Browser Hijacked - Need Help Please


  • This topic is locked
10 replies to this topic

#1 DDubs151

DDubs151

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:08 PM

Posted 06 December 2009 - 07:32 PM

Hi,

I am running Windows XP and recently I have had an issue where multiple new windows pop up when I open IE or perform a Yahoo search. Most of the time, a new window is opened to the following link: hxxp://auto.search.msn.com/response.asp?MT=%C5%BE%C2%A4i%C3%86%C3%A9%E2%80%A6&srch=3&prov=gogl&utf8

But also when I perform a search in Yahoo and click on a link, I am redirected to a totally different site rather than the one I originally searched. I have listed below my HJT log. I would really appreciate anyone's help to decipher and fix.

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:56 PM, on 12/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [agent.exe] C:\Documents and Settings\Dan\Application Data\PC\agent.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10029 bytes

Edited by Orange Blossom, 06 December 2009 - 08:13 PM.
Deactivate link. ~ OB
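Added example, not part of the original post or of HijackThis itself: a small Python triage pass over HijackThis entries of the kind shown in the log above. It flags O4 autostart entries that load from user-writable profile directories or that name a bare filename resolved through the PATH search order, O20 AppInit_DLLs entries (which load into every process that uses user32, so the publisher should always be confirmed), and R0/R1 start/search pages whose host is outside a list the owner expects. The expected-host list, the directory patterns and the regexes are assumptions drawn from the log layout, not HijackThis's own rules.

```python
import re
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import urlsplit

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [agent.exe] C:\Documents and Settings\Dan\Application Data\PC\agent.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
"""

# Hosts the owner expects as start/search pages (assumption taken from the
# thread: the Dell OEM Google page, Yahoo and Dell). Anything else is flagged.
EXPECTED_HOSTS = {"www.google.com", "www.yahoo.com", "www.dell.com"}

# Directories a normal user account can write to (assumed list). An autostart
# entry that loads from here deserves a closer look than one in Program Files.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(application data|local settings)\\"
    r"|\\temp\\|\\recycler\\|\\windows\\tasks\\",
    re.IGNORECASE,
)
# First absolute Windows path ending in .exe/.dll/.sys on a line (quotes excluded).
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. "O4"
    item: str      # the path, entry name or value the finding is about
    reason: str


def _host_of(value: str) -> str:
    """Host part of an IE start/search URL, which the log may show without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def triage_hjt(log_text: str, expected_hosts: Set[str] = EXPECTED_HOSTS) -> List[Finding]:
    """Walk a HijackThis log and return the entries a first-pass review should look at."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        m = R_LINE.match(line)
        if m:
            host = _host_of(m.group(4))
            if host and host not in expected_hosts:
                findings.append(Finding(section, m.group(3),
                                        f"browser page points at unexpected host {host}"))
            continue
        path_match = WIN_PATH.search(line)
        path = path_match.group(0) if path_match else None
        if section == "O20" and "AppInit_DLLs" in line:
            findings.append(Finding(section, path or line,
                                    "AppInit_DLLs entry: loaded into every user32 process; confirm the publisher"))
        if section == "O4":
            m4 = O4_LINE.match(line)
            item = m4.group(2) if m4 else line
            if path is None:
                findings.append(Finding(section, item,
                                        "autostart without an absolute path: resolved through the PATH search order"))
        if path is not None and USER_WRITABLE.search(path):
            findings.append(Finding(section, path, "loads from a user-writable directory"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.reason}: {f.item}")
```

A flagged line is a review prompt, not a verdict: the RTHDCPL entry above is a legitimate Realtek component that simply lacks a path, while the agent.exe entry under a user profile is the one that warrants identification.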



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:08 PM

Posted 07 December 2009 - 08:31 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 DDubs151

DDubs151
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:08 PM

Posted 07 December 2009 - 01:28 PM

Hi Buckeye ... thanks for taking the time to help. And congrats to your Buckeyes for making the Rose Bowl. I was there to support Illinois two years ago. Hopefully the Bucks will fare much better against the Ducks.

I wanted to let you know that I ran Malwarebytes Anti-Malware last night and removed some files. As a result (I think), I am no longer getting the auto.search.msn.com pop-up windows. However, I am still being redirected (on a totally random basis) to random pages when I click on various search results from Yahoo. Sometimes I click on a link that takes me to the correct search page, other times I am redirected to an entirely different page. FYI - I have Prevx 3.0 and McAfee as my virus and malware protection.

I have attached the OTL log as well as the Extras log.

I will send the scan results shortly.

Thanks!


OTL logfile created on: 12/7/2009 8:02:46 AM - Run 1
OTL by OldTimer - Version 3.1.11.8 Folder = C:\Documents and Settings\Dan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.70 Gb Total Space | 443.84 Gb Free Space | 95.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 232.83 Gb Total Space | 141.11 Gb Free Space | 60.61% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOMEOFFICE
Current User Name: Dan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/07 07:56:11 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\OTL.exe
PRC - [2009/12/03 17:56:47 | 06,221,824 | ---- | M] (Prevx) -- C:\Program Files\Prevx\prevx.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/01/28 23:11:22 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/01/06 13:06:36 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/01/06 13:06:24 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/12/09 00:03:44 | 00,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/10/04 13:58:04 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/10/04 13:58:02 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/10/03 10:19:00 | 01,742,064 | ---- | M] () -- C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
PRC - [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/06/10 04:27:03 | 00,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
PRC - [2008/04/13 18:12:22 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/07/16 19:48:52 | 16,132,608 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2007/07/16 19:45:24 | 00,252,696 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2007/07/16 19:45:14 | 00,138,008 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2007/07/16 19:45:12 | 00,162,584 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2006/11/03 18:02:14 | 00,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2003/05/22 22:38:26 | 00,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
PRC - [2003/03/13 20:38:12 | 00,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe
PRC - [2003/02/08 16:54:48 | 00,073,806 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
PRC - [2003/02/08 16:42:38 | 00,086,102 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
PRC - [2003/02/06 14:37:52 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2003/02/06 02:26:18 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE


========== Modules (SafeList) ==========

MOD - [2009/12/07 07:56:11 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/12/03 17:56:47 | 06,221,824 | ---- | M] (Prevx) -- C:\Program Files\Prevx\prevx.exe -- (CSIScanner)
SRV - [2009/11/02 14:14:39 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 19:22:22 | 00,068,112 | ---- | M] (McAfee) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/01/28 23:11:22 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/01/06 13:06:24 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/12/18 04:25:12 | 29,181,272 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/12/09 00:08:43 | 00,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2008/12/09 00:03:44 | 00,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-092308-165331)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/04 13:58:04 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2008/03/24 07:35:22 | 00,074,384 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2008/01/23 12:32:16 | 00,162,872 | ---- | M] (Prevx) -- C:\Program Files\Prevx2\PXAgent.exe -- (PREVXAgent)
SRV - [2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/02/10 05:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/10/14 02:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2003/05/22 22:38:26 | 00,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2003/02/06 14:37:52 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/...html?channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-187928318-484162174-3393145187-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081209
IE - HKU\S-1-5-21-187928318-484162174-3393145187-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/...html?channel=us
IE - HKU\S-1-5-21-187928318-484162174-3393145187-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-187928318-484162174-3393145187-1008\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-187928318-484162174-3393145187-1008\S-1-5-21-187928318-484162174-3393145187-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-187928318-484162174-3393145187-1008\S-1-5-21-187928318-484162174-3393145187-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (URLDetector Class) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (Prevx Ltd.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-187928318-484162174-3393145187-1008\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Dell AIO Printer A940] C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe (Dell Computer Corporation)
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe ()
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PrevxOne] C:\Program Files\Prevx2\PXConsole.exe (Prevx Ltd.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-187928318-484162174-3393145187-1008..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-187928318-484162174-3393145187-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-187928318-484162174-3393145187-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-187928318-484162174-3393145187-1008 Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/08/08 09:59:46 | 00,000,000 | ---D | M] - E:\autorun -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 17:02:12 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17454897414799360)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/07 07:56:04 | 00,537,088 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\OTL.exe
[2009/12/06 22:00:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Security
[2009/12/06 18:44:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Application Data\Malwarebytes
[2009/12/06 18:44:15 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/06 18:44:13 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/06 18:44:13 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/06 18:44:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/06 17:06:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2009/12/06 14:42:10 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/12/06 14:42:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/12/06 10:17:48 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/03 17:56:49 | 00,053,136 | ---- | C] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll
[2009/12/03 17:56:48 | 00,047,152 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2009/12/03 17:56:48 | 00,030,280 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxscan.sys
[2009/12/03 17:56:47 | 00,024,496 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxkbf.sys
[2009/12/03 17:56:46 | 00,000,000 | ---D | C] -- C:\Program Files\Prevx
[2009/12/03 17:56:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2009/12/03 17:06:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Application Data\PC
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/07 07:56:11 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\OTL.exe
[2009/12/06 22:01:15 | 00,014,657 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/06 22:01:08 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/06 22:00:30 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/12/06 22:00:16 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/06 22:00:15 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/06 22:00:13 | 32,098,71360 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/06 21:59:15 | 04,194,304 | -H-- | M] () -- C:\Documents and Settings\Dan\NTUSER.DAT
[2009/12/06 21:59:15 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Dan\ntuser.ini
[2009/12/06 21:40:09 | 00,375,296 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\2009 Without A Hitch Financial Plan.xls
[2009/12/06 21:11:24 | 00,000,576 | ---- | M] () -- C:\WINDOWS\DELLSTAT.INI
[2009/12/06 18:44:19 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/06 14:42:14 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\Spybot - Search & Destroy.lnk
[2009/12/06 10:17:48 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\HijackThis.lnk
[2009/12/05 10:39:59 | 00,415,179 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\MRP.xlsx
[2009/12/03 19:52:18 | 05,461,590 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\Warren Security Agreement.pdf
[2009/12/03 19:51:52 | 05,461,590 | ---- | M] () -- C:\Documents and Settings\Dan\My Documents\12-03-2009 07;51;48PM.PDF
[2009/12/03 18:24:05 | 00,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Prevx 3.0.lnk
[2009/12/03 17:56:49 | 00,053,136 | ---- | M] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll
[2009/12/03 17:56:48 | 00,047,152 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2009/12/03 17:56:48 | 00,030,280 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxscan.sys
[2009/12/03 17:56:47 | 00,024,496 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxkbf.sys
[2009/12/03 17:56:40 | 00,000,046 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/01 01:00:06 | 00,000,328 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/11/30 09:18:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/11/29 13:25:46 | 05,721,599 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\Annelise Letter to Santa (2009).pdf
[2009/11/29 13:25:12 | 05,721,599 | ---- | M] () -- C:\Documents and Settings\Dan\My Documents\11-29-2009 01;25;11PM.PDF
[2009/11/29 10:28:50 | 00,076,288 | ---- | M] () -- C:\Documents and Settings\Dan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/26 07:44:37 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/06 18:44:19 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/06 14:42:14 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\Spybot - Search & Destroy.lnk
[2009/12/06 10:17:48 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\HijackThis.lnk
[2009/12/03 19:52:18 | 05,461,590 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\Warren Security Agreement.pdf
[2009/12/03 19:51:52 | 05,461,590 | ---- | C] () -- C:\Documents and Settings\Dan\My Documents\12-03-2009 07;51;48PM.PDF
[2009/12/03 18:24:05 | 00,000,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Prevx 3.0.lnk
[2009/12/03 17:56:40 | 00,000,046 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/11/29 13:25:45 | 05,721,599 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\Annelise Letter to Santa (2009).pdf
[2009/11/29 13:25:12 | 05,721,599 | ---- | C] () -- C:\Documents and Settings\Dan\My Documents\11-29-2009 01;25;11PM.PDF
[2008/12/14 11:13:20 | 00,000,576 | ---- | C] () -- C:\WINDOWS\DELLSTAT.INI
[2008/12/12 20:11:06 | 00,076,288 | ---- | C] () -- C:\Documents and Settings\Dan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/09 00:18:40 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/12/08 23:29:55 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008/12/08 23:28:26 | 00,001,120 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/11 17:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2002/11/13 14:40:22 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbavs.dll
[2002/10/08 15:24:44 | 00,000,177 | ---- | C] () -- C:\WINDOWS\System32\dlbacoin.ini

========== LOP Check ==========

[2008/12/14 11:13:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2008/12/09 00:11:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2008/12/09 00:11:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2009/11/25 05:44:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prevx
[2009/12/06 18:18:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2008/12/09 00:11:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2008/12/09 00:08:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2009/01/25 12:03:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/09/28 15:53:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Annelise\Application Data\Prevx
[2009/04/21 18:10:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Leadertech
[2009/12/06 20:24:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\PC
[2009/02/10 01:44:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Prevx
[2009/01/20 16:36:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mara\Application Data\Prevx
[2009/11/15 01:18:24 | 00,000,336 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/12/01 01:00:06 | 00,000,328 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2009/12/06 22:00:30 | 00,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/08/28 02:02:10 | 00,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\i386\atapi.sys
[2006/08/27 21:02:10 | 00,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/08/27 21:02:10 | 00,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2006/08/27 21:02:10 | 00,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2009/12/05 00:13:55 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/05 00:13:55 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 05:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/07/19 18:26:24 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\drivers\storage\R158515\iastor.sys
[2007/07/19 18:26:24 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\i386\iastor.sys
[2007/07/19 18:26:24 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\system32\drivers\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 05:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 05:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >

Attached Files


Edited by Buckeye_Sam, 07 December 2009 - 07:25 PM.


#4 DDubs151

  • Topic Starter
  • Members
  • 6 posts

Posted 07 December 2009 - 03:04 PM

Buckeye,

Here is the output of the GMER scan. Please let me know your thoughts.


Thanks.

Attached Files



#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 December 2009 - 07:26 PM

Yes, I hope so too. :(


Please do not attach log files unless specifically requested to do so. Just copy the text in the log and then paste it directly into your reply.
It makes it much easier for me to review the information if I can see it all in one place.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
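A small triage script for the TDSSKiller.txt log that the steps above produce, added here as an example (it is not TDSSKiller's own code and was not posted by either participant). It pulls out the lines a reviewer acts on: "Splicing found on ..." (an inline code patch at the start of a kernel routine), the matching "... unhooked successfully" line, routines that were checked and found clean, the known rootkit service names that were searched for but not present (Win32 error 2 is ERROR_FILE_NOT_FOUND), and any step the tool reported it could not complete. The sample lines are constructed to follow the log format pasted later in this thread; the field layout it assumes (timestamp, pid, component, message) is taken from that log and is an assumption, not a documented format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines modelled on the TDSSKiller log pasted later in
# this thread (same "HH:MM:SS:mmm <pid> <component>: <message>" layout).
SAMPLE_LOG = r"""19:52:51:656 1052 ScanServices: Searching service UACd.sys
19:52:51:656 1052 ScanServices: Open/Create key error 2
19:52:51:656 1052 ScanServices: Searching service TDSSserv.sys
19:52:51:656 1052 ScanServices: Open/Create key error 2
19:52:51:656 1052
Scanning Kernel memory ...
19:52:51:750 1052 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
19:52:51:750 1052 UnhookRegistry: No SDT hooks found on NtEnumerateKey
19:52:51:750 1052 UnhookRegistry: Splicing found on NtEnumerateKey
19:52:51:750 1052 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
19:52:51:750 1052 TDL3_StartIoHookDetect: Unable to get StartIo handler code
"""

# Assumed line layout: timestamp, pid, component name, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+(?P<comp>\w+):\s+(?P<msg>.*)$"
)


@dataclass
class Finding:
    timestamp: str
    component: str
    kind: str        # "inline_hook" for a "Splicing found on ..." line
    target: str      # the kernel routine the hook was found on
    message: str


@dataclass
class Triage:
    findings: List[Finding] = field(default_factory=list)      # hooks detected
    unhooked: List[str] = field(default_factory=list)          # routines restored
    clean_checks: List[str] = field(default_factory=list)      # routines checked, no SDT hook
    absent_services: List[str] = field(default_factory=list)   # rootkit service names not present
    warnings: List[str] = field(default_factory=list)          # steps the tool could not complete


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; return None for banner/blank lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> Triage:
    """Walk a TDSSKiller-style log and collect the lines a reviewer acts on."""
    t = Triage()
    pending_service = None  # name from the most recent "Searching service" line
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        comp, msg = rec["comp"], rec["msg"]

        # "Searching service X" followed by error 2 (ERROR_FILE_NOT_FOUND)
        # means the service key for that known rootkit name does not exist.
        if comp == "ScanServices":
            m = re.match(r"Searching service (\S+)", msg)
            if m:
                pending_service = m.group(1)
                continue
            if msg.startswith("Open/Create key error 2") and pending_service:
                t.absent_services.append(pending_service)
                pending_service = None
                continue

        m = re.match(r"Splicing found on (\S+)", msg)
        if m:
            t.findings.append(Finding(rec["ts"], comp, "inline_hook", m.group(1), msg))
            continue
        m = re.match(r"(\S+) \(Splicing\) unhooked successfully", msg)
        if m:
            t.unhooked.append(m.group(1))
            continue
        m = re.match(r"No SDT hooks found on (\S+)", msg)
        if m:
            t.clean_checks.append(m.group(1))
            continue
        if msg.startswith("Unable to"):
            t.warnings.append(f"{comp}: {msg}")
    return t


def verdict(t: Triage) -> str:
    """One-line summary: were hooks found, and were all of them removed?"""
    if not t.findings:
        return "no hooks found"
    if all(f.target in t.unhooked for f in t.findings):
        return "hooks found and removed"
    return "hooks found, not all removed"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(verdict(result))
    for f in result.findings:
        print(f"{f.timestamp} {f.kind} on {f.target} ({f.component})")
    print("absent services:", ", ".join(result.absent_services))
    print("warnings:", result.warnings)
```

Run it against the real TDSSKiller.txt by reading the file into `triage()`; a "hooks found, not all removed" verdict, or any entry in `warnings`, is the cue to post the full log rather than rely on the summary.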

#6 DDubs151

  • Topic Starter
  • Members
  • 6 posts

Posted 07 December 2009 - 08:57 PM

Here are the results:


Host Name: HOMEOFFICE
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Dan
Registered Organization:
Product ID: 76487-OEM-0011903-00102
Original Install Date: 12/12/2008, 6:31:11 PM
System Up Time: 0 Days, 7 Hours, 18 Minutes, 9 Seconds
System Manufacturer: Dell Inc.
System Model: Inspiron 530s
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 23 Stepping 6 GenuineIntel ~2493 Mhz
BIOS Version: DELL - 42302e31
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-06:00) Central Time (US & Canada)
Total Physical Memory: 3,061 MB
Available Physical Memory: 2,068 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,006 MB
Virtual Memory: In Use: 42 MB
Page File Location(s): C:\pagefile.sys
Domain: MSHOME
Logon Server: \\HOMEOFFICE
Hotfix(s): 177 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: File 1
[67]: File 1
[68]: File 1
[69]: File 1
[70]: File 1
[71]: File 1
[72]: File 1
[73]: File 1
[74]: File 1
[75]: File 1
[76]: File 1
[77]: File 1
[78]: File 1
[79]: File 1
[80]: Q147222
[81]: M953297 - Update
[82]: S867460 - Update
[83]: KB923723 - Update
[84]: KB929399
[85]: KB952069_WM9
[86]: KB954155_WM9
[87]: KB968816_WM9
[88]: KB973540_WM9
[89]: KB936782_WMP11
[90]: KB939683
[91]: KB954154_WM11
[92]: KB959772_WM11
[93]: KB925398_WMP64
[94]: KB936782_WMP9
[95]: KB923689
[96]: KB941569
[97]: MSCompPackV1 - Update
[98]: KB936929 - Service Pack
[99]: KB923561 - Update
[100]: KB938464 - Update
[101]: KB938464-v2 - Update
[102]: KB946648 - Update
[103]: KB950762 - Update
[104]: KB950974 - Update
[105]: KB951066 - Update
[106]: KB951376-v2 - Update
[107]: KB951618-v2 - Update
[108]: KB951698 - Update
[109]: KB951748 - Update
[110]: KB951978 - Update
[111]: KB952004 - Update
[112]: KB952287 - Update
[113]: KB952954 - Update
[114]: KB953838 - Update
[115]: KB953839 - Update
[116]: KB953955 - Update
[117]: KB954211 - Update
[118]: KB954459 - Update
[119]: KB954550-v5 - Update
[120]: KB954600 - Update
[121]: KB955069 - Update
[122]: KB955839 - Update
[123]: KB956391 - Update
[124]: KB956572 - Update
[125]: KB956744 - Update
[126]: KB956802 - Update
[127]: KB956803 - Update
[128]: KB956841 - Update
[129]: KB956844 - Update
[130]: KB957095 - Update
[131]: KB957097 - Update
[132]: KB958215 - Update
[133]: KB958644 - Update
[134]: KB958687 - Update
[135]: KB958690 - Update
[136]: KB958869 - Update
[137]: KB959426 - Update
[138]: KB960225 - Update
[139]: KB960714 - Update
[140]: KB960715 - Update
[141]: KB960803 - Update
[142]: KB960859 - Update
[143]: KB961118 - Update
[144]: KB961371 - Update
[145]: KB961373 - Update
[146]: KB961501 - Update
[147]: KB963027 - Update
[148]: KB967715 - Update
[149]: KB968389 - Update
[150]: KB968537 - Update
[151]: KB969059 - Update
[152]: KB969897 - Update
[153]: KB969898 - Update
[154]: KB969947 - Update
[155]: KB970238 - Update
[156]: KB970653-v3 - Update
[157]: KB971486 - Update
[158]: KB971557 - Update
[159]: KB971633 - Update
[160]: KB971657 - Update
[161]: KB971961 - Update
[162]: KB972260 - Update
[163]: KB973346 - Update
[164]: KB973354 - Update
[165]: KB973507 - Update
[166]: KB973525 - Update
[167]: KB973687 - Update
[168]: KB973815 - Update
[169]: KB973869 - Update
[170]: KB974112 - Update
[171]: KB974455 - Update
[172]: KB974571 - Update
[173]: KB975025 - Update
[174]: KB975467 - Update
[175]: KB976098-v2 - Update
[176]: KB976749 - Update
[177]: KB835221WXP - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: Intel® 82562V-2 10/100 Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes

19:52:50:656 1052 ForceUnloadDriver: NtUnloadDriver error 2
19:52:50:656 1052 ForceUnloadDriver: NtUnloadDriver error 2
19:52:50:656 1052 ForceUnloadDriver: NtUnloadDriver error 2
19:52:50:687 1052 main: Driver KLMD successfully dropped
19:52:51:656 1052 main: Driver KLMD successfully loaded
19:52:51:656 1052
Scanning Registry ...
19:52:51:656 1052 ScanServices: Searching service UACd.sys
19:52:51:656 1052 ScanServices: Open/Create key error 2
19:52:51:656 1052 ScanServices: Searching service TDSSserv.sys
19:52:51:656 1052 ScanServices: Open/Create key error 2
19:52:51:656 1052 ScanServices: Searching service gaopdxserv.sys
19:52:51:656 1052 ScanServices: Open/Create key error 2
19:52:51:656 1052 ScanServices: Searching service gxvxcserv.sys
19:52:51:656 1052 ScanServices: Open/Create key error 2
19:52:51:656 1052 ScanServices: Searching service MSIVXserv.sys
19:52:51:656 1052 ScanServices: Open/Create key error 2
19:52:51:671 1052 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
19:52:51:687 1052 UnhookRegistry: Kernel local addr: D40000
19:52:51:687 1052 UnhookRegistry: KeServiceDescriptorTable addr: DC5700
19:52:51:734 1052 UnhookRegistry: KiServiceTable addr: D6D460
19:52:51:734 1052 UnhookRegistry: NtEnumerateKey service number (local): 47
19:52:51:734 1052 UnhookRegistry: NtEnumerateKey local addr: E8CFF2
19:52:51:750 1052 KLMD_OpenDevice: Trying to open KLMD device
19:52:51:750 1052 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
19:52:51:750 1052 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
19:52:51:750 1052 UnhookRegistry: NtEnumerateKey service number (kernel): 47
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
19:52:51:750 1052 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
19:52:51:750 1052 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
19:52:51:750 1052 UnhookRegistry: No SDT hooks found on NtEnumerateKey
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
19:52:51:750 1052 UnhookRegistry: Splicing found on NtEnumerateKey
19:52:51:750 1052 KLMD_WriteMem: Trying to WriteMemory 0x80623FF2[0xA]
19:52:51:750 1052 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
19:52:51:750 1052
Scanning Kernel memory ...
19:52:51:750 1052 KLMD_OpenDevice: Trying to open KLMD device
19:52:51:750 1052 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
19:52:51:750 1052 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:52:51:750 1052 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8B0485E8
19:52:51:750 1052 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
19:52:51:750 1052 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8AD3AC68
19:52:51:750 1052 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AD3AC68
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0x8AD3AC68[0x38]
19:52:51:750 1052 DetectCureTDL3: DRIVER_OBJECT addr: 8B0485E8
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0x8B0485E8[0xA8]
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0xE19798C0[0x208]
19:52:51:750 1052 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:52:51:750 1052 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
19:52:51:750 1052 DetectCureTDL3: IrpHandler (1) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
19:52:51:750 1052 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
19:52:51:750 1052 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
19:52:51:750 1052 DetectCureTDL3: IrpHandler (5) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (6) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (7) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (8) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
19:52:51:750 1052 DetectCureTDL3: IrpHandler (10) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (11) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (12) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (13) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
19:52:51:750 1052 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
19:52:51:750 1052 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
19:52:51:750 1052 DetectCureTDL3: IrpHandler (17) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (18) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (19) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (20) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (21) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
19:52:51:750 1052 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
19:52:51:750 1052 DetectCureTDL3: IrpHandler (24) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (25) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (26) addr: 804F4562
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:52:51:750 1052 KLMD_ReadMem: DeviceIoControl error 1
19:52:51:750 1052 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:52:51:750 1052 TDL3_FileDetect: Processing driver: Disk
19:52:51:750 1052 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:52:51:750 1052 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:52:51:750 1052 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:52:51:750 1052 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A507030
19:52:51:750 1052 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A507030
19:52:51:750 1052 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A821EA0
19:52:51:750 1052 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A821EA0
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0x8A821EA0[0x38]
19:52:51:750 1052 DetectCureTDL3: DRIVER_OBJECT addr: 8A867B10
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0x8A867B10[0xA8]
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0xE1FA5FB0[0x208]
19:52:51:750 1052 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:52:51:750 1052 DetectCureTDL3: IrpHandler (0) addr: A5CCE218
19:52:51:750 1052 DetectCureTDL3: IrpHandler (1) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (2) addr: A5CCE218
19:52:51:750 1052 DetectCureTDL3: IrpHandler (3) addr: A5CCE23C
19:52:51:750 1052 DetectCureTDL3: IrpHandler (4) addr: A5CCE23C
19:52:51:750 1052 DetectCureTDL3: IrpHandler (5) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (6) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (7) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (8) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (9) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (10) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (11) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (12) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (13) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (14) addr: A5CCE180
19:52:51:750 1052 DetectCureTDL3: IrpHandler (15) addr: A5CC99E6
19:52:51:750 1052 DetectCureTDL3: IrpHandler (16) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (17) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (18) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (19) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (20) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (21) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (22) addr: A5CCD5F0
19:52:51:750 1052 DetectCureTDL3: IrpHandler (23) addr: A5CCBA6E
19:52:51:750 1052 DetectCureTDL3: IrpHandler (24) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (25) addr: 804F4562
19:52:51:750 1052 DetectCureTDL3: IrpHandler (26) addr: 804F4562
19:52:51:750 1052 KLMD_ReadMem: Trying to ReadMemory 0xA5CCAF26[0x400]
19:52:51:750 1052 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:52:51:750 1052 TDL3_FileDetect: Processing driver: USBSTOR
19:52:51:750 1052 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys
19:52:51:750 1052 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:52:51:750 1052 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:52:51:765 1052 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8B004C68
19:52:51:765 1052 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B004C68
19:52:51:765 1052 KLMD_ReadMem: Trying to ReadMemory 0x8B004C68[0x38]
19:52:51:765 1052 DetectCureTDL3: DRIVER_OBJECT addr: 8B0485E8
19:52:51:765 1052 KLMD_ReadMem: Trying to ReadMemory 0x8B0485E8[0xA8]
19:52:51:765 1052 KLMD_ReadMem: Trying to ReadMemory 0xE19798C0[0x208]
19:52:51:765 1052 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:52:51:765 1052 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
19:52:51:765 1052 DetectCureTDL3: IrpHandler (1) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
19:52:51:765 1052 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
19:52:51:765 1052 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
19:52:51:765 1052 DetectCureTDL3: IrpHandler (5) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (6) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (7) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (8) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
19:52:51:765 1052 DetectCureTDL3: IrpHandler (10) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (11) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (12) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (13) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
19:52:51:765 1052 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
19:52:51:765 1052 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
19:52:51:765 1052 DetectCureTDL3: IrpHandler (17) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (18) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (19) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (20) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (21) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
19:52:51:765 1052 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
19:52:51:765 1052 DetectCureTDL3: IrpHandler (24) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (25) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (26) addr: 804F4562
19:52:51:765 1052 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:52:51:765 1052 KLMD_ReadMem: DeviceIoControl error 1
19:52:51:765 1052 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:52:51:765 1052 TDL3_FileDetect: Processing driver: Disk
19:52:51:765 1052 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:52:51:765 1052 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:52:51:765 1052 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:52:51:765 1052 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8AF8E9F0
19:52:51:765 1052 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF8E9F0
19:52:51:765 1052 KLMD_ReadMem: Trying to ReadMemory 0x8AF8E9F0[0x38]
19:52:51:765 1052 DetectCureTDL3: DRIVER_OBJECT addr: 8B0485E8
19:52:51:765 1052 KLMD_ReadMem: Trying to ReadMemory 0x8B0485E8[0xA8]
19:52:51:765 1052 KLMD_ReadMem: Trying to ReadMemory 0xE19798C0[0x208]
19:52:51:765 1052 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:52:51:765 1052 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
19:52:51:765 1052 DetectCureTDL3: IrpHandler (1) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
19:52:51:765 1052 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
19:52:51:765 1052 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
19:52:51:765 1052 DetectCureTDL3: IrpHandler (5) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (6) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (7) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (8) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
19:52:51:765 1052 DetectCureTDL3: IrpHandler (10) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (11) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (12) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (13) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
19:52:51:765 1052 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
19:52:51:765 1052 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
19:52:51:765 1052 DetectCureTDL3: IrpHandler (17) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (18) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (19) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (20) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (21) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
19:52:51:765 1052 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
19:52:51:765 1052 DetectCureTDL3: IrpHandler (24) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (25) addr: 804F4562
19:52:51:765 1052 DetectCureTDL3: IrpHandler (26) addr: 804F4562
19:52:51:765 1052 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:52:51:765 1052 KLMD_ReadMem: DeviceIoControl error 1
19:52:51:765 1052 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:52:51:765 1052 TDL3_FileDetect: Processing driver: Disk
19:52:51:765 1052 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:52:51:781 1052 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:52:51:781 1052 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:52:51:781 1052 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8B005AB8
19:52:51:781 1052 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B005AB8
19:52:51:781 1052 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8B04F0C0
19:52:51:781 1052 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B04F0C0
19:52:51:781 1052 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8AFC1D98
19:52:51:781 1052 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AFC1D98
19:52:51:781 1052 KLMD_ReadMem: Trying to ReadMemory 0x8AFC1D98[0x38]
19:52:51:781 1052 DetectCureTDL3: DRIVER_OBJECT addr: 8B00E670
19:52:51:781 1052 KLMD_ReadMem: Trying to ReadMemory 0x8B00E670[0xA8]
19:52:51:781 1052 KLMD_ReadMem: Trying to ReadMemory 0x8AF91030[0x38]
19:52:51:781 1052 KLMD_ReadMem: Trying to ReadMemory 0x8B009308[0xA8]
19:52:51:781 1052 KLMD_ReadMem: Trying to ReadMemory 0xE1964C68[0x208]
19:52:51:781 1052 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:52:51:781 1052 DetectCureTDL3: IrpHandler (0) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (1) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (2) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (3) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (4) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (5) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (6) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (7) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (8) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (9) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (10) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (11) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (12) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (13) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (14) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (15) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (16) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (17) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (18) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (19) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (20) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (21) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (22) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (23) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (24) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (25) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: IrpHandler (26) addr: 8AF95618
19:52:51:781 1052 DetectCureTDL3: All IRP handlers pointed to one addr: 8AF95618
19:52:51:781 1052 KLMD_ReadMem: Trying to ReadMemory 0x8AF95618[0x400]
19:52:51:781 1052 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
19:52:51:781 1052 Driver "atapi" Irp handler infected by TDSS rootkit ... 19:52:51:781 1052 KLMD_WriteMem: Trying to WriteMemory 0x8AF9567D[0xD]
19:52:51:781 1052 cured
19:52:51:781 1052 KLMD_ReadMem: Trying to ReadMemory 0x8AF954BF[0x400]
19:52:51:781 1052 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1
19:52:51:781 1052 Driver "atapi" StartIo handler infected by TDSS rootkit ... 19:52:51:781 1052 TDL3_StartIoHookCure: Number of patches 1
19:52:51:781 1052 KLMD_WriteMem: Trying to WriteMemory 0x8AF955B6[0x6]
19:52:51:781 1052 cured
19:52:51:781 1052 TDL3_FileDetect: Processing driver: atapi
19:52:51:781 1052 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
19:52:51:781 1052 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
19:52:51:781 1052 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
19:52:51:796 1052 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 19:52:51:796 1052 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
19:52:51:796 1052 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
19:52:51:796 1052 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_atapi.sys
19:52:51:890 1052 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
19:52:51:890 1052 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_atapi.sys, C:\WINDOWS\system32\drivers\atapi.sys) success
19:52:51:890 1052 will be cured on next reboot
19:52:51:890 1052
Completed

Results:
19:52:51:890 1052 Infected objects in memory: 2
19:52:51:890 1052 Cured objects in memory: 2
19:52:51:890 1052 Infected objects on disk: 1
19:52:51:890 1052 Objects on disk cured on reboot: 1
19:52:51:890 1052 Objects on disk deleted on reboot: 0
19:52:51:890 1052 Registry nodes deleted on reboot: 0
19:52:51:890 1052
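The log above shows what the tool keys on when it reports "All IRP handlers pointed to one addr": every one of atapi's 27 dispatch entries resolves to the same address, whereas Disk and USBSTOR mix driver-specific routines with one address shared by all drivers (804F4562, the kernel's default handler for major functions a driver does not implement). As an added example that is not part of this thread or of TDSSKiller, the Python below parses lines in that log format, derives the shared kernel stub address from the data instead of hard-coding it, and flags any complete table that points uniformly at a non-stub address. The sample input is constructed from the three tables in the log above; the line formats, the 27-entry table size (major function codes 0 to 26) and the uniform-table heuristic are my reading of the output, not the tool's documented behaviour.

```python
"""Added example (not from the thread or from TDSSKiller): parse the
DetectCureTDL3 lines of a TDSSKiller log and flag drivers whose whole IRP
dispatch table points at one address that no other driver shares."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Line shapes as they appear in the log above: "<time> <thread> <message>".
NAME_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
HANDLER_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r'Driver "([^"]+)" (Irp|StartIo) handler infected')

IRP_TABLE_SIZE = 27  # major function codes 0..26 (IRP_MJ_MAXIMUM_FUNCTION + 1)


@dataclass
class DispatchTable:
    name: str
    handlers: dict = field(default_factory=dict)       # major function -> address
    tool_verdicts: list = field(default_factory=list)  # what the tool itself concluded

    def distinct(self):
        return set(self.handlers.values())


def parse_log(text):
    """Collect one dispatch table per driver name. The same driver object is
    walked once per device-stack level (Disk appears twice above), so a later
    walk simply replaces the earlier, identical table."""
    tables, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            current = tables.setdefault(m.group(1), DispatchTable(m.group(1)))
            current.handlers.clear()
            continue
        m = HANDLER_RE.search(line)
        if m and current is not None:
            current.handlers[int(m.group(1))] = m.group(2).upper()
            continue
        m = VERDICT_RE.search(line)
        if m and m.group(1) in tables:
            tables[m.group(1)].tool_verdicts.append(m.group(2))
    return tables


def default_stub_address(tables):
    """The address that recurs across unrelated drivers is the kernel's default
    handler for unimplemented major functions (804F4562 in the log above).
    Returns None when no address is shared by more than one driver."""
    seen_in = Counter(addr for t in tables.values() for addr in t.distinct())
    addr, n = seen_in.most_common(1)[0] if seen_in else (None, 0)
    return addr if n > 1 else None


def flag_uniform_dispatch(tables):
    """Return (driver, address) for every complete table whose 27 entries all
    point at a single address other than the kernel stub. This is a trigger for
    closer inspection, not a verdict: some legitimate drivers route every IRP
    through one routine, and the tool above follows up by reading 0x400 bytes
    of the handler and checking its parameters before calling it infected."""
    stub = default_stub_address(tables)
    flagged = []
    for name, t in tables.items():
        d = t.distinct()
        if len(t.handlers) == IRP_TABLE_SIZE and len(d) == 1 and stub not in d:
            flagged.append((name, next(iter(d))))
    return flagged


def _block(name, addrs, ts="19:52:51:781 1052 "):
    """Constructed log block in the format of the thread's TDSSKiller output."""
    lines = [f"{ts}DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\{name}, Driver Name: {name}"]
    lines += [f"{ts}DetectCureTDL3: IrpHandler ({i}) addr: {a}" for i, a in enumerate(addrs)]
    return lines


STUB = "804F4562"
# Tables transcribed from the log above; atapi's 27 entries all hold one address.
USBSTOR = (["A5CCE218", STUB, "A5CCE218", "A5CCE23C", "A5CCE23C"] + [STUB] * 9
           + ["A5CCE180", "A5CC99E6"] + [STUB] * 6 + ["A5CCD5F0", "A5CCBA6E"] + [STUB] * 3)
DISK = (["BA0EEBB0", STUB, "BA0EEBB0", "BA0E8D1F", "BA0E8D1F"] + [STUB] * 4 + ["BA0E92E2"]
        + [STUB] * 4 + ["BA0E93BB", "BA0ECF28", "BA0E92E2"] + [STUB] * 5
        + ["BA0EAC82", "BA0EF99E"] + [STUB] * 3)
ATAPI = ["8AF95618"] * 27

SAMPLE_LOG = "\n".join(
    _block("USBSTOR", USBSTOR) + _block("Disk", DISK) + _block("Disk", DISK)
    + _block("atapi", ATAPI)
    + ['19:52:51:781 1052 Driver "atapi" Irp handler infected by TDSS rootkit ... ']
)

if __name__ == "__main__":
    tables = parse_log(SAMPLE_LOG)
    print("kernel default stub:", default_stub_address(tables))
    for name, addr in flag_uniform_dispatch(tables):
        print(f"{name}: all {IRP_TABLE_SIZE} IRP handlers -> {addr};",
              "tool verdicts:", tables[name].tool_verdicts)
```

Run it as a script to see atapi flagged, or feed a whole TDSSKiller log to `parse_log`. The stub derivation needs at least two drivers in the log; a log that walks a single driver returns None and the flag then falls back to "all entries identical", which is still only a reason to look at the handler's code and its owning module.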

#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 December 2009 - 09:43 AM

Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 DDubs151
  • Topic Starter
  • Members
  • 6 posts

Posted 08 December 2009 - 07:13 PM

Here are the results of the scan ... nothing found. My computer is behaving much better, I think the TDSS Killer did the trick. Since I restarted after I ran that program, I have not been redirected when I click on various search results. Is there anything else I should do to make sure I am clean? Thanks again for your help.

Malwarebytes' Anti-Malware 1.42
Database version: 3325
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/8/2009 6:10:36 PM
mbam-log-2009-12-08 (18-10-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 195805
Time elapsed: 33 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 December 2009 - 08:26 AM

Looks good to me! :(

It's time to clean up.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :)


========================================================

#10 DDubs151
  • Topic Starter
  • Members
  • 6 posts

Posted 09 December 2009 - 03:38 PM

Buckeye.

I really appreciate your help and thanks for the tips.

Happy Holidays!!

#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 December 2009 - 06:20 PM

I'm glad I could help you out! :(
Happy Holidays to you as well.


Now that your problem appears to be resolved, this topic will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this topic in your request.


========================================================



