
Search engine hijack and false virus popup


34 replies to this topic

#1 Konadan

Posted 30 November 2009 - 01:51 AM

I can't get rid of a search engine hijack in Firefox. It doesn't happen on every search, but after a few misdirections, I get a false virus pop-up. After I see the pop-up, I restart my PC to avoid getting infected. I am running Vista, and I have run Malwarebytes, SUPERAntiSpyware, and Avira, and I am clean. Please, I need a helper to help me get rid of my problem. I went to the tech support at SUPERAntiSpyware, and they couldn't help me.

#2 Buckeye_Sam
    Malware Expert


Posted 30 November 2009 - 11:09 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
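The `/s /md5` custom-scan lines OTL produces for the file names listed above can be checked mechanically: the in-use copy under System32 is compared with the staged copies Windows keeps in WinSxS and the DriverStore, and a live file whose hash matches none of them (or a file that is missing altogether) is singled out for the helper's review. The script below is an added example, not OTL's own code or anything posted in this thread; its sample input copies the scecli.dll block from the log posted later in the thread and adds a constructed atapi.sys block with a placeholder MD5 and an empty sceclt.dll block, and the function names `parse_custom_scans` and `assess` are mine.

```python
import re

# Constructed sample in OTL's "/s /md5" custom-scan format. The scecli.dll block
# is taken from the log posted in this thread; the atapi.sys block is constructed
# (its System32 copy carries a placeholder MD5 that matches no staged copy) and
# the sceclt.dll block is empty, which is how OTL reports a file that is not found.
SAMPLE = r"""
< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2006/11/02 01:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
"""

# "< %SYSTEMDRIVE%\name.ext /s /md5 >" opens one custom-scan section.
HEADER_RE = re.compile(r"^<\s*(?P<spec>.+?)\s*/s\s*/md5\s*>$")
# "[date time | size | attrs | M] (Company) MD5=... -- path" is one file record.
RECORD_RE = re.compile(
    r"^\[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[^|]+?)\s*\|\s*(?P<kind>[MC])\]"
    r"\s*\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)
# Directories where Windows keeps staged or backup copies rather than the copy in use.
STAGING_MARKERS = ("\\winsxs\\", "\\driverstore\\", "\\softwaredistribution\\", "\\servicepackfiles\\")


def is_staged(path):
    """True for a copy held in a component/driver store, False for the copy actually loaded."""
    low = path.lower()
    return any(marker in low for marker in STAGING_MARKERS)


def parse_custom_scans(text):
    """Return {filename: [record, ...]} for every '/s /md5' section, keeping empty ones."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group("spec").rsplit("\\", 1)[-1].lower()
            sections.setdefault(current, [])
            continue
        if line.startswith("<") and line.endswith(">"):
            current = None  # some other custom scan (e.g. "< %SYSTEMDRIVE%\*.exe >"), not an MD5 listing
            continue
        record = RECORD_RE.match(line)
        if record and current is not None:
            rec = record.groupdict()
            rec["size"] = int(rec["size"].replace(",", ""))
            rec["md5"] = rec["md5"].upper()
            sections[current].append(rec)
    return sections


def assess(sections):
    """Map each live copy's path (or a file name, when nothing is in use) to (status, note)."""
    findings = {}
    for name, recs in sections.items():
        live = [r for r in recs if not is_staged(r["path"])]
        staged = [r for r in recs if is_staged(r["path"])]
        if not recs:
            findings[name] = ("absent", "file not found anywhere on the system drive")
            continue
        if not live:
            findings[name] = ("staged-only", "no in-use copy, only %d staged copies" % len(staged))
            continue
        for r in live:
            twins = [s for s in staged if s["md5"] == r["md5"]]
            same_size = [s for s in staged if s["size"] == r["size"] and s["md5"] != r["md5"]]
            if twins:
                verdict = ("consistent", "MD5 matches staged copy %s" % twins[0]["path"])
            elif same_size:
                verdict = ("review", "same size as a staged copy but different MD5")
            elif staged:
                verdict = ("review", "MD5 matches none of the %d staged copies" % len(staged))
            else:
                verdict = ("unverified", "no staged copy to compare against")
            if not r["company"].strip():  # OTL prints "()" when the file carries no company name
                verdict = ("review", verdict[1] + "; no company name")
            findings[r["path"]] = verdict
    return findings


if __name__ == "__main__":
    for key, (status, note) in assess(parse_custom_scans(SAMPLE)).items():
        print("%-12s %s -- %s" % (status, key, note))
```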

#3 Konadan

Posted 30 November 2009 - 03:14 PM

Per your request:


OTL logfile created on: 11/30/2009 11:54:01 AM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Users\Danny\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 57.37% Memory free
4.00 Gb Paging File | 3.48 Gb Available in Paging File | 86.91% Paging File free
Paging file location(s): c:\pagefile.sys 3000 3026 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 75.57 Gb Total Space | 43.02 Gb Free Space | 56.93% Space Free | Partition Type: NTFS
Drive D: | 73.48 Gb Total Space | 68.31 Gb Free Space | 92.96% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 3.84 Gb Total Space | 0.10 Gb Free Space | 2.49% Space Free | Partition Type: FAT32
Drive H: | 149.05 Gb Total Space | 78.60 Gb Free Space | 52.73% Space Free | Partition Type: NTFS
Drive I: | 232.88 Gb Total Space | 74.82 Gb Free Space | 32.13% Space Free | Partition Type: NTFS
Drive J: | 232.88 Gb Total Space | 54.41 Gb Free Space | 23.36% Space Free | Partition Type: NTFS

Computer Name: DANNY-PC
Current User Name: Danny
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/30 11:51:10 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Users\Danny\Desktop\OTL.exe
PRC - [2009/11/23 08:43:26 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com) -- D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/11 03:29:09 | 03,124,160 | ---- | M] (SlySoft, Inc.) -- D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
PRC - [2009/11/02 19:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- d:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/04/10 22:28:08 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/02/25 13:32:54 | 00,733,184 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe
PRC - [2008/09/19 07:28:49 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/01/18 23:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [1997/07/10 23:00:00 | 05,324,560 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\WINWORD.EXE


========== Modules (SafeList) ==========

MOD - [2009/11/30 11:51:10 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Users\Danny\Desktop\OTL.exe
MOD - [2009/11/23 10:38:10 | 00,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/04/10 22:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/09/24 17:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/02/25 13:32:54 | 00,733,184 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe -- (Ati External Event Utility)
SRV - [2008/09/19 07:28:49 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/01/18 23:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/11/02 04:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = BF 80 FC 0F 47 35 ED 43 AF 3C 4C B4 F7 BE 20 44 [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = BF 80 FC 0F 47 35 ED 43 AF 3C 4C B4 F7 BE 20 44 [binary data]

IE - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.att.net/ [binary data]
IE - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E9 4C 0C 7E 87 71 CA 01 [binary data]
IE - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = BF 80 FC 0F 47 35 ED 43 AF 3C 4C B4 F7 BE 20 44 [binary data]
IE - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\S-1-5-21-3462626417-1902296538-3159851537-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://go.microsoft.com/fwlink/?LinkId=69157"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.5
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.7
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: {60eaab9e-9411-4297-bdaa-0dd0d3d330d5}:1.0
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/11/29 10:52:37 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: d:\Program Files\Mozilla Firefox\components [2009/11/21 14:48:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: d:\Program Files\Mozilla Firefox\plugins [2009/11/21 14:48:45 | 00,000,000 | ---D | M]

[2009/06/11 22:36:31 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\Mozilla\Extensions
[2009/11/30 11:28:46 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\2oqqhu9n.default\extensions
[2009/11/08 16:39:38 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\2oqqhu9n.default\extensions\{60eaab9e-9411-4297-bdaa-0dd0d3d330d5}
[2009/11/19 19:41:39 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\2oqqhu9n.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/10/28 20:12:31 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\2oqqhu9n.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

O1 HOSTS File: (734 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\Program Files\ATTToolbar\ATTToolbar.dll (AT&T)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\Program Files\ATTToolbar\ATTToolbar.dll (AT&T)
O3 - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\..\Toolbar\WebBrowser: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\Program Files\ATTToolbar\ATTToolbar.dll (AT&T)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000..\Run: [AnyDVD] d:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (SlySoft, Inc.)
O4 - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\..Trusted Domains: motive.com ([patttbc.att] https in Trusted sites)
O15 - HKU\S-1-5-21-3462626417-1902296538-3159851537-1000\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CA6F0A67-18BB-4E39-BB8A-A1E04D6AACDF} http://www.superadblocker.com/activex/sabminf.cab (SABMachineInfo Class)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.5.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - AppInit_DLLs: (C:\Windows\System32\ddraw32.dll) - C:\Windows\System32\ddraw32.dll File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{ae9ec3fe-5ba7-11de-8185-00e018be0256}\Shell\AutoRun\command - "" = K:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/06/11 18:22:12 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2009/11/30 11:51:07 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Users\Danny\Desktop\OTL.exe
[2009/11/29 16:55:12 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/11/29 16:52:52 | 00,000,000 | ---D | C] -- C:\Users\Danny\AppData\Roaming\SUPERAntiSpyware.com
[2009/11/23 18:15:32 | 00,000,000 | ---D | C] -- C:\Users\Danny\AppData\Local\SUPERSystemInspector
[2009/11/21 13:03:27 | 00,000,000 | ---D | C] -- C:\Users\Danny\Desktop\IPO Litigation
[2009/11/16 13:30:08 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
[1 C:\Users\Danny\Documents\*.tmp files -> C:\Users\Danny\Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/11/30 11:54:52 | 02,883,584 | -HS- | M] () -- C:\Users\Danny\NTUSER.DAT
[2009/11/30 11:51:10 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Users\Danny\Desktop\OTL.exe
[2009/11/30 11:45:33 | 00,038,912 | ---- | M] () -- C:\Users\Danny\Documents\Blueplate2.doc
[2009/11/30 10:49:26 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/11/30 10:49:26 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/11/30 10:49:26 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/11/29 18:44:54 | 00,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/11/29 18:44:53 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/11/29 18:44:53 | 00,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/11/29 18:37:13 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/11/29 18:36:56 | 16,101,94944 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/29 18:36:17 | 00,524,288 | -HS- | M] () -- C:\Users\Danny\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2009/11/29 18:36:17 | 00,065,536 | -HS- | M] () -- C:\Users\Danny\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2009/11/29 18:36:08 | 02,104,819 | -H-- | M] () -- C:\Users\Danny\AppData\Local\IconCache.db
[2009/11/29 15:37:51 | 00,234,496 | ---- | M] () -- C:\Users\Danny\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/28 11:22:41 | 00,000,124 | -HS- | M] () -- C:\ProgramData\.zreglib
[2009/11/21 18:35:21 | 00,052,952 | ---- | M] () -- C:\Users\Danny\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/11/21 17:18:52 | 00,243,752 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/11/21 15:44:37 | 00,000,734 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/11/21 13:54:27 | 00,000,595 | ---- | M] () -- C:\Users\Danny\Desktop\Uninstall Tool.lnk
[2009/11/21 10:56:02 | 00,003,148 | ---- | M] () -- C:\Users\Danny\Documents\cc_20091121_105556.reg
[2009/11/20 19:06:31 | 05,957,836 | ---- | M] () -- C:\Users\Danny\Documents\April 2000 Trust - Ariba, Covad, Sycamore Networks.jpg20091120190611DANNY-PCPDFCreator.pdf
[2009/11/20 19:03:59 | 15,899,730 | ---- | M] () -- C:\Users\Danny\Documents\C__Users_Danny_Desktop_Trust Brokarage files for CAL_April 2000 Trust - Ariba, Covad, Sycamore Networks_April 2000 Trust - Ariba, Covad, Sycamore Networks_jpg.ps
[2009/11/20 13:34:49 | 00,960,386 | ---- | M] () -- C:\Users\Danny\Documents\March 2000 Roth - Deltathree 001.jpg20091120133438DANNY-PCPDFCreator.pdf
[2009/11/20 13:25:24 | 02,861,637 | ---- | M] () -- C:\Users\Danny\Documents\C__Users_Danny_Desktop€9-11-20 March 2000 Roth - Deltathree_March 2000 Roth - Deltathree 001_jpg.ps
[2009/11/16 13:29:59 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2009/11/16 13:29:45 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[1 C:\Users\Danny\Documents\*.tmp files -> C:\Users\Danny\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/21 14:41:07 | 16,101,94944 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/21 13:54:27 | 00,000,595 | ---- | C] () -- C:\Users\Danny\Desktop\Uninstall Tool.lnk
[2009/11/21 10:55:59 | 00,003,148 | ---- | C] () -- C:\Users\Danny\Documents\cc_20091121_105556.reg
[2009/11/20 19:06:16 | 05,957,836 | ---- | C] () -- C:\Users\Danny\Documents\April 2000 Trust - Ariba, Covad, Sycamore Networks.jpg20091120190611DANNY-PCPDFCreator.pdf
[2009/11/20 19:04:00 | 15,899,730 | ---- | C] () -- C:\Users\Danny\Documents\C__Users_Danny_Desktop_Trust Brokarage files for CAL_April 2000 Trust - Ariba, Covad, Sycamore Networks_April 2000 Trust - Ariba, Covad, Sycamore Networks_jpg.ps
[2009/11/20 13:34:47 | 00,960,386 | ---- | C] () -- C:\Users\Danny\Documents\March 2000 Roth - Deltathree 001.jpg20091120133438DANNY-PCPDFCreator.pdf
[2009/11/20 13:25:24 | 02,861,637 | ---- | C] () -- C:\Users\Danny\Documents\C__Users_Danny_Desktop€9-11-20 March 2000 Roth - Deltathree_March 2000 Roth - Deltathree 001_jpg.ps
[2009/11/16 13:29:59 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2009/11/16 13:29:45 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2009/11/08 16:39:17 | 00,005,609 | -HS- | C] () -- C:\Users\Danny\AppData\Roaming\02000000a77c7480697C.manifest
[2009/11/08 16:39:17 | 00,002,045 | -HS- | C] () -- C:\Users\Danny\AppData\Roaming\02000000a77c7480697P.manifest
[2009/11/08 16:39:17 | 00,000,568 | -HS- | C] () -- C:\Users\Danny\AppData\Roaming\02000000a77c7480697O.manifest
[2009/11/08 16:39:17 | 00,000,011 | -HS- | C] () -- C:\Users\Danny\AppData\Roaming\02000000a77c7480697S.manifest
[2009/11/06 17:27:56 | 00,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2009/06/15 18:17:20 | 00,234,496 | ---- | C] () -- C:\Users\Danny\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/13 05:42:23 | 00,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/06/12 14:11:10 | 00,000,199 | ---- | C] () -- C:\Windows\Quicken.ini
[2009/06/12 12:47:15 | 00,000,124 | -HS- | C] () -- C:\ProgramData\.zreglib
[2009/06/11 23:25:02 | 00,000,022 | ---- | C] () -- C:\Windows\exchng.ini
[2009/06/11 23:25:00 | 00,000,611 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/06/11 20:37:01 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/06/10 20:40:19 | 00,000,680 | ---- | C] () -- C:\Users\Danny\AppData\Local\d3d9caps.dat
[2009/05/28 08:41:40 | 04,472,538 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
[2009/05/25 08:38:22 | 00,830,004 | ---- | C] () -- C:\Windows\System32\ff_x264.dll
[2009/05/17 15:37:12 | 00,557,469 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
[2009/04/21 08:38:32 | 00,328,334 | ---- | C] () -- C:\Windows\System32\ff_kernelDeint.dll
[2009/04/21 08:08:22 | 00,425,040 | ---- | C] () -- C:\Windows\System32\TomsMoComp_ff.dll
[2009/04/21 07:54:54 | 00,146,098 | ---- | C] () -- C:\Windows\System32\libmpeg2_ff.dll
[2009/04/21 07:52:08 | 00,828,029 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/04/02 06:23:32 | 00,098,304 | ---- | C] () -- C:\Windows\System32\ff_wmv9.dll
[2009/04/02 06:21:50 | 00,084,480 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/03/02 08:19:36 | 00,183,296 | ---- | C] () -- C:\Windows\System32\ff_samplerate.dll
[2009/03/02 08:19:30 | 00,178,688 | ---- | C] () -- C:\Windows\System32\ff_libmad.dll
[2009/03/02 08:19:14 | 00,113,152 | ---- | C] () -- C:\Windows\System32\ff_unrar.dll
[2009/03/02 08:18:46 | 00,146,944 | ---- | C] () -- C:\Windows\System32\ff_tremor.dll
[2009/03/02 08:18:32 | 00,257,024 | ---- | C] () -- C:\Windows\System32\ff_libdts.dll
[2009/03/02 08:18:28 | 00,142,848 | ---- | C] () -- C:\Windows\System32\ff_liba52.dll
[2009/03/02 08:18:18 | 00,486,400 | ---- | C] () -- C:\Windows\System32\ff_libfaad2.dll
[2009/01/10 14:17:32 | 00,163,840 | ---- | C] () -- C:\Windows\System32\ts.dll
[2009/01/10 14:16:56 | 00,148,480 | ---- | C] () -- C:\Windows\System32\mkx.dll
[2009/01/10 14:16:50 | 00,108,032 | ---- | C] () -- C:\Windows\System32\avi.dll
[2009/01/10 14:16:14 | 00,141,312 | ---- | C] () -- C:\Windows\System32\mp4.dll
[2009/01/10 14:15:54 | 00,120,832 | ---- | C] () -- C:\Windows\System32\ogm.dll
[2009/01/10 14:15:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\mmfinfo.dll
[2009/01/10 14:15:32 | 00,102,400 | ---- | C] () -- C:\Windows\System32\avss.dll
[2009/01/10 14:15:28 | 00,246,784 | ---- | C] () -- C:\Windows\System32\dxr.dll
[2009/01/10 14:15:12 | 00,097,280 | ---- | C] () -- C:\Windows\System32\avs.dll
[2009/01/10 14:14:08 | 00,079,360 | ---- | C] () -- C:\Windows\System32\mkzlib.dll
[2009/01/10 14:14:06 | 00,023,552 | ---- | C] () -- C:\Windows\System32\mkunicode.dll
[2008/12/03 14:11:50 | 00,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2008/11/06 08:37:32 | 03,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/11/06 08:34:00 | 00,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2008/11/06 08:34:00 | 00,000,416 | ---- | C] () -- C:\Windows\System32\dpl100.dll.manifest
[2008/06/03 02:35:18 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2007/10/13 01:30:20 | 00,000,137 | ---- | C] () -- C:\Windows\System32\Registration.ini
[2007/07/10 09:10:12 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2007/04/24 12:22:02 | 00,274,432 | ---- | C] () -- C:\Windows\System32\MFT_anet.dll
[2006/12/04 00:25:14 | 00,022,723 | ---- | C] () -- C:\Windows\System32\sugo3l3.dll
[2006/11/02 04:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/01 23:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[1997/07/10 23:00:00 | 00,031,232 | ---- | C] () -- C:\Windows\System32\XLREC.DLL
[1997/07/10 23:00:00 | 00,025,600 | ---- | C] () -- C:\Windows\System32\RECNCL.DLL
[1997/07/10 23:00:00 | 00,022,016 | ---- | C] () -- C:\Windows\System32\ODBCSTF.DLL
[1997/07/10 23:00:00 | 00,022,016 | ---- | C] () -- C:\Windows\System32\DOCOBJ.DLL
[1997/07/10 23:00:00 | 00,012,288 | ---- | C] () -- C:\Windows\System32\HLINKPRX.DLL

========== LOP Check ==========

[2009/06/23 17:48:47 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\AT&T
[2009/06/23 17:47:29 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\ATTToolbar
[2009/08/02 12:16:37 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\IObit
[2009/06/13 05:53:51 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\Static Windows Mail Backup
[2009/09/11 10:43:30 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\Tific
[2009/10/04 19:14:48 | 00,000,000 | ---D | M] -- C:\Users\Danny\AppData\Roaming\Titanium Gears
[2009/11/29 18:36:20 | 00,032,616 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/11/08 22:50:09 | 00,000,384 | ---- | M] () -- C:\Windows\Tasks\SmartDefrag.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2006/11/02 01:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2008/01/18 23:36:19 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2006/11/02 01:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2008/01/18 23:35:36 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >
[2006/11/02 01:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/18 23:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2006/11/02 01:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/18 23:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2008/01/18 21:06:48 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\SoftwareDistribution\Download\c0a17eb89d8e2d806cdee4a2d05890b4\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/01/18 20:33:23 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\SoftwareDistribution\Download\c0a17eb89d8e2d806cdee4a2d05890b4\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/06/10 23:22:07 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2006/11/02 01:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/01/18 23:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2009/06/10 23:22:07 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2009/06/10 23:22:06 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys
[2008/01/18 23:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2006/11/02 01:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/18 23:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2006/11/02 01:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys
[2008/01/18 23:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/18 23:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/18 23:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 72 bytes -> C:\Windows:0F4B35867515EF68
< End of report >

#4 Konadan

Posted 30 November 2009 - 03:25 PM

Sam,

I sincerely appreciate your help. I am running GMER, now.

#5 Konadan

Posted 30 November 2009 - 03:53 PM

Sam,

GMER Log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 12:50:44
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Danny\AppData\Local\Temp\fglcapog.sys


---- System - GMER 1.0.15 ----

SSDT 91F74D7C ZwCreateThread
SSDT 91F74D68 ZwOpenProcess
SSDT 91F74D6D ZwOpenThread
SSDT \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x86EB00B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueue + 411 81CBFA48 4 Bytes [7C, 4D, F7, 91]
.text ntoskrnl.exe!KeInsertQueue + 5E1 81CBFC18 4 Bytes [68, 4D, F7, 91]
.text ntoskrnl.exe!KeInsertQueue + 5FD 81CBFC34 4 Bytes [6D, 4D, F7, 91]
.text ntoskrnl.exe!KeInsertQueue + 811 81CBFE48 4 Bytes [B0, 00, EB, 86] {MOV AL, 0x0; JMP 0xffffffffffffff8a}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8A403000, 0x2585E6, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D97817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73DEA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73D9BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73D8F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D975E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73D8E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73DC8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73D9DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73D8FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73D8FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73D871CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73E1CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73DBC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73D8D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73D86853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73D8687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1796] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73D92AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort1 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-3 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1690D01E-7277-6E91-C1F9-6BE4A7AF9AB4}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1690D01E-7277-6E91-C1F9-6BE4A7AF9AB4}@jaholhpmcjmknclabgma 0x62 0x61 0x6D 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1690D01E-7277-6E91-C1F9-6BE4A7AF9AB4}@iahnjnaeponnncppkl 0x6B 0x61 0x65 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1690D01E-7277-6E91-C1F9-6BE4A7AF9AB4}@jaholhpmcjmknclabgaa 0x62 0x61 0x6D 0x66 ...

---- EOF - GMER 1.0.15 ----

#6 Buckeye_Sam

Posted 30 November 2009 - 06:31 PM

Can you recreate the issue with Internet Explorer, or is it solely with Firefox?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Konadan

Posted 30 November 2009 - 09:29 PM

No, I can't re-create the same issues with IE. I went to every possible site on a search list.

I have uninstalled Firefox and all extensions, and re-installed. No help.

I just realized that I may have given you misleading info. The search engines work OK in Firefox, but when I get to a Google search list of sites and I click on one of the site candidates, I get misdirected and/or get the false virus notification pop-up. It doesn't happen every time, but the more I do it, the better chance I have of getting misdirected and/or getting the pop-up.

#8 Konadan

Posted 30 November 2009 - 09:50 PM

I tried a Bing search list, and after a few tries, I got the virus pop-up.

#9 Buckeye_Sam

Posted 01 December 2009 - 07:50 AM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


#10 Konadan

Posted 01 December 2009 - 12:27 PM

Hi Sam,

Should I run this in Safe Mode?

Edited by Konadan, 01 December 2009 - 03:33 PM.


#11 Buckeye_Sam

Posted 01 December 2009 - 06:52 PM

Nope, no reason to run it in safe mode.

#12 Konadan

Posted 01 December 2009 - 09:18 PM

Per your request:



GooredFix by jpshortstuff (27.11.09.1)
Log created at 18:14 on 01/12/2009 (Danny)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [03:07 13/11/2009]

---------- Old Logs ----------
GooredFix[02.13.40_02-12-2009].txt

-=E.O.F=

#13 Buckeye_Sam

Posted 02 December 2009 - 08:44 AM

Nothing to worry about there.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.


#14 Konadan

Posted 02 December 2009 - 09:23 AM

Per your request:


Host Name: DANNY-PC
OS Name: Microsoft® Windows Vista™ Home Premium
OS Version: 6.0.6002 Service Pack 2 Build 6002
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Danny
Registered Organization:
Product ID: 89578-015-2342181-71921
Original Install Date: 6/10/2009, 9:27:42 PM
System Boot Time: 12/2/2009, 1:46:35 AM
System Manufacturer: Sony Corporation
System Model: PCV-RX850(UC)
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 2 Stepping 4 GenuineIntel ~2400 Mhz
BIOS Version: Award Software, Inc. ACPI BIOS Revision 1001, 8/20/2002
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory: 1,535 MB
Available Physical Memory: 979 MB
Page File: Max Size: 4,489 MB
Page File: Available: 3,651 MB
Page File: In Use: 838 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\DANNY-PC
Hotfix(s): 133 Hotfix(s) Installed.
[01]: {AC76BA86-7AD7-0000-2550-7A8C40000912} -
[02]: {8B2F38F1-6D3C-4D87-AD2F-954AF6942800}
[03]: KB971513
[04]: KB971512
[05]: 944036
[06]: KB960362
[07]: KB971514
[08]: KB925902
[09]: KB929399
[10]: KB929735
[11]: KB930178
[12]: KB930857
[13]: KB931099
[14]: KB931573
[15]: KB936357
[16]: KB936782
[17]: KB936825
[18]: KB938127
[19]: KB939159
[20]: KB941569
[21]: KB941600
[22]: KB943055
[23]: KB945553
[24]: KB946026
[25]: KB946456
[26]: KB949939
[27]: KB905866
[28]: KB929123
[29]: KB929916
[30]: KB931213
[31]: KB933928
[32]: KB935807
[33]: KB936824
[34]: KB937287
[35]: KB938123
[36]: KB938194
[37]: KB938371
[38]: KB938464
[39]: KB938979
[40]: KB941649
[41]: KB941651
[42]: KB942624
[43]: KB943411
[44]: KB943899
[45]: KB946041
[46]: KB948609
[47]: KB948610
[48]: KB950124
[49]: KB950125
[50]: KB950760
[51]: KB950762
[52]: KB950974
[53]: KB951066
[54]: KB951376
[55]: KB951698
[56]: KB951978
[57]: KB952004
[58]: KB952069
[59]: KB952287
[60]: KB952709
[61]: KB953155
[62]: KB953733
[63]: KB954154
[64]: KB954155
[65]: KB954459
[66]: KB955020
[67]: KB955069
[68]: KB955302
[69]: KB955430
[70]: KB955839
[71]: KB956572
[72]: KB956744
[73]: KB956802
[74]: KB957097
[75]: KB957200
[76]: KB957321
[77]: KB957388
[78]: KB958481
[79]: KB958483
[80]: KB958623
[81]: KB958624
[82]: KB958644
[83]: KB958687
[84]: KB959108
[85]: KB959130
[86]: KB959426
[87]: KB959772
[88]: KB960225
[89]: KB960803
[90]: KB961371
[91]: KB961501
[92]: KB967632
[93]: KB967723
[94]: KB968389
[95]: KB968537
[96]: KB968816
[97]: KB969897
[98]: KB969897
[99]: KB969898
[100]: KB969947
[101]: KB970238
[102]: KB970653
[103]: KB970710
[104]: KB971180
[105]: KB971486
[106]: KB971557
[107]: KB971657
[108]: KB971930
[109]: KB971961
[110]: KB972036
[111]: KB972145
[112]: KB972260
[113]: KB972636
[114]: KB973346
[115]: KB973507
[116]: KB973525
[117]: KB973540
[118]: KB973565
[119]: KB973687
[120]: KB973768
[121]: KB973874
[122]: KB974306
[123]: KB974455
[124]: KB974470
[125]: KB974571
[126]: KB975364
[127]: KB975467
[128]: KB975517
[129]: KB976098
[130]: KB976470
[131]: KB976749
[132]: KB948465
[133]: 940157
Network Card(s): 1 NIC(s) Installed.
[01]: Realtek RTL8139/810x Family Fast Ethernet NIC
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.5.1
IP address(es)
[01]: 192.168.5.2
[02]: fe80::3c45:16c8:620a:1866
6:12:2:442 2540 ForceUnloadDriver: NtUnloadDriver error 2
6:12:2:442 2540 ForceUnloadDriver: NtUnloadDriver error 2
6:12:2:442 2540 ForceUnloadDriver: NtUnloadDriver error 2
6:12:2:473 2540 main: Driver KLMD successfully dropped
6:12:2:488 2540 main: Driver KLMD successfully loaded
6:12:2:488 2540
Scanning Registry ...
6:12:2:504 2540 ScanServices: Searching service UACd.sys
6:12:2:504 2540 ScanServices: Open/Create key error 2
6:12:2:504 2540 ScanServices: Searching service TDSSserv.sys
6:12:2:504 2540 ScanServices: Open/Create key error 2
6:12:2:504 2540 ScanServices: Searching service gaopdxserv.sys
6:12:2:504 2540 ScanServices: Open/Create key error 2
6:12:2:504 2540 ScanServices: Searching service gxvxcserv.sys
6:12:2:504 2540 ScanServices: Open/Create key error 2
6:12:2:504 2540 ScanServices: Searching service MSIVXserv.sys
6:12:2:504 2540 ScanServices: Open/Create key error 2
6:12:2:504 2540 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntoskrnl.exe, base addr: 81C3C000
6:12:2:504 2540 UnhookRegistry: Kernel local addr: 1A30000
6:12:2:504 2540 UnhookRegistry: KeServiceDescriptorTable addr: 1B5C8C0
6:12:2:504 2540 UnhookRegistry: KiServiceTable addr: 1A9D910
6:12:2:504 2540 UnhookRegistry: NtEnumerateKey service number (local): 85
6:12:2:504 2540 UnhookRegistry: NtEnumerateKey local addr: 1C03366
6:12:2:520 2540 KLMD_OpenDevice: Trying to open KLMD device
6:12:2:520 2540 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
6:12:2:520 2540 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
6:12:2:520 2540 KLMD_ReadMem: Trying to ReadMemory 0x81C919F5[0x4]
6:12:2:520 2540 UnhookRegistry: NtEnumerateKey service number (kernel): 85
6:12:2:520 2540 KLMD_ReadMem: Trying to ReadMemory 0x81CA9B24[0x4]
6:12:2:520 2540 UnhookRegistry: NtEnumerateKey real addr: 81E0F366
6:12:2:520 2540 UnhookRegistry: NtEnumerateKey calc addr: 81E0F366
6:12:2:520 2540 UnhookRegistry: No SDT hooks found on NtEnumerateKey
6:12:2:520 2540 KLMD_ReadMem: Trying to ReadMemory 0x81E0F366[0xA]
6:12:2:520 2540 UnhookRegistry: No splicing found on NtEnumerateKey
6:12:2:520 2540
Scanning Kernel memory ...
6:12:2:520 2540 KLMD_OpenDevice: Trying to open KLMD device
6:12:2:520 2540 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
6:12:2:520 2540 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
6:12:2:520 2540 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8482F778
6:12:2:520 2540 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
6:12:2:520 2540 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 85A533A8
6:12:2:520 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85A533A8
6:12:2:520 2540 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 85A53030
6:12:2:520 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85A53030
6:12:2:520 2540 KLMD_ReadMem: Trying to ReadMemory 0x85A53030[0x38]
6:12:2:520 2540 DetectCureTDL3: DRIVER_OBJECT addr: 857C47F0
6:12:2:520 2540 KLMD_ReadMem: Trying to ReadMemory 0x857C47F0[0xA8]
6:12:2:520 2540 KLMD_ReadMem: Trying to ReadMemory 0x8589AD28[0x208]
6:12:2:520 2540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
6:12:2:520 2540 DetectCureTDL3: IrpHandler (0) addr: 86F88FC8
6:12:2:520 2540 DetectCureTDL3: IrpHandler (1) addr: 81CCB7B7
6:12:2:520 2540 DetectCureTDL3: IrpHandler (2) addr: 86F89040
6:12:2:520 2540 DetectCureTDL3: IrpHandler (3) addr: 86F890B8
6:12:2:520 2540 DetectCureTDL3: IrpHandler (4) addr: 86F890B8
6:12:2:520 2540 DetectCureTDL3: IrpHandler (5) addr: 81CCB7B7
6:12:2:520 2540 DetectCureTDL3: IrpHandler (6) addr: 81CCB7B7
6:12:2:520 2540 DetectCureTDL3: IrpHandler (7) addr: 81CCB7B7
6:12:2:520 2540 DetectCureTDL3: IrpHandler (8) addr: 81CCB7B7
6:12:2:520 2540 DetectCureTDL3: IrpHandler (9) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (10) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (11) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (12) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (13) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (14) addr: 86F88BC4
6:12:2:535 2540 DetectCureTDL3: IrpHandler (15) addr: 86F7C7E4
6:12:2:535 2540 DetectCureTDL3: IrpHandler (16) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (17) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (18) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (19) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (20) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (21) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (22) addr: 86F8759C
6:12:2:535 2540 DetectCureTDL3: IrpHandler (23) addr: 86F847A2
6:12:2:535 2540 DetectCureTDL3: IrpHandler (24) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (25) addr: 81CCB7B7
6:12:2:535 2540 DetectCureTDL3: IrpHandler (26) addr: 81CCB7B7
6:12:2:535 2540 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\USBSTOR.sys
6:12:2:535 2540 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\USBSTOR.sys
6:12:2:551 2540 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 859FBAC8
6:12:2:551 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 859FBAC8
6:12:2:551 2540 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 859F89A0
6:12:2:551 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 859F89A0
6:12:2:551 2540 KLMD_ReadMem: Trying to ReadMemory 0x859F89A0[0x38]
6:12:2:551 2540 DetectCureTDL3: DRIVER_OBJECT addr: 857C47F0
6:12:2:551 2540 KLMD_ReadMem: Trying to ReadMemory 0x857C47F0[0xA8]
6:12:2:551 2540 KLMD_ReadMem: Trying to ReadMemory 0x8589AD28[0x208]
6:12:2:551 2540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
6:12:2:551 2540 DetectCureTDL3: IrpHandler (0) addr: 86F88FC8
6:12:2:551 2540 DetectCureTDL3: IrpHandler (1) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (2) addr: 86F89040
6:12:2:551 2540 DetectCureTDL3: IrpHandler (3) addr: 86F890B8
6:12:2:551 2540 DetectCureTDL3: IrpHandler (4) addr: 86F890B8
6:12:2:551 2540 DetectCureTDL3: IrpHandler (5) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (6) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (7) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (8) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (9) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (10) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (11) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (12) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (13) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (14) addr: 86F88BC4
6:12:2:551 2540 DetectCureTDL3: IrpHandler (15) addr: 86F7C7E4
6:12:2:551 2540 DetectCureTDL3: IrpHandler (16) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (17) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (18) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (19) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (20) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (21) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (22) addr: 86F8759C
6:12:2:551 2540 DetectCureTDL3: IrpHandler (23) addr: 86F847A2
6:12:2:551 2540 DetectCureTDL3: IrpHandler (24) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (25) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (26) addr: 81CCB7B7
6:12:2:551 2540 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\USBSTOR.sys
6:12:2:551 2540 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\USBSTOR.sys
6:12:2:551 2540 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 85966AC8
6:12:2:551 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85966AC8
6:12:2:551 2540 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 85947030
6:12:2:551 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85947030
6:12:2:551 2540 KLMD_ReadMem: Trying to ReadMemory 0x85947030[0x38]
6:12:2:551 2540 DetectCureTDL3: DRIVER_OBJECT addr: 857C47F0
6:12:2:551 2540 KLMD_ReadMem: Trying to ReadMemory 0x857C47F0[0xA8]
6:12:2:551 2540 KLMD_ReadMem: Trying to ReadMemory 0x8589AD28[0x208]
6:12:2:551 2540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
6:12:2:551 2540 DetectCureTDL3: IrpHandler (0) addr: 86F88FC8
6:12:2:551 2540 DetectCureTDL3: IrpHandler (1) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (2) addr: 86F89040
6:12:2:551 2540 DetectCureTDL3: IrpHandler (3) addr: 86F890B8
6:12:2:551 2540 DetectCureTDL3: IrpHandler (4) addr: 86F890B8
6:12:2:551 2540 DetectCureTDL3: IrpHandler (5) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (6) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (7) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (8) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (9) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (10) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (11) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (12) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (13) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (14) addr: 86F88BC4
6:12:2:551 2540 DetectCureTDL3: IrpHandler (15) addr: 86F7C7E4
6:12:2:551 2540 DetectCureTDL3: IrpHandler (16) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (17) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (18) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (19) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (20) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (21) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (22) addr: 86F8759C
6:12:2:551 2540 DetectCureTDL3: IrpHandler (23) addr: 86F847A2
6:12:2:551 2540 DetectCureTDL3: IrpHandler (24) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (25) addr: 81CCB7B7
6:12:2:551 2540 DetectCureTDL3: IrpHandler (26) addr: 81CCB7B7
6:12:2:551 2540 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\USBSTOR.sys
6:12:2:551 2540 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\USBSTOR.sys
6:12:2:567 2540 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 857E9AC8
6:12:2:567 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 857E9AC8
6:12:2:567 2540 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 85901520
6:12:2:567 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85901520
6:12:2:567 2540 KLMD_ReadMem: Trying to ReadMemory 0x85901520[0x38]
6:12:2:567 2540 DetectCureTDL3: DRIVER_OBJECT addr: 857C47F0
6:12:2:567 2540 KLMD_ReadMem: Trying to ReadMemory 0x857C47F0[0xA8]
6:12:2:567 2540 KLMD_ReadMem: Trying to ReadMemory 0x8589AD28[0x208]
6:12:2:567 2540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
6:12:2:567 2540 DetectCureTDL3: IrpHandler (0) addr: 86F88FC8
6:12:2:567 2540 DetectCureTDL3: IrpHandler (1) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (2) addr: 86F89040
6:12:2:567 2540 DetectCureTDL3: IrpHandler (3) addr: 86F890B8
6:12:2:567 2540 DetectCureTDL3: IrpHandler (4) addr: 86F890B8
6:12:2:567 2540 DetectCureTDL3: IrpHandler (5) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (6) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (7) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (8) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (9) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (10) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (11) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (12) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (13) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (14) addr: 86F88BC4
6:12:2:567 2540 DetectCureTDL3: IrpHandler (15) addr: 86F7C7E4
6:12:2:567 2540 DetectCureTDL3: IrpHandler (16) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (17) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (18) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (19) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (20) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (21) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (22) addr: 86F8759C
6:12:2:567 2540 DetectCureTDL3: IrpHandler (23) addr: 86F847A2
6:12:2:567 2540 DetectCureTDL3: IrpHandler (24) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (25) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (26) addr: 81CCB7B7
6:12:2:567 2540 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\USBSTOR.sys
6:12:2:567 2540 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\USBSTOR.sys
6:12:2:582 2540 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 84C408F8
6:12:2:582 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84C408F8
6:12:2:582 2540 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 846DEB10
6:12:2:582 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 846DEB10
6:12:2:582 2540 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 83D5B030
6:12:2:582 2540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83D5B030
6:12:2:582 2540 KLMD_ReadMem: Trying to ReadMemory 0x83D5B030[0x38]
6:12:2:582 2540 DetectCureTDL3: DRIVER_OBJECT addr: 83D568F8
6:12:2:582 2540 KLMD_ReadMem: Trying to ReadMemory 0x83D568F8[0xA8]
6:12:2:582 2540 KLMD_ReadMem: Trying to ReadMemory 0x846CBF90[0x208]
6:12:2:582 2540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
6:12:2:582 2540 DetectCureTDL3: IrpHandler (0) addr: 82B70140
6:12:2:582 2540 DetectCureTDL3: IrpHandler (1) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (2) addr: 82B70140
6:12:2:582 2540 DetectCureTDL3: IrpHandler (3) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (4) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (5) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (6) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (7) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (8) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (9) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (10) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (11) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (12) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (13) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (14) addr: 8A991F16
6:12:2:582 2540 DetectCureTDL3: IrpHandler (15) addr: 8A992A7E
6:12:2:582 2540 DetectCureTDL3: IrpHandler (16) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (17) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (18) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (19) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (20) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (21) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (22) addr: 82B5EA88
6:12:2:582 2540 DetectCureTDL3: IrpHandler (23) addr: 82B6BB70
6:12:2:598 2540 DetectCureTDL3: IrpHandler (24) addr: 81CCB7B7
6:12:2:598 2540 DetectCureTDL3: IrpHandler (25) addr: 81CCB7B7
6:12:2:598 2540 DetectCureTDL3: IrpHandler (26) addr: 81CCB7B7
6:12:2:598 2540 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\atapi.sys
6:12:2:598 2540 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\atapi.sys
6:12:2:598 2540
Completed

Results:
6:12:2:598 2540 Infected / Cured drivers in memory: 0 / 0
6:12:2:598 2540 Infected / Cured drivers on disk: 0 / 0
6:12:2:598 2540 Files deleted on next reboot: 0
6:12:2:598 2540 Registry nodes deleted on next reboot: 0
6:12:2:613 2540
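The DetectCureTDL3 pass in the log above walks each disk's device stack down to the miniport, reads its DRIVER_OBJECT and lists the handler address for IRP_MJ_* entries 0 to 26, because a TDL3-style rootkit replaces the disk miniport's dispatch entries (above all IRP_MJ_DEVICE_CONTROL, index 14, and IRP_MJ_INTERNAL_DEVICE_CONTROL/SCSI, index 15) with its own code. The script below is an added example written for this thread, not TDSSKiller's code: it parses those log lines and reports handler entries that sit outside the address range the rest of the driver's table lives in. The clustering heuristic, the 1 MiB window and the constructed log excerpt are assumptions. In the atapi table above, entries 14 and 15 land in a different range from entries 0, 2, 22 and 23; on its own that is a prompt to find out which module owns those addresses, not a verdict, since a handler can legitimately belong to another loaded driver, and TDSSKiller, which does resolve the addresses against loaded modules and also checks the file on disk, reported 0 infected drivers here.

```python
"""Summarize the DRIVER_OBJECT dispatch tables that TDSSKiller prints in its
DetectCureTDL3 pass and flag handler addresses that sit outside the driver's
own address cluster. Added example, not TDSSKiller's code; the heuristic and
the 1 MiB window are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed excerpt in TDSSKiller's log format (addresses copied from the thread's log).
SAMPLE_LOG = r"""
6:12:2:567 2540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
6:12:2:567 2540 DetectCureTDL3: IrpHandler (0) addr: 86F88FC8
6:12:2:567 2540 DetectCureTDL3: IrpHandler (1) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (2) addr: 86F89040
6:12:2:567 2540 DetectCureTDL3: IrpHandler (3) addr: 86F890B8
6:12:2:567 2540 DetectCureTDL3: IrpHandler (14) addr: 86F88BC4
6:12:2:567 2540 DetectCureTDL3: IrpHandler (15) addr: 86F7C7E4
6:12:2:567 2540 DetectCureTDL3: IrpHandler (16) addr: 81CCB7B7
6:12:2:567 2540 DetectCureTDL3: IrpHandler (22) addr: 86F8759C
6:12:2:582 2540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
6:12:2:582 2540 DetectCureTDL3: IrpHandler (0) addr: 82B70140
6:12:2:582 2540 DetectCureTDL3: IrpHandler (1) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (2) addr: 82B70140
6:12:2:582 2540 DetectCureTDL3: IrpHandler (3) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (14) addr: 8A991F16
6:12:2:582 2540 DetectCureTDL3: IrpHandler (15) addr: 8A992A7E
6:12:2:582 2540 DetectCureTDL3: IrpHandler (16) addr: 81CCB7B7
6:12:2:582 2540 DetectCureTDL3: IrpHandler (22) addr: 82B5EA88
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")

# IRP_MJ_* indices that matter most for a disk miniport (values from the WDK headers).
IRP_MJ_NAMES = {0: "CREATE", 2: "CLOSE", 3: "READ", 4: "WRITE",
                14: "DEVICE_CONTROL", 15: "INTERNAL_DEVICE_CONTROL(SCSI)",
                22: "POWER", 23: "SYSTEM_CONTROL"}

WINDOW = 1 << 20  # assumption: one driver image fits inside a 1 MiB window


def parse_dispatch_tables(log_text):
    """Return {driver_name: {irp_mj_index: handler_address}} in log order."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(2)
            tables[current] = {}
            continue
        m = HANDLER_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = int(m.group(2), 16)
    return tables


def default_handler(tables):
    """The one address filling most slots across every driver is the kernel's
    placeholder for unimplemented IRP_MJ_* entries (the I/O manager points
    unused entries at its own invalid-request routine); it is not the
    driver's code and is ignored when clustering."""
    counts = Counter(a for t in tables.values() for a in t.values())
    return counts.most_common(1)[0][0]


def find_outliers(table, default):
    """Bucket a driver's real handlers by WINDOW; the fullest bucket is assumed
    to be the driver's own image, and every entry outside it is returned."""
    real = {i: a for i, a in table.items() if a != default}
    if not real:
        return {}
    buckets = defaultdict(dict)
    for i, a in real.items():
        buckets[a // WINDOW][i] = a
    home = max(buckets, key=lambda w: len(buckets[w]))
    return {i: a for w, entries in buckets.items() if w != home
            for i, a in entries.items()}


def summarize(log_text):
    """{driver: {index: address}} of handlers to resolve against the loaded-module list."""
    tables = parse_dispatch_tables(log_text)
    default = default_handler(tables)
    return {name: find_outliers(t, default) for name, t in tables.items()}


if __name__ == "__main__":
    for driver, outliers in summarize(SAMPLE_LOG).items():
        if not outliers:
            print(f"{driver}: all real handlers sit in one {WINDOW >> 20} MiB window")
        for i, a in sorted(outliers.items()):
            print(f"{driver}: IRP_MJ[{i}] {IRP_MJ_NAMES.get(i, '?')} -> {a:08X} "
                  "is outside the driver's cluster; check which module owns it")
```

Run against a full TDSSKiller log, the output is a short list of (driver, IRP_MJ index, address) triples to look up in a loaded-module listing; an address that resolves to no module, or to a module that has no business serving disk I/O, is what the tool's own verdict ("Infected drivers in memory") is built on. The window size is a convenience for reading the log, not a property of the rootkit.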

#15 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 December 2009 - 06:47 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person who is giving up their own time to help you is not only insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

