Google Search Redirect, Firefox only


This topic is locked
24 replies to this topic

#1 techboy5 (Members, 20 posts)

Posted 09 December 2009 - 01:50 PM

Hello Everyone,

My computer has picked up some piece of malware of some sort. It all started about 3 weeks ago when I noticed that firefox was reopening itself
without being initiated. My computer is running Small Business Server 2003, I keep it patched and have kept up with all the updates. I am running
ClamWin Antivirus, which I also keep up to date. I know it's not the best, but Avast Free edition (which I run on all my other family computers) does
not offer a free edition for the server 2003 group. For antimalware/trojans, I run A squared Free, and when I ran that scan, I found a number of infections,
which I cleaned up using it. I restarted the computer and performed another scan, and found it clean. But, when I launched Firefox, I noticed that I was
being redirected after performing a search to various sites, some questionable security sites, and other general "we'll find what you're looking for sites"
that were not a part of the Google results. I searched using other browsers, and IE8 would not even start up, nor would Chrome. The error was "unable to load
page". FYI, my home page is deliberately set to "about: blank" on all my browsers. Found this site, and started reading about redirect exploits, and that
led me to install MalwareBytes AntiMalware, which found more infections, and subsequently fixed them. I also ran "Sophos AntiRoot Kit" which found nothing
except two hidden files located in the Macromedia "flash" directory, an .ocx file, and another I can't recall. I figured those two were harmless.
That's all water under the bridge, because that fixed the Firefox issue of opening up by itself, and also restored the operations of the other browsers. I thought
I was virus/trojan free-but, I was wrong. A squared free found nothing. AntiMalware found nothing. I also ran TrendMicro's "Housecall" with no results.
Now, only in Firefox, my Google searches are still being redirected to either what I believe are fake security sites, or to the bogus search sites. I have some
examples of what sites it tries to load:

Tries to open, but with no success: 66.154.9.30
(Pages never load) 64.111.196.114

Has loaded these pages:
software-scaner(sic)-online.biz (produces popup, "computer infected, scan now")
Information Getter
LowPrice$hopper.com

When it tries to load these sites, or a popup appears to load some scan or software, I use "Task Manager" to close the browser so nothing gets loaded on the
computer.
IE8 now works normally, and so does Chrome, which to me is surprising, as I thought that Chrome used the Firefox engine.
Any information or help you could give would be greatly appreciated. I am naturally very uneasy about having this crap on my computer, and who knows
what else may be running in the background without my knowledge? Hope I've described it well enough for someone to help.
Many thanks in advance....

#2 garmanma (Computer Masochist; Staff Emeritus, 27,809 posts; Cleveland, Ohio)

Posted 10 December 2009 - 11:31 AM

Welcome to BC

Update mbam and run a FULL scan
Please post the results

=============

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
============================

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 techboy5 (Topic Starter; Members, 20 posts)

Posted 10 December 2009 - 03:46 PM

Hi Garmanma,

This reply contains the MBAM log you requested. MBAM did not find anything. I did update MBAM before going for the Full Scan.
I will follow the rest of the instructions you provided and post as results become available.

Malwarebytes' Anti-Malware 1.42
Database version: 3340
Windows 5.2.3790 Service Pack 2
Internet Explorer 8.0.6001.18702

12/10/2009 12:41:46 PM
mbam-log-2009-12-10 (12-41-46).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 242611
Time elapsed: 1 hour(s), 57 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks again for your help!

Techboy5

#4 techboy5 (Topic Starter; Members, 20 posts)

Posted 10 December 2009 - 04:20 PM

Hi Garmanma,

Here is the second scan you requested using Root Repeal.
You're the expert here, but I think it may have found something.
One more task to go to complete what you asked me to do...

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/10 12:52
Program Version: Version 1.3.5.0
Windows Version: Windows Server 2003 SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF55CA000 Size: 118784 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF6AC7000 Size: 36864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9E3D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\LB24.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\LB25.tmp
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\etilqs_pl8rujos9jyv8n3dgelg
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\etilqs_ryvd6zwiahodmnfo8ao9
Status: Allocation size mismatch (API: 32768, Raw: 0)

Hidden Services
-------------------
Service Name: SBCore
Image Path: %SystemRoot%\System32\sbscrexe.exe

==EOF==

Any idea why Sophos AntiRoot Kit didn't find anything?
Next task on its way to you soon...

Techboy5

#5 techboy5 (Topic Starter; Members, 20 posts)

Posted 10 December 2009 - 04:34 PM

Me again, Garmanma,

Here are the results of the command line executable you had me run:
FYI Win32kDiag.exe is still running....

Volume in drive C has no label.
Volume Serial Number is 5CF6-83FB

Directory of C:\WINDOWS\$hf_mig$\KB835732\RTMQFE

03/15/2004 06:09 PM 64,000 eventlog.dll
1 File(s) 64,000 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

03/25/2003 12:14 PM 183,808 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

03/25/2003 12:14 PM 418,816 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

10/18/2004 06:12 AM 64,000 eventlog.dll
3 File(s) 666,624 bytes

Directory of C:\WINDOWS\SDold\Download\7c205249e4e58548a01567c8dc12d1b5

02/17/2007 06:03 AM 188,928 scecli.dll

Directory of C:\WINDOWS\SDold\Download\7c205249e4e58548a01567c8dc12d1b5

02/17/2007 06:03 AM 430,592 netlogon.dll

Directory of C:\WINDOWS\SDold\Download\7c205249e4e58548a01567c8dc12d1b5

02/17/2007 06:02 AM 68,608 eventlog.dll
3 File(s) 688,128 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

02/17/2007 02:58 AM 188,928 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

02/17/2007 02:38 AM 430,592 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

02/17/2007 01:58 AM 68,608 eventlog.dll
3 File(s) 688,128 bytes

Directory of C:\WINDOWS\system32

02/17/2007 02:58 AM 188,928 scecli.dll

Directory of C:\WINDOWS\system32

02/17/2007 02:38 AM 430,592 netlogon.dll

Directory of C:\WINDOWS\system32

02/17/2007 01:58 AM 68,608 eventlog.dll
3 File(s) 688,128 bytes

Total Files Listed:
13 File(s) 2,795,008 bytes
0 Dir(s) 30,702,465,024 bytes free

As soon as Win32kDiag finishes, I'll post the result. I have to leave for work in about an hour
so I hope it finishes before then....

Techboy5
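The DIR command in reply #2 lists every copy of scecli.dll, netlogon.dll and eventlog.dll on the system so that the live copies in system32 can be compared with the backup copies Windows keeps: the ServicePackFiles\i386 set that SP2 installed, and the pre-SP2 set in $NtServicePackUninstall$, which legitimately differs. A live copy whose size or date no longer agrees with its service-pack counterpart is the signal that check is looking for. The Python below is an added example, not part of the thread or of any tool used in it: it parses a listing like the one just posted (condensed here as a constructed sample) and flags such mismatches. The tampered second sample, the directory constants and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the DIR /a/s output posted in reply #5, condensed so that each
# directory appears once (DIR /s prints a "Directory of" header for every file it
# finds; the parser accepts either form).
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 5CF6-83FB

 Directory of C:\WINDOWS\$hf_mig$\KB835732\RTMQFE

03/15/2004 06:09 PM 64,000 eventlog.dll
1 File(s) 64,000 bytes

 Directory of C:\WINDOWS\$NtServicePackUninstall$

03/25/2003 12:14 PM 183,808 scecli.dll
03/25/2003 12:14 PM 418,816 netlogon.dll
10/18/2004 06:12 AM 64,000 eventlog.dll
3 File(s) 666,624 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

02/17/2007 02:58 AM 188,928 scecli.dll
02/17/2007 02:38 AM 430,592 netlogon.dll
02/17/2007 01:58 AM 68,608 eventlog.dll
3 File(s) 688,128 bytes

 Directory of C:\WINDOWS\system32

02/17/2007 02:58 AM 188,928 scecli.dll
02/17/2007 02:38 AM 430,592 netlogon.dll
02/17/2007 01:58 AM 68,608 eventlog.dll
3 File(s) 688,128 bytes
"""

# Constructed variant: the live netlogon.dll (last occurrence, under system32) is
# 512 bytes larger than the baseline copy, to show what a mismatch looks like.
_head, _tail = SAMPLE_LISTING.rsplit("430,592 netlogon.dll", 1)
TAMPERED_LISTING = _head + "431,104 netlogon.dll" + _tail

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_LINE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)\s*$")


def parse_dir_listing(text):
    """Return {directory: {filename: (size_bytes, timestamp)}} from DIR /a/s output.

    Directory and file names are lower-cased because NTFS paths are case-insensitive.
    """
    files = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = FILE_LINE.match(line)
        if m and current is not None:
            date, time, size, name = m.groups()
            files[current][name.lower()] = (int(size.replace(",", "")), f"{date} {time}")
    return dict(files)


def compare_copies(files, live_dir, reference_dir):
    """Flag files in live_dir whose size differs from (or is absent in) reference_dir."""
    live = files.get(live_dir.lower(), {})
    ref = files.get(reference_dir.lower(), {})
    findings = []
    for name, (size, _stamp) in sorted(live.items()):
        if name not in ref:
            findings.append((name, "no reference copy to compare against"))
        elif ref[name][0] != size:
            findings.append((name, f"size {size} differs from reference {ref[name][0]}"))
    return findings


# Assumed locations: the live directory and the service-pack baseline to judge it by.
SYSTEM32 = r"C:\WINDOWS\system32"
SP_BASELINE = r"C:\WINDOWS\ServicePackFiles\i386"


def check_system32(listing):
    """Parse a DIR /a/s listing and compare the live system32 copies with the SP baseline."""
    return compare_copies(parse_dir_listing(listing), SYSTEM32, SP_BASELINE)


if __name__ == "__main__":
    for label, listing in (("posted", SAMPLE_LISTING), ("tampered", TAMPERED_LISTING)):
        print(label, check_system32(listing) or "all copies match the baseline")
```

Matching sizes are weak evidence of integrity: a file patched in place keeps its size, so when the files themselves are at hand, hashing the system32 copy against the ServicePackFiles copy is the stronger check. Choosing the right baseline matters too: comparing system32 against $NtServicePackUninstall$ reports all three DLLs as different, which is expected for pre-SP2 backups and says nothing about tampering.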

#6 techboy5 (Topic Starter; Members, 20 posts)

Posted 10 December 2009 - 04:54 PM

Garmanma,

Here are the results of the Win32kdiag scan:


Running from: C:\Documents and Settings\Administrator\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\Temp\LB24.tmp

[1] 2009-12-10 08:48:37 262144 C:\WINDOWS\Temp\LB24.tmp ()



Cannot access: C:\WINDOWS\Temp\LB25.tmp

[1] 2009-12-10 08:48:37 262144 C:\WINDOWS\Temp\LB25.tmp ()





Finished!

Those same 2 files in the Temp directory were found once again.
Sending the results to you now...and eagerly awaiting your reply.
Hope this gives you everything you need....

Techboy5

#7 garmanma (Computer Masochist; Staff Emeritus, 27,809 posts; Cleveland, Ohio)

Posted 10 December 2009 - 08:51 PM

only in Firefox, my Google searches are still being redirected

If you use any add-ons, disable them for now

Submit those two temp files for a Jotti scan
http://virusscan.jotti.org/en
and/or
http://www.virustotal.com/


Then run
Please download TFC by Old Timer and save it to your desktop.
alternate download link

  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
After that please do another Root Repeal scan
Mark

#8 techboy5 (Topic Starter; Members, 20 posts)

Posted 11 December 2009 - 04:16 PM

Hello Garmanma,

Followed all your instructions- Jotti and Viruscan said the file had been scanned before as LB31
on 11/04/2009, and did not register positive on any of the 41 tests it ran.
VirusTotal gave the same result- 0 out of 41 tests positive for malware.

Ran TFC.exe, and shutdown the computer because it was late.

Started it up this morning and reran RootRepeal. Text of log is below.
It looks like other than the 2 new LB.tmp files, it didn't find anything.
Thanks for your help!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/11 12:05
Program Version: Version 1.3.5.0
Windows Version: Windows Server 2003 SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5928000 Size: 118784 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7687000 Size: 36864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA115000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\LB4.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\LB5.tmp
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator\local settings\application data\microsoft\feeds\feedsstore.feedsdb-ms
Status: Size mismatch (API: 7168, Raw: 7680)

Hidden Services
-------------------
Service Name: SBCore
Image Path: %SystemRoot%\System32\sbscrexe.exe

==EOF==

Waiting for your reply...


Techboy5
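The RootRepeal logs in this reply and in reply #4 mix entries that are normal on this kind of machine with ones that deserve a second look. dump_atapi.sys and dump_WMILIB.SYS are the crash-dump copies of the storage stack, which Windows loads without a same-named file on disk; rootrepeal.sys is the scanner's own driver; and SBCore (sbscrexe.exe) is the Small Business Server 2003 licensing service, which hides itself by design. What remains are the locked LB*.tmp files, which reappeared under new names after the TFC run, and a size mismatch on a feeds database. The Python below is an added example, not RootRepeal's code or anything from the thread: it parses the log posted in this reply (embedded as a constructed sample) into its sections and applies a small allowlist-based triage. The allowlists, severity labels and function names are this example's assumptions.

```python
import re

# Constructed sample: the RootRepeal log posted in reply #8, reproduced as test input.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/11 12:05
Program Version: Version 1.3.5.0
Windows Version: Windows Server 2003 SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5928000 Size: 118784 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7687000 Size: 36864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA115000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\LB4.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\LB5.tmp
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator\local settings\application data\microsoft\feeds\feedsstore.feedsdb-ms
Status: Size mismatch (API: 7168, Raw: 7680)

Hidden Services
-------------------
Service Name: SBCore
Image Path: %SystemRoot%\System32\sbscrexe.exe

==EOF==
"""

SECTIONS = {"Drivers", "Hidden/Locked Files", "Hidden Services"}
# RootRepeal packs four fields onto one line in the Drivers section.
ADDR_RE = re.compile(r"Address: (\S+) Size: (\d+) File Visible: (\S+) Signed: (\S+)")


def parse_rootrepeal(text):
    """Return {section: [entry, ...]}; each entry is a dict of one blank-line-separated block."""
    sections, current, entry = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if entry:
                sections[current].append(entry)
            current, entry = line, {}
            sections[current] = []
            continue
        if current is None or line.startswith("---"):
            continue  # scan header, or the dashed underline below a section name
        if not line or line == "==EOF==":
            if entry:
                sections[current].append(entry)
                entry = {}
            continue
        m = ADDR_RE.match(line)
        if m:
            entry.update(zip(("Address", "Size", "File Visible", "Signed"), m.groups()))
        elif ": " in line:
            key, value = line.split(": ", 1)
            entry[key] = value
    if entry:
        sections[current].append(entry)
    return sections


# Example allowlists (assumptions of this illustration, not RootRepeal's own logic):
# crash-dump driver copies and the scanner's own driver have no on-disk file of that
# name; SBCore is the SBS 2003 licensing core service, which is hidden by design.
EXPECTED_INVISIBLE_DRIVERS = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.IGNORECASE)
KNOWN_HIDDEN_SERVICES = {"sbcore"}
LOCKED = "Locked to the Windows API!"


def triage(sections):
    """Return a list of (severity, detail) findings for a human to review."""
    findings = []
    for drv in sections.get("Drivers", []):
        if drv.get("File Visible") == "No" and not EXPECTED_INVISIBLE_DRIVERS.match(drv["Name"]):
            findings.append(("high", f"driver with no on-disk file: {drv['Image Path']}"))
    for f in sections.get("Hidden/Locked Files", []):
        if f.get("Status") == LOCKED:
            findings.append(("medium", f"locked file: {f['Path']}"))
        else:
            findings.append(("low", f"{f['Path']}: {f['Status']}"))
    for svc in sections.get("Hidden Services", []):
        if svc["Service Name"].lower() not in KNOWN_HIDDEN_SERVICES:
            findings.append(("high", f"hidden service {svc['Service Name']} -> {svc['Image Path']}"))
    return findings
```

Run on the posted log, the triage leaves only the two locked temp files and the feeds-database size mismatch, which is exactly the short list a helper would want to look at next; an unknown hidden service or a driver with no file on disk outside the allowlist would come out as high. Allowlists like these should be short and specific to the machine's role (the SBCore entry only makes sense on an SBS 2003 box), because a generic allowlist is what a hidden service would hide behind.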

#9 garmanma (Computer Masochist; Staff Emeritus, 27,809 posts; Cleveland, Ohio)

Posted 11 December 2009 - 07:52 PM

Unless I'm overlooking something, I'm running out of ideas
I would delete the 2 temp folders. If they prove stubborn to delete, you can use File Assassin that is included in Malwarebytes
Meanwhile, I'm going to ask someone else to have a look at this, for any suggestions



MBAM has a built-in File Assassin feature for removing stubborn malware or other malicious files that it did not detect.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file (C:\xxxx.exe) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file(s), click "Open".
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to serious problems with your operating system.


If the file returns, then you probably still have malware on your system which is protecting or regenerating it.
Mark

#10 quietman7 (Bleepin' Janitor; Global Moderator, 51,399 posts; Virginia, USA)

Posted 12 December 2009 - 08:10 AM

For antimalware/trojans, I run A squared Free, and when I ran that scan, I found a number of infections,

a-squared products are prone to "false positives" and they even acknowledge this.

...Sometimes security software falsely identifies important crucial system components as a threat (hence the term False Positives - FP).

Removing/deleting critical system files, even temporarily, can make a system crash. Sometimes the system will recover after a reboot, and sometimes it will not. Therefore, you may not be able to start your system. Special system restore measures may be needed, or even a full system re-installation.

...If detections are FP's, you run the risk of rendering your system inoperable...

a-squared HiJackFree: Using security Software to scan data
a-squared Anti-Malware: Using security Software to scan data
a-squared Free: Using security Software to scan data

...the a-squared Scanner looks for files, folders, registry entries and Tracking Cookies that are typically created by Spyware programs. Traces are exactly these trails that Spyware leaves behind.

This approach has both advantages and disadvantages for Malware recognition...The negative side is that it provides a relatively inexact, or insufficiently differentiated to be more precise, Malware recognition. Benign software can be falsely recognized, for example, if it uses the same file name or folder as a dangerous Spyware program.

Software discovered via Traces should therefore first be double-checked to see if it is actually Malware before it is finally deleted...

Spyware Traces in Detail

Please download TDSSKiller.zip and save it to your Desktop.
Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Go to Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • Click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Copy and paste the contents of that report in your next reply.
Please download the Kaspersky Virus Removal Tool save to your Desktop.
Be sure to print out and read the instructions provided in How to use Kaspersky virus removal tool.
  • Double-click the setup file (i.e. setup_7.0.0.290_24.06.2009_12-58.exe) to install the utility.
  • If using Vista, right-click on it and Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Click Next to continue.
  • It will install by default to your desktop folder. Click Next.
  • Click Ok at the prompt for scanning in Safe Mode if you booted into safe mode.
  • A box will open with a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
  • System Memory
  • Startup Objects
  • Disk Boot Sectors
  • My Computer
  • Any other drives (except CD-ROM drives)
  • Click on the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, name the report AVPT.txt and select Save to file.
  • This tool should uninstall when you close it so please save the report log before closing.
  • When done, close the Kaspersky Virus Removal Tool.
  • You will be prompted if you want to uninstall the program. Click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste only the first part of the report (Detected) in your next reply. Do not include the longer list marked Events.
-- If you cannot run the Kaspersky AVP Removal Tool in normal mode, then try using it in "safe mode".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#11 techboy5 (Topic Starter; Members, 20 posts)

Posted 15 December 2009 - 09:39 PM

Dear Quietman7,

Thanks for your assistance. I didn't want you to think that I wasn't following through on your requests.
Downloaded and ran TDSSKiller.exe and it ran properly. I apologize for not attaching the report, but
I can tell you it didn't find anything, and did not ask me to reboot the system (I did, anyway). I will
attach my next reply, as I am at work, and not in front of the troubled system.
But, I did want you to know that I am not having any luck getting the Kaspersky Virus Removal Tool
to run to completion. I have tried running it twice in standard windows mode, and twice in Safe mode,
each time, it installs, starts to run, and the first time it ran, it ran to 81%. I finally had to abort the run
after no file update in the window for about 3 1/2 hours. Uninstalled, then re-ran again. This time, it only
ran to 3% before stalling again. The following times I ran it in safe mode, and again, it would only run to
3% until stalling again. The last three times it stalled looking at an OpenOffice Linux download I took down
about 3 or 4 years ago. When the system last stalled, I used Explorer file manager to remove that older
file from the drive. I have not yet restarted the system since then. It will be interesting to see what happens
when I start the Kaspersky tool once again.
The first time Kaspersky ran, the only thing on the report was that a file, realalt175.exe (which is a replacement
for those of us who don't like real audio) was password protected when Kaspersky tried to scan it. That file is
probably from 2007, and is a legitimate file. I've used that application for well over a year. Anyway, I deleted it
with no problem. It certainly didn't ask me for a password when I deleted it. No other threats were detected up
to the stall point.
I'll give Kaspersky one more try tonight when I get home, and we'll see how far the scan goes this time.
Sorry I can't give you better info at this time.


Techboy5

#12 quietman7 (Bleepin' Janitor; Global Moderator, 51,399 posts; Virginia, USA)

Posted 16 December 2009 - 08:40 AM

If you cannot run the Kaspersky AVP Removal Tool to completion do this instead.

Please perform a scan with Kaspersky Online Virus Scanner.
(Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.)
  • Vista users: need to right-click either the IE or FF Start Menu or Quick Launch Bar icons and select Run As Administrator from the context menu.
  • Before starting your scan, disable
  • Read the "Advantages - Requirements and Limitations" then press the ACCEPT... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the SETTINGS... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the SAVE... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases:
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste the contents of that file in your next reply.
-- Note: This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.

-- Note: Some online scanners will detect existing anti-virus software and they may interfere or stop the scan. If that occurs, disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#13 techboy5 (Topic Starter; Members, 20 posts)

Posted 16 December 2009 - 11:41 PM

Quietman7

I am attempting to run the Kaspersky Online Virus Scanner.
At this point, it is still updating the database. In the meantime, here is the report.txt that was created by
TDSSKiller.exe running. As I told you, it found nothing, but maybe there's something in there that I missed.
Thanks again for all your help!

Host Name: RICHS64SCREAMER
OS Name: Microsoft® Windows® Server 2003 for Small Business Server
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Uniprocessor Free
Registered Owner: Richard J. Viglienzoni
Registered Organization:
Product ID: 74995-066-1670106-42514
Original Install Date: 4/25/2005, 3:48:16 PM
System Up Time: 0 Days, 1 Hours, 15 Minutes, 33 Seconds
System Manufacturer: VIAK8M
System Model: AWRDACPI
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 12 Stepping 0 AuthenticAMD ~1999 Mhz
BIOS Version: VIAK8M - 42302e31
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory: 1,022 MB
Available Physical Memory: 301 MB
Page File: Max Size: 1,701 MB
Page File: Available: 751 MB
Page File: In Use: 950 MB
Page File Location(s): C:\pagefile.sys
Domain: Viglienzoni.local
Logon Server: \\RICHS64SCREAMER
Hotfix(s): 292 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: File 1
[67]: File 1
[68]: File 1
[69]: File 1
[70]: File 1
[71]: File 1
[72]: File 1
[73]: File 1
[74]: File 1
[75]: File 1
[76]: File 1
[77]: File 1
[78]: File 1
[79]: File 1
[80]: File 1
[81]: File 1
[82]: File 1
[83]: File 1
[84]: File 1
[85]: File 1
[86]: File 1
[87]: File 1
[88]: File 1
[89]: File 1
[90]: File 1
[91]: File 1
[92]: File 1
[93]: File 1
[94]: File 1
[95]: File 1
[96]: File 1
[97]: File 1
[98]: File 1
[99]: File 1
[100]: File 1
[101]: File 1
[102]: File 1
[103]: File 1
[104]: File 1
[105]: File 1
[106]: File 1
[107]: File 1
[108]: File 1
[109]: File 1
[110]: File 1
[111]: File 1
[112]: File 1
[113]: File 1
[114]: File 1
[115]: File 1
[116]: File 1
[117]: File 1
[118]: File 1
[119]: File 1
[120]: File 1
[121]: File 1
[122]: File 1
[123]: File 1
[124]: File 1
[125]: File 1
[126]: File 1
[127]: File 1
[128]: File 1
[129]: File 1
[130]: File 1
[131]: File 1
[132]: File 1
[133]: File 1
[134]: File 1
[135]: File 1
[136]: Q147222
[137]: KB867460 - QFE
[138]: KB886903 - QFE
[139]: KB933854 - QFE
[140]: KB953298 - QFE
[141]: SP1 - SP
[142]: KB870669
[143]: Q832483
[144]: Q927978
[145]: Q936181
[146]: Q954430
[147]: Q973688
[148]: IDNMitigationAPIs - Update
[149]: NLSDownlevelMapping - Update
[150]: Q828026
[151]: Q828026 - Update
[152]: KB925398_WMP64
[153]: KB917734_WMP9
[154]: KB885492 - Update
[155]: KB938127-IE7 - Update
[156]: KB942615-IE7 - Update
[157]: KB944533-IE7 - Update
[158]: KB947864-IE7 - Update
[159]: KB950759-IE7 - Update
[160]: KB953838-IE7 - Update
[161]: KB968220-IE8 - Update
[162]: KB969897-IE8 - Update
[163]: KB971961-IE8 - Update
[164]: KB972260-IE8 - Update
[165]: KB974455-IE8 - Update
[166]: KB976325-IE8 - Update
[167]: KB976749-IE8 - Update
[168]: KB914961 - Service Pack
[169]: KB923561 - Update
[170]: KB925876 - Update
[171]: KB925902 - Update
[172]: KB927891 - Update
[173]: KB929123 - Update
[174]: KB930178 - Update
[175]: KB931784 - Update
[176]: KB931836 - Update
[177]: KB932168 - Update
[178]: KB933729 - Update
[179]: KB933854 - Update
[180]: KB935839 - Update
[181]: KB935840 - Update
[182]: KB936021 - Update
[183]: KB936782 - Update
[184]: KB938127 - Update
[185]: KB938464 - Update
[186]: KB941202 - Update
[187]: KB941568 - Update
[188]: KB941569 - Update
[189]: KB941644 - Update
[190]: KB941672 - Update
[191]: KB941693 - Update
[192]: KB942763 - Update
[193]: KB942830 - Update
[194]: KB942831 - Update
[195]: KB942840 - Update
[196]: KB943055 - Update
[197]: KB943460 - Update
[198]: KB943484 - Update
[199]: KB943485 - Update
[200]: KB944533 - Update
[201]: KB944653 - Update
[202]: KB945553 - Update
[203]: KB946026 - Update
[204]: KB948496 - Update
[205]: KB948590 - Update
[206]: KB948745 - Update
[207]: KB948881 - Update
[208]: KB949014 - Update
[209]: KB950760 - Update
[210]: KB950762 - Update
[211]: KB950974 - Update
[212]: KB951066 - Update
[213]: KB951072-v2 - Update
[214]: KB951698 - Update
[215]: KB951746 - Update
[216]: KB951748 - Update
[217]: KB952004 - Update
[218]: KB952069 - Update
[219]: KB952954 - Update
[220]: KB953298 - Update
[221]: KB953839 - Update
[222]: KB954155 - Update
[223]: KB954211 - Update
[224]: KB954600 - Update
[225]: KB955069 - Update
[226]: KB955839 - Update
[227]: KB956391 - Update
[228]:
Network Card(s): 2 NIC(s) Installed.
[01]: Realtek RTL8139/810x Family Fast Ethernet NIC
Connection Name: Server Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.0.1
IP address(es)
[01]: 192.168.0.201
[02]: 1394 Net Adapter
Connection Name: 1394 Connection
DHCP Enabled: Yes
DHCP Server: N/A
IP address(es)
12:7:52:765 2388 ForceUnloadDriver: NtUnloadDriver error 2
12:7:52:765 2388 ForceUnloadDriver: NtUnloadDriver error 2
12:7:52:765 2388 ForceUnloadDriver: NtUnloadDriver error 2
12:7:52:765 2388 main: Driver KLMD successfully dropped
12:7:53:78 2388 main: Driver KLMD successfully loaded
12:7:53:78 2388
Scanning Registry ...
12:7:53:156 2388 ScanServices: Searching service UACd.sys
12:7:53:156 2388 ScanServices: Open/Create key error 2
12:7:53:156 2388 ScanServices: Searching service TDSSserv.sys
12:7:53:156 2388 ScanServices: Open/Create key error 2
12:7:53:156 2388 ScanServices: Searching service gaopdxserv.sys
12:7:53:156 2388 ScanServices: Open/Create key error 2
12:7:53:156 2388 ScanServices: Searching service gxvxcserv.sys
12:7:53:156 2388 ScanServices: Open/Create key error 2
12:7:53:156 2388 ScanServices: Searching service MSIVXserv.sys
12:7:53:156 2388 ScanServices: Open/Create key error 2
12:7:53:156 2388 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 80800000
12:7:53:187 2388 UnhookRegistry: Kernel local addr: A40000
12:7:53:187 2388 UnhookRegistry: KeServiceDescriptorTable addr: ADF460
12:7:53:281 2388 UnhookRegistry: KiServiceTable addr: A70F78
12:7:53:281 2388 UnhookRegistry: NtEnumerateKey service number (local): 4B
12:7:53:281 2388 UnhookRegistry: NtEnumerateKey local addr: AF2154
12:7:53:296 2388 KLMD_OpenDevice: Trying to open KLMD device
12:7:53:296 2388 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
12:7:53:296 2388 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
12:7:53:296 2388 KLMD_ReadMem: Trying to ReadMemory 0x8082CCAD[0x4]
12:7:53:296 2388 UnhookRegistry: NtEnumerateKey service number (kernel): 4B
12:7:53:296 2388 KLMD_ReadMem: Trying to ReadMemory 0x808310A4[0x4]
12:7:53:296 2388 UnhookRegistry: NtEnumerateKey real addr: 808B2154
12:7:53:296 2388 UnhookRegistry: NtEnumerateKey calc addr: 808B2154
12:7:53:296 2388 UnhookRegistry: No SDT hooks found on NtEnumerateKey
12:7:53:296 2388 KLMD_ReadMem: Trying to ReadMemory 0x808B2154[0xA]
12:7:53:296 2388 UnhookRegistry: No splicing found on NtEnumerateKey
12:7:53:296 2388
Scanning Kernel memory ...
12:7:53:296 2388 KLMD_OpenDevice: Trying to open KLMD device
12:7:53:296 2388 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
12:7:53:296 2388 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
12:7:53:296 2388 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 869A5E40
12:7:53:296 2388 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
12:7:53:296 2388 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86942030
12:7:53:296 2388 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86942030
12:7:53:296 2388 KLMD_ReadMem: Trying to ReadMemory 0x86942030[0x38]
12:7:53:296 2388 DetectCureTDL3: DRIVER_OBJECT addr: 869A5E40
12:7:53:296 2388 KLMD_ReadMem: Trying to ReadMemory 0x869A5E40[0xA8]
12:7:53:296 2388 KLMD_ReadMem: Trying to ReadMemory 0xE18FD788[0x208]
12:7:53:296 2388 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:7:53:296 2388 DetectCureTDL3: IrpHandler (0) addr: F727A1E0
12:7:53:296 2388 DetectCureTDL3: IrpHandler (1) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (2) addr: F727A1E0
12:7:53:296 2388 DetectCureTDL3: IrpHandler (3) addr: F7271485
12:7:53:296 2388 DetectCureTDL3: IrpHandler (4) addr: F7271485
12:7:53:296 2388 DetectCureTDL3: IrpHandler (5) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (6) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (7) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (8) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (9) addr: F7271E9A
12:7:53:296 2388 DetectCureTDL3: IrpHandler (10) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (11) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (12) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (13) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (14) addr: F7272208
12:7:53:296 2388 DetectCureTDL3: IrpHandler (15) addr: F72764C1
12:7:53:296 2388 DetectCureTDL3: IrpHandler (16) addr: F7271E9A
12:7:53:296 2388 DetectCureTDL3: IrpHandler (17) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (18) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (19) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (20) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (21) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (22) addr: F7273D14
12:7:53:296 2388 DetectCureTDL3: IrpHandler (23) addr: F727C264
12:7:53:296 2388 DetectCureTDL3: IrpHandler (24) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (25) addr: 8082063E
12:7:53:296 2388 DetectCureTDL3: IrpHandler (26) addr: 8082063E
12:7:53:296 2388 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
12:7:53:296 2388 KLMD_ReadMem: DeviceIoControl error 1
12:7:53:296 2388 TDL3_StartIoHookDetect: Unable to get StartIo handler code
12:7:53:296 2388 TDL3_FileDetect: Processing driver: Disk
12:7:53:296 2388 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
12:7:53:296 2388 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
12:7:53:296 2388 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
12:7:53:343 2388 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 869A6C68
12:7:53:343 2388 KLMD_GetLowerDeviceObject: Trying to get lower device object for 869A6C68
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0x869A6C68[0x38]
12:7:53:343 2388 DetectCureTDL3: DRIVER_OBJECT addr: 869A5E40
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0x869A5E40[0xA8]
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0xE18FD788[0x208]
12:7:53:343 2388 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:7:53:343 2388 DetectCureTDL3: IrpHandler (0) addr: F727A1E0
12:7:53:343 2388 DetectCureTDL3: IrpHandler (1) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (2) addr: F727A1E0
12:7:53:343 2388 DetectCureTDL3: IrpHandler (3) addr: F7271485
12:7:53:343 2388 DetectCureTDL3: IrpHandler (4) addr: F7271485
12:7:53:343 2388 DetectCureTDL3: IrpHandler (5) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (6) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (7) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (8) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (9) addr: F7271E9A
12:7:53:343 2388 DetectCureTDL3: IrpHandler (10) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (11) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (12) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (13) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (14) addr: F7272208
12:7:53:343 2388 DetectCureTDL3: IrpHandler (15) addr: F72764C1
12:7:53:343 2388 DetectCureTDL3: IrpHandler (16) addr: F7271E9A
12:7:53:343 2388 DetectCureTDL3: IrpHandler (17) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (18) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (19) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (20) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (21) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (22) addr: F7273D14
12:7:53:343 2388 DetectCureTDL3: IrpHandler (23) addr: F727C264
12:7:53:343 2388 DetectCureTDL3: IrpHandler (24) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (25) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (26) addr: 8082063E
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
12:7:53:343 2388 KLMD_ReadMem: DeviceIoControl error 1
12:7:53:343 2388 TDL3_StartIoHookDetect: Unable to get StartIo handler code
12:7:53:343 2388 TDL3_FileDetect: Processing driver: Disk
12:7:53:343 2388 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
12:7:53:343 2388 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
12:7:53:343 2388 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
12:7:53:343 2388 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 869A6030
12:7:53:343 2388 KLMD_GetLowerDeviceObject: Trying to get lower device object for 869A6030
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0x869A6030[0x38]
12:7:53:343 2388 DetectCureTDL3: DRIVER_OBJECT addr: 869A5E40
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0x869A5E40[0xA8]
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0xE18FD788[0x208]
12:7:53:343 2388 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:7:53:343 2388 DetectCureTDL3: IrpHandler (0) addr: F727A1E0
12:7:53:343 2388 DetectCureTDL3: IrpHandler (1) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (2) addr: F727A1E0
12:7:53:343 2388 DetectCureTDL3: IrpHandler (3) addr: F7271485
12:7:53:343 2388 DetectCureTDL3: IrpHandler (4) addr: F7271485
12:7:53:343 2388 DetectCureTDL3: IrpHandler (5) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (6) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (7) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (8) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (9) addr: F7271E9A
12:7:53:343 2388 DetectCureTDL3: IrpHandler (10) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (11) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (12) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (13) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (14) addr: F7272208
12:7:53:343 2388 DetectCureTDL3: IrpHandler (15) addr: F72764C1
12:7:53:343 2388 DetectCureTDL3: IrpHandler (16) addr: F7271E9A
12:7:53:343 2388 DetectCureTDL3: IrpHandler (17) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (18) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (19) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (20) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (21) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (22) addr: F7273D14
12:7:53:343 2388 DetectCureTDL3: IrpHandler (23) addr: F727C264
12:7:53:343 2388 DetectCureTDL3: IrpHandler (24) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (25) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (26) addr: 8082063E
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
12:7:53:343 2388 KLMD_ReadMem: DeviceIoControl error 1
12:7:53:343 2388 TDL3_StartIoHookDetect: Unable to get StartIo handler code
12:7:53:343 2388 TDL3_FileDetect: Processing driver: Disk
12:7:53:343 2388 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
12:7:53:343 2388 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
12:7:53:343 2388 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
12:7:53:343 2388 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8696B030
12:7:53:343 2388 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8696B030
12:7:53:343 2388 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 869269E8
12:7:53:343 2388 KLMD_GetLowerDeviceObject: Trying to get lower device object for 869269E8
12:7:53:343 2388 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86926B00
12:7:53:343 2388 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86926B00
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0x86926B00[0x38]
12:7:53:343 2388 DetectCureTDL3: DRIVER_OBJECT addr: 86946950
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0x86946950[0xA8]
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0xE18FF2F0[0x208]
12:7:53:343 2388 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:7:53:343 2388 DetectCureTDL3: IrpHandler (0) addr: F72ADB88
12:7:53:343 2388 DetectCureTDL3: IrpHandler (1) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (2) addr: F72ADB88
12:7:53:343 2388 DetectCureTDL3: IrpHandler (3) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (4) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (5) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (6) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (7) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (8) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (9) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (10) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (11) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (12) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (13) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (14) addr: F72ADBA8
12:7:53:343 2388 DetectCureTDL3: IrpHandler (15) addr: F72A98E6
12:7:53:343 2388 DetectCureTDL3: IrpHandler (16) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (17) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (18) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (19) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (20) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (21) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (22) addr: F72ADBD2
12:7:53:343 2388 DetectCureTDL3: IrpHandler (23) addr: F72B60A0
12:7:53:343 2388 DetectCureTDL3: IrpHandler (24) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (25) addr: 8082063E
12:7:53:343 2388 DetectCureTDL3: IrpHandler (26) addr: 8082063E
12:7:53:343 2388 KLMD_ReadMem: Trying to ReadMemory 0xF72A9E2E[0x400]
12:7:53:343 2388 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
12:7:53:343 2388 TDL3_FileDetect: Processing driver: atapi
12:7:53:343 2388 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
12:7:53:343 2388 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
12:7:53:343 2388 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
12:7:53:359 2388 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 869A8030
12:7:53:359 2388 KLMD_GetLowerDeviceObject: Trying to get lower device object for 869A8030
12:7:53:359 2388 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8696CC80
12:7:53:359 2388 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8696CC80
12:7:53:359 2388 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8696C948
12:7:53:359 2388 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8696C948
12:7:53:359 2388 KLMD_ReadMem: Trying to ReadMemory 0x8696C948[0x38]
12:7:53:359 2388 DetectCureTDL3: DRIVER_OBJECT addr: 86946950
12:7:53:359 2388 KLMD_ReadMem: Trying to ReadMemory 0x86946950[0xA8]
12:7:53:359 2388 KLMD_ReadMem: Trying to ReadMemory 0xE18FF2F0[0x208]
12:7:53:359 2388 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:7:53:359 2388 DetectCureTDL3: IrpHandler (0) addr: F72ADB88
12:7:53:359 2388 DetectCureTDL3: IrpHandler (1) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (2) addr: F72ADB88
12:7:53:359 2388 DetectCureTDL3: IrpHandler (3) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (4) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (5) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (6) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (7) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (8) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (9) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (10) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (11) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (12) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (13) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (14) addr: F72ADBA8
12:7:53:359 2388 DetectCureTDL3: IrpHandler (15) addr: F72A98E6
12:7:53:359 2388 DetectCureTDL3: IrpHandler (16) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (17) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (18) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (19) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (20) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (21) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (22) addr: F72ADBD2
12:7:53:359 2388 DetectCureTDL3: IrpHandler (23) addr: F72B60A0
12:7:53:359 2388 DetectCureTDL3: IrpHandler (24) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (25) addr: 8082063E
12:7:53:359 2388 DetectCureTDL3: IrpHandler (26) addr: 8082063E
12:7:53:359 2388 KLMD_ReadMem: Trying to ReadMemory 0xF72A9E2E[0x400]
12:7:53:359 2388 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
12:7:53:359 2388 TDL3_FileDetect: Processing driver: atapi
12:7:53:359 2388 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
12:7:53:359 2388 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
12:7:53:359 2388 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
12:7:53:359 2388
Completed

Results:
12:7:53:359 2388 Infected objects in memory: 0
12:7:53:359 2388 Cured objects in memory: 0
12:7:53:359 2388 Infected objects on disk: 0
12:7:53:359 2388 Objects on disk cured on reboot: 0
12:7:53:359 2388 Objects on disk deleted on reboot: 0
12:7:53:359 2388 Registry nodes deleted on reboot: 0
12:7:53:359 2388

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:01 AM

Posted 17 December 2009 - 08:22 AM

Ok. Let me know the results of the online scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#15 techboy5

techboy5
  • Topic Starter

  • Members
  • 20 posts
  • Local time:09:01 PM

Posted 18 December 2009 - 11:46 AM

Quietman7,

I was also unable to run Kaspersky Online Virus Scanner in normal Windows mode.
That's why it took so long to get back to you. It would complete about 27% and stop.
Tried three times.
Finally booted into safe mode last night and tried again. When I checked this morning
it had completed the scan... results are below...
Thanks for your help...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, December 18, 2009
Operating system: Microsoft Windows Server 2003, Standard Edition Service Pack 2 (build 3790)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, December 18, 2009 05:27:34
Records in database: 3383989
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 131828
Threats found: 5
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 04:53:21


File name / Threat / Threats count
C:\Documents and Settings\Administrator\My Documents\memory-card-data-recovery-demo.exe Infected: not-a-virus:Monitor.Win32.KeyPressHooker.c 1
C:\Documents and Settings\Administrator\Shared\dirtee cash dizzee rascal.mp3 Infected: Trojan-Downloader.WMA.GetCodec.s 1
C:\Documents and Settings\Administrator\Shared\everybody in love jls(1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.s 1
E:\iomegahdpix\Incomplete\T-1395704-Little_Boots_Remedy.wma Infected: Trojan-Downloader.WMA.Wimad.v 1
E:\iomegahdpix\My Documents\surfpics.exe Infected: not-a-virus:AdWare.Win32.Ucmore 2
E:\iomegahdpix\My Documents\surfpics.exe Infected: not-a-virus:AdWare.Win32.Ucmore.a 1

Selected area has been scanned.


FWIW, I have never activated surfpics.exe, just never deleted it. That whole E:\iomegahdpix folder was from my now-defunct old laptop.


Thanks again,


Techboy5



