
Removed Internet Security 2010, now Google redirects, windows installer service errors, Generic Host Process errors



#1 himan

Posted 26 January 2010 - 10:51 PM

I have had two different instances of Internet Security 2010 over the past month and I have been able to remove that, but now I think I have a nasty rootkit that is affecting my Windows Installer package and Generic Host Process for Win32 services. Also when browsing the web my search results are redirected using searchsite.com and other websurvey related sites.

I ran the DDS scan and have posted the log, but the RootRepeal crashes and does not finish. Thank you for the help, if possible.


DDS (Ver_09-12-01.01) - NTFSx86
Run by AK at 19:25:09.20 on Tue 01/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
AV: PC Tools AntiVirus 5.0.0.22 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [seten] c:\windows\system32\mxyjybcv.exe
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [AS00_WN311B] c:\program files\netgear\wn311b\utility\WN311B.exe -hide
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\108mbp~1.lnk - c:\program files\108mbps wireless lan adapter\WLANPRO.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\reg.lnk - c:\program files\108mbps wireless lan adapter\Reg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: beatport.com
Trusted Zone: beatport.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ak\applic~1\mozilla\firefox\profiles\h5fq7gj0.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 19:26:34.43 ===============

#2 fenzodahl512

Posted 27 January 2010 - 07:31 AM

Hello, my name is fenzodahl512 and welcome to the forum.. Please do the following....


Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP HERE! if you can't complete this step.. Tell me more about it..



NEXT


Please download OTL by OldTimer and save it to your desktop.

Under the Custom Scans/Fixes box paste this in

CODE
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles


Don't change any setting... Just click on the Run Scan button.. Let it scan till finish..

Then a log will pop-up at your Desktop. Post the content of the log here



NEXT


We need to scan for Rootkits with GMER
  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Close any and all open programs, as this process may crash your computer.
  3. Double click or on your desktop.
  4. Allow the gmer.sys driver to load if asked.
  5. You may see this window. If you do, click No.
  6. Click on and wait for the scan to finish.
  7. If you see a rootkit warning window, click OK.
  8. Push and save the logfile to your desktop.
  9. Copy and Paste the contents of that file in your next post.



Post me these logs in your next reply.. Post each log in separate post..

1. OTL
2. GMER

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 himan (Topic Starter)

Posted 27 January 2010 - 09:11 PM

Hello and thanks for the quick response. The Comedian finished but before the last step I got a "Windows Script Host" error so I have attached a screenshot of what that looked like. Should I proceed with OTL?
Attached File: cpu_ERROR.JPG (51.12KB)


#4 fenzodahl512

Posted 28 January 2010 - 07:19 AM

Do this first and then proceed with the next steps..

Please create a Restore Point via System Restore.. Here's the link on how to do it..

http://www.bleepingcomputer.com/tutorials/...l56.html#manual

After you successfully do these steps, please proceed with the next step as per above.


#5 himan (Topic Starter)

Posted 28 January 2010 - 10:22 AM

OTL logfile created on: 1/28/2010 7:14:11 AM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\AK\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 389.16 Gb Free Space | 83.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 298.09 Gb Total Space | 210.02 Gb Free Space | 70.46% Space Free | Partition Type: NTFS

Computer Name: ANDREW
Current User Name: AK
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/28 07:13:17 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AK\Desktop\OTL.exe
PRC - [2009/11/29 01:09:33 | 03,055,616 | ---- | M] (Crawler.com) -- C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
PRC - [2009/11/29 01:09:33 | 00,488,960 | ---- | M] (Crawler.com) -- C:\Program Files\Spyware Terminator\sp_rsser.exe
PRC - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/09/18 09:14:10 | 00,880,640 | ---- | M] (brother) -- C:\Program Files\Brownie\BrStsWnd.exe
PRC - [2008/07/31 14:05:30 | 16,806,912 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2008/06/18 17:01:56 | 00,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SoundMan.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 12:54:44 | 00,090,112 | ---- | M] (brother) -- C:\Program Files\Brownie\brpjp04a.exe
PRC - [2007/10/04 16:14:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/06/06 10:10:02 | 00,394,856 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2007/04/04 14:41:38 | 02,002,944 | ---- | M] ( ) -- C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
PRC - [2005/06/20 09:31:34 | 00,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2005/05/11 16:50:48 | 02,678,784 | ---- | M] () -- C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe


========== Modules (SafeList) ==========

MOD - [2010/01/28 07:13:17 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AK\Desktop\OTL.exe
MOD - [2009/11/21 07:51:04 | 00,471,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\AppPatch\aclayers.dll
MOD - [2008/04/13 16:12:05 | 00,065,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shimeng.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Pml Driver HPZ12)
SRV - File not found [Auto | Stopped] -- -- (JavaQuickStarterService)
SRV - [2009/12/10 18:28:57 | 00,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/11/29 01:09:33 | 00,488,960 | ---- | M] (Crawler.com) [Auto | Running] -- C:\Program Files\Spyware Terminator\sp_rsser.exe -- (sp_rssrv)
SRV - [2009/09/21 15:36:02 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/04/01 20:38:26 | 00,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/01 08:37:24 | 00,658,432 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/09/23 18:21:50 | 00,995,520 | ---- | M] (PC Tools Research Pty Ltd) [Auto | Stopped] -- C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe -- (PCTAVSvc)
SRV - [2007/10/04 16:14:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2005/11/14 00:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/06/20 09:31:34 | 00,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010/01/27 18:08:50 | 00,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/01/26 17:37:15 | 00,105,344 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2009/11/29 01:09:33 | 00,142,592 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sp_rsdrv2.sys -- (sp_rsdrv2)
DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/05/11 09:12:24 | 00,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:07 | 00,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 00,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/08/18 21:27:35 | 00,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2008/08/18 21:10:21 | 00,017,801 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2008/08/06 16:12:10 | 04,755,968 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/13 10:46:22 | 00,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2008/04/13 08:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/12 11:44:10 | 00,021,904 | ---- | M] (PC Tools Research Pty Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AVFilter.sys -- (AVFilter)
DRV - [2007/12/06 16:51:44 | 00,028,568 | ---- | M] (PC Tools Research Pty Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVHook.sys -- (AVHook)
DRV - [2007/12/06 16:51:44 | 00,021,912 | ---- | M] (PC Tools Research Pty Ltd ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVRec.sys -- (AVRec)
DRV - [2007/10/04 16:14:00 | 06,854,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/06/11 12:49:22 | 00,968,064 | ---- | M] (Hauppauge Computer Works) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCW85BDA.sys -- (HCW85BDA)
DRV - [2007/02/20 14:01:56 | 00,618,880 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wn311b.sys -- (BCM43XX)
DRV - [2006/11/02 16:57:04 | 00,036,624 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/07/11 19:38:30 | 00,020,480 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/07/11 19:38:28 | 00,057,856 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/02/28 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2005/10/27 17:24:30 | 00,021,568 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2005/10/27 17:24:29 | 00,016,496 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2005/10/27 17:24:28 | 00,049,664 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2005/01/21 10:19:28 | 00,411,680 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2002/04/11 17:43:44 | 00,016,194 | ---- | M] (AMBIT Microsystems Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\AWINDIS5.SYS -- (AWINDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "yahoo.com"
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/26 17:36:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/26 18:03:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.17\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/09/25 19:53:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.17\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009/09/25 19:53:59 | 00,000,000 | ---D | M]

