
My FireFox Keeps Opening More and More tabs and windows


  • This topic is locked
11 replies to this topic

#1 Matthew94

  • Members
  • 5 posts

Posted 04 December 2009 - 09:05 AM

Hey Guys

I really do need your help. I am currently using AVG Free, Spybot S&D, and Malwarebytes.

My Firefox keeps opening new windows with 4 tabs opening up every time. Here is what each tab has in the URL bar:

file:///C:/Documents%20and%20Settings/Matt/

http://t/

hxxp://yS%C2%A4%C2%B6%1An8%C3%90%10%11%E2%80%A1m%15%40%01Xg5%C3%B5%C2%A3%C3%A5W%C3%95%0E%C3%95%E2%80%94%C2%A8%C3%92%C3%9C%C2%8D%E2%80%B9+%C2%A5~@xn--8 tq3a}-jra04cm9dn1i/;%1F%C3%B6%C2%B8&%C3%B2%C2%B0%E2%80%94U%C3%8E%11%14UD:%E2%80%93%C3%AE%C3%A1%C3%B4%C3%94v%C3%B6%C3%8F%E2%80%B0%%C3%B3%C3%95%CB%9C#q+%C2%BA5w%C3%90%27%C3%BC%18E@%C3%AF%E2%80%A0%04%C3%94%C3%88%C3%86%13%02%C3%93Ws%C2%BE%E2%80%94S%C3%8DjL%C3%9C%C3%84%%C2%BA-f%C2%BAr%C6%928%1F%C3%98\%C3%83%E2%84%A2:

hxxp://g_,c~q‚‚ž‚šupʧ€œ[ne4ž6%`~7$ok€™{u‚€ž5{q€ša/@%C3%8BE%200%C3%9D%C3%A3QB%E2%80%94%C3%BDA!M%C3%8A%C3%BCA%C3%A3%C2%B34%C3%85%C3%B7%C3%A7%C2%B5%E2%80%94?%1E%9F%FC%CD%BA%F5R2%D6%99%F9Tj%ABq%EFq]%F1%C1%99%F6%02%AF%0CqH%B7%ED%20P%0E%89,f.%B8%A0%C5W.%07%18M%F7%8B%AE%90

I don't really have much experience with computer viruses, so I really need help. Here's my HijackThis scan log.

Matt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:02:25, on 04/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\MSI\Common\RaUI.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?sourceid=nav...nt&ie=UTF-8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [acygmcq] "c:\windows\system32\acygmcq.exe" acygmcq
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] "C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~1.EXE" -Update -1020023 -iexplore.exe7.0
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: MSI Wireless Utility.lnk = C:\Program Files\MSI\Common\RaUI.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} (Virgin Digital Music Class) - http://www.virgindigital.co.uk/activeX/VirginWMA.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

--
End of file - 11355 bytes

Edited by Orange Blossom, 04 December 2009 - 11:32 AM.
Deactivate links and move to HiJack This forum. ~ OB
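Since this thread comes down to reading a HijackThis log entry by entry, here is an added triage script that is not from this thread, from BleepingComputer, or from HijackThis itself. It applies a few baseline comparisons to HijackThis-format lines: the F2 Userinit value against the Windows XP default (userinit.exe only), O4 autostarts launched from system32 against a short allowlist, O3 toolbars whose file is missing, and O23 services with no vendor name. The sample lines are constructed to mirror the format of entries in the log above; the section regexes, the allowlist and the severity labels are this example's own assumptions, and every hit is a pointer for a human reviewer rather than a verdict.

```python
import re
from dataclasses import dataclass

# Added example, not code from this thread or from HijackThis itself.
# Baseline checks over HijackThis-format lines; every hit is something for a
# reviewer to look at, never a verdict on its own.

# Constructed sample: entries in the format of a HijackThis log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\twext.exe,
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [acygmcq] "c:\windows\system32\acygmcq.exe" acygmcq
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (this example's own scale)
    section: str    # HijackThis section code: F2, O3, O4, O23
    detail: str


# Windows XP default: Userinit is exactly userinit.exe (the trailing comma is normal).
EXPECTED_USERINIT = {"userinit.exe"}

# Assumed allowlist (this example's own): XP autostarts that legitimately run
# from %SystemRoot%\system32. Extend it from a known-clean reference machine.
SYSTEM_DIR_ALLOWLIST = {"ctfmon.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
SYSTEM_DIR_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def first_exe(cmd: str) -> str:
    """Executable part of an O4 command line: the quoted segment or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Return Finding objects for every line that deviates from the baseline."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            programs = [p.strip() for p in m.group("value").split(",") if p.strip()]
            extra = [p for p in programs if basename(p) not in EXPECTED_USERINIT]
            if extra:
                findings.append(Finding("high", "F2",
                    "Userinit starts program(s) beyond the XP default: " + ", ".join(extra)))
            continue
        m = O3_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding("low", "O3",
                    "orphaned toolbar entry {%s} points at a missing file" % m.group("clsid")))
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_exe(m.group("cmd"))
            if SYSTEM_DIR_RE.search(exe) and basename(exe) not in SYSTEM_DIR_ALLOWLIST:
                findings.append(Finding("medium", "O4",
                    "autostart [%s] runs %s from system32 but is not in the baseline"
                    % (m.group("name"), exe)))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(Finding("low", "O23",
                "service '%s' reports no vendor: %s" % (m.group("name"), m.group("path"))))
    return findings


def main():
    rank = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: rank[f.severity]):
        print(f"[{f.severity:6}] {f.section:>3}  {f.detail}")


if __name__ == "__main__":
    main()
```

Running it over the sample flags the extra Userinit program as high, the system32 autostart not in the allowlist as medium, and the missing-file toolbar and vendor-less service as low. The allowlist is the weak point of any such check: keep it small and populate it from a machine you know to be clean, because an entry that looks unusual but is legitimate (an OEM utility, for instance) is exactly the false positive thewall warns about further down for the rootkit scan.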




#2 thewall

  • Malware Response Team
  • 6,425 posts

Posted 06 December 2009 - 05:40 PM

Hello Matthew94 :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I need for you to perform the following:


Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop then post the DDS.txt in the reply window and attach the other





Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.







Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Matthew94

  • Topic Starter

  • Members
  • 5 posts

Posted 08 December 2009 - 04:14 PM

Hey The wall :(

Here's my dds.txt

DDS (Ver_09-12-01.01) - NTFSx86
Run by Matt at 16:56:24.92 on 08/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.959.391 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Broadband\PCguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\MSI\Common\RaUI.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~1.EXE
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee Security Scan\1.0.150\McUICnt.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/webhp?sourceid=navclient&ie=UTF-8
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
mWinlogon: SFCDisable=4 (0x4)
mWinlogon: Userinit=userinit.exe,c:\windows\system32\twext.exe,
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] "c:\windows\system32\macromed\shockw~1\SWHELP~1.EXE" -Update -1020023 -iexplore.exe7.0
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [PCguard] "c:\program files\virgin broadband\pcguard\Rps.exe"
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [acygmcq] "c:\windows\system32\acygmcq.exe" acygmcq
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\msiwir~1.lnk - c:\program files\msi\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\uleadp~1.lnk - c:\program files\ulead systems\ulead photo express 4.0 se\CalCheck.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} - hxxp://www.virgindigital.co.uk/activeX/VirginWMA.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - hxxp://www.candystand.com/assets/activex/virtools/CacheManager.CAB
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\pmnlj
LSA: Notification Packages = scecli apiacwsr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\bwlrykug.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\matt\application data\mozilla\firefox\profiles\bwlrykug.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-8 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-8 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-8 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S1 azsueeaq;azsueeaq;\??\c:\windows\system32\drivers\azsueeaq.sys --> c:\windows\system32\drivers\azsueeaq.sys [?]
S1 dpdpyrkt;dpdpyrkt;\??\c:\windows\system32\drivers\dpdpyrkt.sys --> c:\windows\system32\drivers\dpdpyrkt.sys [?]
S2 tfdhmjx;tfdhmjx;\??\c:\windows\system32\drivers\nuahrrgv.sys --> c:\windows\system32\drivers\nuahrrgv.sys [?]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [2007-1-11 57744]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [2007-1-11 8336]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [2007-1-11 93328]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cur_serd.sys [2007-1-11 73152]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-7 102448]
S3 PAC207;USB PC Cam Plus;c:\windows\system32\drivers\PFC027.sys [2005-2-24 162176]

=============== Created Last 30 ================

2009-12-04 13:47:36 0 d-----w- c:\program files\Trend Micro
2009-12-04 13:38:42 0 d-----w- C:\VundoFix Backups
2009-11-23 17:43:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-22 12:17:02 434 ----a-w- C:\2.js
2009-11-16 20:24:30 0 d-----w- C:\Music
2009-11-16 20:21:04 0 d-----w- c:\program files\Sagasoft
2009-11-13 16:35:55 0 d-sh--w- c:\documents and settings\matt\PrivacIE
2009-11-13 16:21:54 0 d-----w- c:\windows\system32\MpEngineStore

==================== Find3M ====================

2009-11-13 18:18:59 205251 ----a-w- c:\windows\system32\kbiwkmbwuycvnm.dat
2009-10-13 19:46:05 58792 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-18 18:47:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-08-17 12:34:18 0 ----a-w- c:\program files\temp01
2008-10-19 15:47:37 2 --shatr- c:\windows\winstart.bat
2007-10-22 11:05:28 6505 --sha-w- c:\windows\system32\jlnmp.bak1
2007-10-29 15:44:28 502118 --sha-w- c:\windows\system32\jlnmp.bak2
2009-09-07 16:13:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090720090908\index.dat

============= FINISH: 16:58:55.34 ===============


Here's my GMER scan

GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-08 21:07:06
Windows 5.1.2600 Service Pack 3
Running: rootkit scanner.exe; Driver: C:\DOCUME~1\Matt\LOCALS~1\Temp\fwtdypow.sys


---- System - GMER 1.0.15 ----

Code 85C31A00 ZwCreateSection
Code 85C3C018 ZwDuplicateObject
Code 85C2EEE8 ZwSetInformationFile
Code 86185018 ZwSetSystemInformation
Code 85C32820 ZwWriteFile
Code 85C319FF NtCreateSection
Code 85C3C017 NtDuplicateObject
Code 85C2EEE7 NtSetInformationFile
Code 85C3281F NtWriteFile

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom Code 85D7B438

AttachedDevice \Driver\Tcpip \Device\Ip FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)

Device \FileSystem\Fastfat \Fat Code 85D7B438

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86330369

---- Services - GMER 1.0.15 ----

Service system32\drivers\kbiwkmlepuhacv.sys (*** hidden *** ) [SYSTEM] kbiwkmtcvscpki <-- ROOTKIT !!!
Service system32\drivers\kbiwkmrmpjwbee.sys (*** hidden *** ) [SYSTEM] kbiwkmwhkltepa <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki@imagepath \systemroot\system32\drivers\kbiwkmlepuhacv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmlepuhacv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmonbwucfq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmylogsncj.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmtcvscpki\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmyxtqwkwq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa@imagepath \systemroot\system32\drivers\kbiwkmrmpjwbee.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\main\injector@svchost.exe kbiwkmcont.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmrmpjwbee.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmtakxvhyf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmbwuycvnm.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmdrduxtit.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules@kbiwkm.dat \systemroot\system32\kbiwkmhfryckiq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmlbbmuwqe.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules@kbiwkmconz.dll \systemroot\system32\kbiwkmrpuwqvdl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules@kbiwkmcone.dll \systemroot\system32\kbiwkmbpxnsvdb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwhkltepa\modules@kbiwkmcont.dll \systemroot\system32\kbiwkmiphqltqs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki@imagepath \systemroot\system32\drivers\kbiwkmlepuhacv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmlepuhacv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmonbwucfq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmylogsncj.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmtcvscpki\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmyxtqwkwq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa@imagepath \systemroot\system32\drivers\kbiwkmrmpjwbee.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\main\injector@svchost.exe kbiwkmcont.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmrmpjwbee.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmtakxvhyf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmbwuycvnm.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmdrduxtit.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules@kbiwkm.dat \systemroot\system32\kbiwkmhfryckiq.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmlbbmuwqe.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules@kbiwkmconz.dll \systemroot\system32\kbiwkmrpuwqvdl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules@kbiwkmcone.dll \systemroot\system32\kbiwkmbpxnsvdb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmwhkltepa\modules@kbiwkmcont.dll \systemroot\system32\kbiwkmiphqltqs.dll

I have attached the other one you asked for.


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 08 December 2009 - 06:03 PM

OK Matthew, the first thing we need to do is get all of these firewalls and antivirus programs down to one each. Having all of these programs can cause serious issues with your machine as each of them tries to access your computer. They can at times lead to lock down of the entire system.

Pick one each of a firewall and an antivirus and uninstall the others.

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

When you have completed that please move on to the following. It is important that you disable the remaining antivirus on your computer as well as TeaTimer before running ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Matthew94

  • Topic Starter
  • Members
  • 5 posts

Posted 09 December 2009 - 01:20 PM

Hey thewall, here's the log I promised :)

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.959.417 [GMT 0:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
c:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
c:\documents and settings\Matt\My Documents\picsrv.manutd.com
c:\windows\kb913800.exe
c:\windows\system32\BSTIeprintctl1.dll
c:\windows\system32\cvibjdyr.ini
c:\windows\system32\eewdhknm.ini
c:\windows\system32\jlnmp.bak1
c:\windows\system32\jlnmp.bak2
c:\windows\system32\jlnmp.ini
c:\windows\system32\kbiwkmbwuycvnm.dat
c:\windows\system32\kbiwkmhfryckiq.dat
c:\windows\system32\kbiwkmylogsncj.dat
c:\windows\system32\lscuwcgp.ini
c:\windows\system32\owjawepx.ini
c:\windows\system32\rclyhqgo.ini
c:\windows\system32\vMW07a
c:\windows\system32\yvgfesnc.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Legacy_kbiwkmtcvscpki
-------\Legacy_kbiwkmwhkltepa
-------\Service_kbiwkmtcvscpki
-------\Service_kbiwkmwhkltepa


((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-12-09 17:56 . 2009-12-09 17:56 -------- d-----w- C:\found.000
2009-12-04 13:47 . 2009-12-04 13:47 -------- d-----w- c:\program files\Trend Micro
2009-12-04 13:38 . 2009-12-04 13:38 -------- d-----w- C:\VundoFix Backups
2009-11-23 17:43 . 2009-12-01 18:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-16 20:24 . 2009-11-16 20:28 -------- d-----w- C:\Music
2009-11-16 20:21 . 2009-11-16 20:21 -------- d-----w- c:\program files\Sagasoft
2009-11-13 16:35 . 2009-11-13 16:35 -------- d-sh--w- c:\documents and settings\Matt\PrivacIE
2009-11-13 16:21 . 2009-11-13 16:21 -------- d-----w- c:\windows\system32\MpEngineStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 17:27 . 2006-09-01 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-09 17:27 . 2006-09-01 18:46 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-09 16:52 . 2009-10-11 11:23 -------- d-----w- c:\documents and settings\User\Application Data\Virgin Broadband
2009-12-09 16:52 . 2007-03-24 17:08 -------- d-----w- c:\documents and settings\Matt\Application Data\Virgin Broadband
2009-12-09 16:52 . 2007-03-24 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-12-09 16:52 . 2007-03-24 17:08 -------- d-----w- c:\program files\Virgin Broadband
2009-12-09 16:52 . 2007-03-24 17:26 -------- d-----w- c:\program files\Common Files\PestPatrol
2009-12-08 21:38 . 2009-09-18 18:50 -------- d-----w- c:\documents and settings\Matt\Application Data\FrostWire
2009-11-15 13:56 . 2009-09-08 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-10 16:44 . 2009-12-06 16:35 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-03 16:00 . 2009-08-10 17:46 -------- d-----w- c:\program files\Messenger Plus! Live
2009-11-02 16:55 . 2008-08-17 12:23 -------- d-----w- c:\documents and settings\Matt\Application Data\U3
2009-10-13 19:46 . 2009-10-13 19:46 58792 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-12 19:25 . 2009-09-18 19:13 4506256 ----a-w- c:\documents and settings\Matt\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
2009-10-11 11:28 . 2009-10-11 11:28 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2009-10-11 11:24 . 2009-10-11 11:24 71336 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-18 18:47 . 2009-09-18 18:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-18 18:47 . 2009-09-18 18:47 152576 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-14 16:43 . 2009-09-14 16:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-11 14:18 . 2006-09-08 03:41 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-08-17 12:34 . 2008-08-17 12:34 0 ----a-w- c:\program files\temp01
2008-10-19 15:47 . 2008-10-19 15:47 2 --shatr- c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 577536]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-18 149280]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-15 344064]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-06 2029336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-2 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
MSI Wireless Utility.lnk - c:\program files\MSI\Common\RaUI.exe [2006-12-28 425984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe,c:\windows\system32\twext.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-08 15:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-03-19 20:17 78960 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-08 14:38 496752 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-12-12 18:13 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-01-18 19:05 19417640 ----a-w- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vade Retro Outlook Express]
2006-02-16 15:46 295936 ----a-w- c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Matt\\My Documents\\My Received Files\\Media\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\Matt\\My Documents\\My Videos\\My Skype Pictures\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13190:TCP"= 13190:TCP:BitComet 13190 TCP
"13190:UDP"= 13190:UDP:BitComet 13190 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/09/2009 15:45 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/09/2009 15:45 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/09/2009 15:01 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/09/2009 15:01 297752]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S1 azsueeaq;azsueeaq;\??\c:\windows\system32\drivers\azsueeaq.sys --> c:\windows\system32\drivers\azsueeaq.sys [?]
S1 dpdpyrkt;dpdpyrkt;\??\c:\windows\system32\drivers\dpdpyrkt.sys --> c:\windows\system32\drivers\dpdpyrkt.sys [?]
S2 tfdhmjx;tfdhmjx;\??\c:\windows\system32\drivers\nuahrrgv.sys --> c:\windows\system32\drivers\nuahrrgv.sys [?]
S3 PAC207;USB PC Cam Plus;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?sourceid=navclient&ie=UTF-8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} - hxxp://www.virgindigital.co.uk/activeX/VirginWMA.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542}
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\bwlrykug.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\bwlrykug.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\HOMERunner.exe
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
HKLM-Run-acygmcq - c:\windows\system32\acygmcq.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-brastk - c:\windows\system32\brastk.exe
AddRemove-Adobe Photoshop 7.0.1 - c:\windows\ISUNINST.EXE -fc:\program files\Adobe\Photoshop 7.0\Uninst.isu -cc:\program files\Adobe\Photoshop 7.0\Uninst.dll
AddRemove-SpyNoMore - c:\program files\SpyNoMore\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-09 18:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85EF0369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75e1f28
\Driver\ACPI -> ACPI.sys @ 0xf7554cb8
\Driver\atapi -> atapi.sys @ 0xf74e6852
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: 802.11g PCI Wireless Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf73f4b0a
PacketIndicateHandler -> NDIS.sys @ 0xf73e1a0d
SendHandler -> NDIS.sys @ 0xf73f5b40
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-943110302-300764655-2038959681-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:06,a9,bd,5f,80,69,b9,d9,98,7a,ea,33,2d,ca,58,1e,f8,94,56,b5,05,2d,19,
17,a2,4e,40,f9,4a,89,0b,ca,93,4d,20,3e,05,67,34,b9,34,30,92,0f,91,77,df,53,\
"??"=hex:ed,7d,62,a1,0b,87,59,c7,c0,3a,09,93,00,c8,b3,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(604)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1360)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\PAStiSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\Macromed\SHOCKW~1\SWHELP~1.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\Macromed\SHOCKW~1\SWHELP~1.EXE
.
**************************************************************************
.
Completion time: 2009-12-09 18:15:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-09 18:14

Pre-Run: 9,082,269,696 bytes free
Post-Run: 9,374,031,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 434CA69206DDCDE517E3162878B26D53

#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 09 December 2009 - 02:01 PM

That was good. These are the next things to do:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file in your next reply.
Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\azsueeaq.sys
c:\windows\system32\drivers\dpdpyrkt.sys
c:\windows\system32\drivers\nuahrrgv.sys
Driver::
azsueeaq
dpdpyrkt
tfdhmjx


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply along with the log from TDSSKiller.

#7 Matthew94

  • Topic Starter
  • Members
  • 5 posts

Posted 10 December 2009 - 12:29 PM

Hey, I really appreciate you helping me.

Host Name: MATTHEW
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Matt
Registered Organization:
Product ID: 76487-OEM-0011903-00824
Original Install Date: 27/12/2006, 17:59:54
System Up Time: 0 Days, 1 Hours, 10 Minutes, 22 Seconds
System Manufacturer: PACKARD BELL BV
System Model: ISTART 2369
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 4 Stepping 9 GenuineIntel ~3056 Mhz
BIOS Version: A M I - 8000624
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 959 MB
Available Physical Memory: 369 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,002 MB
Virtual Memory: In Use: 46 MB
Page File Location(s): C:\pagefile.sys
Domain: MSHOME
Logon Server: \\MATTHEW
Hotfix(s): 222 Hotfix(s) Installed.
[96]: Q147222
[97]: KB887998 - QFE
[98]: KB930494 - QFE
[99]: KB953295 - QFE
[100]: SP3 - SP
[101]: M953297 - Update
[102]: S867460 - Update
[103]: KB900325 - Update
[104]: Q927978
[105]: Q936181
[106]: Q954430
[107]: Q973688
[108]: KB898458 - Update
[109]: IDNMitigationAPIs - Update
[110]: NLSDownlevelMapping - Update
[111]: KB929399
[112]: KB952069_WM9
[113]: KB954155_WM9
[114]: KB968816_WM9
[115]: KB973540_WM9
[116]: KB913800
[117]: KB917734_WMP10
[118]: KB926251
[119]: KB936782_WMP11
[120]: KB939683
[121]: KB954154_WM11
[122]: KB959772_WM11
[123]: KB925398_WMP64
[124]: KB923689
[125]: KB941569
[126]: KB928090-IE7 - Update
[127]: KB929969 - Update
[128]: KB931768-IE7 - Update
[129]: KB933566-IE7 - Update
[130]: KB937143-IE7 - Update
[131]: KB938127-IE7 - Update
[132]: KB939653-IE7 - Update
[133]: KB942615-IE7 - Update
[134]: KB944533-IE7 - Update
[135]: KB947864-IE7 - Update
[136]: KB950759-IE7 - Update
[137]: KB953838-IE7 - Update
[138]: KB956390-IE7 - Update
[139]: KB958215-IE7 - Update
[140]: KB960714-IE7 - Update
[141]: KB961260-IE7 - Update
[142]: KB963027-IE7 - Update
[143]: KB969897-IE7 - Update
[144]: KB971961-IE8 - Update
[145]: KB972260-IE7 - Update
[146]: KB972260-IE8 - Update
[147]: KB974455-IE8 - Update
[148]: KB976749-IE8 - Update
[149]: MSCompPackV1 - Update
[150]: KB936929 - Service Pack
[151]: KB953295 - Update
[152]: KB923561 - Update
[153]: KB938464 - Update
[154]: KB938464-v2 - Update
[155]: KB946648 - Update
[156]: KB950760 - Update
[157]: KB950762 - Update
[158]: KB950974 - Update
[159]: KB951066 - Update
[160]: KB951072-v2 - Update
[161]: KB951376-v2 - Update
[162]: KB951698 - Update
[163]: KB951748 - Update
[164]: KB951978 - Update
[165]: KB952004 - Update
[166]: KB952287 - Update
[167]: KB952954 - Update
[168]: KB953839 - Update
[169]: KB954211 - Update
[170]: KB954459 - Update
[171]: KB954550-v5 - Update
[172]: KB954600 - Update
[173]: KB955069 - Update
[174]: KB955839 - Update
[175]: KB956391 - Update
[176]: KB956572 - Update
[177]: KB956744 - Update
[178]: KB956802 - Update
[179]: KB956803 - Update
[180]: KB956841 - Update
[181]: KB956844 - Update
[182]: KB957095 - Update
[183]: KB957097 - Update
[184]: KB958644 - Update
[185]: KB958687 - Update
[186]: KB958690 - Update
[187]: KB958869 - Update
[188]: KB959426 - Update
[189]: KB960225 - Update
[190]: KB960715 - Update
[191]: KB960803 - Update
[192]: KB960859 - Update
[193]: KB961118 - Update
[194]: KB961371 - Update
[195]: KB961373 - Update
[196]: KB961501 - Update
[197]: KB961503 - Update
[198]: KB967715 - Update
[199]: KB968389 - Update
[200]: KB968537 - Update
[201]: KB969059 - Update
[202]: KB969898 - Update
[203]: KB969947 - Update
[204]: KB970238 - Update
[205]: KB970653-v3 - Update
[206]: KB971486 - Update
[207]: KB971557 - Update
[208]: KB971633 - Update
[209]: KB971657 - Update
[210]: KB971961 -

NetWork Card(s): 2 NIC(s) Installed.
[01]: Realtek RTL8139/810x Family Fast Ethernet NIC
Connection Name: Local Area Connection
[02]: 802.11g PCI Wireless Adapter
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.102
19:9:49:611 3676 ForceUnloadDriver: NtUnloadDriver error 2
19:9:49:627 3676 ForceUnloadDriver: NtUnloadDriver error 2
19:9:49:627 3676 ForceUnloadDriver: NtUnloadDriver error 2
19:9:49:643 3676 main: Driver KLMD successfully dropped
19:9:49:783 3676 main: Driver KLMD successfully loaded
19:9:49:783 3676
Scanning Registry ...
19:9:49:815 3676 ScanServices: Searching service UACd.sys
19:9:49:815 3676 ScanServices: Open/Create key error 2
19:9:49:815 3676 ScanServices: Searching service TDSSserv.sys
19:9:49:815 3676 ScanServices: Open/Create key error 2
19:9:49:815 3676 ScanServices: Searching service gaopdxserv.sys
19:9:49:815 3676 ScanServices: Open/Create key error 2
19:9:49:815 3676 ScanServices: Searching service gxvxcserv.sys
19:9:49:815 3676 ScanServices: Open/Create key error 2
19:9:49:815 3676 ScanServices: Searching service MSIVXserv.sys
19:9:49:815 3676 ScanServices: Open/Create key error 2
19:9:49:815 3676 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
19:9:49:861 3676 UnhookRegistry: Kernel local addr: E40000
19:9:49:861 3676 UnhookRegistry: KeServiceDescriptorTable addr: ECB520
19:9:49:908 3676 UnhookRegistry: KiServiceTable addr: E4D8B0
19:9:49:908 3676 UnhookRegistry: NtEnumerateKey service number (local): 47
19:9:49:908 3676 UnhookRegistry: NtEnumerateKey local addr: EE1E14
19:9:49:924 3676 KLMD_OpenDevice: Trying to open KLMD device
19:9:49:924 3676 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
19:9:49:924 3676 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
19:9:49:924 3676 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]
19:9:49:924 3676 UnhookRegistry: NtEnumerateKey service number (kernel): 47
19:9:49:924 3676 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]
19:9:49:924 3676 UnhookRegistry: NtEnumerateKey real addr: 80578E14
19:9:49:924 3676 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
19:9:49:924 3676 UnhookRegistry: No SDT hooks found on NtEnumerateKey
19:9:49:924 3676 KLMD_ReadMem: Trying to ReadMemory 0x80578E14[0xA]
19:9:49:924 3676 UnhookRegistry: No splicing found on NtEnumerateKey
19:9:49:924 3676
Scanning Kernel memory ...
19:9:49:924 3676 KLMD_OpenDevice: Trying to open KLMD device
19:9:49:924 3676 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
19:9:49:924 3676 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:9:49:924 3676 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85F832D8
19:9:49:924 3676 DetectCureTDL3: KLMD_GetDeviceObjectList returned 13 DevObjects
19:9:49:924 3676 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 857CFAF8
19:9:49:924 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 857CFAF8
19:9:49:924 3676 KLMD_ReadMem: Trying to ReadMemory 0x857CFAF8[0x38]
19:9:49:924 3676 DetectCureTDL3: DRIVER_OBJECT addr: 85F832D8
19:9:49:924 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F832D8[0xA8]
19:9:49:924 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1023980[0x208]
19:9:49:924 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:9:49:924 3676 DetectCureTDL3: IrpHandler (0) addr: F75E3BB0
19:9:49:924 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (2) addr: F75E3BB0
19:9:49:924 3676 DetectCureTDL3: IrpHandler (3) addr: F75DDD1F
19:9:49:924 3676 DetectCureTDL3: IrpHandler (4) addr: F75DDD1F
19:9:49:924 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (9) addr: F75DE2E2
19:9:49:924 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (14) addr: F75DE3BB
19:9:49:924 3676 DetectCureTDL3: IrpHandler (15) addr: F75E1F28
19:9:49:924 3676 DetectCureTDL3: IrpHandler (16) addr: F75DE2E2
19:9:49:924 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (22) addr: F75DFC82
19:9:49:924 3676 DetectCureTDL3: IrpHandler (23) addr: F75E499E
19:9:49:924 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:49:924 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:49:924 3676 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:9:49:924 3676 KLMD_ReadMem: DeviceIoControl error 1
19:9:49:924 3676 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:9:49:924 3676 TDL3_FileDetect: Processing driver: Disk
19:9:49:924 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:9:49:924 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:9:49:924 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:9:49:971 3676 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 857513E0
19:9:49:971 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 857513E0
19:9:49:971 3676 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 82CF1310
19:9:49:971 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82CF1310
19:9:49:971 3676 KLMD_ReadMem: Trying to ReadMemory 0x82CF1310[0x38]
19:9:49:971 3676 DetectCureTDL3: DRIVER_OBJECT addr: 858F2998
19:9:49:971 3676 KLMD_ReadMem: Trying to ReadMemory 0x858F2998[0xA8]
19:9:49:971 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1BEED88[0x208]
19:9:49:971 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
19:9:49:971 3676 DetectCureTDL3: IrpHandler (0) addr: EECC4218
19:9:49:971 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (2) addr: EECC4218
19:9:49:971 3676 DetectCureTDL3: IrpHandler (3) addr: EECC423C
19:9:49:971 3676 DetectCureTDL3: IrpHandler (4) addr: EECC423C
19:9:49:971 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (9) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (14) addr: EECC4180
19:9:49:971 3676 DetectCureTDL3: IrpHandler (15) addr: EECBF9E6
19:9:49:971 3676 DetectCureTDL3: IrpHandler (16) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (22) addr: EECC35F0
19:9:49:971 3676 DetectCureTDL3: IrpHandler (23) addr: EECC1A6E
19:9:49:971 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:49:971 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:49:971 3676 KLMD_ReadMem: Trying to ReadMemory 0xEECC0F26[0x400]
19:9:49:971 3676 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:9:49:971 3676 TDL3_FileDetect: Processing driver: usbstor
19:9:49:971 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys
19:9:49:971 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:9:49:971 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:9:50:2 3676 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 858EF5B0
19:9:50:2 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858EF5B0
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0x858EF5B0[0x38]
19:9:50:2 3676 DetectCureTDL3: DRIVER_OBJECT addr: 85F832D8
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F832D8[0xA8]
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1023980[0x208]
19:9:50:2 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:9:50:2 3676 DetectCureTDL3: IrpHandler (0) addr: F75E3BB0
19:9:50:2 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (2) addr: F75E3BB0
19:9:50:2 3676 DetectCureTDL3: IrpHandler (3) addr: F75DDD1F
19:9:50:2 3676 DetectCureTDL3: IrpHandler (4) addr: F75DDD1F
19:9:50:2 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (9) addr: F75DE2E2
19:9:50:2 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (14) addr: F75DE3BB
19:9:50:2 3676 DetectCureTDL3: IrpHandler (15) addr: F75E1F28
19:9:50:2 3676 DetectCureTDL3: IrpHandler (16) addr: F75DE2E2
19:9:50:2 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (22) addr: F75DFC82
19:9:50:2 3676 DetectCureTDL3: IrpHandler (23) addr: F75E499E
19:9:50:2 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:9:50:2 3676 KLMD_ReadMem: DeviceIoControl error 1
19:9:50:2 3676 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:9:50:2 3676 TDL3_FileDetect: Processing driver: Disk
19:9:50:2 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:9:50:2 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:9:50:2 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:9:50:2 3676 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 858D3660
19:9:50:2 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858D3660
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0x858D3660[0x38]
19:9:50:2 3676 DetectCureTDL3: DRIVER_OBJECT addr: 85F832D8
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F832D8[0xA8]
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1023980[0x208]
19:9:50:2 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:9:50:2 3676 DetectCureTDL3: IrpHandler (0) addr: F75E3BB0
19:9:50:2 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (2) addr: F75E3BB0
19:9:50:2 3676 DetectCureTDL3: IrpHandler (3) addr: F75DDD1F
19:9:50:2 3676 DetectCureTDL3: IrpHandler (4) addr: F75DDD1F
19:9:50:2 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (9) addr: F75DE2E2
19:9:50:2 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (14) addr: F75DE3BB
19:9:50:2 3676 DetectCureTDL3: IrpHandler (15) addr: F75E1F28
19:9:50:2 3676 DetectCureTDL3: IrpHandler (16) addr: F75DE2E2
19:9:50:2 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (22) addr: F75DFC82
19:9:50:2 3676 DetectCureTDL3: IrpHandler (23) addr: F75E499E
19:9:50:2 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:9:50:2 3676 KLMD_ReadMem: DeviceIoControl error 1
19:9:50:2 3676 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:9:50:2 3676 TDL3_FileDetect: Processing driver: Disk
19:9:50:2 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:9:50:2 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:9:50:2 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:9:50:2 3676 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 858C5748
19:9:50:2 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858C5748
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0x858C5748[0x38]
19:9:50:2 3676 DetectCureTDL3: DRIVER_OBJECT addr: 85F832D8
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F832D8[0xA8]
19:9:50:2 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1023980[0x208]
19:9:50:2 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:9:50:2 3676 DetectCureTDL3: IrpHandler (0) addr: F75E3BB0
19:9:50:2 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (2) addr: F75E3BB0
19:9:50:2 3676 DetectCureTDL3: IrpHandler (3) addr: F75DDD1F
19:9:50:2 3676 DetectCureTDL3: IrpHandler (4) addr: F75DDD1F
19:9:50:2 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (9) addr: F75DE2E2
19:9:50:2 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:2 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (14) addr: F75DE3BB
19:9:50:18 3676 DetectCureTDL3: IrpHandler (15) addr: F75E1F28
19:9:50:18 3676 DetectCureTDL3: IrpHandler (16) addr: F75DE2E2
19:9:50:18 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (22) addr: F75DFC82
19:9:50:18 3676 DetectCureTDL3: IrpHandler (23) addr: F75E499E
19:9:50:18 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:9:50:18 3676 KLMD_ReadMem: DeviceIoControl error 1
19:9:50:18 3676 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:9:50:18 3676 TDL3_FileDetect: Processing driver: Disk
19:9:50:18 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:9:50:18 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:9:50:18 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:9:50:18 3676 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 858D0030
19:9:50:18 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858D0030
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0x858D0030[0x38]
19:9:50:18 3676 DetectCureTDL3: DRIVER_OBJECT addr: 85F832D8
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F832D8[0xA8]
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1023980[0x208]
19:9:50:18 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:9:50:18 3676 DetectCureTDL3: IrpHandler (0) addr: F75E3BB0
19:9:50:18 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (2) addr: F75E3BB0
19:9:50:18 3676 DetectCureTDL3: IrpHandler (3) addr: F75DDD1F
19:9:50:18 3676 DetectCureTDL3: IrpHandler (4) addr: F75DDD1F
19:9:50:18 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (9) addr: F75DE2E2
19:9:50:18 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (14) addr: F75DE3BB
19:9:50:18 3676 DetectCureTDL3: IrpHandler (15) addr: F75E1F28
19:9:50:18 3676 DetectCureTDL3: IrpHandler (16) addr: F75DE2E2
19:9:50:18 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (22) addr: F75DFC82
19:9:50:18 3676 DetectCureTDL3: IrpHandler (23) addr: F75E499E
19:9:50:18 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:9:50:18 3676 KLMD_ReadMem: DeviceIoControl error 1
19:9:50:18 3676 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:9:50:18 3676 TDL3_FileDetect: Processing driver: Disk
19:9:50:18 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:9:50:18 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:9:50:18 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:9:50:18 3676 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 858EC6F8
19:9:50:18 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858EC6F8
19:9:50:18 3676 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 858CE378
19:9:50:18 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858CE378
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0x858CE378[0x38]
19:9:50:18 3676 DetectCureTDL3: DRIVER_OBJECT addr: 858F2998
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0x858F2998[0xA8]
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1BEED88[0x208]
19:9:50:18 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
19:9:50:18 3676 DetectCureTDL3: IrpHandler (0) addr: EECC4218
19:9:50:18 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (2) addr: EECC4218
19:9:50:18 3676 DetectCureTDL3: IrpHandler (3) addr: EECC423C
19:9:50:18 3676 DetectCureTDL3: IrpHandler (4) addr: EECC423C
19:9:50:18 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (9) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (14) addr: EECC4180
19:9:50:18 3676 DetectCureTDL3: IrpHandler (15) addr: EECBF9E6
19:9:50:18 3676 DetectCureTDL3: IrpHandler (16) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (22) addr: EECC35F0
19:9:50:18 3676 DetectCureTDL3: IrpHandler (23) addr: EECC1A6E
19:9:50:18 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0xEECC0F26[0x400]
19:9:50:18 3676 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:9:50:18 3676 TDL3_FileDetect: Processing driver: usbstor
19:9:50:18 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys
19:9:50:18 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:9:50:18 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:9:50:18 3676 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 858DCAB8
19:9:50:18 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858DCAB8
19:9:50:18 3676 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8599D910
19:9:50:18 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8599D910
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0x8599D910[0x38]
19:9:50:18 3676 DetectCureTDL3: DRIVER_OBJECT addr: 858F2998
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0x858F2998[0xA8]
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1BEED88[0x208]
19:9:50:18 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
19:9:50:18 3676 DetectCureTDL3: IrpHandler (0) addr: EECC4218
19:9:50:18 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (2) addr: EECC4218
19:9:50:18 3676 DetectCureTDL3: IrpHandler (3) addr: EECC423C
19:9:50:18 3676 DetectCureTDL3: IrpHandler (4) addr: EECC423C
19:9:50:18 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (9) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (14) addr: EECC4180
19:9:50:18 3676 DetectCureTDL3: IrpHandler (15) addr: EECBF9E6
19:9:50:18 3676 DetectCureTDL3: IrpHandler (16) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (22) addr: EECC35F0
19:9:50:18 3676 DetectCureTDL3: IrpHandler (23) addr: EECC1A6E
19:9:50:18 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:18 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:18 3676 KLMD_ReadMem: Trying to ReadMemory 0xEECC0F26[0x400]
19:9:50:18 3676 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:9:50:18 3676 TDL3_FileDetect: Processing driver: usbstor
19:9:50:33 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys
19:9:50:33 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:9:50:33 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:9:50:33 3676 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 858DEAB8
19:9:50:33 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858DEAB8
19:9:50:33 3676 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 858CFD08
19:9:50:33 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858CFD08
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0x858CFD08[0x38]
19:9:50:33 3676 DetectCureTDL3: DRIVER_OBJECT addr: 858F2998
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0x858F2998[0xA8]
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1BEED88[0x208]
19:9:50:33 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
19:9:50:33 3676 DetectCureTDL3: IrpHandler (0) addr: EECC4218
19:9:50:33 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (2) addr: EECC4218
19:9:50:33 3676 DetectCureTDL3: IrpHandler (3) addr: EECC423C
19:9:50:33 3676 DetectCureTDL3: IrpHandler (4) addr: EECC423C
19:9:50:33 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (9) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (14) addr: EECC4180
19:9:50:33 3676 DetectCureTDL3: IrpHandler (15) addr: EECBF9E6
19:9:50:33 3676 DetectCureTDL3: IrpHandler (16) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (22) addr: EECC35F0
19:9:50:33 3676 DetectCureTDL3: IrpHandler (23) addr: EECC1A6E
19:9:50:33 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0xEECC0F26[0x400]
19:9:50:33 3676 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:9:50:33 3676 TDL3_FileDetect: Processing driver: usbstor
19:9:50:33 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys
19:9:50:33 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:9:50:33 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:9:50:33 3676 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 858DE338
19:9:50:33 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 858DE338
19:9:50:33 3676 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 85915C18
19:9:50:33 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85915C18
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0x85915C18[0x38]
19:9:50:33 3676 DetectCureTDL3: DRIVER_OBJECT addr: 858F2998
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0x858F2998[0xA8]
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1BEED88[0x208]
19:9:50:33 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
19:9:50:33 3676 DetectCureTDL3: IrpHandler (0) addr: EECC4218
19:9:50:33 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (2) addr: EECC4218
19:9:50:33 3676 DetectCureTDL3: IrpHandler (3) addr: EECC423C
19:9:50:33 3676 DetectCureTDL3: IrpHandler (4) addr: EECC423C
19:9:50:33 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (9) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (14) addr: EECC4180
19:9:50:33 3676 DetectCureTDL3: IrpHandler (15) addr: EECBF9E6
19:9:50:33 3676 DetectCureTDL3: IrpHandler (16) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (22) addr: EECC35F0
19:9:50:33 3676 DetectCureTDL3: IrpHandler (23) addr: EECC1A6E
19:9:50:33 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0xEECC0F26[0x400]
19:9:50:33 3676 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:9:50:33 3676 TDL3_FileDetect: Processing driver: usbstor
19:9:50:33 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys
19:9:50:33 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:9:50:33 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:9:50:33 3676 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 85F58C68
19:9:50:33 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85F58C68
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F58C68[0x38]
19:9:50:33 3676 DetectCureTDL3: DRIVER_OBJECT addr: 85F832D8
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F832D8[0xA8]
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1023980[0x208]
19:9:50:33 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:9:50:33 3676 DetectCureTDL3: IrpHandler (0) addr: F75E3BB0
19:9:50:33 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (2) addr: F75E3BB0
19:9:50:33 3676 DetectCureTDL3: IrpHandler (3) addr: F75DDD1F
19:9:50:33 3676 DetectCureTDL3: IrpHandler (4) addr: F75DDD1F
19:9:50:33 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (9) addr: F75DE2E2
19:9:50:33 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (14) addr: F75DE3BB
19:9:50:33 3676 DetectCureTDL3: IrpHandler (15) addr: F75E1F28
19:9:50:33 3676 DetectCureTDL3: IrpHandler (16) addr: F75DE2E2
19:9:50:33 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (22) addr: F75DFC82
19:9:50:33 3676 DetectCureTDL3: IrpHandler (23) addr: F75E499E
19:9:50:33 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:33 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:33 3676 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:9:50:33 3676 KLMD_ReadMem: DeviceIoControl error 1
19:9:50:33 3676 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:9:50:33 3676 TDL3_FileDetect: Processing driver: Disk
19:9:50:33 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:9:50:33 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:9:50:33 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:9:50:49 3676 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 85FE7A98
19:9:50:49 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85FE7A98
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0x85FE7A98[0x38]
19:9:50:49 3676 DetectCureTDL3: DRIVER_OBJECT addr: 85F832D8
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F832D8[0xA8]
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1023980[0x208]
19:9:50:49 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:9:50:49 3676 DetectCureTDL3: IrpHandler (0) addr: F75E3BB0
19:9:50:49 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (2) addr: F75E3BB0
19:9:50:49 3676 DetectCureTDL3: IrpHandler (3) addr: F75DDD1F
19:9:50:49 3676 DetectCureTDL3: IrpHandler (4) addr: F75DDD1F
19:9:50:49 3676 DetectCureTDL3: IrpHandler (5) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (6) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (7) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (8) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (9) addr: F75DE2E2
19:9:50:49 3676 DetectCureTDL3: IrpHandler (10) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (11) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (12) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (13) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (14) addr: F75DE3BB
19:9:50:49 3676 DetectCureTDL3: IrpHandler (15) addr: F75E1F28
19:9:50:49 3676 DetectCureTDL3: IrpHandler (16) addr: F75DE2E2
19:9:50:49 3676 DetectCureTDL3: IrpHandler (17) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (18) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (19) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (20) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (21) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (22) addr: F75DFC82
19:9:50:49 3676 DetectCureTDL3: IrpHandler (23) addr: F75E499E
19:9:50:49 3676 DetectCureTDL3: IrpHandler (24) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (25) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (26) addr: 804F9739
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:9:50:49 3676 KLMD_ReadMem: DeviceIoControl error 1
19:9:50:49 3676 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:9:50:49 3676 TDL3_FileDetect: Processing driver: Disk
19:9:50:49 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:9:50:49 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:9:50:49 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:9:50:49 3676 DetectCureTDL3: 12 Curr stack PDEVICE_OBJECT: 85EEAAB8
19:9:50:49 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85EEAAB8
19:9:50:49 3676 DetectCureTDL3: 12 Curr stack PDEVICE_OBJECT: 85F4FA98
19:9:50:49 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85F4FA98
19:9:50:49 3676 DetectCureTDL3: 12 Curr stack PDEVICE_OBJECT: 85F54D98
19:9:50:49 3676 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85F54D98
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F54D98[0x38]
19:9:50:49 3676 DetectCureTDL3: DRIVER_OBJECT addr: 85F64D30
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F64D30[0xA8]
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F89D98[0x38]
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0x85F4F428[0xA8]
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0xE1001728[0x208]
19:9:50:49 3676 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:9:50:49 3676 DetectCureTDL3: IrpHandler (0) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (1) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (2) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (3) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (4) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (5) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (6) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (7) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (8) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (9) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (10) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (11) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (12) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (13) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (14) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (15) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (16) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (17) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (18) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (19) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (20) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (21) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (22) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (23) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (24) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (25) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (26) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: All IRP handlers pointed to one addr: 85EF0369
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0x85EF0369[0x400]
19:9:50:49 3676 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
19:9:50:49 3676 Driver "atapi" Irp handler infected by TDSS rootkit ... 19:9:50:49 3676 KLMD_WriteMem: Trying to WriteMemory 0x85EF03CE[0xD]
19:9:50:49 3676 cured
19:9:50:49 3676 KLMD_ReadMem: Trying to ReadMemory 0xF74E7864[0x400]
19:9:50:49 3676 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
19:9:50:49 3676 TDL3_FileDetect: Processing driver: atapi
19:9:50:49 3676 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
19:9:50:49 3676 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
19:9:50:49 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
19:9:50:80 3676 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 19:9:50:80 3676 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
19:9:50:80 3676 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
19:9:50:96 3676 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_atapi.sys
19:9:50:127 3676 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
19:9:50:127 3676 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_atapi.sys, C:\WINDOWS\system32\drivers\atapi.sys) success
19:9:50:127 3676 will be cured on next reboot
19:9:50:143 3676
Completed

Results:
19:9:50:143 3676 Infected objects in memory: 1
19:9:50:143 3676 Cured objects in memory: 1
19:9:50:143 3676 Infected objects on disk: 1
19:9:50:143 3676 Objects on disk cured on reboot: 1
19:9:50:143 3676 Objects on disk deleted on reboot: 0
19:9:50:143 3676 Registry nodes deleted on reboot: 0
19:9:50:143 3676

Combofix log

ComboFix 09-12-08.07 - Matt 10/12/2009 17:05:43.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.959.483 [GMT 0:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\azsueeaq.sys"
"c:\windows\system32\drivers\dpdpyrkt.sys"
"c:\windows\system32\drivers\nuahrrgv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TFDHMJX
-------\Service_azsueeaq
-------\Service_tfdhmjx


((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.

2009-12-09 19:09 . 2009-12-09 19:09 96512 ----a-w- c:\windows\system32\drivers\tsk_atapi.sys
2009-12-09 19:09 . 2009-12-09 19:09 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2009-12-09 17:56 . 2009-12-09 17:56 -------- d-----w- C:\found.000
2009-12-04 13:47 . 2009-12-04 13:47 -------- d-----w- c:\program files\Trend Micro
2009-12-04 13:38 . 2009-12-04 13:38 -------- d-----w- C:\VundoFix Backups
2009-11-23 17:43 . 2009-12-01 18:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-16 20:24 . 2009-11-16 20:28 -------- d-----w- C:\Music
2009-11-16 20:21 . 2009-11-16 20:21 -------- d-----w- c:\program files\Sagasoft
2009-11-13 16:35 . 2009-11-13 16:35 -------- d-sh--w- c:\documents and settings\Matt\PrivacIE
2009-11-13 16:21 . 2009-11-13 16:21 -------- d-----w- c:\windows\system32\MpEngineStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 19:12 . 2006-09-08 03:35 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-09 18:43 . 2009-09-18 18:50 -------- d-----w- c:\documents and settings\Matt\Application Data\FrostWire
2009-12-09 17:27 . 2006-09-01 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-09 17:27 . 2006-09-01 18:46 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-09 16:52 . 2009-10-11 11:23 -------- d-----w- c:\documents and settings\User\Application Data\Virgin Broadband
2009-12-09 16:52 . 2007-03-24 17:08 -------- d-----w- c:\documents and settings\Matt\Application Data\Virgin Broadband
2009-12-09 16:52 . 2007-03-24 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-12-09 16:52 . 2007-03-24 17:08 -------- d-----w- c:\program files\Virgin Broadband
2009-12-09 16:52 . 2007-03-24 17:26 -------- d-----w- c:\program files\Common Files\PestPatrol
2009-11-15 13:56 . 2009-09-08 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-10 16:44 . 2009-12-06 16:35 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-03 16:00 . 2009-08-10 17:46 -------- d-----w- c:\program files\Messenger Plus! Live
2009-11-02 16:55 . 2008-08-17 12:23 -------- d-----w- c:\documents and settings\Matt\Application Data\U3
2009-10-29 07:45 . 2006-08-09 02:25 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-09-08 03:43 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-09-08 03:38 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 19:46 . 2009-10-13 19:46 58792 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 10:30 . 2006-09-08 03:42 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 19:25 . 2009-09-18 19:13 4506256 ----a-w- c:\documents and settings\Matt\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
2009-10-12 13:38 . 2006-09-08 03:42 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-09-08 03:42 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:24 . 2009-10-11 11:24 71336 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-18 18:47 . 2009-09-18 18:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-18 18:47 . 2009-09-18 18:47 152576 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-14 16:43 . 2009-09-14 16:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2008-08-17 12:34 . 2008-08-17 12:34 0 ----a-w- c:\program files\temp01
2008-10-19 15:47 . 2008-10-19 15:47 2 --shatr- c:\windows\winstart.bat
.

------- Sigcheck -------

[-] 2009-12-09 19:12 . E8D919DCA4344A8AA0019E8AD59C3571 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[7] 2006-03-15 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 577536]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-18 149280]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-15 344064]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-06 2029336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-2 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
MSI Wireless Utility.lnk - c:\program files\MSI\Common\RaUI.exe [2006-12-28 425984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-08 15:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-03-19 20:17 78960 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-08 14:38 496752 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-12-12 18:13 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-01-18 19:05 19417640 ----a-w- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vade Retro Outlook Express]
2006-02-16 15:46 295936 ----a-w- c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Matt\\My Documents\\My Received Files\\Media\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\Matt\\My Documents\\My Videos\\My Skype Pictures\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13190:TCP"= 13190:TCP:BitComet 13190 TCP
"13190:UDP"= 13190:UDP:BitComet 13190 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/09/2009 15:45 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/09/2009 15:45 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/09/2009 15:01 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/09/2009 15:01 297752]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 PAC207;USB PC Cam Plus;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?sourceid=navclient&ie=UTF-8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} - hxxp://www.virgindigital.co.uk/activeX/VirginWMA.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\bwlrykug.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\bwlrykug.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 17:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-943110302-300764655-2038959681-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:06,a9,bd,5f,80,69,b9,d9,98,7a,ea,33,2d,ca,58,1e,f8,94,56,b5,05,2d,19,
17,a2,4e,40,f9,4a,89,0b,ca,93,4d,20,3e,05,67,34,b9,34,30,92,0f,91,77,df,53,\
"??"=hex:ed,7d,62,a1,0b,87,59,c7,c0,3a,09,93,00,c8,b3,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\PAStiSvc.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\system32\Macromed\SHOCKW~1\SWHELP~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\Macromed\SHOCKW~1\SWHELP~1.EXE
.
**************************************************************************
.
Completion time: 2009-12-10 17:23:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-10 17:23
ComboFix2.txt 2009-12-09 18:15

Pre-Run: 9,049,772,032 bytes free
Post-Run: 9,030,615,040 bytes free

- - End Of File - - 6AD4948B9EFAC84952889BBF060B0C5D
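The two detections in the logs above, as an added example that is not part of this thread or of TDSSKiller/ComboFix: a small Python parser that reads the DetectCureTDL3 IrpHandler lines and applies the check TDSSKiller itself reports ("All IRP handlers pointed to one addr"), then reads the ComboFix Sigcheck lines and reports file names whose on-disk copies carry different MD5s. The regexes, function names and the trimmed sample lines are constructed for this example; the two atapi.sys hashes are the ones quoted in the Sigcheck section, the disk.sys hash is a placeholder.

```python
import re
from collections import defaultdict

# Line shapes copied from the TDSSKiller output quoted in the thread.
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
# ComboFix Sigcheck line: [flag] date [time] . MD5 . size . . [version] . . path
SIG_RE = re.compile(
    r"^\[(.)\]\s+(\d{4}-\d\d-\d\d)(?:\s+\d\d:\d\d)?\s+\.\s+([0-9A-Fa-f]{32})"
    r"\s+\.\s+(\d+)\s+\.\s+\.\s+\[([^\]]*)\]\s+\.\s+\.\s+(.+?)\s*$"
)

# Constructed sample: a trimmed copy of the log shapes in the thread (Disk is
# clean, atapi is the hooked one). Only a few of the 27 majors are kept.
SAMPLE_TDSSKILLER = """\
19:9:50:49 3676 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
19:9:50:49 3676 DetectCureTDL3: IrpHandler (0) addr: F75E3BB0
19:9:50:49 3676 DetectCureTDL3: IrpHandler (1) addr: 804F9739
19:9:50:49 3676 DetectCureTDL3: IrpHandler (2) addr: F75E3BB0
19:9:50:49 3676 DetectCureTDL3: IrpHandler (3) addr: F75DDD1F
19:9:50:49 3676 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
19:9:50:49 3676 DetectCureTDL3: IrpHandler (0) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (1) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (2) addr: 85EF0369
19:9:50:49 3676 DetectCureTDL3: IrpHandler (3) addr: 85EF0369
""".splitlines()

# Constructed sample: atapi.sys hashes are those in the thread's Sigcheck
# section; the disk.sys hash (all A's) is a placeholder for a clean file.
SAMPLE_SIGCHECK = """\
[-] 2009-12-09 19:12 . E8D919DCA4344A8AA0019E8AD59C3571 . 96512 . . [------] . . c:\\windows\\system32\\drivers\\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\\windows\\ERDNT\\cache\\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\\windows\\ServicePackFiles\\i386\\atapi.sys
[7] 2008-04-13 . AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA . 36352 . . [5.1.2600.5512] . . c:\\windows\\system32\\drivers\\disk.sys
[7] 2008-04-13 . AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA . 36352 . . [5.1.2600.5512] . . c:\\windows\\ServicePackFiles\\i386\\disk.sys
""".splitlines()


def irp_dispatch_tables(log_lines):
    """Return {driver_name: {major: handler_addr}} from IrpHandler log lines.

    A 'DRIVER_OBJECT name:' line opens a block; the IrpHandler lines after it
    belong to that driver until the next name line. A driver logged more than
    once (usbstor and Disk are, in the thread) keeps its last block.
    """
    tables = {}
    current = None
    for line in log_lines:
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(2)
            tables[current] = {}
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = int(m.group(2), 16)
    return tables


def suspicious_dispatch_tables(tables):
    """The check TDSSKiller logs as 'All IRP handlers pointed to one addr'.

    A clean driver has its own routines for the majors it implements and the
    kernel's shared default routine (804F9739 throughout the thread's log) for
    the rest, so its table holds several distinct addresses. A table in which
    every major resolves to one and the same address is a hooked table.
    """
    return sorted(name for name, table in tables.items()
                  if table and len(set(table.values())) == 1)


def sigcheck_mismatches(sig_lines):
    """Group Sigcheck entries by file name; return names whose copies disagree.

    Returns {basename: {md5: [paths]}} for names with more than one distinct
    MD5. The copy that disagrees with the OS backup copies (ERDNT cache,
    ServicePackFiles, ...) is the one to inspect; in the thread it is the live
    atapi.sys, which ComboFix also tagged '[-]' (signature not verified).
    """
    by_name = defaultdict(lambda: defaultdict(list))
    for line in sig_lines:
        m = SIG_RE.match(line)
        if not m:
            continue
        _flag, _date, md5, _size, _ver, path = m.groups()
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        by_name[base][md5.upper()].append(path)
    return {base: dict(h) for base, h in by_name.items() if len(h) > 1}


if __name__ == "__main__":
    tables = irp_dispatch_tables(SAMPLE_TDSSKILLER)
    for name in suspicious_dispatch_tables(tables):
        addr = next(iter(tables[name].values()))
        print(f'Driver "{name}": all {len(tables[name])} IRP handlers -> {addr:08X}')
    for base, hashes in sigcheck_mismatches(SAMPLE_SIGCHECK).items():
        for md5, paths in hashes.items():
            print(f"{base}: {md5} ({len(paths)} copies) e.g. {paths[0]}")
```

Run against a full TDSSKiller log the first check reports exactly the driver the log itself flags, and against the whole Sigcheck section the second reports atapi.sys with the live file as the odd one out.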

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 10 December 2009 - 01:20 PM

No problem, I'm glad I can do it. :(

Did the system reboot after ComboFix ran? If it didn't, reboot it now and let me know how things are running now.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 Matthew94

Matthew94
  • Topic Starter

  • Members
  • 5 posts

Posted 10 December 2009 - 01:29 PM

Heyy


Things seem to be running a lot smoother and no windows seem to be opening! Thanks so much!!
You're a real lifesaver!

Is it alright to contact you again if a related problem occurs??

Matthew94

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 10 December 2009 - 02:08 PM

Board rules are that I have to take logs as they are posted if possible. So if you encounter another problem you will have to post it like you did this time and wait for it to be picked up.


We have a little more to do before we are finished.


Please uninstall older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double-click on Add/Remove Programs
* Locate older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.

Although your Java is not that far out of date you do have an older version still on your machine. Please perform the following:


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
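As an added example, not part of the helper's instructions, this PowerShell check lists the Java entries that Add/Remove Programs would show (read from the Uninstall registry keys) and flags any that are older than the JRE 6 Update 17 the post tells the user to install. It assumes Sun's JRE 6 DisplayVersion values take the form 6.0.<update>0 (6.0.170 for Update 17); that is an assumption, not something the thread states.

```powershell
# Added example (not from the thread): enumerate installed Java runtimes from the
# Uninstall registry keys, the same data Add/Remove Programs displays, and flag
# anything older than JRE 6 Update 17 so leftovers can be removed as the post directs.
# Assumption: JRE 6 registers DisplayVersion as "6.0.<update>0", e.g. 6.0.170 for
# Update 17. Entries whose version does not parse are reported, not guessed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$target = [version]'6.0.170'   # JRE 6 Update 17 under the assumed version layout

# Match the names the post describes: "Java Runtime Environment (JRE or J2SE)".
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match 'Java|J2SE' -and
        $_.DisplayName -match 'Runtime|Update|J2SE' -and
        $_.DisplayName -notmatch 'Auto Updater'
    }

foreach ($entry in $javaEntries) {
    $status = 'unknown version format - check manually'
    try {
        $parsed = [version]$entry.DisplayVersion
        if ($parsed -lt $target) {
            $status = 'OLDER than 6u17 - remove via Add/Remove Programs'
        } else {
            $status = 'current (6u17 or newer)'
        }
    } catch {
        # DisplayVersion missing or not in dotted form; leave the "unknown" status.
    }
    [pscustomobject]@{
        Name      = $entry.DisplayName
        Version   = $entry.DisplayVersion
        Status    = $status
        Uninstall = $entry.UninstallString   # the command Add/Remove Programs would run
    }
}
```

Run it in an elevated PowerShell window after the uninstalls and reboot; any row still marked OLDER is a version the built-in uninstaller did not remove and must be taken out manually, as the post's last note says.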

#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 14 December 2009 - 12:28 PM

Are you still there?

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 15 December 2009 - 12:04 PM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.