Internet explorer keeps opening up by itself & google search links redirect me to random webpages


  • This topic is locked
25 replies to this topic

#1 royale_sufi

royale_sufi

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:24 PM

Posted 05 December 2009 - 07:48 AM

I have tried the AVG computer scan and it doesn't seem to be removing it.

The internet explorer opens up by itself only when another internet explorer webpage is open and I get more and more internet explorer webpages opening up - a new webpage opens up every few seconds. When the internet explorer opens by itself it opens to my homepage.

With regards to the redirection from google search pages - I often get the page being redirected to a webpage that has a blue curly d as an icon on the address bar. Another icon I have also seen is some sort of green sphere with squares drawn inside. I have recently been getting redirected to www.ebay.co.uk.

I also get some audio adverts playing in the background - I assume it's a hidden internet explorer webpage.



My DDS report is given below

=================================================


DDS (Ver_09-12-01.01) - NTFSx86
Run by Anwar at 12:14:37.01 on 05/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.242 [GMT 0:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Anwar\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Browser Defender BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - PC Tools Browser Guard BHO
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} -
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Wireless Manager] "c:\program files\virgin broadband wireless\Wireless Manager.exe" startup
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [CTSVolFE] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-12-4 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-4 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-4 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-4 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-4 360584]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-4 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-12-4 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-4 5832712]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-8-30 32512]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-4 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-12-4 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-12-4 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-12-4 25736]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-4 30104]

=============== Created Last 30 ================

2009-12-04 23:11:04 0 d--h--w- C:\$AVG
2009-12-04 23:10:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-04 23:10:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-04 23:10:51 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-04 23:10:45 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-04 23:10:38 0 d-----w- c:\windows\system32\drivers\Avg
2009-12-04 23:10:36 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-04 23:10:16 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-12-04 23:10:04 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-12-04 23:10:04 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-12-04 23:10:02 0 d-----w- c:\program files\AVG
2009-12-04 23:09:53 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-30 17:27:36 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-30 17:27:36 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-30 17:26:10 0 d-----w- c:\program files\iPod
2009-11-30 17:26:03 0 d-----w- c:\program files\iTunes
2009-11-30 17:25:38 0 d-----w- c:\program files\Bonjour
2009-11-28 09:21:24 0 d-----w- c:\program files\SGPSA
2009-11-28 09:21:24 0 d-----w- c:\program files\Fast Browser Search
2009-11-28 09:21:19 0 d-----w- c:\windows\system32\appmgmt
2009-11-28 09:21:19 0 d-----w- c:\program files\Conduit
2009-11-28 09:21:18 0 d-----w- c:\program files\IObitCom
2009-11-28 09:21:18 0 d-----w- c:\docume~1\anwar\applic~1\IObit
2009-11-27 23:38:08 767952 ----a-w- c:\windows\BDTSupport(2).dll
2009-11-27 23:38:06 882 ----a-w- c:\windows\RegSDImport.xml
2009-11-27 23:38:06 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-27 23:38:05 131 ----a-w- c:\windows\IDB.zip
2009-11-27 23:38:04 1152444 ----a-w- c:\windows\UDB.zip
2009-11-27 23:35:30 0 d-----w- c:\program files\common files\PC Tools
2009-11-27 23:35:29 0 d-----w- c:\program files\Spyware Doctor
2009-11-27 22:43:19 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-11-27 22:28:59 0 d-----w- c:\program files\IObit
2009-11-20 13:09:00 0 d-sh--w- c:\windows\system32\lowsec
2009-11-20 13:04:35 0 d-----w- c:\windows\system32\scripting
2009-11-20 13:04:34 0 d-----w- c:\windows\system32\en
2009-11-20 13:04:33 0 d-----w- c:\windows\system32\bits
2009-11-20 12:56:28 0 d-----w- c:\windows\network diagnostic
2009-11-16 21:51:02 0 d-----w- c:\program files\Lavasoft
2009-11-16 21:25:11 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-16 21:10:21 13588 ----a-w- c:\windows\system32\wpa.bak
2009-11-16 21:10:15 96768 ----a-w- c:\windows\system32\dpcdll.dll.wga
2009-11-16 21:10:15 24064 ----a-w- c:\windows\system32\pidgen.dll.wga
2009-11-11 18:11:40 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-11 18:01:22 0 d-sh--w- c:\documents and settings\anwar\IECompatCache
2009-11-10 23:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-10 23:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-11-10 14:07:11 0 d-----w- c:\docume~1\alluse~1\applic~1\8907825

==================== Find3M ====================

2009-12-04 22:59:25 936992 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-04 22:59:25 905120 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-04 22:59:25 89936 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-04 22:59:25 67424032 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-02 15:12:28 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-29 21:54:02 38 ----a-w- c:\documents and settings\anwar\jagex_runescape_preferences.dat
2009-11-29 21:40:52 63 ----a-w- c:\documents and settings\anwar\jagex_runescape_preferences2.dat
2009-10-09 12:10:46 21616 ----a-w- c:\docume~1\anwar\applic~1\GDIPFONTCACHEV1.DAT
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 12:16:52.21 ===============
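Two entries in the DDS report above matter far more than the AVG, Java and toolbar noise around them: the Winlogon line `mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,` (a second executable chained after userinit.exe, so it runs at every logon) and the hidden system directory `c:\windows\system32\lowsec` created on 2009-11-20. That pairing, sdra64.exe plus a lowsec directory, is the well-known on-disk footprint of the Zeus/Zbot banking trojan, which fits the search redirects and pop-up browser windows described in the post. The script below is an added example written for this thread; it is not part of DDS and was not posted by any participant. It runs the three checks an analyst applies by eye (an extra Userinit executable, orphaned IE hooks marked "No File", and new system+hidden directories under system32) over lines copied from the report above. The assumed Windows path c:\windows and the severity labels are the example's own choices.

```python
"""Triage rules for the DDS 'Pseudo HJT Report' / 'Created Last 30' sections.

Added example for this thread; it is not part of DDS and not the helper's
procedure. The three rules are the checks an analyst applies by eye to a log
like the one above:
  1. Winlogon Userinit naming anything besides userinit.exe (a trailing
     comma after userinit.exe is normal; a second executable is not),
  2. BHO / toolbar / URLSearchHook entries whose target is gone ("No File"),
  3. directories created under system32 with both system and hidden set.
Assumption: Windows is installed in c:\\windows; adjust LEGIT_USERINIT otherwise.
"""
import re

# Lines excerpted from the DDS report posted above (copied, not constructed).
SAMPLE_DDS = r"""
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} -
2009-11-20 13:09:00 0 d-sh--w- c:\windows\system32\lowsec
2009-11-20 13:04:35 0 d-----w- c:\windows\system32\scripting
2009-11-11 18:01:22 0 d-sh--w- c:\documents and settings\anwar\IECompatCache
"""

LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"   # assumption: default install path

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(?P<value>.*)$", re.I)
IE_HOOK_RE = re.compile(
    r"^(?P<kind>BHO|TB|[um]URLSearchHooks):\s*(?P<desc>.*?)\s+-\s*(?P<target>.*)$", re.I)
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+)$", re.I)


def triage_dds(text):
    """Return a list of (severity, rule, detail) findings for a DDS log excerpt."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = USERINIT_RE.match(line)
        if m:
            # Userinit is a comma-separated list; Windows itself writes "userinit.exe,"
            exes = [p.strip().lower() for p in m.group("value").split(",") if p.strip()]
            for exe in exes:
                if exe != LEGIT_USERINIT:
                    findings.append(("high", "userinit-extra", exe))
            continue

        m = IE_HOOK_RE.match(line)
        if m:
            target = m.group("target").strip().lower()
            if target in ("", "no file"):
                # Orphaned registration: usually uninstall residue, but it is
                # what a helper's fix script removes, so it is worth listing.
                findings.append(("low", "orphan-ie-hook", m.group("desc").strip()))
            continue

        m = CREATED_RE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path")
            is_dir, system, hidden = attr[0] == "d", attr[2] == "s", attr[3] == "h"
            # Profile-local hidden dirs (IECompatCache etc.) are normal; under
            # system32 a fresh system+hidden directory is not.
            if is_dir and system and hidden and "\\windows\\system32\\" in path.lower():
                findings.append(("high", "hidden-system-dir", path))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage_dds(SAMPLE_DDS):
        print(f"{severity:5} {rule:18} {detail}")
```

Run against the excerpt, the script reports sdra64.exe as an extra Userinit executable, lowsec as a new system+hidden directory under system32, and three orphaned IE hooks (the "H" URLSearchHook, the unnamed BHO and the PC Tools toolbar entry); the IECompatCache directory, hidden but in the user profile, is correctly left alone.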


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:24 PM

Posted 07 December 2009 - 07:58 PM

Hello royale_sufi :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right-hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries










Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 royale_sufi

royale_sufi
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:24 PM

Posted 08 December 2009 - 05:40 PM

Thank you for the reply. The GMER rootkit scanner will not allow me to scan. Once I have unchecked all the appropriate boxes that you instructed it gives me a window with the following message:

"xw61zczu.exe has encountered a problem and needs to
close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on
might be lost.

For more information about this error, click here"

If I "Click here" I get a new similar window opening up that says:

"AppName: xw61zczu.exe AppVer: 1.0.15.15273 ModName: xw61zczu.exe
ModVer: 1.0.15.15273 Offset: 0000c4b1

To view technical information about the error report click here"

Then if I "Click here" again there is a new window with text and a lot of "0"s in the text. It is quite a long bit of text. If you want it, I will display it here for you on your request.

The first window I mentioned presents me with a close button on the bottom right hand corner and when I click it, it closes the program down. If I start the program up again and click scan again, the same message appears. If I start the program one further time it restarts my computer.

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:24 PM

Posted 08 December 2009 - 06:05 PM

Try running the following first and see if you can run GMER after doing so.


RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.


#5 royale_sufi

royale_sufi
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:24 PM

Posted 10 December 2009 - 03:38 PM

Whenever I ran any of the links given, a window with a message appeared describing that it was trying to terminate malware processes. After that window closed by itself my screen momentarily displayed only my desktop background before returning to its original state. After that I tried to run the GMER rootkit scanner. I am not entirely sure if that's what you meant for me to do.

After trying Link #1 and opening up the GMER rootkit scanner and making the relevant changes to the scan options, I clicked scan and the same error message window as before was displayed. Upon pressing close it closed down the window.

I then deleted Link #1 and tried Link #2. This time when I clicked the GMER rootkit scanner to open the program, my computer automatically restarted.

I deleted Link #2 so that I could try Link #3. This time I clicked scan on the GMER rootkit scanner and it was scanning for about 10 seconds then immediately restarted my computer.

After that, I deleted Link #3 and tried Link #4. The scan was successful and the results are shown below:

=================================

GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-10 20:33:55
Windows 5.1.2600 Service Pack 3
Running: xw61zczu.exe; Driver: C:\DOCUME~1\Anwar\LOCALS~1\Temp\ufxoypoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF7953470]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xF7953520]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xF79535C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xF7953660]

Code B4A82739 KeFindConfigurationNextEntry

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device -> \Driver\atapi \Device\Harddisk0\DR0 86F2D369

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Anwar\Local Settings\Temporary Internet Files\Content.IE5\OX9GL91A\109[3] 77 bytes
File C:\WINDOWS\Temp\3e36a930-2afb-4e82-b883-4f1474ba67d3.tmp (size mismatch) 264312/0 bytes executable
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
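Reading the GMER output above: the four SSDT hooks and the attached devices all carry a "(description/vendor)" attribution to AVG or Microsoft modules, which is exactly what an installed security suite with firewall and identity-protection drivers looks like, and is the kind of entry the earlier caution about false positives is aimed at. The entries with no owner are different in kind: a Code patch on KeFindConfigurationNextEntry, \Device\Harddisk0\DR0 under \Driver\atapi redirected to a bare address, and atapi.sys reported as a suspicious modification. A hooked disk device object together with a patched atapi.sys is the signature of the TDL3/TDSS rootkit that was circulating at the time, and a rootkit of that kind is consistent with the scanner crashing or rebooting the machine on the earlier attempts. The script below is an added example for this thread, not GMER's code and not the helper's procedure: it splits GMER result lines (copied from the log above) into expected, info and review, where "expected" means a hook owned by a vendor module known to be installed on the box. The vendor list is an assumption for this particular machine.

```python
"""Triage of GMER result lines: separate hooks owned by an identified vendor
module from entries with no owner at all.

Added example for this thread; it is not part of GMER and not the helper's
procedure. GMER prints "(description/vendor)" after a hook when it can read
the owning module's version resource; an SSDT or device hook from a known
security product is expected, while a Code patch, a device object pointed
at a bare address, or a driver flagged "suspicious modification" has no
owner to vouch for it. Assumption: the vendors in EXPECTED_VENDORS are the
products known to be installed on the machine; edit the tuple for another box.
"""
import re

# Result lines excerpted from the GMER log posted above (copied, not constructed).
SAMPLE_GMER = r"""
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF7953470]
Code B4A82739 KeFindConfigurationNextEntry
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86F2D369
File C:\Documents and Settings\Anwar\Local Settings\Temporary Internet Files\Content.IE5\OX9GL91A\109[3] 77 bytes
File C:\WINDOWS\Temp\3e36a930-2afb-4e82-b883-4f1474ba67d3.tmp (size mismatch) 264312/0 bytes executable
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# "(description/vendor)" as GMER prints it; "(size mismatch)" has no slash and does not match.
VENDOR_RE = re.compile(r"\(([^()/]*)/([^()]*)\)")
EXPECTED_VENDORS = ("avg technologies", "microsoft")   # assumption, see docstring
HOOK_KINDS = {"SSDT", "AttachedDevice"}
FILE_FLAGS = ("suspicious modification", "size mismatch")


def classify_line(line):
    """Return (verdict, kind, line) for one result line, or None for blank/header lines."""
    line = line.strip()
    if not line:
        return None
    kind = line.split(None, 1)[0]
    m = VENDOR_RE.search(line)
    vendor = m.group(2).strip().lower() if m else None

    if kind in HOOK_KINDS:
        # A hook is only as trustworthy as the module that owns it.
        verdict = "expected" if vendor and vendor.startswith(EXPECTED_VENDORS) else "review"
        return (verdict, kind, line)
    if kind == "Code":
        # Inline patch of a kernel routine with no module named as the owner.
        return ("review", kind, line)
    if kind == "Device":
        # Device object redirected; without a vendor module it points at a bare address.
        return ("expected" if vendor else "review", kind, line)
    if kind == "File":
        flagged = any(f in line.lower() for f in FILE_FLAGS)
        # Plain hidden-file reports are often cache residue; keep them as info.
        return ("review" if flagged else "info", kind, line)
    return None


def triage_gmer(text):
    """Classify every result line; returns a list of (verdict, kind, line)."""
    results = []
    for raw in text.splitlines():
        item = classify_line(raw)
        if item:
            results.append(item)
    return results


if __name__ == "__main__":
    for verdict, kind, line in triage_gmer(SAMPLE_GMER):
        print(f"{verdict:8} {kind:15} {line[:90]}")
```

On the excerpt this leaves the AVG and Microsoft hooks as expected and puts four entries up for review: the Code patch, the atapi device redirect, the zero-size .tmp executable and the modified atapi.sys. The verdict is a reading aid, not a removal list; as the helper says, nothing here should be acted on by hand.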

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:24 PM

Posted 10 December 2009 - 04:13 PM

You did right, now please perform the following:



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 royale_sufi

royale_sufi
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:24 PM

Posted 11 December 2009 - 03:22 PM

Thank you for the instructions. I have posted the log below:

==============================================

ComboFix 09-12-11.01 - Anwar 11/12/2009 19:48:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.561 [GMT 0:00]
Running from: c:\documents and settings\Anwar\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-11 11:00 . 2009-12-04 23:10 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2009-12-05 09:38 . 2009-12-05 09:38 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-05 09:38 . 2009-12-05 09:37 305944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgaspmx.dll
2009-12-05 09:38 . 2009-12-04 23:10 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-12-05 09:37 . 2009-12-05 09:37 844056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-12-05 09:37 . 2009-12-05 09:36 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-12-04 23:15 . 2009-10-16 12:13 1115392 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-12-04 23:11 . 2009-12-04 23:15 -------- d-----w- C:\$AVG
2009-12-04 23:10 . 2009-12-04 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-04 23:10 . 2009-12-04 23:10 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-04 23:10 . 2009-12-04 23:10 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-04 23:10 . 2009-12-04 23:10 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-04 23:10 . 2009-12-04 23:10 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-04 23:10 . 2009-12-11 16:32 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-04 23:10 . 2009-12-04 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-04 23:10 . 2009-12-04 23:10 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-12-04 23:10 . 2009-12-04 23:10 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-12-04 23:10 . 2009-12-04 23:10 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-12-04 23:10 . 2009-12-04 23:10 -------- d-----w- c:\program files\AVG
2009-12-04 23:09 . 2009-12-09 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-01 16:00 . 2009-12-07 21:07 79488 ----a-w- c:\documents and settings\Anwar\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-30 17:27 . 2009-05-18 14:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-30 17:27 . 2008-04-17 13:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-30 17:26 . 2009-11-30 17:26 -------- d-----w- c:\program files\iPod
2009-11-30 17:26 . 2009-11-30 17:27 -------- d-----w- c:\program files\iTunes
2009-11-30 17:25 . 2009-11-30 17:25 -------- d-----w- c:\program files\Bonjour
2009-11-30 17:23 . 2009-11-30 17:23 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-30 17:21 . 2009-11-30 17:21 -------- d-----w- c:\program files\QuickTime
2009-11-30 17:18 . 2009-11-30 17:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-28 09:21 . 2009-11-28 09:21 -------- d-----w- c:\program files\Conduit
2009-11-28 09:21 . 2009-11-28 09:21 -------- d-----w- c:\documents and settings\Anwar\Local Settings\Application Data\Conduit
2009-11-28 09:21 . 2009-11-28 09:21 -------- d-----w- c:\program files\IObitCom
2009-11-28 09:21 . 2009-11-28 09:21 -------- d-----w- c:\documents and settings\Anwar\Application Data\IObit
2009-11-27 23:38 . 2009-11-10 10:26 767952 ----a-w- c:\windows\BDTSupport(2).dll
2009-11-27 23:38 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
2009-11-27 23:38 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
2009-11-27 23:35 . 2009-11-28 09:20 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-27 23:35 . 2009-11-28 09:21 -------- d-----w- c:\program files\Spyware Doctor
2009-11-27 22:43 . 2009-11-27 22:43 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-11-27 22:28 . 2009-11-27 22:28 -------- d-----w- c:\program files\IObit
2009-11-27 22:28 . 2009-11-04 16:49 635664 ----a-w- c:\documents and settings\Anwar\Application Data\IObit\Common\TB_Helper.exe
2009-11-20 13:04 . 2009-11-20 13:04 -------- d-----w- c:\windows\system32\scripting
2009-11-20 13:04 . 2009-11-20 13:04 -------- d-----w- c:\windows\system32\en
2009-11-20 13:04 . 2009-11-20 13:04 -------- d-----w- c:\windows\system32\bits
2009-11-18 18:57 . 2009-11-18 18:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-16 21:51 . 2009-11-16 21:51 -------- d-----w- c:\program files\Lavasoft
2009-11-16 21:28 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-11-16 21:25 . 2009-11-16 21:25 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-16 21:23 . 2009-11-16 21:23 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-11-16 17:18 . 2009-11-16 17:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-11 19:45 . 2004-08-04 01:07 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-06 20:48 . 2009-09-03 16:04 39 ----a-w- c:\documents and settings\Anwar\jagex_runescape_preferences.dat
2009-12-06 20:36 . 2009-09-03 16:04 69 ----a-w- c:\documents and settings\Anwar\jagex_runescape_preferences2.dat
2009-12-06 19:40 . 2009-08-30 23:20 66496 ----a-w- c:\documents and settings\Anwar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-04 22:59 . 2009-08-31 12:57 936992 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-04 22:59 . 2009-08-31 12:57 905120 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-04 22:59 . 2009-08-31 12:57 89936 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-04 22:59 . 2009-08-31 12:57 67424032 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-04 22:59 . 2009-08-31 12:52 -------- d-----w- c:\program files\InstallShield Installation Information
2009-12-04 22:59 . 2009-09-01 14:15 -------- d-----w- c:\documents and settings\Guest\Application Data\Virgin Broadband
2009-12-04 22:59 . 2009-08-31 12:22 -------- d-----w- c:\documents and settings\Anwar\Application Data\Virgin Broadband
2009-12-04 22:59 . 2009-08-31 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-12-04 22:58 . 2009-08-31 12:51 -------- d-----w- c:\program files\Virgin Broadband
2009-11-30 17:26 . 2009-11-11 18:07 -------- d-----w- c:\program files\Common Files\Apple
2009-11-30 17:21 . 2009-11-11 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-27 16:24 . 2009-09-01 21:45 -------- d-----w- c:\documents and settings\Anwar\Application Data\LimeWire
2009-11-20 13:12 . 2009-08-30 21:22 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-11 18:15 . 2009-11-11 18:13 -------- d-----w- c:\documents and settings\Anwar\Application Data\Apple Computer
2009-11-11 18:13 . 2009-11-11 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-11 18:09 . 2009-11-11 18:09 -------- d-----w- c:\program files\Apple Software Update
2009-11-11 18:07 . 2009-11-11 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-10 14:07 . 2009-11-10 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\8907825
2009-10-29 11:35 . 2009-09-02 14:24 38 ----a-w- c:\documents and settings\Guest\jagex_runescape_preferences.dat
2009-10-29 11:34 . 2009-09-02 14:25 63 ----a-w- c:\documents and settings\Guest\jagex_runescape_preferences2.dat
2009-10-29 07:45 . 2004-08-04 01:07 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 01:07 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 01:07 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 01:07 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 01:07 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 01:07 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 01:07 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-16 21:41 . 2009-09-01 14:17 21616 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

[-] 2009-12-11 19:45 . 1515855F67B8FD9044FEA8BC6D45012A . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:13 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-31 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-01 136600]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-11 2033432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-04 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [04/12/2009 23:10 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [04/12/2009 23:10 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/12/2009 23:10 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/12/2009 23:10 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [04/12/2009 23:10 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [04/12/2009 23:10 2303680]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [04/12/2009 23:10 5832712]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [04/12/2009 23:10 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [04/12/2009 23:10 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [04/12/2009 23:10 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [04/12/2009 23:10 25736]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [04/12/2009 23:10 30104]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 20:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F3A369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75e6f28
\Driver\ACPI -> ACPI.sys @ 0xf7459cb8
\Driver\atapi -> atapi.sys @ 0xf73eb852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1032)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4036)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Virgin Broadband Wireless\ndis_events.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2009-12-11 20:16:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-11 20:16

Pre-Run: 48,461,438,976 bytes free
Post-Run: 52,251,230,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5DAD744A8B3BEF19821C5714CD61EF38

#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:24 PM

Posted 11 December 2009 - 04:25 PM

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper
Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 royale_sufi

  • Topic Starter
  • Members
  • 13 posts
  • Local time:09:24 PM

Posted 11 December 2009 - 05:40 PM

I have included the report below:

===================================================

C:\Documents and Settings\Anwar\Local Settings\Temporary Internet Files\Content.IE5\KKTRL0AH\oHa2adb2c8V0100f080006Rdbccc971102Te98f1d26201l0809K2afee4d9317[1].pdf JS/Exploit.Pdfka.ASD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.RF virus deleted - quarantined

#10 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:24 PM

Posted 11 December 2009 - 07:47 PM

Your Java is a few editions out of date. Let's get it updated because that can be a source of malware exploitation. When you have completed the following let me know how your computer is running.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

#11 royale_sufi

  • Topic Starter
  • Members
  • 13 posts
  • Local time:09:24 PM

Posted 12 December 2009 - 03:53 AM

Thank you. You seem to have fixed a lot of problems that my computer had, some of which I wasn't even aware of.

The overall speed of my computer has increased. You have more than halved the time it takes for my computer to start up - that included decreasing the time it takes for my desktop to be displayed after I have entered the password for my computer. The webpages I surf onto seem to load a lot quicker. The time it takes for my homepage to be displayed when I click the Internet Explorer icon to start it up has decreased.

You have fixed the problem of "internet explorer opening up by itself" (fixed a few days ago), which is the main reason I've asked for your help, so thank you thank you thank you! And also I haven't heard any unexpected audio play in the background for a few days now, so I assume that is fixed as well.

The only thing that seems not to be fixed is the "google search links redirect me to random webpages".

#12 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:24 PM

Posted 12 December 2009 - 11:34 AM

Well that sounds better, but it seems we still have a problem. Please run GMER for me again just like you did the first time and post the log it produces.

#13 royale_sufi

  • Topic Starter
  • Members
  • 13 posts
  • Local time:09:24 PM

Posted 12 December 2009 - 12:34 PM

Link #4 no longer works. It displayed that original message I had got which closes down the program when I click "close", so I tried Link #1 again after deleting Link #4. It worked and the log is shown below:

===========================================

GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-12 17:32:35
Windows 5.1.2600 Service Pack 3
Running: xw61zczu.exe; Driver: C:\DOCUME~1\Anwar\LOCALS~1\Temp\ufxoypoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xEFD28470]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xEFD28520]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xEFD285C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xEFD28660]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat AF7D0D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device -> \Driver\atapi \Device\Harddisk0\DR0 86F30369

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Anwar\Local Settings\Temporary Internet Files\Content.IE5\KKTRL0AH\109[1] 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by royale_sufi, 12 December 2009 - 12:35 PM.


#14 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:24 PM

Posted 12 December 2009 - 12:40 PM

Thanks for telling me about the bad link.

Run this next and let's see if it helps:


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

#15 royale_sufi

  • Topic Starter
  • Members
  • 13 posts
  • Local time:09:24 PM

Posted 12 December 2009 - 01:08 PM

The contents of the file are posted below:

=============================================


Host Name: ANWARS-COMPUTER
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Anwar Sufi
Registered Organization:
Product ID: 55274-OEM-2256643-58403
Original Install Date: 30/08/2009, 22:25:23
System Up Time: 0 Days, 1 Hours, 19 Minutes, 30 Seconds
System Manufacturer: Dell Inc.
System Model: Dell DM051
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 4 Stepping 3 GenuineIntel ~2992 Mhz
BIOS Version: DELL - 7
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 1,022 MB
Available Physical Memory: 546 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,002 MB
Virtual Memory: In Use: 46 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\ANWARS-COMPUTER
Hotfix(s): 141 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: Q147222
[67]: KB929399
[68]: KB952069_WM9
[69]: KB954155_WM9
[70]: KB968816_WM9
[71]: KB973540_WM9L
[72]: KB939683
[73]: KB954154_WM11
[74]: KB941569
[75]: KB971961-IE8 - Update
[76]: KB972260-IE8 - Update
[77]: KB973874-IE8 - Update
[78]: KB974455-IE8 - Update
[79]: KB976325-IE8 - Update
[80]: KB976749-IE8 - Update
[81]: MSCompPackV1 - Update
[82]: KB936929 - Service Pack
[83]: KB923561 - Update
[84]: KB938464-v2 - Update
[85]: KB946648 - Update
[86]: KB950762 - Update
[87]: KB950974 - Update
[88]: KB951066 - Update
[89]: KB951376-v2 - Update
[90]: KB951748 - Update
[91]: KB951978 - Update
[92]: KB952004 - Update
[93]: KB952287 - Update
[94]: KB952954 - Update
[95]: KB954600 - Update
[96]: KB955069 - Update
[97]: KB956572 - Update
[98]: KB956744 - Update
[99]: KB956802 - Update
[100]: KB956803 - Update
[101]: KB956844 - Update
[102]: KB957097 - Update
[103]: KB958644 - Update
[104]: KB958687 - Update
[105]: KB958869 - Update
[106]: KB959426 - Update
[107]: KB960225 - Update
[108]: KB960803 - Update
[109]: KB960859 - Update
[110]: KB961371-v2 - Update
[111]: KB961501 - Update
[112]: KB961503 - Update
[113]: KB967715 - Update
[114]: KB968389 - Update
[115]: KB968537 - Update
[116]: KB969059 - Update
[117]: KB969947 - Update
[118]: KB970238 - Update
[119]: KB970430 - Update
[120]: KB970653-v3 - Update
[121]: KB971486 - Update
[122]: KB971557 - Update
[123]: KB971633 - Update
[124]: KB971657 - Update
[125]: KB971737 - Update
[126]: KB973346 - Update
[127]: KB973354 - Update
[128]: KB973507 - Update
[129]: KB973525 - Update
[130]: KB973687 - Update
[131]: KB973815 - Update
[132]: KB973869 - Update
[133]: KB973904 - Update
[134]: KB974112 - Update
[135]: KB974318 - Update
[136]: KB974392 - Update
[137]: KB974571 - Update
[138]: KB975025 - Update
[139]: KB975467 - Update
[140]: KB976098-v2 - Update
[141]: KB835221WXP - Update
NetWork Card(s): 2 NIC(s) Installed.
[01]: 1394 Net Adapter
Connection Name: 1394 Connection
DHCP Enabled: Yes
DHCP Server: N/A
IP address(es)
[02]: Intel® PRO/100 VE Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.3
18:2:40:843 600 ForceUnloadDriver: NtUnloadDriver error 2
18:2:40:843 600 ForceUnloadDriver: NtUnloadDriver error 2
18:2:40:843 600 ForceUnloadDriver: NtUnloadDriver error 2
18:2:40:843 600 main: Driver KLMD successfully dropped
18:2:41:0 600 main: Driver KLMD successfully loaded
18:2:41:0 600
Scanning Registry ...
18:2:41:15 600 ScanServices: Searching service UACd.sys
18:2:41:15 600 ScanServices: Open/Create key error 2
18:2:41:15 600 ScanServices: Searching service TDSSserv.sys
18:2:41:15 600 ScanServices: Open/Create key error 2
18:2:41:15 600 ScanServices: Searching service gaopdxserv.sys
18:2:41:15 600 ScanServices: Open/Create key error 2
18:2:41:15 600 ScanServices: Searching service gxvxcserv.sys
18:2:41:15 600 ScanServices: Open/Create key error 2
18:2:41:15 600 ScanServices: Searching service MSIVXserv.sys
18:2:41:15 600 ScanServices: Open/Create key error 2
18:2:41:15 600 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
18:2:41:15 600 UnhookRegistry: Kernel local addr: E40000
18:2:41:31 600 UnhookRegistry: KeServiceDescriptorTable addr: EC5700
18:2:41:109 600 UnhookRegistry: KiServiceTable addr: E6D460
18:2:41:109 600 UnhookRegistry: NtEnumerateKey service number (local): 47
18:2:41:109 600 UnhookRegistry: NtEnumerateKey local addr: F8CFF2
18:2:41:125 600 KLMD_OpenDevice: Trying to open KLMD device
18:2:41:125 600 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
18:2:41:125 600 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
18:2:41:125 600 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
18:2:41:125 600 UnhookRegistry: NtEnumerateKey service number (kernel): 47
18:2:41:125 600 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
18:2:41:125 600 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
18:2:41:125 600 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
18:2:41:125 600 UnhookRegistry: No SDT hooks found on NtEnumerateKey
18:2:41:125 600 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
18:2:41:125 600 UnhookRegistry: No splicing found on NtEnumerateKey
18:2:41:125 600
Scanning Kernel memory ...
18:2:41:125 600 KLMD_OpenDevice: Trying to open KLMD device
18:2:41:125 600 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
18:2:41:125 600 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
18:2:41:125 600 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86F85A08
18:2:41:125 600 DetectCureTDL3: KLMD_GetDeviceObjectList returned 11 DevObjects
18:2:41:125 600 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86740B18
18:2:41:125 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86740B18
18:2:41:125 600 KLMD_ReadMem: Trying to ReadMemory 0x86740B18[0x38]
18:2:41:125 600 DetectCureTDL3: DRIVER_OBJECT addr: 86F85A08
18:2:41:125 600 KLMD_ReadMem: Trying to ReadMemory 0x86F85A08[0xA8]
18:2:41:125 600 KLMD_ReadMem: Trying to ReadMemory 0xE16F7648[0x208]
18:2:41:125 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:2:41:125 600 DetectCureTDL3: IrpHandler (0) addr: F75B8BB0
18:2:41:125 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:125 600 DetectCureTDL3: IrpHandler (2) addr: F75B8BB0
18:2:41:125 600 DetectCureTDL3: IrpHandler (3) addr: F75B2D1F
18:2:41:125 600 DetectCureTDL3: IrpHandler (4) addr: F75B2D1F
18:2:41:125 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:125 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:125 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:125 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:125 600 DetectCureTDL3: IrpHandler (9) addr: F75B32E2
18:2:41:125 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:125 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:125 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:125 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:125 600 DetectCureTDL3: IrpHandler (14) addr: F75B33BB
18:2:41:140 600 DetectCureTDL3: IrpHandler (15) addr: F75B6F28
18:2:41:140 600 DetectCureTDL3: IrpHandler (16) addr: F75B32E2
18:2:41:140 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (22) addr: F75B4C82
18:2:41:140 600 DetectCureTDL3: IrpHandler (23) addr: F75B999E
18:2:41:140 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:140 600 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:2:41:140 600 KLMD_ReadMem: DeviceIoControl error 1
18:2:41:140 600 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:2:41:140 600 TDL3_FileDetect: Processing driver: Disk
18:2:41:140 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:2:41:140 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:2:41:140 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:2:41:140 600 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86741030
18:2:41:140 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86741030
18:2:41:140 600 KLMD_ReadMem: Trying to ReadMemory 0x86741030[0x38]
18:2:41:140 600 DetectCureTDL3: DRIVER_OBJECT addr: 86F85A08
18:2:41:140 600 KLMD_ReadMem: Trying to ReadMemory 0x86F85A08[0xA8]
18:2:41:140 600 KLMD_ReadMem: Trying to ReadMemory 0xE16F7648[0x208]
18:2:41:140 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:2:41:140 600 DetectCureTDL3: IrpHandler (0) addr: F75B8BB0
18:2:41:140 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (2) addr: F75B8BB0
18:2:41:140 600 DetectCureTDL3: IrpHandler (3) addr: F75B2D1F
18:2:41:140 600 DetectCureTDL3: IrpHandler (4) addr: F75B2D1F
18:2:41:140 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (9) addr: F75B32E2
18:2:41:140 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (14) addr: F75B33BB
18:2:41:140 600 DetectCureTDL3: IrpHandler (15) addr: F75B6F28
18:2:41:140 600 DetectCureTDL3: IrpHandler (16) addr: F75B32E2
18:2:41:140 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (22) addr: F75B4C82
18:2:41:140 600 DetectCureTDL3: IrpHandler (23) addr: F75B999E
18:2:41:140 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:140 600 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:2:41:140 600 KLMD_ReadMem: DeviceIoControl error 1
18:2:41:140 600 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:2:41:140 600 TDL3_FileDetect: Processing driver: Disk
18:2:41:140 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:2:41:140 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:2:41:140 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:2:41:140 600 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 867482C8
18:2:41:140 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867482C8
18:2:41:140 600 KLMD_ReadMem: Trying to ReadMemory 0x867482C8[0x38]
18:2:41:140 600 DetectCureTDL3: DRIVER_OBJECT addr: 86F85A08
18:2:41:140 600 KLMD_ReadMem: Trying to ReadMemory 0x86F85A08[0xA8]
18:2:41:140 600 KLMD_ReadMem: Trying to ReadMemory 0xE16F7648[0x208]
18:2:41:140 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:2:41:140 600 DetectCureTDL3: IrpHandler (0) addr: F75B8BB0
18:2:41:140 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (2) addr: F75B8BB0
18:2:41:140 600 DetectCureTDL3: IrpHandler (3) addr: F75B2D1F
18:2:41:140 600 DetectCureTDL3: IrpHandler (4) addr: F75B2D1F
18:2:41:140 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (9) addr: F75B32E2
18:2:41:140 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (14) addr: F75B33BB
18:2:41:140 600 DetectCureTDL3: IrpHandler (15) addr: F75B6F28
18:2:41:140 600 DetectCureTDL3: IrpHandler (16) addr: F75B32E2
18:2:41:140 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (22) addr: F75B4C82
18:2:41:140 600 DetectCureTDL3: IrpHandler (23) addr: F75B999E
18:2:41:140 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:140 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:140 600 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:2:41:140 600 KLMD_ReadMem: DeviceIoControl error 1
18:2:41:140 600 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:2:41:156 600 TDL3_FileDetect: Processing driver: Disk
18:2:41:156 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:2:41:156 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:2:41:156 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:2:41:156 600 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86747B60
18:2:41:156 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86747B60
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0x86747B60[0x38]
18:2:41:156 600 DetectCureTDL3: DRIVER_OBJECT addr: 86F85A08
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0x86F85A08[0xA8]
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0xE16F7648[0x208]
18:2:41:156 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:2:41:156 600 DetectCureTDL3: IrpHandler (0) addr: F75B8BB0
18:2:41:156 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (2) addr: F75B8BB0
18:2:41:156 600 DetectCureTDL3: IrpHandler (3) addr: F75B2D1F
18:2:41:156 600 DetectCureTDL3: IrpHandler (4) addr: F75B2D1F
18:2:41:156 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (9) addr: F75B32E2
18:2:41:156 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (14) addr: F75B33BB
18:2:41:156 600 DetectCureTDL3: IrpHandler (15) addr: F75B6F28
18:2:41:156 600 DetectCureTDL3: IrpHandler (16) addr: F75B32E2
18:2:41:156 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (22) addr: F75B4C82
18:2:41:156 600 DetectCureTDL3: IrpHandler (23) addr: F75B999E
18:2:41:156 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:2:41:156 600 KLMD_ReadMem: DeviceIoControl error 1
18:2:41:156 600 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:2:41:156 600 TDL3_FileDetect: Processing driver: Disk
18:2:41:156 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:2:41:156 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:2:41:156 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:2:41:156 600 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 867456E0
18:2:41:156 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867456E0
18:2:41:156 600 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 86748690
18:2:41:156 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86748690
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0x86748690[0x38]
18:2:41:156 600 DetectCureTDL3: DRIVER_OBJECT addr: 8682D2C0
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0x8682D2C0[0xA8]
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0xE1CECF20[0x208]
18:2:41:156 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
18:2:41:156 600 DetectCureTDL3: IrpHandler (0) addr: F228F218
18:2:41:156 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (2) addr: F228F218
18:2:41:156 600 DetectCureTDL3: IrpHandler (3) addr: F228F23C
18:2:41:156 600 DetectCureTDL3: IrpHandler (4) addr: F228F23C
18:2:41:156 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (9) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (14) addr: F228F180
18:2:41:156 600 DetectCureTDL3: IrpHandler (15) addr: F228A9E6
18:2:41:156 600 DetectCureTDL3: IrpHandler (16) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (22) addr: F228E5F0
18:2:41:156 600 DetectCureTDL3: IrpHandler (23) addr: F228CA6E
18:2:41:156 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:156 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0xF228BF26[0x400]
18:2:41:156 600 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
18:2:41:156 600 TDL3_FileDetect: Processing driver: usbstor
18:2:41:156 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys
18:2:41:156 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
18:2:41:156 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
18:2:41:156 600 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 86745030
18:2:41:156 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86745030
18:2:41:156 600 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 8677BEA0
18:2:41:156 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8677BEA0
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0x8677BEA0[0x38]
18:2:41:156 600 DetectCureTDL3: DRIVER_OBJECT addr: 8682D2C0
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0x8682D2C0[0xA8]
18:2:41:156 600 KLMD_ReadMem: Trying to ReadMemory 0xE1CECF20[0x208]
18:2:41:156 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
18:2:41:156 600 DetectCureTDL3: IrpHandler (0) addr: F228F218
18:2:41:156 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (2) addr: F228F218
18:2:41:171 600 DetectCureTDL3: IrpHandler (3) addr: F228F23C
18:2:41:171 600 DetectCureTDL3: IrpHandler (4) addr: F228F23C
18:2:41:171 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (9) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (14) addr: F228F180
18:2:41:171 600 DetectCureTDL3: IrpHandler (15) addr: F228A9E6
18:2:41:171 600 DetectCureTDL3: IrpHandler (16) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (22) addr: F228E5F0
18:2:41:171 600 DetectCureTDL3: IrpHandler (23) addr: F228CA6E
18:2:41:171 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0xF228BF26[0x400]
18:2:41:171 600 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
18:2:41:171 600 TDL3_FileDetect: Processing driver: usbstor
18:2:41:171 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys
18:2:41:171 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
18:2:41:171 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
18:2:41:171 600 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 867CE030
18:2:41:171 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867CE030
18:2:41:171 600 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 867BC030
18:2:41:171 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867BC030
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0x867BC030[0x38]
18:2:41:171 600 DetectCureTDL3: DRIVER_OBJECT addr: 8682D2C0
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0x8682D2C0[0xA8]
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0xE1CECF20[0x208]
18:2:41:171 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
18:2:41:171 600 DetectCureTDL3: IrpHandler (0) addr: F228F218
18:2:41:171 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (2) addr: F228F218
18:2:41:171 600 DetectCureTDL3: IrpHandler (3) addr: F228F23C
18:2:41:171 600 DetectCureTDL3: IrpHandler (4) addr: F228F23C
18:2:41:171 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (9) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (14) addr: F228F180
18:2:41:171 600 DetectCureTDL3: IrpHandler (15) addr: F228A9E6
18:2:41:171 600 DetectCureTDL3: IrpHandler (16) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (22) addr: F228E5F0
18:2:41:171 600 DetectCureTDL3: IrpHandler (23) addr: F228CA6E
18:2:41:171 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0xF228BF26[0x400]
18:2:41:171 600 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
18:2:41:171 600 TDL3_FileDetect: Processing driver: usbstor
18:2:41:171 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys
18:2:41:171 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
18:2:41:171 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
18:2:41:171 600 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 86748920
18:2:41:171 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86748920
18:2:41:171 600 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 867D48C0
18:2:41:171 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867D48C0
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0x867D48C0[0x38]
18:2:41:171 600 DetectCureTDL3: DRIVER_OBJECT addr: 8682D2C0
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0x8682D2C0[0xA8]
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0xE1CECF20[0x208]
18:2:41:171 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
18:2:41:171 600 DetectCureTDL3: IrpHandler (0) addr: F228F218
18:2:41:171 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (2) addr: F228F218
18:2:41:171 600 DetectCureTDL3: IrpHandler (3) addr: F228F23C
18:2:41:171 600 DetectCureTDL3: IrpHandler (4) addr: F228F23C
18:2:41:171 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (9) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (14) addr: F228F180
18:2:41:171 600 DetectCureTDL3: IrpHandler (15) addr: F228A9E6
18:2:41:171 600 DetectCureTDL3: IrpHandler (16) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (22) addr: F228E5F0
18:2:41:171 600 DetectCureTDL3: IrpHandler (23) addr: F228CA6E
18:2:41:171 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0xF228BF26[0x400]
18:2:41:171 600 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
18:2:41:171 600 TDL3_FileDetect: Processing driver: usbstor
18:2:41:171 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys
18:2:41:171 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
18:2:41:171 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
18:2:41:171 600 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 86FD0C68
18:2:41:171 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FD0C68
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0x86FD0C68[0x38]
18:2:41:171 600 DetectCureTDL3: DRIVER_OBJECT addr: 86F85A08
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0x86F85A08[0xA8]
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0xE16F7648[0x208]
18:2:41:171 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:2:41:171 600 DetectCureTDL3: IrpHandler (0) addr: F75B8BB0
18:2:41:171 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (2) addr: F75B8BB0
18:2:41:171 600 DetectCureTDL3: IrpHandler (3) addr: F75B2D1F
18:2:41:171 600 DetectCureTDL3: IrpHandler (4) addr: F75B2D1F
18:2:41:171 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (9) addr: F75B32E2
18:2:41:171 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (14) addr: F75B33BB
18:2:41:171 600 DetectCureTDL3: IrpHandler (15) addr: F75B6F28
18:2:41:171 600 DetectCureTDL3: IrpHandler (16) addr: F75B32E2
18:2:41:171 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (22) addr: F75B4C82
18:2:41:171 600 DetectCureTDL3: IrpHandler (23) addr: F75B999E
18:2:41:171 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:171 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:171 600 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:2:41:171 600 KLMD_ReadMem: DeviceIoControl error 1
18:2:41:171 600 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:2:41:171 600 TDL3_FileDetect: Processing driver: Disk
18:2:41:171 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:2:41:171 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:2:41:171 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:2:41:187 600 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 86F819F0
18:2:41:187 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F819F0
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0x86F819F0[0x38]
18:2:41:187 600 DetectCureTDL3: DRIVER_OBJECT addr: 86F85A08
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0x86F85A08[0xA8]
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0xE16F7648[0x208]
18:2:41:187 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:2:41:187 600 DetectCureTDL3: IrpHandler (0) addr: F75B8BB0
18:2:41:187 600 DetectCureTDL3: IrpHandler (1) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (2) addr: F75B8BB0
18:2:41:187 600 DetectCureTDL3: IrpHandler (3) addr: F75B2D1F
18:2:41:187 600 DetectCureTDL3: IrpHandler (4) addr: F75B2D1F
18:2:41:187 600 DetectCureTDL3: IrpHandler (5) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (6) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (7) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (8) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (9) addr: F75B32E2
18:2:41:187 600 DetectCureTDL3: IrpHandler (10) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (11) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (12) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (13) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (14) addr: F75B33BB
18:2:41:187 600 DetectCureTDL3: IrpHandler (15) addr: F75B6F28
18:2:41:187 600 DetectCureTDL3: IrpHandler (16) addr: F75B32E2
18:2:41:187 600 DetectCureTDL3: IrpHandler (17) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (18) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (19) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (20) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (21) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (22) addr: F75B4C82
18:2:41:187 600 DetectCureTDL3: IrpHandler (23) addr: F75B999E
18:2:41:187 600 DetectCureTDL3: IrpHandler (24) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (25) addr: 804F4562
18:2:41:187 600 DetectCureTDL3: IrpHandler (26) addr: 804F4562
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:2:41:187 600 KLMD_ReadMem: DeviceIoControl error 1
18:2:41:187 600 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:2:41:187 600 TDL3_FileDetect: Processing driver: Disk
18:2:41:187 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
18:2:41:187 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
18:2:41:187 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
18:2:41:187 600 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 86F83AB8
18:2:41:187 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F83AB8
18:2:41:187 600 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 86F85D98
18:2:41:187 600 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F85D98
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0x86F85D98[0x38]
18:2:41:187 600 DetectCureTDL3: DRIVER_OBJECT addr: 86F6F810
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0x86F6F810[0xA8]
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0x86F73B00[0x38]
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0x86FD5B30[0xA8]
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0xE10132E8[0x208]
18:2:41:187 600 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
18:2:41:187 600 DetectCureTDL3: IrpHandler (0) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (1) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (2) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (3) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (4) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (5) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (6) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (7) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (8) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (9) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (10) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (11) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (12) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (13) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (14) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (15) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (16) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (17) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (18) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (19) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (20) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (21) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (22) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (23) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (24) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (25) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: IrpHandler (26) addr: 86F30369
18:2:41:187 600 DetectCureTDL3: All IRP handlers pointed to one addr: 86F30369
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0x86F30369[0x400]
18:2:41:187 600 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
18:2:41:187 600 Driver "atapi" Irp handler infected by TDSS rootkit ... 18:2:41:187 600 KLMD_WriteMem: Trying to WriteMemory 0x86F303CE[0xD]
18:2:41:187 600 cured
18:2:41:187 600 KLMD_ReadMem: Trying to ReadMemory 0xF73BC864[0x400]
18:2:41:187 600 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
18:2:41:187 600 TDL3_FileDetect: Processing driver: atapi
18:2:41:187 600 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
18:2:41:187 600 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
18:2:41:187 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
18:2:41:218 600 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 18:2:41:218 600 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
18:2:41:218 600 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
18:2:41:218 600 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_atapi.sys
18:2:41:359 600 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
18:2:41:359 600 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_atapi.sys, C:\WINDOWS\system32\drivers\atapi.sys) success
18:2:41:359 600 will be cured on next reboot
18:2:41:375 600
Completed

Results:
18:2:41:375 600 Infected objects in memory: 1
18:2:41:375 600 Cured objects in memory: 1
18:2:41:375 600 Infected objects on disk: 1
18:2:41:375 600 Objects on disk cured on reboot: 1
18:2:41:375 600 Objects on disk deleted on reboot: 0
18:2:41:375 600 Registry nodes deleted on reboot: 0
18:2:41:375 600