[2008/08/19 18:47:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AK\Application Data\Mozilla\Extensions
[2010/01/26 18:48:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AK\Application Data\Mozilla\Firefox\Profiles\h5fq7gj0.default\extensions
[2009/02/09 17:02:07 | 00,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\AK\Application Data\Mozilla\Firefox\Profiles\h5fq7gj0.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/01/26 18:48:05 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/05/22 13:38:44 | 00,102,400 | ---- | M] (ESRI ) -- C:\Program Files\Mozilla Firefox\plugins\NPE2Host.dll
[2008/12/16 04:32:42 | 04,796,416 | ---- | M] (Lizardtech Software) -- C:\Program Files\Mozilla Firefox\plugins\npexview.dll
[2008/06/30 22:02:00 | 00,663,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll

O1 HOSTS File: ([2010/01/22 20:42:58 | 00,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\alcwzrd.exe (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [AS00_WN311B] C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe ( )
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe (brother)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PCTAVApp] C:\Program Files\PC Tools AntiVirus\PCTAV.exe (PC Tools Research Pty Ltd)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [seten] C:\WINDOWS\System32\mxyjybcv.exe File not found
O4 - HKCU..\Run: [SpywareTerminatorUpdate] C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe (Crawler.com)
O4 - Startup: C:\Documents and Settings\AK\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\108Mbps Wireless LAN Adapter Configuration Utility.lnk = C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reg.lnk = C:\Program Files\108Mbps Wireless LAN Adapter\Reg.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O15 - HKCU\..Trusted Domains: beatport.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: beatport.com ([www] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O18 - Protocol\Handler\jpip {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll (Lizardtech Software)
O18 - Protocol\Handler\sidlet {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll (Lizardtech Software)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\AK\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\AK\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/18 21:04:12 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0e3d8cfd-f5a1-11dd-9b1c-00223f70de60}\Shell\open\command - "" = C:\WINDOWS\Explorer.exe -- [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{45158cd5-789f-11dd-ae35-001bb987d448}\Shell - "" = AutoRun
O33 - MountPoints2\{45158cd5-789f-11dd-ae35-001bb987d448}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{45158cd5-789f-11dd-ae35-001bb987d448}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O33 - MountPoints2\{6fe7c838-2ad0-11de-9b45-00223f70de60}\Shell\AutoRun\command - "" = WDSetup.exe
O33 - MountPoints2\F\Shell\AutoRun\command - "" = WDSetup.exe
O33 - MountPoints2\M\Shell - "" = AutoRun
O33 - MountPoints2\M\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\M\Shell\AutoRun\command - "" = M:\ONSPCLCK.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/08/18 13:44:44 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (51231838785503232)

========== Files/Folders - Created Within 30 Days ==========

[2010/01/28 07:13:09 | 00,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\AK\Desktop\OTL.exe
[2010/01/27 17:41:16 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/26 19:25:00 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\AK\Desktop\RootRepeal.exe
[2010/01/26 18:07:21 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/01/26 18:07:21 | 00,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/01/26 18:07:21 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/01/26 18:07:21 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/01/26 18:07:20 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/01/26 17:44:01 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/26 17:39:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AK\Desktop\Unused Desktop Shortcuts
[2010/01/26 17:37:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AK\Desktop\new x
[2010/01/26 17:36:07 | 00,000,000 | ---D | C] -- C:\Program Files\NETGEAR
[2010/01/26 17:35:28 | 00,000,000 | ---D | C] -- C:\Program Files\PC Tools AntiVirus
[2010/01/26 17:35:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/01/26 17:35:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AK\Application Data\PC Tools
[2010/01/26 17:35:21 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2010/01/26 17:35:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AK\Local Settings\Application Data\ewhwlv
[2010/01/26 17:35:16 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/25 20:43:03 | 00,000,000 | ---D | C] -- C:\Program Files\Wise Registry Cleaner
[2010/01/25 18:32:59 | 00,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader
[2010/01/24 21:30:11 | 00,000,000 | ---D | C] -- C:\RECYCLER(2)
[2010/01/22 20:57:06 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/01/22 20:57:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/01/22 20:48:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/01/22 20:28:15 | 00,000,000 | ---D | C] -- C:\Qoobox(2)
[2010/01/22 17:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/20 21:23:11 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/19 17:41:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AK\Application Data\AbleFaxTifView
[2010/01/19 17:41:05 | 00,000,000 | ---D | C] -- C:\Program Files\AbleFaxTifView
[2010/01/18 12:53:15 | 00,000,000 | ---D | C] -- C:\Program Files\NETGEAR(2)
[2010/01/17 23:32:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/12/10 18:34:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/10 18:29:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/11/30 17:35:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/11/30 17:33:05 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/11/30 17:33:05 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/11/30 17:33:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/11/02 23:07:15 | 00,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/28 07:14:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/28 07:13:17 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AK\Desktop\OTL.exe
[2010/01/28 07:08:45 | 00,000,313 | ---- | M] () -- C:\WINDOWS\Brownie.ini
[2010/01/28 07:08:23 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/01/28 07:08:18 | 00,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/28 07:08:16 | 00,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/28 07:08:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/27 19:33:43 | 07,593,984 | ---- | M] () -- C:\Documents and Settings\AK\NTUSER.DAT
[2010/01/27 18:13:51 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\AK\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/01/27 18:13:49 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\NTREGOPT.lnk
[2010/01/27 18:13:49 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\ERUNT.lnk
[2010/01/27 18:08:50 | 00,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/01/27 18:05:25 | 00,052,343 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\cpu ERROR.JPG
[2010/01/27 17:59:26 | 01,187,898 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\cpu ERROR.bmp
[2010/01/27 17:34:35 | 00,794,112 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\The_Comedian.exe
[2010/01/27 17:34:00 | 00,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/27 17:33:30 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/27 17:33:06 | 00,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/01/26 19:27:52 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\settings.dat
[2010/01/26 19:25:04 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\AK\settings.dat
[2010/01/26 19:22:54 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\AK\Desktop\RootRepeal.exe
[2010/01/26 19:21:26 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\dds(2).scr
[2010/01/26 19:01:34 | 00,274,168 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/26 18:33:08 | 00,004,400 | ---- | M] () -- C:\WINDOWS\System32\SKYNETjkcvvkay.dat
[2010/01/26 18:07:41 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/26 17:40:35 | 00,435,568 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/26 17:40:35 | 00,068,272 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/26 17:37:15 | 00,105,344 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nvata.sys
[2010/01/25 18:19:16 | 00,000,834 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/25 18:19:16 | 00,000,253 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/22 20:42:58 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/20 20:03:49 | 00,053,608 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\restarted error.JPG
[2010/01/20 19:36:51 | 00,049,793 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\restarted then showed these.JPG
[2010/01/19 19:16:43 | 00,072,616 | ---- | M] () -- C:\Documents and Settings\AK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/19 18:35:23 | 72,727,830 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\tif sc 1869 CHS2010.tif
[2010/01/15 11:00:38 | 14,544,1416 | ---- | M] () -- C:\Documents and Settings\AK\Desktop\CHS2010.bak
[2009/12/30 12:15:32 | 24,249,4464 | ---- | M] () -- C:\Timmy Regisford - Live @ Candy Bar, 6-28-09.mp3
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/27 17:59:37 | 00,052,343 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\cpu ERROR.JPG
[2010/01/27 17:59:26 | 01,187,898 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\cpu ERROR.bmp
[2010/01/27 17:41:21 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\AK\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/01/27 17:41:16 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\NTREGOPT.lnk
[2010/01/27 17:41:16 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\ERUNT.lnk
[2010/01/27 17:36:42 | 00,794,112 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\The_Comedian.exe
[2010/01/26 19:27:52 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\settings.dat
[2010/01/26 19:25:04 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\AK\settings.dat
[2010/01/26 19:25:00 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\dds(2).scr
[2010/01/26 18:07:41 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/26 17:38:39 | 00,004,400 | ---- | C] () -- C:\WINDOWS\System32\SKYNETjkcvvkay.dat
[2010/01/20 20:03:49 | 00,053,608 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\restarted error.JPG
[2010/01/20 19:36:51 | 00,049,793 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\restarted then showed these.JPG
[2010/01/19 18:35:19 | 72,727,830 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\tif sc 1869 CHS2010.tif
[2010/01/19 17:41:39 | 14,544,1416 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\CHS2010.bak
[2010/01/19 17:40:56 | 00,000,922 | ---- | C] () -- C:\Documents and Settings\AK\Desktop\file_id.diz
[2010/01/19 17:20:38 | 00,163,288 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/12/30 19:47:10 | 24,249,4464 | ---- | C] () -- C:\Timmy Regisford - Live @ Candy Bar, 6-28-09.mp3
[2009/12/11 16:40:27 | 00,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/12/10 18:19:03 | 00,044,544 | ---- | C] () -- C:\WINDOWS\System32\SKYNETaitbxdcp.dll
[2009/11/29 01:09:33 | 00,142,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
[2009/03/16 22:20:53 | 00,000,485 | ---- | C] () -- C:\WINDOWS\IfoEdit.INI
[2009/03/06 22:41:38 | 00,000,107 | ---- | C] () -- C:\WINDOWS\VobEdit.INI
[2009/03/05 21:15:19 | 00,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2009/03/05 21:15:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2009/03/05 21:15:06 | 00,000,114 | ---- | C] () -- C:\WINDOWS\System32\brlmw03a.ini
[2009/03/05 21:15:05 | 00,009,853 | ---- | C] () -- C:\WINDOWS\HL-2140.INI
[2009/03/05 21:15:02 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/03/05 21:12:33 | 00,000,313 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2009/01/27 18:02:33 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\ASupplicant.dll
[2008/11/17 18:52:29 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/11 21:27:45 | 00,010,568 | ---- | C] () -- C:\Documents and Settings\AK\Application Data\docXConverter (3).ini
[2008/11/11 18:21:21 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/30 18:04:36 | 00,000,207 | ---- | C] () -- C:\WINDOWS\MP3 Recorder.INI
[2008/09/22 20:36:05 | 00,022,447 | ---- | C] () -- C:\Documents and Settings\AK\Application Data\Comma Separated Values (Windows).ADR
[2008/09/09 17:47:17 | 00,000,247 | ---- | C] () -- C:\WINDOWS\phedit.ini
[2008/09/07 20:10:37 | 00,000,134 | ---- | C] () -- C:\WINDOWS\REDEMUNINS.INI
[2008/09/01 18:00:46 | 00,000,219 | ---- | C] () -- C:\WINDOWS\smrpro.INI
[2008/09/01 18:00:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ae_mini.INI
[2008/08/28 21:57:45 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2008/08/19 22:10:07 | 00,000,378 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/08/19 22:09:47 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2008/08/19 22:03:42 | 00,155,136 | ---- | C] () -- C:\Documents and Settings\AK\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/18 21:27:24 | 00,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2008/08/18 21:27:24 | 00,411,680 | ---- | C] () -- C:\WINDOWS\System32\drivers\ar5211.sys
[2008/08/18 21:27:24 | 00,400,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\ar52119x.sys
[2008/08/18 21:27:24 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2007/10/04 16:14:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/10/04 16:14:00 | 01,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/10/04 16:14:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/10/04 16:14:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/10/04 16:14:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/07/21 17:50:34 | 00,066,048 | ---- | C] () -- C:\WINDOWS\System32\hcwxds.dll
[2006/02/28 04:00:00 | 00,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2006/02/28 04:00:00 | 00,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2006/02/28 04:00:00 | 00,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2006/02/28 04:00:00 | 00,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2006/02/28 04:00:00 | 00,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2004/09/28 05:38:30 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\wmatimer.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2008/11/03 23:11:18 | 01,552,896 | ---- | M] () -- C:\Shp2kml.exe


