
Win32 Trojan - Redirects Browsers, hard to clean


  • This topic is locked
34 replies to this topic

#1 FAB1

  • Members
  • 41 posts

Posted 13 December 2009 - 03:27 PM

SUPERAntiSpyware and VundoFix could not clean this out completely; it returns on reboot
and is very pesky and is scaring my wife - gotta get it out.
So here is my HJT log - thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:42 PM, on 12/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Office_07\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snip.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\OFFICE~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTtrayp] VTtrayp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Office_07\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Office_07\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickScan (OpticFilm 7200).lnk = C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by138fd.bay138.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1180561501906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\OFFICE~1\Office12\GR99D3~1.DLL
O18 - Filter hijack: text/html - {fdf86322-e43f-4c67-b4ee-f8ef6c5b7fec} - C:\WINDOWS\system32\mst122.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: 5cfc6e294dee45cfe4caf62ae26efe2d (cfcdbefddfacd) - Unknown owner - C:\WINDOWS\cfcdbefddfacd.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
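An added illustration (not part of this thread, of HijackThis, or of any BleepingComputer tool): a small Python triage script that parses HijackThis-format entry lines like the ones above and attaches findings using a few heuristics, the same things a helper scans a log for by eye: O23 services marked "(file missing)" or "Unknown owner", service display names that are bare hex strings, O18 text/html filter hijacks, and O4 autostart targets given without a path. The sample lines are copied from the log above; the rules, severities and function names are this example's own assumptions.

```python
"""Triage HijackThis v2 log entries the way a helper reads them.

This is an added illustration for the thread, not part of HijackThis or any
BleepingComputer tool. The rules are heuristics written for this example; the
sample lines are copied from the log posted in the thread.
"""
import re
from dataclasses import dataclass, field

# A HijackThis entry is "<section code> - <body>"; sections such as O2, O18
# and O23 separate their fields with " - ".
ENTRY_RE = re.compile(r"^(?P<code>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")
# Service display names that are nothing but a long hex string.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{16,}$")

# Sample input: lines copied from the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snip.pl/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O18 - Filter hijack: text/html - {fdf86322-e43f-4c67-b4ee-f8ef6c5b7fec} - C:\WINDOWS\system32\mst122.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: 5cfc6e294dee45cfe4caf62ae26efe2d (cfcdbefddfacd) - Unknown owner - C:\WINDOWS\cfcdbefddfacd.exe (file missing)
""".strip()


@dataclass
class Entry:
    code: str
    body: str
    # (severity, reason) pairs; severity is "high" or "info"
    findings: list = field(default_factory=list)

    def note(self, severity, reason):
        self.findings.append((severity, reason))


def parse_entry(line):
    """Return an Entry for a HijackThis entry line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m.group("code"), m.group("body")) if m else None


def assess(entry):
    """Attach findings to one entry using section-specific rules (heuristics)."""
    body = entry.body
    if entry.code == "R0" and "Start Page" in body:
        entry.note("info", "start page is set; confirm the user chose it")
    elif entry.code == "O4" and "] " in body:
        # O4 - <hive>\..\Run: [Name] <target>. A target with no drive or
        # directory is resolved through the search path, so verify which
        # binary actually answers to that name.
        target = body.split("] ", 1)[1].strip().strip('"')
        if "\\" not in target and ":" not in target:
            entry.note("info", "autostart target has no path: " + target)
    elif entry.code == "O18" and body.startswith("Filter hijack:"):
        # A MIME filter registered for text/html sees, and can rewrite, every
        # page the browser loads; HijackThis itself labels the entry a hijack.
        entry.note("high", "text/html MIME filter: " + body.rsplit(" - ", 1)[1])
    elif entry.code == "O23":
        parts = body.split(" - ")
        display = parts[0][len("Service: "):].split(" (")[0]
        if HEX_NAME_RE.match(display):
            entry.note("high", "service name is a bare hex string")
        if len(parts) > 1 and parts[1] == "Unknown owner":
            entry.note("high", "service binary carries no publisher")
        if body.endswith("(file missing)"):
            entry.note("high", "service is registered but its binary is gone")
    return entry


def triage(log_text):
    """Parse every entry line in a log and assess it, in log order."""
    entries = [parse_entry(line) for line in log_text.splitlines()]
    return [assess(e) for e in entries if e is not None]


def high_risk(entries):
    """Entries with at least one 'high' finding, in log order."""
    return [e for e in entries if any(sev == "high" for sev, _ in e.findings)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        for severity, reason in e.findings:
            print(f"{severity:<4} {e.code:<4} {reason}")
```

Run on the sample, the script leaves the Java BHO and the avast! entries clean, marks the two path-less and start-page items as informational, and flags exactly two entries as high: the text/html filter pointing at mst122.dll and the hex-named service whose binary is missing. The "info" rules are deliberately noisy on an older XP box (several vendors register path-less Run entries), which is why they are separated from the "high" rules rather than folded in.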


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 December 2009 - 09:00 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 FAB1
  • Topic Starter

  • Members
  • 41 posts

Posted 14 December 2009 - 08:14 PM

Hi Sam from Ohio!

My OS is XP home SP2 - other than the redirects it is running rather sluggishly. :(
Here are the logs you requested.

OTL logfile created on: 12/14/2009 6:02:12 PM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Granny\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.48 Mb Total Physical Memory | 200.18 Mb Available Physical Memory | 44.74% Memory free
1.03 Gb Paging File | 0.63 Gb Available in Paging File | 61.63% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.60 Gb Total Space | 10.12 Gb Free Space | 28.43% Space Free | Partition Type: FAT32
Drive D: | 35.98 Gb Total Space | 3.02 Gb Free Space | 8.40% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER2
Current User Name: Granny
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/14 18:01:22 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Granny\Desktop\OTL.exe
PRC - [2009/11/23 08:43:26 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/10/11 04:17:36 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/05/15 19:19:32 | 00,079,224 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2008/05/15 19:19:24 | 00,144,760 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2008/05/15 19:19:00 | 00,247,160 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2008/05/15 19:17:00 | 00,349,560 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2008/05/15 19:06:58 | 00,017,272 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2007/06/08 13:30:48 | 00,290,816 | ---- | M] () -- C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
PRC - [2006/10/27 00:47:42 | 00,031,016 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Office_07\Office12\GrooveMonitor.exe
PRC - [2005/06/20 09:03:24 | 00,352,256 | ---- | M] (acer Inc.) -- C:\Program Files\acer\eRecovery\Monitor.exe
PRC - [2005/06/08 08:31:32 | 00,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/05/13 12:57:00 | 00,143,360 | ---- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\system32\VTTrayp.exe
PRC - [2005/05/13 12:57:00 | 00,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2005/03/17 11:10:32 | 00,536,576 | ---- | M] (Panicware, Inc.) -- C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
PRC - [2004/08/04 05:00:00 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 05:00:00 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2004/07/21 16:28:02 | 00,413,807 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
PRC - [2004/07/21 16:26:36 | 00,176,241 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
PRC - [2004/07/15 01:07:56 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2003/06/04 03:00:00 | 00,099,840 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE


========== Modules (SafeList) ==========

MOD - [2009/12/14 18:01:22 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Granny\Desktop\OTL.exe
MOD - [2006/08/25 11:45:56 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2005/03/10 16:33:48 | 00,053,248 | ---- | M] (Panicware, Inc.) -- C:\Program Files\Panicware\Pop-Up Stopper Free Edition\XAHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (cfcdbefddfacd)
SRV - [2009/10/11 04:17:36 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/07/06 12:38:20 | 00,085,096 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2008/05/15 19:19:24 | 00,144,760 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2008/05/15 19:19:00 | 00,247,160 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2008/05/15 19:17:00 | 00,349,560 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2008/05/15 19:06:58 | 00,017,272 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2006/10/27 00:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Office_07\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/03/23 19:55:00 | 00,360,448 | ---- | M] (ATI Technologies Inc.) [Auto | Stopped] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2004/07/21 16:26:36 | 00,176,241 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2783849547-1727397312-1731493430-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.snip.pl/
IE - HKU\S-1-5-21-2783849547-1727397312-1731493430-1007\S-1-5-21-2783849547-1727397312-1731493430-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..extensions.enabledItems: {ba2430e0-5b72-4cac-bc9e-7d1aaca75d3d}:1.5.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/17 23:43:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/17 23:43:18 | 00,000,000 | ---D | M]

[2009/08/17 23:44:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\Mozilla\Extensions
[2009/08/17 23:44:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\Mozilla\Firefox\Profiles\bkxy2luo.default\extensions
[2009/10/06 00:52:40 | 00,000,000 | ---D | M] () -- C:\Documents and Settings\Granny\Application Data\Mozilla\Firefox\Profiles\bkxy2luo.default\extensions\{ba2430e0-5b72-4cac-bc9e-7d1aaca75d3d}
[2009/08/17 23:43:18 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/10 23:34:44 | 00,119,312 | ---- | M] (none) -- C:\Program Files\Mozilla Firefox\components\cfeadfeaebbbceb.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Office_07\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-2783849547-1727397312-1731493430-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [AGRSMMSG] File not found
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [eRecoveryService] C:\Program Files\acer\eRecovery\Monitor.exe (acer Inc.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Office_07\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe ()
O4 - HKLM..\Run: [PD0620 STISvc] C:\WINDOWS\System32\P0620Pin.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTtrayp] C:\WINDOWS\System32\VTTrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKU\S-1-5-21-2783849547-1727397312-1731493430-1007..\Run: [PopUpStopperFreeEdition] C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe (Panicware, Inc.)
O4 - HKU\S-1-5-21-2783849547-1727397312-1731493430-1007..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickScan (OpticFilm 7200).lnk = C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O4 - Startup: C:\Documents and Settings\Granny\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Office_07\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Granny\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2783849547-1727397312-1731493430-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Office_07\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Office_07\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Office_07\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Office_07\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2783849547-1727397312-1731493430-1007\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab (Citrix ICA Client)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by138fd.bay138.hotmail.msn.com/resources/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1180561501906 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Office_07\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Office_07\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/17 14:03:44 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/10/17 13:40:32 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/14 18:01:20 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Granny\Desktop\OTL.exe
[2009/12/13 11:49:00 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/12 16:45:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/12/12 16:45:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Granny\Application Data\SUPERAntiSpyware.com
[2009/12/12 16:45:18 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/12 01:57:08 | 00,000,000 | ---D | C] -- C:\Program Files\Axon Data
[2009/12/10 23:15:12 | 00,000,000 | -HSD | C] -- C:\FOUND.002
[2005/10/17 13:54:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2005/10/17 13:54:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/10/17 13:44:40 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/10/17 13:44:40 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/14 18:24:28 | 00,292,864 | ---- | M] () -- C:\Documents and Settings\Granny\Desktop\l3l3mywd.exe
[2009/12/14 18:01:22 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Granny\Desktop\OTL.exe
[2009/12/13 19:29:40 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2009/12/13 19:28:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/13 19:28:44 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/13 19:28:42 | 46,929,1008 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/13 11:53:36 | 00,097,280 | ---- | M] () -- C:\Documents and Settings\Granny\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/13 11:49:02 | 00,001,682 | ---- | M] () -- C:\Documents and Settings\Granny\Desktop\HijackThis.lnk
[2009/12/13 11:22:24 | 07,340,032 | -H-- | M] () -- C:\Documents and Settings\Granny\NTUSER.DAT
[2009/12/13 11:22:00 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Granny\ntuser.ini
[2009/12/12 19:26:10 | 00,278,016 | ---- | M] () -- C:\Documents and Settings\Granny\My Documents\VL_sales_09.xls
[2009/12/12 16:45:26 | 00,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/12 16:36:00 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\Granny\Desktop\rkill.com
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/13 11:49:00 | 00,001,682 | ---- | C] () -- C:\Documents and Settings\Granny\Desktop\HijackThis.lnk
[2009/12/12 16:45:25 | 00,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/12 16:42:21 | 46,929,1008 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/12 16:35:52 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\Granny\Desktop\rkill.com
[2009/02/24 19:46:11 | 18,087,936 | ---- | C] () -- C:\Program Files\FLV PlayerRCSetup.exe
[2008/12/07 09:52:29 | 00,000,104 | ---- | C] () -- C:\WINDOWS\mfpd.ini
[2008/07/06 12:35:08 | 00,485,600 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2008/07/03 18:37:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Aeditor.INI
[2008/07/03 18:36:59 | 00,000,299 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2008/03/24 17:44:38 | 00,020,531 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\W77X4
[2008/03/24 17:16:45 | 00,001,809 | ---- | C] () -- C:\WINDOWS\if42le.ini
[2008/03/24 17:16:45 | 00,000,299 | ---- | C] () -- C:\WINDOWS\Pexplore.ini
[2008/03/24 17:15:58 | 00,000,118 | ---- | C] () -- C:\WINDOWS\A15U.INI
[2008/03/24 17:12:33 | 00,015,360 | R--- | C] () -- C:\WINDOWS\System32\GetInst32.dll
[2008/01/07 00:26:09 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/01/06 22:22:50 | 00,000,129 | ---- | C] () -- C:\Documents and Settings\Granny\Local Settings\Application Data\fusioncache.dat
[2007/10/13 11:27:01 | 00,000,264 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI
[2007/09/06 16:38:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Dvm.INI
[2007/08/11 01:11:18 | 00,000,172 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2007/06/26 16:23:02 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/06/26 16:23:02 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/06/12 21:53:21 | 00,025,713 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2007/06/04 16:14:08 | 00,000,203 | ---- | C] () -- C:\WINDOWS\QScreenCapt.ini
[2007/06/03 12:55:11 | 00,000,029 | ---- | C] () -- C:\WINDOWS\CDMKR32.INI
[2007/06/01 19:48:24 | 00,000,014 | ---- | C] () -- C:\WINDOWS\dswplug.ini
[2007/05/31 18:23:39 | 00,000,723 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/31 18:23:39 | 00,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2007/05/31 16:38:47 | 00,097,280 | ---- | C] () -- C:\Documents and Settings\Granny\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/29 23:35:22 | 00,000,093 | ---- | C] () -- C:\WINDOWS\R300.ini
[2007/05/29 20:51:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2005/11/11 06:43:28 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\libssl32.dll
[2005/11/11 06:43:24 | 00,887,296 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/10/17 14:29:06 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/10/17 13:59:18 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2005/10/17 13:59:16 | 00,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/10/17 13:54:34 | 00,008,073 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/10/17 13:48:30 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/10/17 13:39:10 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2005/10/17 13:39:02 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/12/17 17:14:44 | 00,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2001/12/26 16:12:30 | 00,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 23:46:38 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 16:33:56 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 22:04:36 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[2001/07/13 07:04:00 | 00,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
[1997/07/11 00:00:00 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1997/07/11 00:00:00 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/07/11 00:00:00 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1980/01/01 00:00:00 | 00,000,083 | ---- | C] () -- C:\WINDOWS\ALaunch.ini

========== LOP Check ==========

[2007/06/01 19:47:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2008/03/24 17:16:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Newsoft
[2008/07/06 12:36:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2009/08/22 20:53:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2009/11/26 10:19:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2007/05/29 23:40:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\Leadertech
[2007/05/31 21:52:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\Canon
[2007/06/24 11:40:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\uTorrent
[2007/09/30 08:44:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\ICAClient
[2008/01/06 09:19:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\Ulead Systems
[2008/03/05 00:09:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\Jasc
[2008/03/23 11:02:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\com.codeode
[2008/03/24 17:44:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\Lasersoft Imaging
[2008/07/06 12:36:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\Autodesk
[2008/10/12 16:15:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\foobar2000
[2009/11/26 10:19:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Granny\Application Data\Multi File Downloader
[2007/06/03 12:21:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Pappy\Application Data\uTorrent
[2007/06/03 12:52:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Pappy\Application Data\Ulead Systems

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/03 22:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 05:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004/08/03 22:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 05:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 22:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 05:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >



Report # 2


OTL Extras logfile created on: 12/14/2009 6:02:13 PM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Granny\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.48 Mb Total Physical Memory | 200.18 Mb Available Physical Memory | 44.74% Memory free
1.03 Gb Paging File | 0.63 Gb Available in Paging File | 61.63% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.60 Gb Total Space | 10.12 Gb Free Space | 28.43% Space Free | Partition Type: FAT32
Drive D: | 35.98 Gb Total Space | 3.02 Gb Free Space | 8.40% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER2
Current User Name: Granny
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2783849547-1727397312-1731493430-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Office_07\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Office_07\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\OFFICE~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"4274:UDP" = 4274:UDP:*:Enabled:Windows Media Format SDK (IEXPLORE.EXE)
"4275:UDP" = 4275:UDP:*:Enabled:Windows Media Format SDK (IEXPLORE.EXE)
"4278:UDP" = 4278:UDP:*:Enabled:Windows Media Format SDK (IEXPLORE.EXE)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"D:\VLegacy\download\utorrent.exe" = D:\VLegacy\download\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Acer\Acer eConsole\MediaServerService.exe" = C:\Program Files\Acer\Acer eConsole\MediaServerService.exe:LocalSubNet:Disabled:Acer Media Server -- File not found
"C:\Program Files\Acer\Acer eConsole\eConsole.exe" = C:\Program Files\Acer\Acer eConsole\eConsole.exe:LocalSubNet:Disabled:eConsole -- File not found
"C:\Program Files\Acer\Acer eConsole\MediaSync.exe" = C:\Program Files\Acer\Acer eConsole\MediaSync.exe:LocalSubNet:Disabled:Media Synchoronizer -- File not found
"C:\Program Files\Office_07\Office12\groove.exe" = C:\Program Files\Office_07\Office12\groove.exe:*:Disabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Office_07\Office12\ONENOTE.EXE" = C:\Program Files\Office_07\Office12\ONENOTE.EXE:*:Disabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\SAGENT4.EXE" = C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\SAGENT4.EXE:*:Disabled:SAgent4 -- (SEIKO EPSON CORPORATION)
"C:\Program Files\Multi File Downloader\MultiFileDownloader.exe" = C:\Program Files\Multi File Downloader\MultiFileDownloader.exe:*:Disabled:Multi File Downloader -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03F1CC67-5BD8-4C36-8394-76311B2AE69A}" = ArcSoft PhotoStudio 5
"{109D28C7-FB38-483A-9C91-001CB59E2699}" = EPSON CardMonitor
"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{5783F2D7-7009-0409-0002-0060B0CE6BBA}" = AutoCAD LT 2009 - English
"{5983C895-DDA4-45D9-A8D1-877D5DE7693E}" = EPSON PhotoStarter3.0
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{783033B0-D8E6-11D5-9293-0050BA073EEC}" = Presto! ImageFolio 4
"{7B478ACE-8512-4A46-ACB2-69D83DF2F6C7}" = Digital Voice Recorder
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{88F93347-0F9B-4FED-BA71-6C2A4CDFE61D}" = Ulead DVD MovieFactory 2
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9E6D338B-7D32-469F-A8D8-1F279885CEB3}" = OpticFilm 7200
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B8A6F713-D72D-47AD-A92D-B5C0E13F98C1}" = NTI HomeVideo-Maker
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CEC336A0-86C7-40CA-838D-C11DC0AEC09E}" = Cactus Spam Filter
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Anniversary Edition
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}" = EPSON Print CD
"7-Zip" = 7-Zip 4.42
"Acoustica Premium Edition_is1" = Acoustica Premium Edition 4.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems Usb 2.0 Soft Modem
"Applian FLV Player2.0.24" = Applian FLV Player
"ATI Display Driver" = ATI Display Driver
"AutoCAD LT 2009 - English" = AutoCAD LT 2009 - English
"avast!" = avast! Antivirus
"AxCrypt" = AxCrypt (Remove Only)
"Citrix ICA Web Client" = MetaFrame Presentation Server Web Client for Win32
"Creative PD0620" = Creative WebCam Instant Driver (1.03.02.0425)
"Creative WebCam Center" = Creative WebCam Center
"DeliPlayer2" = DeliPlayer 2
"DVDFab Decrypter_is1" = DVDFab Decrypter 3.0.5.0
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Printer and Utilities" = EPSON Printer Software
"ffdshow_is1" = ffdshow [rev 1058+] [2007-03-22]
"Get Yahoo! Messenger" = Get Yahoo! Messenger
"HaaliMkx" = Haali Media Splitter
"HijackThis" = HijackThis 2.0.2
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"MagicDisc 2.5.79" = MagicDisc 2.5.79
"MediaMonkey_is1" = MediaMonkey 2.5
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"Mozilla Firefox (3.5.2)" = Mozilla Firefox (3.5.2)
"MSNINST" = MSN
"Office8.0" = Microsoft Office 97, Professional Edition
"Outlook Express Backup Wizard_is1" = Outlook Express Backup Wizard version 1.1
"PeerGuardian_is1" = PeerGuardian 2.0
"Pop-Up Stopper Free Edition" = Pop-Up Stopper Free Edition
"Replay Video Capture4.1" = Replay Video Capture
"Revo Uninstaller" = Revo Uninstaller 1.83
"Silent Package Run-Time Sample" = EPSON SPR300 Reference Guide
"SilverFast UScan-SE" = SilverFast UScan-SE 6.5.5r2
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"SSC Service Utility_is1" = SSC Service Utility v4.30
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebCam Instant Product Registration" = WebCam Instant Product Registration
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! SiteBuilder" = Yahoo! SiteBuilder
"Yahoo! SiteBuilder2.6-J" = Yahoo! SiteBuilder2.6-J
"ZoomPlayer" = Zoom Player (remove only)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2783849547-1727397312-1731493430-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"foobar2000" = foobar2000 v0.9.5.6
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/25/2008 5:16:20 PM | Computer Name = ACER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 6/25/2008 5:58:00 PM | Computer Name = ACER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 6/26/2008 4:03:21 PM | Computer Name = ACER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 6/26/2008 11:41:41 PM | Computer Name = ACER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 6/26/2008 11:46:08 PM | Computer Name = ACER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 7/9/2008 11:46:00 PM | Computer Name = ACER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 7/9/2008 11:46:02 PM | Computer Name = ACER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 7/9/2008 11:46:09 PM | Computer Name = ACER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 7/9/2008 11:46:14 PM | Computer Name = ACER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 7/26/2008 4:51:14 PM | Computer Name = ACER2 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module flash9c.ocx, version 9.0.45.0, fault address 0x0008ddd5.

[ System Events ]
Error - 12/13/2009 10:14:43 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/13/2009 10:14:43 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/13/2009 10:14:43 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/13/2009 10:14:43 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/13/2009 10:14:44 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/13/2009 10:14:44 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/13/2009 10:14:44 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/13/2009 10:14:44 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/13/2009 10:14:44 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/13/2009 10:14:44 AM | Computer Name = ACER2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126


< End of report >


Report # 3

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-14 20:12:23
Windows 5.1.2600 Service Pack 2
Running: l3l3mywd.exe; Driver: C:\DOCUME~1\Granny\LOCALS~1\Temp\pgldrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF1B5E588]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF1B5E444]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF1B5E922]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF1B5E01C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF1B5E51E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF1B5DF5C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF1B5DFC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF1B5E63E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF1B5E5FE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF1B5E77E]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF1C590B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2430 80501300 4 Bytes JMP 55E104BA

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[508] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[508] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----

#4 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:50 AM

Posted 15 December 2009 - 07:50 AM

We need to run this special tool next.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 FAB1

FAB1
  • Topic Starter

  • Members
  • 41 posts

Posted 15 December 2009 - 07:26 PM

Here ya go, Sam. As for PC symptoms, Mozilla seems to have the redirect problem more than IE, so I have been using IE
during the last couple of days and not Mozilla. Also, Firefox takes a long time to load. Thanks.


19:23:38:406 3620 ForceUnloadDriver: NtUnloadDriver error 2
19:23:38:406 3620 ForceUnloadDriver: NtUnloadDriver error 2
19:23:38:406 3620 ForceUnloadDriver: NtUnloadDriver error 2
19:23:38:406 3620 main: Driver KLMD successfully dropped
19:23:38:515 3620 main: Driver KLMD successfully loaded
19:23:38:515 3620
Scanning Registry ...
19:23:38:531 3620 ScanServices: Searching service UACd.sys
19:23:38:531 3620 ScanServices: Open/Create key error 2
19:23:38:531 3620 ScanServices: Searching service TDSSserv.sys
19:23:38:531 3620 ScanServices: Open/Create key error 2
19:23:38:531 3620 ScanServices: Searching service gaopdxserv.sys
19:23:38:531 3620 ScanServices: Open/Create key error 2
19:23:38:531 3620 ScanServices: Searching service gxvxcserv.sys
19:23:38:531 3620 ScanServices: Open/Create key error 2
19:23:38:531 3620 ScanServices: Searching service MSIVXserv.sys
19:23:38:531 3620 ScanServices: Open/Create key error 2
19:23:38:531 3620 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
19:23:38:906 3620 UnhookRegistry: Kernel local addr: 9F0000
19:23:38:953 3620 UnhookRegistry: KeServiceDescriptorTable addr: A6B380
19:23:39:0 3620 UnhookRegistry: KiServiceTable addr: A1A1FC
19:23:39:0 3620 UnhookRegistry: NtEnumerateKey service number (local): 47
19:23:39:0 3620 UnhookRegistry: NtEnumerateKey local addr: B326C6
19:23:39:0 3620 KLMD_OpenDevice: Trying to open KLMD device
19:23:39:0 3620 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
19:23:39:0 3620 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
19:23:39:0 3620 KLMD_ReadMem: Trying to ReadMemory 0x804FD9CD[0x4]
19:23:39:0 3620 UnhookRegistry: NtEnumerateKey service number (kernel): 47
19:23:39:0 3620 KLMD_ReadMem: Trying to ReadMemory 0x80501318[0x4]
19:23:39:0 3620 UnhookRegistry: NtEnumerateKey real addr: 806196C6
19:23:39:0 3620 UnhookRegistry: NtEnumerateKey calc addr: 806196C6
19:23:39:15 3620 UnhookRegistry: No SDT hooks found on NtEnumerateKey
19:23:39:15 3620 KLMD_ReadMem: Trying to ReadMemory 0x806196C6[0xA]
19:23:39:15 3620 UnhookRegistry: No splicing found on NtEnumerateKey
19:23:39:15 3620
Scanning Kernel memory ...
19:23:39:15 3620 KLMD_OpenDevice: Trying to open KLMD device
19:23:39:15 3620 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
19:23:39:15 3620 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:23:39:15 3620 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 84D86918
19:23:39:15 3620 DetectCureTDL3: KLMD_GetDeviceObjectList returned 12 DevObjects
19:23:39:15 3620 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 84A2E6A0
19:23:39:15 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84A2E6A0
19:23:39:15 3620 KLMD_ReadMem: Trying to ReadMemory 0x84A2E6A0[0x38]
19:23:39:15 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84D86918
19:23:39:15 3620 KLMD_ReadMem: Trying to ReadMemory 0x84D86918[0xA8]
19:23:39:15 3620 KLMD_ReadMem: Trying to ReadMemory 0xE17F1C80[0x208]
19:23:39:15 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:23:39:15 3620 DetectCureTDL3: IrpHandler (0) addr: F767CC30
19:23:39:15 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (2) addr: F767CC30
19:23:39:15 3620 DetectCureTDL3: IrpHandler (3) addr: F7676D9B
19:23:39:15 3620 DetectCureTDL3: IrpHandler (4) addr: F7676D9B
19:23:39:15 3620 DetectCureTDL3: IrpHandler (5) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (6) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (7) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (8) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (9) addr: F7677366
19:23:39:15 3620 DetectCureTDL3: IrpHandler (10) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (11) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (12) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (13) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (14) addr: F767744D
19:23:39:15 3620 DetectCureTDL3: IrpHandler (15) addr: F767AFC3
19:23:39:15 3620 DetectCureTDL3: IrpHandler (16) addr: F7677366
19:23:39:15 3620 DetectCureTDL3: IrpHandler (17) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (18) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (19) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (20) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (21) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (22) addr: F7678EF3
19:23:39:15 3620 DetectCureTDL3: IrpHandler (23) addr: F767DA24
19:23:39:15 3620 DetectCureTDL3: IrpHandler (24) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (25) addr: 804F33F8
19:23:39:15 3620 DetectCureTDL3: IrpHandler (26) addr: 804F33F8
19:23:39:15 3620 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:23:39:15 3620 KLMD_ReadMem: DeviceIoControl error 1
19:23:39:15 3620 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:23:39:15 3620 TDL3_FileDetect: Processing driver: Disk
19:23:39:15 3620 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:23:39:15 3620 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:23:39:15 3620 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:23:39:31 3620 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 84CE78E8
19:23:39:31 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84CE78E8
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x84CE78E8[0x38]
19:23:39:31 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84D86918
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x84D86918[0xA8]
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0xE17F1C80[0x208]
19:23:39:31 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:23:39:31 3620 DetectCureTDL3: IrpHandler (0) addr: F767CC30
19:23:39:31 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (2) addr: F767CC30
19:23:39:31 3620 DetectCureTDL3: IrpHandler (3) addr: F7676D9B
19:23:39:31 3620 DetectCureTDL3: IrpHandler (4) addr: F7676D9B
19:23:39:31 3620 DetectCureTDL3: IrpHandler (5) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (6) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (7) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (8) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (9) addr: F7677366
19:23:39:31 3620 DetectCureTDL3: IrpHandler (10) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (11) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (12) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (13) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (14) addr: F767744D
19:23:39:31 3620 DetectCureTDL3: IrpHandler (15) addr: F767AFC3
19:23:39:31 3620 DetectCureTDL3: IrpHandler (16) addr: F7677366
19:23:39:31 3620 DetectCureTDL3: IrpHandler (17) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (18) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (19) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (20) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (21) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (22) addr: F7678EF3
19:23:39:31 3620 DetectCureTDL3: IrpHandler (23) addr: F767DA24
19:23:39:31 3620 DetectCureTDL3: IrpHandler (24) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (25) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (26) addr: 804F33F8
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:23:39:31 3620 KLMD_ReadMem: DeviceIoControl error 1
19:23:39:31 3620 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:23:39:31 3620 TDL3_FileDetect: Processing driver: Disk
19:23:39:31 3620 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:23:39:31 3620 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:23:39:31 3620 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:23:39:31 3620 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 84B9D030
19:23:39:31 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B9D030
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x84B9D030[0x38]
19:23:39:31 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84D86918
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x84D86918[0xA8]
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0xE17F1C80[0x208]
19:23:39:31 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:23:39:31 3620 DetectCureTDL3: IrpHandler (0) addr: F767CC30
19:23:39:31 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (2) addr: F767CC30
19:23:39:31 3620 DetectCureTDL3: IrpHandler (3) addr: F7676D9B
19:23:39:31 3620 DetectCureTDL3: IrpHandler (4) addr: F7676D9B
19:23:39:31 3620 DetectCureTDL3: IrpHandler (5) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (6) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (7) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (8) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (9) addr: F7677366
19:23:39:31 3620 DetectCureTDL3: IrpHandler (10) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (11) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (12) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (13) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (14) addr: F767744D
19:23:39:31 3620 DetectCureTDL3: IrpHandler (15) addr: F767AFC3
19:23:39:31 3620 DetectCureTDL3: IrpHandler (16) addr: F7677366
19:23:39:31 3620 DetectCureTDL3: IrpHandler (17) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (18) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (19) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (20) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (21) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (22) addr: F7678EF3
19:23:39:31 3620 DetectCureTDL3: IrpHandler (23) addr: F767DA24
19:23:39:31 3620 DetectCureTDL3: IrpHandler (24) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (25) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (26) addr: 804F33F8
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:23:39:31 3620 KLMD_ReadMem: DeviceIoControl error 1
19:23:39:31 3620 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:23:39:31 3620 TDL3_FileDetect: Processing driver: Disk
19:23:39:31 3620 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:23:39:31 3620 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:23:39:31 3620 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:23:39:31 3620 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 84A9CC68
19:23:39:31 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84A9CC68
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x84A9CC68[0x38]
19:23:39:31 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84D86918
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x84D86918[0xA8]
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0xE17F1C80[0x208]
19:23:39:31 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:23:39:31 3620 DetectCureTDL3: IrpHandler (0) addr: F767CC30
19:23:39:31 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (2) addr: F767CC30
19:23:39:31 3620 DetectCureTDL3: IrpHandler (3) addr: F7676D9B
19:23:39:31 3620 DetectCureTDL3: IrpHandler (4) addr: F7676D9B
19:23:39:31 3620 DetectCureTDL3: IrpHandler (5) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (6) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (7) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (8) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (9) addr: F7677366
19:23:39:31 3620 DetectCureTDL3: IrpHandler (10) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (11) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (12) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (13) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (14) addr: F767744D
19:23:39:31 3620 DetectCureTDL3: IrpHandler (15) addr: F767AFC3
19:23:39:31 3620 DetectCureTDL3: IrpHandler (16) addr: F7677366
19:23:39:31 3620 DetectCureTDL3: IrpHandler (17) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (18) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (19) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (20) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (21) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (22) addr: F7678EF3
19:23:39:31 3620 DetectCureTDL3: IrpHandler (23) addr: F767DA24
19:23:39:31 3620 DetectCureTDL3: IrpHandler (24) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (25) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (26) addr: 804F33F8
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:23:39:31 3620 KLMD_ReadMem: DeviceIoControl error 1
19:23:39:31 3620 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:23:39:31 3620 TDL3_FileDetect: Processing driver: Disk
19:23:39:31 3620 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:23:39:31 3620 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:23:39:31 3620 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:23:39:31 3620 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 84B8A698
19:23:39:31 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B8A698
19:23:39:31 3620 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 84B1EEA0
19:23:39:31 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B1EEA0
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x84B1EEA0[0x38]
19:23:39:31 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84B2CA20
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0x84B2CA20[0xA8]
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0xE1A8B1E0[0x208]
19:23:39:31 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:23:39:31 3620 DetectCureTDL3: IrpHandler (0) addr: F7983218
19:23:39:31 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (2) addr: F7983218
19:23:39:31 3620 DetectCureTDL3: IrpHandler (3) addr: F798323C
19:23:39:31 3620 DetectCureTDL3: IrpHandler (4) addr: F798323C
19:23:39:31 3620 DetectCureTDL3: IrpHandler (5) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (6) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (7) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (8) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (9) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (10) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (11) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (12) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (13) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (14) addr: F7983180
19:23:39:31 3620 DetectCureTDL3: IrpHandler (15) addr: F797E9E6
19:23:39:31 3620 DetectCureTDL3: IrpHandler (16) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (17) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (18) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (19) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (20) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (21) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (22) addr: F79825F0
19:23:39:31 3620 DetectCureTDL3: IrpHandler (23) addr: F7980A6E
19:23:39:31 3620 DetectCureTDL3: IrpHandler (24) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (25) addr: 804F33F8
19:23:39:31 3620 DetectCureTDL3: IrpHandler (26) addr: 804F33F8
19:23:39:31 3620 KLMD_ReadMem: Trying to ReadMemory 0xF797FF26[0x400]
19:23:39:31 3620 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:23:39:31 3620 TDL3_FileDetect: Processing driver: USBSTOR
19:23:39:31 3620 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys
19:23:39:31 3620 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:23:39:31 3620 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:23:39:46 3620 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 84B6A9F8
19:23:39:46 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B6A9F8
19:23:39:46 3620 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 84A23EA0
19:23:39:46 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84A23EA0
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0x84A23EA0[0x38]
19:23:39:46 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84B2CA20
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0x84B2CA20[0xA8]
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0xE1A8B1E0[0x208]
19:23:39:46 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:23:39:46 3620 DetectCureTDL3: IrpHandler (0) addr: F7983218
19:23:39:46 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (2) addr: F7983218
19:23:39:46 3620 DetectCureTDL3: IrpHandler (3) addr: F798323C
19:23:39:46 3620 DetectCureTDL3: IrpHandler (4) addr: F798323C
19:23:39:46 3620 DetectCureTDL3: IrpHandler (5) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (6) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (7) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (8) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (9) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (10) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (11) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (12) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (13) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (14) addr: F7983180
19:23:39:46 3620 DetectCureTDL3: IrpHandler (15) addr: F797E9E6
19:23:39:46 3620 DetectCureTDL3: IrpHandler (16) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (17) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (18) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (19) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (20) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (21) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (22) addr: F79825F0
19:23:39:46 3620 DetectCureTDL3: IrpHandler (23) addr: F7980A6E
19:23:39:46 3620 DetectCureTDL3: IrpHandler (24) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (25) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (26) addr: 804F33F8
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0xF797FF26[0x400]
19:23:39:46 3620 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:23:39:46 3620 TDL3_FileDetect: Processing driver: USBSTOR
19:23:39:46 3620 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys
19:23:39:46 3620 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:23:39:46 3620 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:23:39:46 3620 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 84A65030
19:23:39:46 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84A65030
19:23:39:46 3620 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 84B1BEA0
19:23:39:46 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B1BEA0
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0x84B1BEA0[0x38]
19:23:39:46 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84B2CA20
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0x84B2CA20[0xA8]
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0xE1A8B1E0[0x208]
19:23:39:46 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:23:39:46 3620 DetectCureTDL3: IrpHandler (0) addr: F7983218
19:23:39:46 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (2) addr: F7983218
19:23:39:46 3620 DetectCureTDL3: IrpHandler (3) addr: F798323C
19:23:39:46 3620 DetectCureTDL3: IrpHandler (4) addr: F798323C
19:23:39:46 3620 DetectCureTDL3: IrpHandler (5) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (6) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (7) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (8) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (9) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (10) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (11) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (12) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (13) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (14) addr: F7983180
19:23:39:46 3620 DetectCureTDL3: IrpHandler (15) addr: F797E9E6
19:23:39:46 3620 DetectCureTDL3: IrpHandler (16) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (17) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (18) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (19) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (20) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (21) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (22) addr: F79825F0
19:23:39:46 3620 DetectCureTDL3: IrpHandler (23) addr: F7980A6E
19:23:39:46 3620 DetectCureTDL3: IrpHandler (24) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (25) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (26) addr: 804F33F8
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0xF797FF26[0x400]
19:23:39:46 3620 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:23:39:46 3620 TDL3_FileDetect: Processing driver: USBSTOR
19:23:39:46 3620 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys
19:23:39:46 3620 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:23:39:46 3620 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:23:39:46 3620 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 84A334A8
19:23:39:46 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84A334A8
19:23:39:46 3620 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 84A2EAF0
19:23:39:46 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84A2EAF0
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0x84A2EAF0[0x38]
19:23:39:46 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84B2CA20
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0x84B2CA20[0xA8]
19:23:39:46 3620 KLMD_ReadMem: Trying to ReadMemory 0xE1A8B1E0[0x208]
19:23:39:46 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:23:39:46 3620 DetectCureTDL3: IrpHandler (0) addr: F7983218
19:23:39:46 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (2) addr: F7983218
19:23:39:46 3620 DetectCureTDL3: IrpHandler (3) addr: F798323C
19:23:39:46 3620 DetectCureTDL3: IrpHandler (4) addr: F798323C
19:23:39:46 3620 DetectCureTDL3: IrpHandler (5) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (6) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (7) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (8) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (9) addr: 804F33F8
19:23:39:46 3620 DetectCureTDL3: IrpHandler (10) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (11) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (12) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (13) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (14) addr: F7983180
19:23:39:62 3620 DetectCureTDL3: IrpHandler (15) addr: F797E9E6
19:23:39:62 3620 DetectCureTDL3: IrpHandler (16) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (17) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (18) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (19) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (20) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (21) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (22) addr: F79825F0
19:23:39:62 3620 DetectCureTDL3: IrpHandler (23) addr: F7980A6E
19:23:39:62 3620 DetectCureTDL3: IrpHandler (24) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (25) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (26) addr: 804F33F8
19:23:39:62 3620 KLMD_ReadMem: Trying to ReadMemory 0xF797FF26[0x400]
19:23:39:62 3620 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
19:23:39:62 3620 TDL3_FileDetect: Processing driver: USBSTOR
19:23:39:62 3620 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys
19:23:39:62 3620 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
19:23:39:62 3620 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
19:23:39:62 3620 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 84D82C68
19:23:39:62 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84D82C68
19:23:39:62 3620 KLMD_ReadMem: Trying to ReadMemory 0x84D82C68[0x38]
19:23:39:62 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84D86918
19:23:39:62 3620 KLMD_ReadMem: Trying to ReadMemory 0x84D86918[0xA8]
19:23:39:62 3620 KLMD_ReadMem: Trying to ReadMemory 0xE17F1C80[0x208]
19:23:39:62 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:23:39:62 3620 DetectCureTDL3: IrpHandler (0) addr: F767CC30
19:23:39:62 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (2) addr: F767CC30
19:23:39:62 3620 DetectCureTDL3: IrpHandler (3) addr: F7676D9B
19:23:39:62 3620 DetectCureTDL3: IrpHandler (4) addr: F7676D9B
19:23:39:62 3620 DetectCureTDL3: IrpHandler (5) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (6) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (7) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (8) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (9) addr: F7677366
19:23:39:62 3620 DetectCureTDL3: IrpHandler (10) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (11) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (12) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (13) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (14) addr: F767744D
19:23:39:62 3620 DetectCureTDL3: IrpHandler (15) addr: F767AFC3
19:23:39:62 3620 DetectCureTDL3: IrpHandler (16) addr: F7677366
19:23:39:62 3620 DetectCureTDL3: IrpHandler (17) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (18) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (19) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (20) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (21) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (22) addr: F7678EF3
19:23:39:62 3620 DetectCureTDL3: IrpHandler (23) addr: F767DA24
19:23:39:62 3620 DetectCureTDL3: IrpHandler (24) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (25) addr: 804F33F8
19:23:39:62 3620 DetectCureTDL3: IrpHandler (26) addr: 804F33F8
19:23:39:62 3620 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:23:39:62 3620 KLMD_ReadMem: DeviceIoControl error 1
19:23:39:62 3620 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:23:39:62 3620 TDL3_FileDetect: Processing driver: Disk
19:23:39:62 3620 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:23:39:62 3620 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:23:39:62 3620 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:23:39:62 3620 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 84DD3BB0
19:23:39:62 3620 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84DD3BB0
19:23:39:62 3620 KLMD_ReadMem: Trying to ReadMemory 0x84DD3BB0[0x38]
19:23:39:62 3620 DetectCureTDL3: DRIVER_OBJECT addr: 84D86918
19:23:39:62 3620 KLMD_ReadMem: Trying to ReadMemory 0x84D86918[0xA8]
19:23:39:62 3620 KLMD_ReadMem: Trying to ReadMemory 0xE17F1C80[0x208]
19:23:39:62 3620 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:23:39:62 3620 DetectCureTDL3: IrpHandler (0) addr: F767CC30
19:23:39:62 3620 DetectCureTDL3: IrpHandler (1) addr: 804F33F8
19:23:39:78 3620
Completed

Results:
19:23:39:78 3620 Infected objects in memory: 0
19:23:39:78 3620 Cured objects in memory: 0
19:23:39:78 3620 Infected objects on disk: 0
19:23:39:78 3620 Objects on disk cured on reboot: 0
19:23:39:78 3620 Objects on disk deleted on reboot: 0
19:23:39:78 3620 Registry nodes deleted on reboot: 0
19:23:39:78 3620

Edited by FAB1, 15 December 2009 - 07:30 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:50 AM

Posted 16 December 2009 - 08:10 AM

Open Firefox and click Tools -> Add-ons
Select the Extensions tab at the top.

Look to see if you have this extension installed.

XUL Cache 1.0

If so, disable it.
Now restart Firefox and see if you are still being redirected.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 FAB1

FAB1
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:01:50 AM

Posted 16 December 2009 - 06:42 PM

Sam - I don't see that extension/add-on in Firefox, but let me surf the net a while and I will report back. I just got home.

WAIT - Everything seemed fine until I went to Ebay - I logged in and was at MY eBay and when
I clicked an Auction Link I got redirected and also alerted by AVAST which reported:

JS:FakeAV-CN [Trj]

A fake message came up, with options for OK or Cancel - I killed the connection at the power strip.

In my History dr.php occurred a couple of times - I have seen this before.
So something is still lurking in the PC - or eBay has become a risky place to be???

Have you seen any sign of a Keylogger on this machine? Let me know.

Standing by.

Edited by FAB1, 16 December 2009 - 07:25 PM.


#8 Buckeye_Sam

    Malware Expert

Posted 17 December 2009 - 08:49 AM

No signs of a keylogger that I see.

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please look again at the Firefox extensions you have installed and list them for me.

#9 FAB1
  • Topic Starter

Posted 18 December 2009 - 06:18 PM

Ran the tool; it did reboot.

Only two things in there:

Java Quick Starter 1.0

and

ebayitemdescriptionsaveenlargedp

I added this plug-in to save some pictures from eBay descriptions.

My wife was home today surfing the net and told me the redirects are still happening.
I can see them in the Firefox History.

#10 Buckeye_Sam

    Malware Expert

Posted 18 December 2009 - 07:25 PM

Please download ComboFix from this link:

Combofix

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.

#11 FAB1
  • Topic Starter

Posted 19 December 2009 - 05:50 PM

Got a message when I ran the .exe that the program was Corrupted - I can't delete or shred it, and it is just sitting
there now with a little progress box that says ComboFix.

Not sure if I should dl this again or not. ??

#12 Buckeye_Sam

    Malware Expert

Posted 20 December 2009 - 08:17 AM

Download it again from one of these links.

Link 1
Link 2
Link 3

#13 FAB1
  • Topic Starter

Posted 20 December 2009 - 08:55 AM

Okay, I worked out the bad install.

HERE is the LOG - Hope the CF worked out the bugs...



ComboFix 09-12-19.03 - Granny 12/20/2009 9:20.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.94 [GMT -5:00]
Running from: c:\documents and settings\Granny\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1201 [VPS 091211-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\Common\_helper.sig
c:\program files\Common\helper.sig
c:\windows\EventSystem.log

.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-13 16:49 . 2009-12-13 16:49 -------- d-----w- c:\program files\Trend Micro
2009-12-12 22:35 . 2009-12-12 22:36 152576 ----a-w- c:\documents and settings\Granny\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-12 22:35 . 2009-12-12 22:35 79488 ----a-w- c:\documents and settings\Granny\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-12 21:45 . 2009-12-12 21:53 117760 ----a-w- c:\documents and settings\Granny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-12 21:45 . 2009-12-12 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-12 21:45 . 2009-12-12 21:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-12 21:45 . 2009-12-12 21:45 -------- d-----w- c:\documents and settings\Granny\Application Data\SUPERAntiSpyware.com
2009-12-12 06:57 . 2009-12-12 06:57 -------- d-----w- c:\program files\Axon Data
2009-12-11 04:15 . 2009-12-11 04:15 -------- d-----w- C:\FOUND.002
2009-11-26 15:27 . 2009-11-26 15:27 -------- d-----w- c:\program files\VS Revo Group
2009-11-26 15:19 . 2009-11-26 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2009-11-26 15:19 . 2009-11-26 15:19 -------- d-----w- c:\documents and settings\Granny\Application Data\Multi File Downloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 05:12 . 2009-11-14 05:12 -------- d-----w- c:\program files\Replay Video Capture
2009-10-15 21:43 . 2007-08-31 20:18 145352 ----a-w- c:\documents and settings\Granny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2009-04-28 18:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-02-25 01:04 . 2009-02-25 00:46 18087936 ----a-w- c:\program files\FLV PlayerRCSetup.exe
2009-12-11 04:34 . 2009-12-11 04:34 119312 ----a-w- c:\program files\mozilla firefox\components\cfeadfeaebbbceb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFREE.EXE" [2005-03-17 536576]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SoundMan"="SOUNDMAN.EXE" [2005-06-08 77824]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eRecoveryService"="c:\program files\Acer\eRecovery\Monitor.exe" [2005-06-20 352256]
"VTTimer"="VTTimer.exe" [2005-05-13 53248]
"VTtrayp"="VTtrayp.exe" [2005-05-13 143360]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 36864]
"GrooveMonitor"="c:\program files\Office_07\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-07 286720]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Granny\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Office_07\Office12\ONENOTEM.EXE [2006-10-26 98632]
OneNote Table Of Contents.onetoc2 [2008-9-14 3656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
QuickScan (OpticFilm 7200).lnk - c:\program files\Plustek\OpticFilm 7200\QuickScan.exe [2008-3-24 290816]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-3-17 221295]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\VLegacy\\download\\utorrent.exe"=
"c:\\Program Files\\Office_07\\Office12\\groove.exe"=
"c:\\Program Files\\Office_07\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4274:UDP"= 4274:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"4275:UDP"= 4275:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"4278:UDP"= 4278:UDP:Windows Media Format SDK (IEXPLORE.EXE)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/22/2008 10:29 PM 78416]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/22/2008 10:29 PM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.snip.pl/
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
IE: E&xport to Microsoft Excel - c:\progra~1\OFFICE~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Granny\Application Data\Mozilla\Firefox\Profiles\bkxy2luo.default\
FF - component: c:\program files\Mozilla Firefox\components\cfeadfeaebbbceb.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AGRSMMSG - AGRSMMSG.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 09:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-20 09:49:41
ComboFix-quarantined-files.txt 2009-12-20 14:49

Pre-Run: 11,377,147,904 bytes free
Post-Run: 11,346,182,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 16B0A76305155FF471BCA9CBA4F8D5BB

Edited by FAB1, 20 December 2009 - 12:35 PM.


#14 FAB1
  • Topic Starter

Posted 20 December 2009 - 12:39 PM

Sam - here it is. I worked out the bad install and reinstalled CF.



#15 Buckeye_Sam

    Malware Expert

Posted 21 December 2009 - 07:39 AM

That log looks good to me. In fact, very clean.
How is your computer behaving now? What issues are you still having?



