52:19:718 1256

#15 Guest_Black_Bird_*

Posted 09 December 2009 - 08:37 AM

Hi,

Can you please give me fresh logfiles from GMER and OTL? :(