< MD5 for: AGP440.SYS >
[2006/02/28 04:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/19 21:29:28 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/19 21:29:28 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 04:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/19 21:29:28 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/19 21:29:28 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2006/02/28 04:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/28 04:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/28 04:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/08/14 12:51:28 | 00,105,344 | ---- | M] (NVIDIA Corporation) MD5=947C4A0E7B25BCECC3B40F0F1070378B -- C:\NVIDIA\nForceWinXP\11.09\MCP61\IDE\Win2K\sata_ide\nvata.sys
[2006/08/14 12:51:28 | 00,105,344 | ---- | M] (NVIDIA Corporation) MD5=947C4A0E7B25BCECC3B40F0F1070378B -- C:\NVIDIA\nForceWinXP\11.09\MCP61\IDE\WinXP\sata_ide\nvata.sys
[2010/01/26 17:37:15 | 00,105,344 | ---- | M] (NVIDIA Corporation) MD5=947C4A0E7B25BCECC3B40F0F1070378B -- C:\WINDOWS\system32\drivers\nvata.sys
[2006/04/24 16:52:28 | 00,100,736 | ---- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\NVIDIA\nForceWinXP\11.09\MCP51\IDE\Win2K\sata_ide\nvata.sys
[2006/04/24 16:52:28 | 00,100,736 | ---- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\NVIDIA\nForceWinXP\11.09\MCP51\IDE\WinXP\sata_ide\nvata.sys

< MD5 for: NVATABUS.SYS >
[2006/08/14 12:51:28 | 00,105,344 | ---- | M] (NVIDIA Corporation) MD5=947C4A0E7B25BCECC3B40F0F1070378B -- C:\NVIDIA\nForceWinXP\11.09\MCP61\IDE\Win2K\sataraid\nvatabus.sys
[2006/08/14 12:51:28 | 00,105,344 | ---- | M] (NVIDIA Corporation) MD5=947C4A0E7B25BCECC3B40F0F1070378B -- C:\NVIDIA\nForceWinXP\11.09\MCP61\IDE\WinXP\sataraid\nvatabus.sys
[2006/04/24 16:52:28 | 00,100,736 | ---- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\NVIDIA\nForceWinXP\11.09\MCP51\IDE\Win2K\sataraid\nvatabus.sys
[2006/04/24 16:52:28 | 00,100,736 | ---- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\NVIDIA\nForceWinXP\11.09\MCP51\IDE\WinXP\sataraid\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2006/02/28 04:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[8 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 282 bytes -> C:\WINDOWS\System32\drivers\jkyglgbm.sys:changelist
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
< End of report >


OTL Extras logfile created on: 1/28/2010 7:14:12 AM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\AK\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 389.16 Gb Free Space | 83.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 298.09 Gb Total Space | 210.02 Gb Free Space | 70.46% Space Free | Partition Type: NTFS

