Google Links Hijacked & IE Stopped Working False Message


  • This topic is locked
17 replies to this topic

#1 ForeverRogue

ForeverRogue

  • Members
  • 67 posts
  • OFFLINE
  • Local time:10:16 PM

Posted 04 December 2009 - 12:28 AM

Running Vista 32-bit Home Premium Edition with Norton 360.

1- Within minutes of boot I get an "IE has stopped working" error message - but IE has not been launched at this point (something trying to start IE?). This message occurs about 3-4 times per hour. I also get this message while surfing, but it is false. I just click "OK" and continue surfing.
2- Google links lead elsewhere (usually other search engines). If I click the same link 3-4 times, I can eventually get to the desired link. Very rarely I can get to the link on the first attempt.
3- About 20-30% of the time, I get another message at boot - "A windows service has failed to start...." It's the one that prevents limited users from logging on.

This problem started about 2 weeks ago (Nov. 15).

I have run Spybot, Ad-Aware, Blacklight, MBAM, SuperAntiSpyware. MBAM has detected and removed a couple of Trojans, and NAV has detected and removed BackdoorDM.Spammer, Backdoor.Trojan, Suspicious.MH690, Trojan Horse, AntiVirus 2008, Trojan.FakeAV, InfoStealer,

With this, my first post, I will attach the DDS files. RR is currently running and looks like it may take a while. I may have to post that one tomorrow. I ran HijackThis, but not from the desktop. Also, I think your instructions said not to post the HJT log until asked.

Thanks for all your help - greatly appreciated.

DDS.txt ....

DDS (Ver_09-12-01.01) - NTFSx86
Run by ForeverRogue at 21:39:47.39 on 03/12/2009
Internet Explorer: 8.0.6001.18828
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.2.1033.18.2942.1383 [GMT -7:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Windows Sidebar\sidebar.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\ForeverRogue\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ellengwhitetruth.com/free-resources/daily-devotional.aspx
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: AutorunsDisabled - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [<NO NAME>]
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [RegistryMonitor1] "c:\windows\temp\wpek.tmp\svchost.exe"
StartupFolder: c:\users\foreve~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: AutorunsDisabled\grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: hl_simple.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-17 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-9-15 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-9-15 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-9-15 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSvix86.sys [2009-11-15 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-9-15 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0305020.00b\symndisv.sys [2009-9-15 48688]
S2 gupdate1c9a27ceb153d6;Google Update Service (gupdate1c9a27ceb153d6);c:\program files\google\update\GoogleUpdate.exe [2009-3-11 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-3 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-15 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]
S3 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-3-25 809296]

=============== Created Last 30 ================

2009-12-04 04:11:03 0 d-----w- c:\program files\Trend Micro
2009-11-28 00:48:58 0 d-----w- c:\program files\Combined Community Codec Pack
2009-11-25 01:36:23 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 01:01:31 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 01:01:29 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 01:01:21 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-18 05:29:18 0 d-----w- c:\users\foreve~1\appdata\roaming\Malwarebytes
2009-11-18 05:29:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-18 05:29:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-18 05:29:10 0 d-----w- c:\programdata\Malwarebytes
2009-11-18 05:29:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-18 04:40:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-18 03:19:29 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-18 03:17:04 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-18 03:16:32 0 d-----w- c:\program files\Lavasoft
2009-11-18 01:35:14 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-18 01:34:39 0 d-----w- c:\users\foreve~1\appdata\roaming\SUPERAntiSpyware.com
2009-11-18 01:34:39 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-18 01:33:56 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-17 03:15:09 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-17 01:57:45 0 d-----w- c:\programdata\RegCure
2009-11-16 05:43:25 0 d-----w- c:\program files\Windows Portable Devices
2009-11-16 05:43:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-16 05:43:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-15 18:18:07 0 d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-15 18:17:39 54632 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2009-11-15 18:11:21 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-15 18:11:15 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-15 18:10:24 0 d-----w- c:\program files\Microsoft
2009-11-15 18:10:13 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-15 18:06:28 0 d-----w- c:\program files\common files\Windows Live
2009-11-15 18:06:05 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-11-15 18:06:04 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-11-15 18:06:04 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-11-15 18:04:23 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-11-15 18:03:08 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-15 18:03:07 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-15 18:03:07 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-15 18:01:48 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-11-15 18:01:48 270848 ----a-w- c:\windows\system32\schannel.dll
2009-11-13 04:33:50 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-13 04:32:59 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-13 04:32:43 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-13 04:32:43 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-11 06:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 06:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-11-11 05:50:24 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 05:50:10 355328 ----a-w- c:\windows\system32\WSDApi.dll

==================== Find3M ====================

2009-11-16 05:43:23 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-16 05:43:23 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-16 05:43:23 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-16 05:43:22 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-01 04:17:55 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-10-28 02:58:56 12993816 ----a-w- c:\users\foreve~1\appdata\roaming\RegCure.exe
2009-10-28 02:52:34 2056616 ----a-w- c:\users\foreve~1\appdata\roaming\RegCureSetup_RW.exe
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-16 02:07:10 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 14:59:26 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 14:58:28 310784 ----a-w- c:\windows\system32\unregmp2.exe
2008-06-04 13:19:46 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-07-19 21:50:30 744809 ----a-w- c:\program files\vuepro80.exe
2009-03-30 07:47:30 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2009-03-30 07:47:30 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2009-03-30 07:47:40 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-03-30 07:46:58 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-03-30 07:47:30 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-03-30 07:47:30 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2009-03-30 07:47:30 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2009-03-30 07:47:30 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-03-30 07:46:58 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-05-15 23:02:40 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 21:41:32.61 ===============
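As an added example (not code from this thread or from the DDS tool), a small triage pass over the autorun lines of a DDS "Pseudo HJT Report". The sample lines are copied from the report above; the three heuristics (a core Windows binary name running outside a Windows system directory, anything launched from a Temp folder, and any AppInit_DLLs entry) are my own rules of thumb for deciding which lines a helper should look at first.

```python
"""Triage the autorun lines of a DDS 'Pseudo HJT Report'.

DDS prefixes the Run-key lines by hive: u = current user, m = machine,
d = default-user hive. Each autorun command is reduced to its image path,
which is then checked against a few rules of thumb (mine, not DDS's).
"""
import re

# Constructed sample: a handful of lines copied from the DDS report above.
SAMPLE_DDS = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [RegistryMonitor1] "c:\windows\temp\wpek.tmp\svchost.exe"
AppInit_DLLs: hl_simple.dll
TCP: NameServer = 208.67.220.220,208.67.222.222
"""

# Core Windows process names that legitimately live only in the system directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "wininit.exe", "lsm.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

RUN_LINE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def image_path(cmd):
    """Return the executable/DLL the command launches, without its arguments."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):                       # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: stop at the first binary extension followed by whitespace, a comma or EOL.
    m = re.match(r"(.*?\.(?:exe|dll|scr|com|bat))(?=\s|,|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def split_path(path):
    """Lower-case (parent_dir, file_name); parent is '' when no directory was given."""
    path = path.lower()
    if "\\" not in path:
        return "", path
    parent, base = path.rsplit("\\", 1)
    return parent, base


def triage(dds_text):
    """Return a list of (log_line, reason) for lines that deserve a closer look."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            parent, base = split_path(image_path(m.group("cmd")))
            if "\\temp\\" in parent + "\\":
                findings.append((line, "autorun image lives under a Temp directory"))
            if base in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
                findings.append((line, f"{base} outside its Windows system directory "
                                       f"({parent or 'no path given'})"))
        elif line.lower().startswith("appinit_dlls:"):
            dlls = line.split(":", 1)[1].strip()
            if dlls:
                findings.append((line, f"AppInit_DLLs loads {dlls} into every process "
                                       f"that maps user32.dll"))
    return findings


if __name__ == "__main__":
    for log_line, reason in triage(SAMPLE_DDS):
        print(f"{reason}\n    {log_line}")
```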


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:16 AM

Posted 04 December 2009 - 08:15 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
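The `/s /md5` directives in the custom scan above ask OTL to find every copy of a file name below the system drive and hash each one, so that a copy which disagrees with its siblings stands out. The following is an added example of that comparison in Python (not OTL's own code); the directory tree, file names and byte contents are constructed stand-ins.

```python
"""Hash every copy of a named file under a root and flag the odd one out.

Mirrors what an OTL '<file> /s /md5' directive reports: a recursive search
for the name, an MD5 per copy, and a quick read of whether all copies agree.
Added example; the sample tree is built in a temp directory, not read from a
real system drive.
"""
import hashlib
import os
import tempfile
from collections import Counter


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, streamed so large drivers do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, filename):
    """Recursive, case-insensitive search for every file with this name (the /s part)."""
    target = filename.lower()
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == target:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def hash_report(root, filename):
    """Return ({path: md5}, set_of_distinct_digests) for every copy found.

    One distinct digest means all copies are byte-identical; more than one
    means at least one copy differs from the others."""
    digests = {p: md5_of(p) for p in find_copies(root, filename)}
    return digests, set(digests.values())


def outliers(digests):
    """Paths whose digest is in the minority: the copies to examine first."""
    counts = Counter(digests.values())
    if len(counts) < 2:
        return []
    majority = counts.most_common(1)[0][0]
    return sorted(p for p, d in digests.items() if d != majority)


def build_sample_tree():
    """Constructed stand-in for a system drive: two identical copies of a fake
    atapi.sys (drivers folder and a backup folder) plus one altered copy."""
    root = tempfile.mkdtemp(prefix="otl_md5_demo_")
    pristine = b"MZ" + b"\x00" * 64 + b"constructed fake driver body"
    tampered = pristine[:-4] + b"XXXX"            # same length, different bytes
    layout = {
        r"Windows\System32\drivers\atapi.sys": pristine,
        r"Windows\System32\DriverStore\backup\atapi.sys": pristine,
        r"Windows\winsxs\x86_atapi_demo\atapi.sys": tampered,
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    digests, distinct = hash_report(root, "atapi.sys")
    for p, d in digests.items():
        print(f"{d}  {p}")
    print("distinct digests:", len(distinct))
    print("examine first:", outliers(digests))
```

Differing digests only say the copies are not byte-identical: a winsxs or DriverStore copy may legitimately be another version, so confirm file version and signature before treating the outlier as a patched file.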

#3 ForeverRogue

ForeverRogue
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:10:16 PM

Posted 04 December 2009 - 06:52 PM

Hi Sam,

Thank you for your help. Sorry for the delay in my reply - I had to work today. I am currently running the OTL scan and will then do the GMER and post the files as requested.

Thanks again!

#4 ForeverRogue

ForeverRogue
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:10:16 PM

Posted 04 December 2009 - 07:39 PM

Hi Sam,

I'm having some problems with GMER. The first scan attempt immediately went to black screen & restarted the machine. At this boot-up I got the "Windows Service failed to start" message. Nonetheless, I tried another scan and about 5 minutes into the scan, I got "b0ijgnqr.exe has stopped working" message. This is the name of the GMER program, btw. They said some malware will not allow GMER to run, so they (the powers that be) named it "b0ijgnqr.exe". So I did another reboot and got safely to the desktop and tried again - same issue, "program has stopped working".

In the meantime, I will attach the OTL files.

Thanks again! I'll look forward to hearing from you...

OTL logfile created on: 04/12/2009 4:38:52 PM - Run 1
OTL by OldTimer - Version 3.1.11.6 Folder = C:\Users\ForeverRogue\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: | Country: | Language: | Date Format:

2.00 Gb Total Physical Memory | 1.50 Gb Available Physical Memory | 74.89% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 291.83 Gb Total Space | 165.87 Gb Free Space | 56.84% Space Free | Partition Type: NTFS
Drive D: | 6.26 Gb Total Space | 0.88 Gb Free Space | 14.10% Space Free | Partition Type: NTFS
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FOREVERROGUE-PC
Current User Name: ForeverRogue
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/04 16:38:02 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Users\ForeverRogue\Desktop\OTL.exe
PRC - [2009/11/20 20:19:27 | 00,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/11/20 20:19:26 | 01,184,912 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/11/18 17:53:05 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/08/26 22:23:17 | 00,638,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/08/22 01:14:09 | 00,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
PRC - [2009/07/17 20:12:12 | 00,257,440 | R--- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil10c.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/10 23:28:08 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2009/04/10 23:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/05 15:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/05/22 20:49:00 | 00,118,784 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2008/03/24 16:48:52 | 03,310,928 | ---- | M] (Webshots.com) -- C:\Program Files\Webshots\Webshots.scr
PRC - [2008/01/19 00:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2007/05/16 14:56:44 | 00,067,128 | ---- | M] (Hewlett-Packard Company) -- C:\hp\KBD\kbd.exe
PRC - [2006/09/28 06:42:24 | 00,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe


========== Modules (SafeList) ==========

MOD - [2009/12/04 16:38:02 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Users\ForeverRogue\Desktop\OTL.exe
MOD - [2009/10/21 18:49:31 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcr80.dll
MOD - [2009/04/10 23:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2007/04/22 18:12:44 | 00,018,432 | ---- | M] () -- C:\Windows\System32\hl_simple.dll
MOD - [2007/01/19 10:13:58 | 00,004,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\detoured.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/20 20:19:26 | 01,184,912 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/11/18 17:53:04 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/09/24 18:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/08/22 01:14:09 | 00,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe -- (N360)
SRV - [2009/08/05 22:48:42 | 00,704,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/11 12:03:06 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9a27ceb153d6) Google Update Service (gupdate1c9a27ceb153d6)
SRV - [2008/11/14 09:17:27 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 10:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/08/14 12:39:56 | 00,809,296 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/05/22 20:49:00 | 00,118,784 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc)
SRV - [2008/02/01 18:08:50 | 00,394,704 | ---- | M] (Symantec, Inc.) -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2008/01/19 00:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/10/25 14:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 06:37:04 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)
SRV - [2007/03/14 19:19:10 | 00,779,824 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService)
SRV - [2007/03/14 11:07:30 | 00,062,984 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe -- (HP Health Check Service)
SRV - [2007/03/13 01:23:18 | 00,225,280 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2007/03/13 01:23:18 | 00,131,072 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2007/03/12 13:49:46 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2006/12/19 15:23:00 | 00,272,024 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo) Cyberlink RichVideo Service(CRVS)
SRV - [2006/11/08 15:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006/11/08 15:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2006/11/02 05:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/11/01 12:58:02 | 00,078,752 | R--- | M] (MicroVision Development, Inc.) -- c:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/19 14:52:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ellengwhitetruth.com/free-resou...devotional.aspx
IE - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\S-1-5-21-2667105145-273593332-1706482461-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\S-1-5-21-2667105145-273593332-1706482461-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://whiteestate.org/devotional/tmk/12_31.asp"
FF - prefs.js..network.proxy.no_proxies_on: "*.local"


[2008/09/23 00:53:38 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Mozilla\Extensions
[2009/03/24 17:02:11 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Mozilla\Firefox\Profiles\n1xc1hju.default\extensions

O1 HOSTS File: (911 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\.DEFAULT..\Run: [RegistryMonitor1] C:\Windows\TEMP\wpek.tmp\svchost.exe File not found
O4 - HKU\S-1-5-18..\Run: [RegistryMonitor1] C:\Windows\TEMP\wpek.tmp\svchost.exe File not found
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2667105145-273593332-1706482461-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-2667105145-273593332-1706482461-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2667105145-273593332-1706482461-1000..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - Startup: C:\Users\ForeverRogue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (Webshots.com)
O7 - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O15 - HKLM\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2667105145-273593332-1706482461-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwa...are/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/...S/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (Get_ActiveX Control)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.184.13 64.59.184.15 64.59.190.242
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\lbxfile {56831180-F115-11d2-B6AA-00104B2B9943} - C:\Program Files\Libronix DLS\System\FileProt.dll (Libronix Corporation)
O18 - Protocol\Handler\lbxres {24508F1B-9E94-40EE-9759-9AF5795ADF52} - C:\Program Files\Libronix DLS\System\ResProt.dll (Libronix Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (hl_simple.dll) - C:\Windows\System32\hl_simple.dll ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/12/19 02:16:14 | 00,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/06/04 06:10:07 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2009/12/04 16:37:52 | 00,536,064 | ---- | C] (OldTimer Tools) -- C:\Users\ForeverRogue\Desktop\OTL.exe
[2009/12/03 21:47:26 | 00,472,064 | ---- | C] ( ) -- C:\Users\ForeverRogue\Desktop\RootRepeal.exe
[2009/12/03 21:11:03 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/27 17:50:19 | 00,000,000 | ---D | C] -- C:\Users\ForeverRogue\AppData\Roaming\Media Player Classic
[2009/11/27 17:48:58 | 00,000,000 | ---D | C] -- C:\Program Files\Combined Community Codec Pack
[2009/11/24 20:37:00 | 01,137,360 | ---- | C] (F-Secure Corporation) -- C:\Users\ForeverRogue\Desktop\fsbl.exe
[2009/11/23 19:08:07 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/10/27 19:52:34 | 02,056,616 | ---- | C] (ParetoLogic Inc.) -- C:\Users\ForeverRogue\AppData\Roaming\RegCureSetup_RW.exe

========== Files - Modified Within 14 Days ==========

[2009/12/04 16:42:19 | 07,340,032 | -HS- | M] () -- C:\Users\ForeverRogue\ntuser.dat
[2009/12/04 16:38:02 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Users\ForeverRogue\Desktop\OTL.exe
[2009/12/04 16:30:52 | 00,000,432 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{C96B7881-CC93-4E36-A7DE-CD8799C376AF}.job
[2009/12/04 16:29:58 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/12/04 16:29:44 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/04 16:29:44 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/04 16:29:41 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/04 16:28:48 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/04 16:28:32 | 30,854,92224 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/04 07:14:41 | 00,524,288 | -HS- | M] () -- C:\Users\ForeverRogue\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2009/12/04 07:14:41 | 00,065,536 | -HS- | M] () -- C:\Users\ForeverRogue\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2009/12/04 06:58:00 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009/12/04 06:31:45 | 02,149,377 | -H-- | M] () -- C:\Users\ForeverRogue\AppData\Local\IconCache.db
[2009/12/03 21:48:00 | 00,000,000 | ---- | M] () -- C:\Users\ForeverRogue\Desktop\settings.dat
[2009/12/03 21:47:36 | 00,472,064 | ---- | M] ( ) -- C:\Users\ForeverRogue\Desktop\RootRepeal.exe
[2009/12/03 21:36:01 | 00,524,288 | ---- | M] () -- C:\Users\ForeverRogue\Desktop\dds.scr
[2009/12/03 21:11:04 | 00,001,876 | ---- | M] () -- C:\Users\ForeverRogue\Desktop\HijackThis.lnk
[2009/12/03 21:04:13 | 00,002,075 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/11/27 22:36:54 | 00,036,352 | ---- | M] () -- C:\Users\ForeverRogue\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/27 22:16:41 | 00,716,194 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/11/27 22:16:41 | 00,622,516 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/11/27 22:16:41 | 00,107,948 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/11/24 20:39:13 | 01,137,360 | ---- | M] (F-Secure Corporation) -- C:\Users\ForeverRogue\Desktop\fsbl.exe
[2009/11/23 18:47:27 | 00,007,984 | ---- | M] () -- C:\Users\ForeverRogue\Documents\The Methods of Praise.rtf
[2009/11/23 18:43:18 | 00,023,142 | ---- | M] () -- C:\Users\ForeverRogue\Documents\Deman Letter.pdf
[2009/11/23 18:09:07 | 00,000,378 | ---- | M] () -- C:\Windows\tasks\RegCure Program Check.job
[2009/11/23 18:09:07 | 00,000,318 | ---- | M] () -- C:\Windows\tasks\RegCure Startup.job
[2009/11/23 18:09:07 | 00,000,312 | ---- | M] () -- C:\Windows\tasks\RegCure.job

========== Files Created - No Company Name ==========

[2009/12/03 21:48:00 | 00,000,000 | ---- | C] () -- C:\Users\ForeverRogue\Desktop\settings.dat
[2009/12/03 21:35:00 | 00,524,288 | ---- | C] () -- C:\Users\ForeverRogue\Desktop\dds.scr
[2009/12/03 21:11:04 | 00,001,876 | ---- | C] () -- C:\Users\ForeverRogue\Desktop\HijackThis.lnk
[2009/12/03 21:04:13 | 00,002,075 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/11/30 21:18:38 | 30,854,92224 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/23 18:47:22 | 00,007,984 | ---- | C] () -- C:\Users\ForeverRogue\Documents\The Methods of Praise.rtf
[2009/11/23 18:43:12 | 00,023,142 | ---- | C] () -- C:\Users\ForeverRogue\Documents\Deman Letter.pdf
[2009/10/27 19:58:56 | 12,993,816 | ---- | C] () -- C:\Users\ForeverRogue\AppData\Roaming\RegCure.exe
[2009/09/20 06:25:08 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/01/03 11:23:04 | 00,000,636 | ---- | C] () -- C:\Users\ForeverRogue\AppData\Roaming\wklnhst.dat
[2008/09/08 07:21:57 | 00,744,809 | ---- | C] () -- C:\Program Files\vuepro80.exe
[2008/04/16 17:24:36 | 00,000,156 | ---- | C] () -- C:\Windows\vuepro32.ini
[2007/11/17 22:12:06 | 00,000,000 | ---- | C] () -- C:\Windows\asym.ini
[2007/10/26 17:51:24 | 00,110,624 | ---- | C] () -- C:\Windows\System32\drivers\nvstor32.sys
[2007/06/03 11:31:15 | 00,000,087 | ---- | C] () -- C:\Windows\ARTGALRY.INI
[2007/06/03 11:31:13 | 00,001,526 | ---- | C] () -- C:\Windows\MSPUB.INI
[2007/05/08 09:57:11 | 00,001,300 | ---- | C] () -- C:\Windows\logos20.ini
[2007/04/22 18:12:44 | 00,018,432 | ---- | C] () -- C:\Windows\System32\hl_simple.dll
[2007/04/17 05:06:47 | 00,036,352 | ---- | C] () -- C:\Users\ForeverRogue\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/04/16 19:23:23 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/04/15 13:33:12 | 00,001,805 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2007/04/15 13:25:04 | 00,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2006/12/19 02:05:15 | 00,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom24.dll
[2006/12/19 02:05:15 | 00,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes24.dll
[2006/11/09 07:19:08 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 05:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 00:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/08/11 00:00:40 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/08/11 00:00:40 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2004/09/16 13:24:26 | 03,375,104 | ---- | C] () -- C:\Windows\System32\qt-mt331.dll
[2004/07/10 17:55:38 | 00,252,416 | ---- | C] () -- C:\Windows\System32\wsiShared.dll

========== LOP Check ==========

[2007/05/11 11:51:01 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Aim
[2009/11/30 20:27:01 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Azureus
[2009/02/21 00:01:46 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\FileZilla
[2009/08/17 19:32:48 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\FUJIFILM
[2009/02/13 10:08:49 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Image Zone Express
[2008/03/23 20:30:14 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Leadertech
[2008/12/11 22:32:52 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Libronix DLS
[2007/05/23 21:57:07 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Printer Info Cache
[2009/04/06 12:35:55 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Softplicity
[2009/01/03 11:23:05 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Template
[2008/04/26 21:47:28 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\Webshots
[2007/05/08 00:57:24 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\WildTangent
[2009/03/11 23:36:45 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\WinBatch
[2009/03/16 09:18:36 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\wsInspector
[2007/05/23 22:01:56 | 00,000,000 | ---D | M] -- C:\Users\ForeverRogue\AppData\Roaming\{A004037C-8B9A-4390-9074-1D3EEE0A3BDF}
[2009/11/23 18:09:07 | 00,000,378 | ---- | M] () -- C:\Windows\Tasks\RegCure Program Check.job
[2009/11/23 18:09:07 | 00,000,318 | ---- | M] () -- C:\Windows\Tasks\RegCure Startup.job
[2009/11/23 18:09:07 | 00,000,312 | ---- | M] () -- C:\Windows\Tasks\RegCure.job
[2009/12/04 07:14:35 | 00,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/12/04 16:30:52 | 00,000,432 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{C96B7881-CC93-4E36-A7DE-CD8799C376AF}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

========== Files - Unicode (All) ==========
[2007/04/22 18:55:26 | 00,000,000 | ---D | M](C:\Users\ForeverRogue\AppData\Roaming\???????sAppData) -- C:\Users\ForeverRogue\AppData\Roaming\敎潲䍄敔灭慬整sAppData

========== Alternate Data Streams ==========

@Alternate Data Stream - 813 bytes -> C:\Users\ForeverRogue\Documents\RICK RAMJOHN Resume 2006.eml:OECustomProperty
@Alternate Data Stream - 106 bytes -> C:\ProgramData\TEMP:DFC5A2B2
< End of report >

Edited by Buckeye_Sam, 05 December 2009 - 08:25 AM.


#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 December 2009 - 08:30 AM

Ok, we'll hold off on Gmer for now.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 ForeverRogue

ForeverRogue
  • Topic Starter

  • Members
  • 67 posts

Posted 05 December 2009 - 11:05 AM

Hi Sam!

Thanks again for your help on this matter. TDSSKiller found one in memory and one file on the drive.

Here is the TDSSKiller log...


Host Name: FOREVERROGUE-PC
OS Name: Microsoft Windows Vista™ Home Premium
OS Version: 6.0.6002 Service Pack 2 Build 6002
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: ForeverRogue
Registered Organization: Hewlett-Packard Company
Product ID: 89578-OEM-7332157-00061
Original Install Date: 28/02/2007, 10:22:29 PM
System Boot Time: 04/12/2009, 11:12:24 PM
System Manufacturer: HP-Pavilion
System Model: RK574AA-ABA a1730n
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 15 Model 75 Stepping 2 AuthenticAMD ~2400 Mhz
BIOS Version: Phoenix Technologies, LTD 5.04, 15/12/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-ca;English (Canada)
Input Locale: en-us;English (United States)
Time Zone: (GMT-07:00) Mountain Time (US & Canada)
Total Physical Memory: 2,942 MB
Available Physical Memory: 1,450 MB
Page File: Max Size: 6,092 MB
Page File: Available: 4,807 MB
Page File: In Use: 1,285 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\FOREVERROGUE-PC
Hotfix(s): 187 Hotfix(s) Installed.
Network Card(s): 1 NIC(s) Installed.
[01]: NVIDIA nForce 10/100/1000 Mbps Ethernet
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 64.59.184.40
IP address(es)
[01]: 68.150.54.129
[02]: fe80::c173:dc53:d3cc:c334
8:58:52:276 3876 ForceUnloadDriver: NtUnloadDriver error 2
8:58:52:276 3876 ForceUnloadDriver: NtUnloadDriver error 2
8:58:52:276 3876 ForceUnloadDriver: NtUnloadDriver error 2
8:58:52:307 3876 main: Driver KLMD successfully dropped
8:58:52:448 3876 main: Driver KLMD successfully loaded
8:58:52:448 3876
Scanning Registry ...
8:58:52:448 3876 ScanServices: Searching service UACd.sys
8:58:52:448 3876 ScanServices: Open/Create key error 2
8:58:52:448 3876 ScanServices: Searching service TDSSserv.sys
8:58:52:448 3876 ScanServices: Open/Create key error 2
8:58:52:448 3876 ScanServices: Searching service gaopdxserv.sys
8:58:52:448 3876 ScanServices: Open/Create key error 2
8:58:52:448 3876 ScanServices: Searching service gxvxcserv.sys
8:58:52:448 3876 ScanServices: Open/Create key error 2
8:58:52:448 3876 ScanServices: Searching service MSIVXserv.sys
8:58:52:448 3876 ScanServices: Open/Create key error 2
8:58:52:448 3876 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 8221A000
8:58:52:479 3876 UnhookRegistry: Kernel local addr: 1D20000
8:58:52:479 3876 UnhookRegistry: KeServiceDescriptorTable addr: 1E57B00
8:58:52:573 3876 UnhookRegistry: KiServiceTable addr: 1DCC82C
8:58:52:573 3876 UnhookRegistry: NtEnumerateKey service number (local): 85
8:58:52:573 3876 UnhookRegistry: NtEnumerateKey local addr: 1F1D0BA
8:58:52:573 3876 KLMD_OpenDevice: Trying to open KLMD device
8:58:52:573 3876 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
8:58:52:573 3876 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
8:58:52:573 3876 KLMD_ReadMem: Trying to ReadMemory 0x82262D19[0x4]
8:58:52:573 3876 UnhookRegistry: NtEnumerateKey service number (kernel): 85
8:58:52:573 3876 KLMD_ReadMem: Trying to ReadMemory 0x822C6A40[0x4]
8:58:52:573 3876 UnhookRegistry: NtEnumerateKey real addr: 824170BA
8:58:52:573 3876 UnhookRegistry: NtEnumerateKey calc addr: 824170BA
8:58:52:573 3876 UnhookRegistry: No SDT hooks found on NtEnumerateKey
8:58:52:573 3876 KLMD_ReadMem: Trying to ReadMemory 0x824170BA[0xA]
8:58:52:573 3876 UnhookRegistry: No splicing found on NtEnumerateKey
8:58:52:573 3876
Scanning Kernel memory ...
8:58:52:573 3876 KLMD_OpenDevice: Trying to open KLMD device
8:58:52:573 3876 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
8:58:52:573 3876 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
8:58:52:573 3876 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8627D6C8
8:58:52:573 3876 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
8:58:52:573 3876 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 88275AC8
8:58:52:573 3876 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88275AC8
8:58:52:573 3876 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8825C888
8:58:52:573 3876 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8825C888
8:58:52:573 3876 KLMD_ReadMem: Trying to ReadMemory 0x8825C888[0x38]
8:58:52:573 3876 DetectCureTDL3: DRIVER_OBJECT addr: 880EA358
8:58:52:573 3876 KLMD_ReadMem: Trying to ReadMemory 0x880EA358[0xA8]
8:58:52:573 3876 KLMD_ReadMem: Trying to ReadMemory 0x87321A68[0x208]
8:58:52:573 3876 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
8:58:52:573 3876 DetectCureTDL3: IrpHandler (0) addr: 8F4F0FC8
8:58:52:573 3876 DetectCureTDL3: IrpHandler (1) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (2) addr: 8F4F1040
8:58:52:573 3876 DetectCureTDL3: IrpHandler (3) addr: 8F4F10B8
8:58:52:573 3876 DetectCureTDL3: IrpHandler (4) addr: 8F4F10B8
8:58:52:573 3876 DetectCureTDL3: IrpHandler (5) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (6) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (7) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (8) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (9) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (10) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (11) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (12) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (13) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (14) addr: 8F4F0BC4
8:58:52:573 3876 DetectCureTDL3: IrpHandler (15) addr: 8F4E47E4
8:58:52:573 3876 DetectCureTDL3: IrpHandler (16) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (17) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (18) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (19) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (20) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (21) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (22) addr: 8F4EF59C
8:58:52:573 3876 DetectCureTDL3: IrpHandler (23) addr: 8F4EC7A2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (24) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (25) addr: 822429D2
8:58:52:573 3876 DetectCureTDL3: IrpHandler (26) addr: 822429D2
8:58:52:573 3876 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\USBSTOR.sys
8:58:52:573 3876 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\USBSTOR.sys
8:58:52:604 3876 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 86730930
8:58:52:604 3876 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86730930
8:58:52:604 3876 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8585F700
8:58:52:604 3876 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8585F700
8:58:52:604 3876 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 85857790
8:58:52:604 3876 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85857790
8:58:52:604 3876 KLMD_ReadMem: Trying to ReadMemory 0x85857790[0x38]
8:58:52:604 3876 DetectCureTDL3: DRIVER_OBJECT addr: 8707DED0
8:58:52:604 3876 KLMD_ReadMem: Trying to ReadMemory 0x8707DED0[0xA8]
8:58:52:604 3876 KLMD_ReadMem: Trying to ReadMemory 0x8585B958[0x38]
8:58:52:604 3876 KLMD_ReadMem: Trying to ReadMemory 0x85851948[0xA8]
8:58:52:604 3876 KLMD_ReadMem: Trying to ReadMemory 0x85839C08[0x208]
8:58:52:604 3876 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvstor32, Driver Name: nvstor32
8:58:52:604 3876 DetectCureTDL3: IrpHandler (0) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (1) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (2) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (3) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (4) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (5) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (6) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (7) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (8) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (9) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (10) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (11) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (12) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (13) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (14) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (15) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (16) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (17) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (18) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (19) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (20) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (21) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (22) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (23) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (24) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (25) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (26) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: All IRP handlers pointed to one addr: 8590C170
8:58:52:604 3876 KLMD_ReadMem: Trying to ReadMemory 0x8590C170[0x400]
8:58:52:604 3876 TDL3_HookDetect: CheckParameters: 5, FFDF0308, 341, 99, 3, 88
8:58:52:604 3876 Driver nvstor32 infected by TDSS rootkit ... 8:58:52:604 3876 TDL3_HookCure: Processing driver in memory: nvstor32
8:58:52:604 3876 KLMD_WriteMem: Trying to WriteMemory 0x8590C1D3[0xD]
8:58:52:604 3876 cured
8:58:52:619 3876 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\nvstor32.sys
8:58:52:619 3876 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\nvstor32.sys
8:58:52:635 3876 File C:\Windows\system32\Drivers\nvstor32.sys infected by TDSS rootkit ... 8:58:52:635 3876 TDL3_FileCure: Processing driver file: C:\Windows\system32\Drivers\nvstor32.sys
8:58:52:635 3876 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\nvstor32.sys
8:58:52:635 3876 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\nvstor32.sys
8:58:52:651 3876 cured
8:58:52:651 3876
Completed

Results:
8:58:52:651 3876 Infected / Cured drivers in memory: 1 / 1
8:58:52:651 3876 Infected / Cured drivers on disk: 1 / 1
8:58:52:651 3876 Files deleted on next reboot: 0
8:58:52:651 3876 Registry nodes deleted on next reboot: 0
8:58:52:651 3876
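A small parser for the TDSSKiller log format shown above, written as an added example for this thread (it is not TDSSKiller's code and not from any post here). It re-derives the "all IRP handlers pointed to one addr" dispatch-table heuristic that the log reports for nvstor32, extracts the infected/cured verdict lines, and cross-checks them against the tool's own totals; all function and class names are mine, and the sample log is constructed from the lines posted above.

```python
"""Summarize a TDSSKiller (TDL3-era) log: re-derive the dispatch-table heuristic
and pull out the verdict lines. Added example for this thread, not TDSSKiller's
code; assumes the line shape shown above, 'H:MM:SS:mmm <pid> <message>'."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the log posted above: a clean USBSTOR stack,
# then the hooked nvstor32 stack. Handler lists are shortened to two entries.
SAMPLE_LOG = r"""
8:58:52:448 3876 ScanServices: Searching service TDSSserv.sys
8:58:52:573 3876 UnhookRegistry: No SDT hooks found on NtEnumerateKey
8:58:52:573 3876 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
8:58:52:573 3876 DetectCureTDL3: IrpHandler (0) addr: 8F4F0FC8
8:58:52:573 3876 DetectCureTDL3: IrpHandler (1) addr: 822429D2
8:58:52:604 3876 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvstor32, Driver Name: nvstor32
8:58:52:604 3876 DetectCureTDL3: IrpHandler (0) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: IrpHandler (1) addr: 8590C170
8:58:52:604 3876 DetectCureTDL3: All IRP handlers pointed to one addr: 8590C170
8:58:52:604 3876 Driver nvstor32 infected by TDSS rootkit ... 8:58:52:604 3876 TDL3_HookCure: Processing driver in memory: nvstor32
8:58:52:604 3876 cured
8:58:52:635 3876 File C:\Windows\system32\Drivers\nvstor32.sys infected by TDSS rootkit ... 8:58:52:635 3876 TDL3_FileCure: Processing driver file: C:\Windows\system32\Drivers\nvstor32.sys
8:58:52:651 3876 cured
8:58:52:651 3876 Infected / Cured drivers in memory: 1 / 1
8:58:52:651 3876 Infected / Cured drivers on disk: 1 / 1
"""

LINE_RE = re.compile(r"^(?P<ts>\d+:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+(?P<msg>.+)$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\([^,\s]+),")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]+)")
ALL_ONE_RE = re.compile(r"All IRP handlers pointed to one addr: ([0-9A-F]+)")
INFECTED_RE = re.compile(r"(?:Driver (\S+)|File (\S+)) infected by TDSS rootkit")
RESULT_RE = re.compile(r"Infected / Cured drivers (in memory|on disk): (\d+) / (\d+)")

@dataclass
class DriverStack:
    """One device-stack walk: driver name and its IRP major-code dispatch table."""
    name: str
    handlers: Dict[int, str] = field(default_factory=dict)

    def uniform_dispatch(self) -> Optional[str]:
        # TDL3 overwrote every entry of the infected driver's dispatch table with
        # its own hook, so all 27 IRP handlers resolving to one address is the
        # trigger for deeper inspection. A legitimate driver may also route all
        # IRPs through one function, so this alone is not a verdict.
        addrs = set(self.handlers.values())
        return addrs.pop() if len(addrs) == 1 else None

@dataclass
class Summary:
    stacks: List[DriverStack]
    flagged: List[Tuple[str, str]]       # (driver, addr) TDSSKiller itself flagged
    infected: List[Tuple[str, str]]      # ("driver"|"file", name) confirmed infected
    cured: int                           # number of "cured" lines
    results: Dict[str, Tuple[int, int]]  # "in memory"/"on disk" -> (infected, cured)

def parse_tdsskiller_log(text: str) -> Summary:
    stacks, flagged, infected, results = [], [], [], {}
    cured = 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner lines such as "Scanning Registry ..." carry no timestamp
        msg = m.group("msg")
        if (d := DRIVER_RE.search(msg)):
            stacks.append(DriverStack(d.group(1)))
        elif (h := IRP_RE.search(msg)) and stacks:
            stacks[-1].handlers[int(h.group(1))] = h.group(2)
        elif (a := ALL_ONE_RE.search(msg)) and stacks:
            flagged.append((stacks[-1].name, a.group(1)))
        elif (i := INFECTED_RE.search(msg)):
            infected.append(("driver", i.group(1)) if i.group(1) else ("file", i.group(2)))
        elif msg == "cured":
            cured += 1
        elif (r := RESULT_RE.search(msg)):
            results[r.group(1)] = (int(r.group(2)), int(r.group(3)))
    return Summary(stacks, flagged, infected, cured, results)

def counters_consistent(s: Summary) -> bool:
    """Cross-check the per-line findings against TDSSKiller's own totals."""
    return (sum(v[0] for v in s.results.values()) == len(s.infected)
            and sum(v[1] for v in s.results.values()) == s.cured)

def verdict(s: Summary) -> str:
    found = len(s.infected)
    if not found:
        return "no TDL3 hook found"
    if s.cured < found:
        return f"TDSS (TDL3) found in {found} object(s), only {s.cured} cured; treat the host as still compromised"
    return f"TDSS (TDL3) found in {found} object(s), all cured; reboot and rescan"

if __name__ == "__main__":
    summary = parse_tdsskiller_log(SAMPLE_LOG)
    for st in summary.stacks:
        print(f"{st.name:10s} uniform dispatch: {st.uniform_dispatch()}")
    print(verdict(summary), "| counters consistent:", counters_consistent(summary))
```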

#7 ForeverRogue

ForeverRogue
  • Topic Starter

  • Members
  • 67 posts

Posted 05 December 2009 - 11:24 AM

Hi Sam,

UPDATE - I did a reboot to free up some memory - I haven't had any "IE Stopped Working" messages and my Google links now seem fine. Looks like it's fixed/cured, but I will monitor this thread to see what you think.

Thank you for your time & effort!!

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 December 2009 - 11:33 AM

Looks good to me! :(

It's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTL from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 ForeverRogue

ForeverRogue
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 05 December 2009 - 12:34 PM

Hi Sam,

Thanks AGAIN for all your help!!. I will be donating as soon as possible, friend.

One thing - when I ran the OTL Cleanup, it didn't appear to dl any tools. Perhaps I misunderstood your post. It did remove itself and ask for a re-boot, which I did.

Also, one of the big annoyances of this issue was that... for years now, I have run 3 main security programs on my system and have 'sworn' by them. They are NAV, Spybot and Ad-Aware. That's why I was VERY disappointed that I got this problem in the first place. When I tried to work with Symantec, they wanted to charge a fee to help fix the problem. I explained to them that I thought it was very unreasonable to expect a 'paid' subscriber to 'pay extra' for a clean-up service that their software failed to prevent in the first place.

My thinking was... Yes, there are free AV's out there, but they 'may' not be as strong as the paid AV's and so it would be well worth it to pay the $70/year for the reputable product. Not so if you still have to pay extra when something 'slips by' the reputable product. I might as well go with the free product and deal with any issues as they come up. This is the first time in approximately 15 years that I've had to even contact NAV or Technical Forum boards.

Needless to say - I will NOT be renewing my subscription to NAV. I'm either going to wait for it to expire (about 150 days remaining), or I'm just going to uninstall and remove it now and switch to a FREE security package that my ISP offers. I would be interested in your opinion - should I wait the 150 days, since it's paid for, or should I just get rid of it now. It already let one through.

Now I'm off to delete the myriad of tools I've dl'd while trying to resolve this issue - MBAM, SuperAntiSpyware, Blacklight, TDSSKiller, HJT and RootRepealer. I'm thinking since I'm already in the removal process, I might as well go through the motions for NAV as well.

By the time I'm done, I'm hoping to have just the AV from the ISP, along with Spybot, Ad-aware... and possibly SpywareBlaster (only because you recommend it). Your thoughts on this will be appreciated as well.

Thanks again for your time and help, Sam.

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:16 AM

Posted 05 December 2009 - 01:25 PM

It sounds like you've got a good security plan. One recommendation I would make is to replace Adaware with Malwarebytes. Adaware just isn't the program it once was and Malwarebytes is excellent and very capable of dealing with the majority of infections.

I've never been a fan of Symantec's products. While they've improved a bit from a few years ago there are still better options. For what it's worth, I use the free version of Avast antivirus on my computers. I could also recommend looking into Kaspersky or Nod32 if you don't mind paying a few bucks.

The only thing OTL might need to download before removal is a list of the items that it's removing. Although I think maybe that's been updated in the latest versions so it sounds like it worked correctly.

:(


========================================================

#11 ForeverRogue

ForeverRogue
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 05 December 2009 - 05:36 PM

Hello Sam,

Thank-you for your advice! I will be keeping MBAM and uninstalling Ad-aware as per your valued recommendation. I agree with you about Avast - I use it on my laptop and will consider putting it on this comp as well.

Any thoughts about security software provided for free from the ISP? My ISP is Shaw Cable (Edmonton, Canada). I recently heard a couple of opinions from other Shaw clients saying they were very happy with the security - however, I'm not sure I trust their experience on the net (I'm not sure how much actual surfing and dl'ing they do, or if they are really able to give a valid opinion, no insult intended). On the other hand, I myself, you and a few other techies I know recommend Avast.

I'm thinking that since NAV already let one get through, it doesn't make sense to continue to use it for the remaining 150 days - on the other hand, it has been great up until this issue. Can you tell I'm terrible with decisions??

Also, you had recommended SpywareBlaster. If I go with it, would I still want Spybot as well? Do they complement each other or do I just need the one?

So far, it looks like I'll end-up with Avast, MBAM and either Spybot or SpywareBlaster... or both.

Your opinions, advice and/or recommendations are greatly appreciated, Sam! Please let me know what you think (or just tell me what configuration you use :( - I promise I won't consider you liable for any ill-effects :( ).

Edited by ForeverRogue, 05 December 2009 - 05:45 PM.


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:16 AM

Posted 06 December 2009 - 10:26 AM

I don't know much about Shaw. I'm guessing they license the program from one of the more well-known companies and just put their name on it for branding. But I'm not sure which one it is. Spywareblaster is a different type of program. It doesn't do a thing to remove malware, but what it does is prevent malware from ever accessing your computer in the first place. And it doesn't need to run in the background. Just update it every week, enable all protection, and then close it.

I use Avast, Malwarebytes, Spybot, Spywareblaster, and the Windows firewall on my computers.
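As an added example that is not part of Sam's posts or of any of the tools he names, here is a PowerShell audit script that checks the items from the prevention list above (firewall, pending Windows updates, a registered antivirus) and the two Internet Explorer protections SpywareBlaster applies without a resident process: domains placed in the Restricted Sites zone and ActiveX controls blocked with the kill bit. It assumes PowerShell 2.0 or later on Vista or newer, the Windows Update Agent COM interface, and the Security Center WMI namespace; the registry paths, zone number 4 and the 0x400 kill-bit flag are standard Windows locations, not something taken from this thread.

```powershell
# Added example, not from the original thread: audit the prevention items
# discussed above. Assumes PowerShell 2.0+ on Vista or later; the Windows
# Update search needs network access.

# --- Firewall: state of every profile (netsh advfirewall exists on Vista+)
Write-Host "== Firewall =="
netsh advfirewall show allprofiles state

# --- Windows Update: unhidden software updates not yet installed
Write-Host "== Windows Update =="
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$critical = @($result.Updates | Where-Object { $_.MsrcSeverity -eq 'Critical' })
Write-Host ("Pending updates: {0} (Critical: {1})" -f $result.Updates.Count, $critical.Count)

# --- Antivirus: products registered with Security Center.
# Newer systems expose root\SecurityCenter2; fall back to the older namespace.
Write-Host "== Antivirus =="
$ns = 'root\SecurityCenter2'
$haveSc2 = Get-WmiObject -Namespace 'root' -Class __NAMESPACE |
           Where-Object { $_.Name -eq 'SecurityCenter2' }
if (-not $haveSc2) { $ns = 'root\SecurityCenter' }
Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState

# --- SpywareBlaster-style protection (a): domains in IE's Restricted Sites zone.
# Each subkey under ZoneMap\Domains is a domain; each value is a scheme
# ('*', 'http', 'https') whose DWORD data is the zone number (4 = Restricted).
Write-Host "== IE Restricted Sites =="
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$restricted = 0
Get-ChildItem $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key   = $_
    $zones = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    if ($zones -contains 4) { $restricted++ }
}
Write-Host "Restricted Sites entries: $restricted"

# --- SpywareBlaster-style protection (b): ActiveX controls with the kill bit.
# A CLSID subkey whose 'Compatibility Flags' DWORD has bit 0x400 set cannot
# be instantiated by Internet Explorer.
Write-Host "== ActiveX kill bits =="
$axc = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killbits = 0
Get-ChildItem $axc -ErrorAction SilentlyContinue | ForEach-Object {
    $flags = $_.GetValue('Compatibility Flags')
    if (($flags -ne $null) -and (($flags -band 0x400) -ne 0)) { $killbits++ }
}
Write-Host "Kill-bitted CLSIDs: $killbits"
```

Run it before and after installing SpywareBlaster and enabling all its protections: the Restricted Sites and kill-bit counts should jump from a handful to thousands, which is the concrete evidence that the tool did its job even though nothing shows up in Task Manager afterwards.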


========================================================

#13 ForeverRogue

ForeverRogue
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 06 December 2009 - 10:47 AM

Hi Sam

Thank-you very much for your time, as well as the valuable information. System is clean thanks to your help, and running A LOT smoother :( . Faster boot without Norton as well!!

I just have to install SpywareBlaster and I'm done.

Can't say "thank-you" enough!!! Your services, and this forum, are greatly appreciated. Will donate soon.

Live long & prosper!

Edited by ForeverRogue, 06 December 2009 - 10:50 AM.


#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:16 AM

Posted 06 December 2009 - 11:53 PM

Glad I could help! :(


========================================================

#15 ForeverRogue

ForeverRogue
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 25 December 2009 - 12:21 PM

*UPDATE* It seems I have a new issue since this fix and I am wondering if it has to do with NVSTORE32. ALL downloads or streaming video now cause high CPU usage on either or both cores. I have tried disabling the AV and Firewall as well as MBAM and SAS with no change in this symptom. Other forums have indicated this may be caused by FLASH, but should FLASH affect my DL's? I have updated my drivers. I have tried to peek at Task Manager but haven't noticed anything unusual in there when this is happening, although I may not be sure what I'm looking for. I may try to download a nvstore32 file in the next couple days (if it's even possible) and will post an update if I haven't heard a reply by then.

Any & all suggestions appreciated

Edited by ForeverRogue, 25 December 2009 - 12:23 PM.