Computer Name: ANDREW
Current User Name: AK
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\SoulseekNS\slsk.exe" = C:\Program Files\SoulseekNS\slsk.exe:*:Enabled:SoulSeek -- ()
"C:\Program Files\Miranda IM\miranda32.exe" = C:\Program Files\Miranda IM\miranda32.exe:*:Enabled:Miranda IM -- ( )
"C:\Program Files\TeamViewer\Version4\TeamViewer.exe" = C:\Program Files\TeamViewer\Version4\TeamViewer.exe:*:Enabled:TeamViewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe" = C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe:*:Disabled:Crawler Spyware Terminator -- (Crawler.com)
"C:\DOCUME~1\AK\LOCALS~1\Temp\nsxD8.tmp\srchost.exe" = C:\DOCUME~1\AK\LOCALS~1\Temp\nsxD8.tmp\srchost.exe:*:Enabled:@xpsp2res.dll,-22019 -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{1047106F-3AED-4661-B919-6D377BF641CF}" = RangeMax™ NEXT Wireless Adapter WN311B
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 10
"{27555031-A116-4EC6-9991-7B400142A936}" = HP PSC & OfficeJet 6.1.A
"{2FA32F90-7970-4B9C-BEF4-AA0B81BD5325}" = Brother HL-2140
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42EB8886-33DE-4040-94DF-27AC323D2FFD}_is1" = Shape2Earth 1.45.02
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{51C48D1F-9BBF-450A-BBCE-1D775AB94B15}" = FileMaker Pro 9
"{5E09E82C-004D-4F08-B051-46DE6D79F71A}" = Microsoft Visual C++ Redist - ENU
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B18E7E2-AFCA-4CBE-8CD5-3613315AB262}" = ArcGIS Explorer
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9074AFC0-CFDA-11DE-B484-005056806466}" = Google Earth
"{94E4FBD6-540C-4DB6-A469-B1FA248DA33E}" = 108Mbps Wireless LAN Adapter
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9CD8FC8E-A1CA-4634-96BC-CD6B2D4797CC}" = Lizardtech Express View Browser Plug-in
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}" = Ipswitch WS_FTP Professional 2007
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6812939-B117-48E6-A3BA-1709C14A3C8C}" = Scan
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}" = WinZip 11.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CDex" = CDex extraction audio
"Color Correction Wizard_is1" = Color Correction Wizard 1.1
"Cool Edit Pro 2.0" = Cool Edit Pro 2.0
"Easy RM to MP3 Converter_is1" = Easy RM to MP3 Converter 1.59.20
"ERUNT_is1" = ERUNT 1.1j
"exPressit S.E. 2.2" = exPressit S.E. 2.2
"GOM Player" = GOM Player
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Kingdia Video to AVI DIVX WMV DVD MOV ASF MPEG F~648C5368_is1" = Kingdia Video to AVI DIVX WMV DVD MOV ASF MPEG FLV Converter V3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MapWindow GIS_is1" = MapWindow GIS
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Miranda IM" = Miranda IM 0.7.13
"Mozilla Firefox (3.0.15)" = Mozilla Firefox (3.0.15)
"Mozilla Thunderbird (2.0.0.17)" = Mozilla Thunderbird (2.0.0.17)
"MPEG2 Codec(libmpeg2/mad)" = MPEG2 Codec(libmpeg2/mad)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PC Tools AntiVirus_is1" = PC Tools AntiVirus 5.0
"PhotoKit Sharpener Plug-in Module" = PhotoKit Sharpener Plug-in Module
"Soulseek2" = SoulSeek 157 NS 13c
"Spyware Terminator_is1" = Spyware Terminator
"TeamViewer 4" = TeamViewer 4
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ArcView GIS 3.2" = ArcView GIS 3.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/27/2010 10:11:45 PM | Computer Name = ANDREW | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 1/27/2010 10:11:45 PM | Computer Name = ANDREW | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 1/27/2010 11:22:24 PM | Computer Name = ANDREW | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/27/2010 11:27:52 PM | Computer Name = ANDREW | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/27/2010 11:28:54 PM | Computer Name = ANDREW | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 1/27/2010 11:28:54 PM | Computer Name = ANDREW | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 1/28/2010 11:08:32 AM | Computer Name = ANDREW | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/28/2010 11:14:46 AM | Computer Name = ANDREW | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/28/2010 11:15:48 AM | Computer Name = ANDREW | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 1/28/2010 11:15:48 AM | Computer Name = ANDREW | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

[ System Events ]
Error - 1/27/2010 9:35:07 PM | Computer Name = ANDREW | Source = Service Control Manager | ID = 7034
Description = The PC Tools AntiVirus Engine service terminated unexpectedly. It
has done this 1 time(s).

Error - 1/27/2010 11:22:01 PM | Computer Name = ANDREW | Source = Service Control Manager | ID = 7000
Description = The Java Quick Starter service failed to start due to the following
error: %%2

Error - 1/27/2010 11:22:01 PM | Computer Name = ANDREW | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 1/27/2010 11:22:05 PM | Computer Name = ANDREW | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/27/2010 11:22:05 PM | Computer Name = ANDREW | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/28/2010 11:08:13 AM | Computer Name = ANDREW | Source = Service Control Manager | ID = 7000
Description = The Java Quick Starter service failed to start due to the following
error: %%2

Error - 1/28/2010 11:08:13 AM | Computer Name = ANDREW | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 1/28/2010 11:08:18 AM | Computer Name = ANDREW | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/28/2010 11:08:18 AM | Computer Name = ANDREW | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/28/2010 11:13:44 AM | Computer Name = ANDREW | Source = Service Control Manager | ID = 7034
Description = The PC Tools AntiVirus Engine service terminated unexpectedly. It
has done this 1 time(s).


< End of report >


#6 himan
  • Topic Starter
  • Members
  • 16 posts

Posted 28 January 2010 - 10:45 AM

GMER crashed and my PC restarted about 5 minutes into the scan. I ran it again, but saved the log before it crashed. Here is what I have:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-28 07:41:04
Windows 5.1.2600 Service Pack 3
Running: celerddr.exe; Driver: C:\DOCUME~1\AK\LOCALS~1\Temp\uwtdrpog.sys


---- System - GMER 1.0.15 ----

SSDT BAF7A706 ZwCreateKey
SSDT BAF7A6FC ZwCreateThread
SSDT BAF7A70B ZwDeleteKey
SSDT BAF7A715 ZwDeleteValueKey
SSDT BAF7A71A ZwLoadKey
SSDT BAF7A6E8 ZwOpenProcess
SSDT BAF7A6ED ZwOpenThread
SSDT BAF7A724 ZwReplaceKey
SSDT BAF7A71F ZwRestoreKey
SSDT BAF7A710 ZwSetValueKey
SSDT BAF7A6F7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DAC 80504648 4 Bytes CALL B10B3DF3
.rsrc C:\WINDOWS\system32\drivers\nvata.sys entry point in ".rsrc" section [0xBA708E24]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8CDC360, 0x307F47, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVHook.sys (PC Tools Filter Driver for Windows 2000/XP/PC Tools Research Pty Ltd.)

Device -> \Driver\nvata \Device\Harddisk0\DR0 8A27C618

---- Services - GMER 1.0.15 ----

Service system32\drivers\SKYNETomykrewt.sys (*** hidden *** ) [SYSTEM] SKYNETxdjbpfbc <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc@imagepath \systemroot\system32\drivers\SKYNETomykrewt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\main@aid 10093
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETomykrewt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\modules@SKYNETcmd.dll \systemroot\system32\SKYNETaitbxdcp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\modules@SKYNETlog.dat \systemroot\system32\SKYNETjkcvvkay.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\modules@SKYNETwsp.dll \systemroot\system32\SKYNETlmyeytvr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETxdjbpfbc\modules@SKYNET.dat \systemroot\system32\SKYNETddtfqxso.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc@imagepath \systemroot\system32\drivers\SKYNETomykrewt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\main@aid 10093
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETomykrewt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\modules@SKYNETcmd.dll \systemroot\system32\SKYNETaitbxdcp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\modules@SKYNETlog.dat \systemroot\system32\SKYNETjkcvvkay.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\modules@SKYNETwsp.dll \systemroot\system32\SKYNETlmyeytvr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETxdjbpfbc\modules@SKYNET.dat \systemroot\system32\SKYNETddtfqxso.dat


#7 fenzodahl512
  • Members
  • 6,738 posts

Posted 28 January 2010 - 01:44 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:






It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 himan
  • Topic Starter
  • Members
  • 16 posts

Posted 28 January 2010 - 07:01 PM

Here you go:

ComboFix 10-01-28.04 - AK 01/28/2010 15:43:53.1.2 - x86
Running from: c:\documents and settings\AK\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SKYNETaitbxdcp.dll
c:\windows\system32\SKYNETjkcvvkay.dat
c:\windows\system32\win32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETxdjbpfbc
-------\Service_SKYNETxdjbpfbc


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-28 01:41 . 2010-01-28 02:13 -------- d-----w- c:\program files\ERUNT
2010-01-27 03:25 . 2010-01-27 03:25 0 ----a-w- c:\documents and settings\AK\settings.dat
2010-01-27 03:06 . 2010-01-27 03:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-27 02:07 . 2010-01-28 02:08 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-27 02:07 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-27 02:07 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-27 02:07 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-27 01:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-27 01:37 . 2010-01-27 01:37 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-27 01:36 . 2010-01-27 01:36 -------- d-----w- c:\program files\NETGEAR
2010-01-21 05:23 . 2010-01-21 05:23 -------- d-----w- c:\program files\TrendMicro
2010-01-20 01:41 . 2010-01-20 01:41 -------- d-----w- c:\documents and settings\AK\Application Data\AbleFaxTifView
2010-01-20 01:41 . 2010-01-27 01:35 -------- d-----w- c:\program files\AbleFaxTifView
2010-01-20 01:20 . 2010-01-20 01:20 163288 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-18 20:53 . 2010-01-27 01:36 -------- d-----w- c:\program files\NETGEAR(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 23:54 . 2008-12-01 01:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-28 23:53 . 2010-01-27 01:35 -------- d-----w- c:\program files\PC Tools AntiVirus
2010-01-28 15:23 . 2009-11-29 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2010-01-27 02:03 . 2008-08-19 05:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-27 01:40 . 2010-01-27 01:40 4706 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-01-27 01:37 . 2006-08-14 20:51 105344 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-01-27 01:37 . 2009-12-22 05:52 -------- d-----w- c:\program files\FLV Player
2010-01-27 01:36 . 2008-12-17 02:58 -------- d-----w- c:\program files\Google
2010-01-27 01:36 . 2009-11-29 08:12 -------- d-----w- c:\program files\Spyware Terminator
2010-01-27 01:36 . 2008-08-19 05:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-27 01:35 . 2010-01-27 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-27 01:35 . 2010-01-27 01:35 -------- d-----w- c:\documents and settings\AK\Application Data\PC Tools
2010-01-27 01:34 . 2010-01-26 02:32 -------- d-----w- c:\program files\YouTube Downloader
2010-01-27 01:34 . 2010-01-26 04:43 -------- d-----w- c:\program files\Wise Registry Cleaner
2010-01-23 04:57 . 2010-01-23 04:57 -------- d-----w- c:\program files\Avira
2010-01-23 04:57 . 2010-01-23 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-23 02:27 . 2009-11-29 09:09 -------- d-----w- c:\documents and settings\AK\Application Data\Spyware Terminator
2010-01-20 03:16 . 2008-08-20 01:56 72616 ----a-w- c:\documents and settings\AK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-02 04:10 . 2008-08-20 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-12-29 08:04 . 2008-08-20 05:20 -------- d-----w- c:\documents and settings\AK\Application Data\AdobeUM
2009-12-26 19:00 . 2009-12-26 19:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 19:14 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-12 00:40 . 2009-12-12 00:40 30784 ----a-w- c:\windows\system32\drivers\jkyglgbm.sys
2009-12-11 01:54 . 2008-12-26 01:41 -------- d-----w- c:\program files\TrackMaker
2009-11-29 09:09 . 2009-11-29 09:09 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-11-29 09:09 . 2009-11-29 09:09 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-11-29 09:09 . 2009-11-29 09:09 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-28 01:32 . 2009-11-25 17:41 79488 ----a-w- c:\documents and settings\AK\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2006-02-28 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-11-29 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8491008]
"nwiz"="nwiz.exe" [2007-10-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"SoundMan"="SOUNDMAN.EXE" [2008-06-19 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-09-25 1370000]
"AS00_WN311B"="c:\program files\NETGEAR\WN311B\Utility\WN311B.exe" [2007-04-04 2002944]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\AK\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
108Mbps Wireless LAN Adapter Configuration Utility.lnk - c:\program files\108Mbps Wireless LAN Adapter\WLANPRO.exe [2008-8-18 2678784]
Reg.lnk - c:\program files\108Mbps Wireless LAN Adapter\Reg.exe [2008-8-18 24576]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-6-6 394856]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 135664]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-06-11 968064]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-11-29 142592]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2002-04-12 16194]

.
Contents of the 'Scheduled Tasks' folder

2010-01-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-17 04:38]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 02:28]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 02:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: beatport.com
Trusted Zone: beatport.com\www
FF - ProfilePath - c:\documents and settings\AK\Application Data\Mozilla\Firefox\Profiles\h5fq7gj0.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPE2Host.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-seten - c:\windows\system32\mxyjybcv.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-28 15:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89C7D618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: RangeMax™ NEXT Wireless Adapter WN311B -> SendCompleteHandler -> NDIS.sys @ 0xba603bb0
PacketIndicateHandler -> NDIS.sys @ 0xba610a21
SendHandler -> NDIS.sys @ 0xba5ee87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-01-28 15:58:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-28 23:58
ComboFix2.txt 2010-01-23 04:48

Pre-Run: 417,668,116,480 bytes free
Post-Run: 417,668,952,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E8E0FB8EC879C2D9D62F03E3E322797A


#9 fenzodahl512
  • Members
  • 6,738 posts

Posted 29 January 2010 - 05:39 AM

Please download TDSSKiller.zip and unzip it to your Desktop

Run TDSSKiller and wait until it finishes (it should take just a few seconds, or under a minute).. Then find the log on your %systemdrive% (the drive that contains Windows).

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)








1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
jkyglgbm

Rootkit::
c:\windows\system32\drivers\jkyglgbm.sys


3. Save the above as CFScript.txt

4. Then drag CFScript.txt onto ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.




5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.



#10 himan
  • Topic Starter
  • Members
  • 16 posts

Posted 29 January 2010 - 08:35 PM

TDSS LOG:

16:59:52:390 3172 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:59:52:390 3172 ================================================================================
16:59:52:390 3172 SystemInfo:

16:59:52:390 3172 OS Version: 5.1.2600 ServicePack: 3.0
16:59:52:390 3172 Product type: Workstation
16:59:52:390 3172 ComputerName: ANDREW
16:59:52:390 3172 UserName: AK
16:59:52:390 3172 Windows directory: C:\WINDOWS
16:59:52:390 3172 Processor architecture: Intel x86
16:59:52:390 3172 Number of processors: 2
16:59:52:390 3172 Page size: 0x1000
16:59:52:390 3172 Boot type: Normal boot
16:59:52:390 3172 ================================================================================
16:59:52:390 3172 UnloadDriverW: NtUnloadDriver error 2
16:59:52:390 3172 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:59:52:421 3172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:59:52:421 3172 UtilityInit: KLMD drop and load success
16:59:52:421 3172 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:59:52:421 3172 UtilityInit: KLMD open success
16:59:52:421 3172 UtilityInit: Initialize success
16:59:52:421 3172
16:59:52:421 3172 Scanning Services ...
16:59:52:421 3172 CreateRegParser: Registry parser init started
16:59:52:421 3172 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
16:59:52:421 3172 CreateRegParser: DisableWow64Redirection error
16:59:52:421 3172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:59:52:421 3172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
16:59:52:421 3172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:59:52:421 3172 wfopen_ex: Trying to KLMD file open
16:59:52:421 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
16:59:52:421 3172 wfopen_ex: File opened ok (Flags 2)
16:59:52:421 3172 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 284920
16:59:52:421 3172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:59:52:421 3172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
16:59:52:421 3172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:59:52:421 3172 wfopen_ex: Trying to KLMD file open
16:59:52:421 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
16:59:52:421 3172 wfopen_ex: File opened ok (Flags 2)
16:59:52:421 3172 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 2849C8
16:59:52:421 3172 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
16:59:52:421 3172 CreateRegParser: EnableWow64Redirection error
16:59:52:421 3172 CreateRegParser: RegParser init completed
16:59:52:484 3172 GetAdvancedServicesInfo: Raw services enum returned 350 services
16:59:52:484 3172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:59:52:484 3172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:59:52:484 3172
16:59:52:484 3172 Scanning Kernel memory ...
16:59:52:484 3172 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:59:52:484 3172 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A299E18
16:59:52:484 3172 DetectCureTDL3: KLMD_GetDeviceObjectList returned 12 DevObjects
16:59:52:484 3172
16:59:52:484 3172 DetectCureTDL3: DEVICE_OBJECT: 890D8458
16:59:52:484 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 890D8458
16:59:52:484 3172 KLMD_ReadMem: Trying to ReadMemory 0x890D8458[0x38]
16:59:52:484 3172 DetectCureTDL3: DRIVER_OBJECT: 8A299E18
16:59:52:484 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A299E18[0xA8]
16:59:52:484 3172 KLMD_ReadMem: Trying to ReadMemory 0xE15FD6D0[0x18]
16:59:52:484 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:59:52:484 3172 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
16:59:52:484 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
16:59:52:484 3172 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
16:59:52:484 3172 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
16:59:52:484 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
16:59:52:484 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
16:59:52:484 3172 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
16:59:52:484 3172 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
16:59:52:484 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
16:59:52:484 3172 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
16:59:52:484 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:484 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:484 3172 TDL3_FileDetect: Processing driver: Disk
16:59:52:484 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:484 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:546 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:59:52:546 3172
16:59:52:546 3172 DetectCureTDL3: DEVICE_OBJECT: 890D9458
16:59:52:546 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 890D9458
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0x890D9458[0x38]
16:59:52:546 3172 DetectCureTDL3: DRIVER_OBJECT: 8A299E18
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A299E18[0xA8]
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0xE15FD6D0[0x18]
16:59:52:546 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:59:52:546 3172 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
16:59:52:546 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
16:59:52:546 3172 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
16:59:52:546 3172 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
16:59:52:546 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
16:59:52:546 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
16:59:52:546 3172 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
16:59:52:546 3172 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
16:59:52:546 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
16:59:52:546 3172 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
16:59:52:546 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:546 3172 TDL3_FileDetect: Processing driver: Disk
16:59:52:546 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:546 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:546 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:59:52:546 3172
16:59:52:546 3172 DetectCureTDL3: DEVICE_OBJECT: 890DE458
16:59:52:546 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 890DE458
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0x890DE458[0x38]
16:59:52:546 3172 DetectCureTDL3: DRIVER_OBJECT: 8A299E18
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A299E18[0xA8]
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0xE15FD6D0[0x18]
16:59:52:546 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:59:52:546 3172 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
16:59:52:546 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
16:59:52:546 3172 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
16:59:52:546 3172 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
16:59:52:546 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
16:59:52:546 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
16:59:52:546 3172 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
16:59:52:546 3172 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
16:59:52:546 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
16:59:52:546 3172 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
16:59:52:546 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:546 3172 TDL3_FileDetect: Processing driver: Disk
16:59:52:546 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:546 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:546 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:59:52:546 3172
16:59:52:546 3172 DetectCureTDL3: DEVICE_OBJECT: 890E5458
16:59:52:546 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 890E5458
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0x890E5458[0x38]
16:59:52:546 3172 DetectCureTDL3: DRIVER_OBJECT: 8A299E18
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A299E18[0xA8]
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0xE15FD6D0[0x18]
16:59:52:546 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:59:52:546 3172 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
16:59:52:546 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
16:59:52:546 3172 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
16:59:52:546 3172 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
16:59:52:546 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
16:59:52:546 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
16:59:52:546 3172 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
16:59:52:546 3172 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
16:59:52:546 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
16:59:52:546 3172 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
16:59:52:546 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:546 3172 TDL3_FileDetect: Processing driver: Disk
16:59:52:546 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:546 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:546 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:59:52:546 3172
16:59:52:546 3172 DetectCureTDL3: DEVICE_OBJECT: 89EF12E0
16:59:52:546 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89EF12E0
16:59:52:546 3172 DetectCureTDL3: DEVICE_OBJECT: 89F60460
16:59:52:546 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89F60460
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0x89F60460[0x38]
16:59:52:546 3172 DetectCureTDL3: DRIVER_OBJECT: 89F61390
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0x89F61390[0xA8]
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0xE1B40710[0x1E]
16:59:52:546 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
16:59:52:546 3172 DetectCureTDL3: IrpHandler (0) addr: ADED4218
16:59:52:546 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (2) addr: ADED4218
16:59:52:546 3172 DetectCureTDL3: IrpHandler (3) addr: ADED423C
16:59:52:546 3172 DetectCureTDL3: IrpHandler (4) addr: ADED423C
16:59:52:546 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (9) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (14) addr: ADED4180
16:59:52:546 3172 DetectCureTDL3: IrpHandler (15) addr: ADECF9E6
16:59:52:546 3172 DetectCureTDL3: IrpHandler (16) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (22) addr: ADED35F0
16:59:52:546 3172 DetectCureTDL3: IrpHandler (23) addr: ADED1A6E
16:59:52:546 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:546 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:546 3172 KLMD_ReadMem: Trying to ReadMemory 0xADED0F26[0x400]
16:59:52:546 3172 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:59:52:546 3172 TDL3_FileDetect: Processing driver: usbstor
16:59:52:546 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:59:52:546 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:59:52:578 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
16:59:52:578 3172
16:59:52:578 3172 DetectCureTDL3: DEVICE_OBJECT: 89E5A030
16:59:52:578 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89E5A030
16:59:52:578 3172 DetectCureTDL3: DEVICE_OBJECT: 89DDA278
16:59:52:578 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89DDA278
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0x89DDA278[0x38]
16:59:52:578 3172 DetectCureTDL3: DRIVER_OBJECT: 89F61390
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0x89F61390[0xA8]
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0xE1B40710[0x1E]
16:59:52:578 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
16:59:52:578 3172 DetectCureTDL3: IrpHandler (0) addr: ADED4218
16:59:52:578 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (2) addr: ADED4218
16:59:52:578 3172 DetectCureTDL3: IrpHandler (3) addr: ADED423C
16:59:52:578 3172 DetectCureTDL3: IrpHandler (4) addr: ADED423C
16:59:52:578 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (9) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (14) addr: ADED4180
16:59:52:578 3172 DetectCureTDL3: IrpHandler (15) addr: ADECF9E6
16:59:52:578 3172 DetectCureTDL3: IrpHandler (16) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (22) addr: ADED35F0
16:59:52:578 3172 DetectCureTDL3: IrpHandler (23) addr: ADED1A6E
16:59:52:578 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0xADED0F26[0x400]
16:59:52:578 3172 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:59:52:578 3172 TDL3_FileDetect: Processing driver: usbstor
16:59:52:578 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:59:52:578 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:59:52:578 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
16:59:52:578 3172
16:59:52:578 3172 DetectCureTDL3: DEVICE_OBJECT: 88FBA030
16:59:52:578 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88FBA030
16:59:52:578 3172 DetectCureTDL3: DEVICE_OBJECT: 89E4CD08
16:59:52:578 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89E4CD08
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0x89E4CD08[0x38]
16:59:52:578 3172 DetectCureTDL3: DRIVER_OBJECT: 89F61390
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0x89F61390[0xA8]
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0xE1B40710[0x1E]
16:59:52:578 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
16:59:52:578 3172 DetectCureTDL3: IrpHandler (0) addr: ADED4218
16:59:52:578 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (2) addr: ADED4218
16:59:52:578 3172 DetectCureTDL3: IrpHandler (3) addr: ADED423C
16:59:52:578 3172 DetectCureTDL3: IrpHandler (4) addr: ADED423C
16:59:52:578 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (9) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (14) addr: ADED4180
16:59:52:578 3172 DetectCureTDL3: IrpHandler (15) addr: ADECF9E6
16:59:52:578 3172 DetectCureTDL3: IrpHandler (16) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (22) addr: ADED35F0
16:59:52:578 3172 DetectCureTDL3: IrpHandler (23) addr: ADED1A6E
16:59:52:578 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:578 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0xADED0F26[0x400]
16:59:52:578 3172 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:59:52:578 3172 TDL3_FileDetect: Processing driver: usbstor
16:59:52:578 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:59:52:578 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:59:52:578 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
16:59:52:578 3172
16:59:52:578 3172 DetectCureTDL3: DEVICE_OBJECT: 89D7B030
16:59:52:578 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89D7B030
16:59:52:578 3172 DetectCureTDL3: DEVICE_OBJECT: 89F64EA0
16:59:52:578 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89F64EA0
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0x89F64EA0[0x38]
16:59:52:578 3172 DetectCureTDL3: DRIVER_OBJECT: 89F61390
16:59:52:578 3172 KLMD_ReadMem: Trying to ReadMemory 0x89F61390[0xA8]
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0xE1B40710[0x1E]
16:59:52:593 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
16:59:52:593 3172 DetectCureTDL3: IrpHandler (0) addr: ADED4218
16:59:52:593 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (2) addr: ADED4218
16:59:52:593 3172 DetectCureTDL3: IrpHandler (3) addr: ADED423C
16:59:52:593 3172 DetectCureTDL3: IrpHandler (4) addr: ADED423C
16:59:52:593 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (9) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (14) addr: ADED4180
16:59:52:593 3172 DetectCureTDL3: IrpHandler (15) addr: ADECF9E6
16:59:52:593 3172 DetectCureTDL3: IrpHandler (16) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (22) addr: ADED35F0
16:59:52:593 3172 DetectCureTDL3: IrpHandler (23) addr: ADED1A6E
16:59:52:593 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0xADED0F26[0x400]
16:59:52:593 3172 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:59:52:593 3172 TDL3_FileDetect: Processing driver: usbstor
16:59:52:593 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:59:52:593 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:59:52:593 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
16:59:52:593 3172
16:59:52:593 3172 DetectCureTDL3: DEVICE_OBJECT: 8A2807E8
16:59:52:593 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A2807E8
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A2807E8[0x38]
16:59:52:593 3172 DetectCureTDL3: DRIVER_OBJECT: 8A299E18
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A299E18[0xA8]
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0xE15FD6D0[0x18]
16:59:52:593 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:59:52:593 3172 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
16:59:52:593 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
16:59:52:593 3172 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
16:59:52:593 3172 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
16:59:52:593 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
16:59:52:593 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
16:59:52:593 3172 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
16:59:52:593 3172 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
16:59:52:593 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
16:59:52:593 3172 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
16:59:52:593 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:593 3172 TDL3_FileDetect: Processing driver: Disk
16:59:52:593 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:593 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:593 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:59:52:593 3172
16:59:52:593 3172 DetectCureTDL3: DEVICE_OBJECT: 8A1BFC68
16:59:52:593 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A1BFC68
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A1BFC68[0x38]
16:59:52:593 3172 DetectCureTDL3: DRIVER_OBJECT: 8A299E18
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A299E18[0xA8]
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0xE15FD6D0[0x18]
16:59:52:593 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:59:52:593 3172 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
16:59:52:593 3172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
16:59:52:593 3172 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
16:59:52:593 3172 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
16:59:52:593 3172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
16:59:52:593 3172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
16:59:52:593 3172 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
16:59:52:593 3172 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
16:59:52:593 3172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
16:59:52:593 3172 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
16:59:52:593 3172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:59:52:593 3172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:59:52:593 3172 TDL3_FileDetect: Processing driver: Disk
16:59:52:593 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:593 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:59:52:593 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:59:52:593 3172
16:59:52:593 3172 DetectCureTDL3: DEVICE_OBJECT: 8A22AAB8
16:59:52:593 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A22AAB8
16:59:52:593 3172 DetectCureTDL3: DEVICE_OBJECT: 8A19EF18
16:59:52:593 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A19EF18
16:59:52:593 3172 DetectCureTDL3: DEVICE_OBJECT: 8A22A030
16:59:52:593 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A22A030
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A22A030[0x38]
16:59:52:593 3172 DetectCureTDL3: DRIVER_OBJECT: 8A2F6D58
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A2F6D58[0xA8]
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0xE100B3F8[0x1A]
16:59:52:593 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata
16:59:52:593 3172 DetectCureTDL3: IrpHandler (0) addr: BA6F1894
16:59:52:593 3172 DetectCureTDL3: IrpHandler (1) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (2) addr: BA6F1894
16:59:52:593 3172 DetectCureTDL3: IrpHandler (3) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (4) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (5) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (6) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (7) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (8) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (9) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (10) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (11) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (12) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (13) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (14) addr: BA6F18AE
16:59:52:593 3172 DetectCureTDL3: IrpHandler (15) addr: BA6F1D6E
16:59:52:593 3172 DetectCureTDL3: IrpHandler (16) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (17) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (18) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (19) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (20) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (21) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (22) addr: BA6F1D0E
16:59:52:593 3172 DetectCureTDL3: IrpHandler (23) addr: BA6F1A9C
16:59:52:593 3172 DetectCureTDL3: IrpHandler (24) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (25) addr: BA6F1874
16:59:52:593 3172 DetectCureTDL3: IrpHandler (26) addr: BA6F1874
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A1C84BF[0x400]
16:59:52:593 3172 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
16:59:52:593 3172 Driver "nvata" StartIo handler infected by TDSS rootkit ... 16:59:52:593 3172 TDL3_StartIoHookCure: Number of patches 1
16:59:52:593 3172 KLMD_WriteMem: Trying to WriteMemory 0x8A1C85B6[0x6]
16:59:52:593 3172 cured
16:59:52:593 3172 TDL3_FileDetect: Processing driver: nvata
16:59:52:593 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\nvata.sys
16:59:52:593 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\nvata.sys
16:59:52:593 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: Clean
16:59:52:593 3172
16:59:52:593 3172 DetectCureTDL3: DEVICE_OBJECT: 8A281AB8
16:59:52:593 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A281AB8
16:59:52:593 3172 DetectCureTDL3: DEVICE_OBJECT: 8A22BF18
16:59:52:593 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A22BF18
16:59:52:593 3172 DetectCureTDL3: DEVICE_OBJECT: 8A281030
16:59:52:593 3172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A281030
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A281030[0x38]
16:59:52:593 3172 DetectCureTDL3: DRIVER_OBJECT: 8A19BF38
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A19BF38[0xA8]
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A299030[0x38]
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A2F6D58[0xA8]
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0xE100B3F8[0x1A]
16:59:52:593 3172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata
16:59:52:593 3172 DetectCureTDL3: IrpHandler (0) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (1) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (2) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (3) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (4) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (5) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (6) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (7) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (8) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (9) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (10) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (11) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (12) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (13) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (14) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (15) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (16) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (17) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (18) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (19) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (20) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (21) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (22) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (23) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (24) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (25) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: IrpHandler (26) addr: 8A1C8618
16:59:52:593 3172 DetectCureTDL3: All IRP handlers pointed to one addr: 8A1C8618
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A1C8618[0x400]
16:59:52:593 3172 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
16:59:52:593 3172 Driver "nvata" Irp handler infected by TDSS rootkit ... 16:59:52:593 3172 KLMD_WriteMem: Trying to WriteMemory 0x8A1C867D[0xD]
16:59:52:593 3172 cured
16:59:52:593 3172 KLMD_ReadMem: Trying to ReadMemory 0x8A1C84BF[0x400]
16:59:52:593 3172 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 0
16:59:52:593 3172 TDL3_FileDetect: Processing driver: nvata
16:59:52:593 3172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\nvata.sys
16:59:52:593 3172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\nvata.sys
16:59:52:640 3172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: Infected
16:59:52:640 3172 File C:\WINDOWS\system32\DRIVERS\nvata.sys infected by TDSS rootkit ... 16:59:52:640 3172 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\nvata.sys
16:59:52:640 3172 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
16:59:52:640 3172 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
16:59:52:703 3172 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
16:59:52:750 3172 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
16:59:52:765 3172 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
16:59:53:015 3172 TDL3_FileCure: Backup copy not found, trying to cure infected file..
16:59:53:015 3172 TDL3_FileCure: Cure success, using it..
16:59:53:015 3172 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk4.tmp
16:59:53:015 3172 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk4.tmp, system32\drivers\nvata.sys)
16:59:53:015 3172 TDL3_FileCure: KLMD jobs schedule success
16:59:53:015 3172 will be cured on next reboot
16:59:53:015 3172 UtilityBootReinit: Reboot required for cure complete..
16:59:53:015 3172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
16:59:53:015 3172 UtilityBootReinit: KLMD drop success
16:59:53:015 3172 KLMD_ApplyPendList: Pending buffer(3BD3_1B2D, 600) dropped successfully
16:59:53:015 3172 UtilityBootReinit: Cure on reboot scheduled successfully
16:59:53:015 3172
16:59:53:015 3172 Completed
16:59:53:015 3172
16:59:53:015 3172 Results:
16:59:53:015 3172 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
16:59:53:015 3172 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:59:53:015 3172 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:59:53:015 3172
16:59:53:015 3172 UnloadDriverW: NtUnloadDriver error 1
16:59:53:015 3172 KLMD_Unload: UnloadDriverW(klmd21) error 1
16:59:53:015 3172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:59:53:015 3172 UtilityDeinit: KLMD(ARK) unloaded successfully


#11 himan

  • Topic Starter
  • Members
  • 16 posts

Posted 29 January 2010 - 08:37 PM

Here is the ComboFix log. I killed the PC Tools AntiVirus process before running ComboFix, but according to ComboFix it was still running... hope it did not hinder any progress.

COMBOFIX:

ComboFix 10-01-28.04 - AK 01/29/2010 17:11:38.2.2 - x86
Running from: c:\documents and settings\AK\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\AK\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: PC Tools AntiVirus 5.0.0.22 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
.

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))
.

2010-01-28 01:41 . 2010-01-28 02:13 -------- d-----w- c:\program files\ERUNT
2010-01-27 03:25 . 2010-01-27 03:25 0 ----a-w- c:\documents and settings\AK\settings.dat
2010-01-27 03:06 . 2010-01-27 03:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-27 02:07 . 2010-01-28 02:08 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-27 02:07 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-27 02:07 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-27 02:07 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-27 01:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-27 01:37 . 2010-01-27 01:37 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-27 01:36 . 2010-01-27 01:36 -------- d-----w- c:\program files\NETGEAR
2010-01-27 01:35 . 2010-01-30 01:16 -------- d-----w- c:\program files\PC Tools AntiVirus
2010-01-27 01:35 . 2010-01-27 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-27 01:35 . 2010-01-27 01:35 -------- d-----w- c:\documents and settings\AK\Application Data\PC Tools
2010-01-20 01:20 . 2010-01-20 01:20 163288 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-18 20:53 . 2010-01-27 01:36 -------- d-----w- c:\program files\NETGEAR(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 01:17 . 2008-12-01 01:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-30 01:01 . 2006-08-14 20:51 105344 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-01-28 15:23 . 2009-11-29 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2010-01-27 02:03 . 2008-08-19 05:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-27 01:37 . 2009-12-22 05:52 -------- d-----w- c:\program files\FLV Player
2010-01-27 01:36 . 2008-12-17 02:58 -------- d-----w- c:\program files\Google
2010-01-27 01:36 . 2009-11-29 08:12 -------- d-----w- c:\program files\Spyware Terminator
2010-01-27 01:36 . 2008-08-19 05:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-27 01:35 . 2010-01-20 01:41 -------- d-----w- c:\program files\AbleFaxTifView
2010-01-27 01:34 . 2010-01-26 02:32 -------- d-----w- c:\program files\YouTube Downloader
2010-01-27 01:34 . 2010-01-26 04:43 -------- d-----w- c:\program files\Wise Registry Cleaner
2010-01-23 04:57 . 2010-01-23 04:57 -------- d-----w- c:\program files\Avira
2010-01-23 04:57 . 2010-01-23 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-23 02:27 . 2009-11-29 09:09 -------- d-----w- c:\documents and settings\AK\Application Data\Spyware Terminator
2010-01-21 05:23 . 2010-01-21 05:23 -------- d-----w- c:\program files\TrendMicro
2010-01-20 03:16 . 2008-08-20 01:56 72616 ----a-w- c:\documents and settings\AK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-20 01:41 . 2010-01-20 01:41 -------- d-----w- c:\documents and settings\AK\Application Data\AbleFaxTifView
2010-01-02 04:10 . 2008-08-20 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-12-29 08:04 . 2008-08-20 05:20 -------- d-----w- c:\documents and settings\AK\Application Data\AdobeUM
2009-12-26 19:00 . 2009-12-26 19:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 19:14 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-11 01:54 . 2008-12-26 01:41 -------- d-----w- c:\program files\TrackMaker
2009-11-29 09:09 . 2009-11-29 09:09 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-11-29 09:09 . 2009-11-29 09:09 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-11-29 09:09 . 2009-11-29 09:09 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-28 01:32 . 2009-11-25 17:41 79488 ----a-w- c:\documents and settings\AK\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2006-02-28 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-11-29 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8491008]
"nwiz"="nwiz.exe" [2007-10-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"SoundMan"="SOUNDMAN.EXE" [2008-06-19 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-09-25 1370000]
"AS00_WN311B"="c:\program files\NETGEAR\WN311B\Utility\WN311B.exe" [2007-04-04 2002944]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\AK\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
108Mbps Wireless LAN Adapter Configuration Utility.lnk - c:\program files\108Mbps Wireless LAN Adapter\WLANPRO.exe [2008-8-18 2678784]
Reg.lnk - c:\program files\108Mbps Wireless LAN Adapter\Reg.exe [2008-8-18 24576]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-6-6 394856]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 135664]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-06-11 968064]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-11-29 142592]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2002-04-12 16194]

.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-17 04:38]

2010-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 02:28]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 02:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: beatport.com
Trusted Zone: beatport.com\www
FF - ProfilePath - c:\documents and settings\AK\Application Data\Mozilla\Firefox\Profiles\h5fq7gj0.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPE2Host.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-29 17:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(956)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(1988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-01-29 17:20:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-30 01:20
ComboFix2.txt 2010-01-28 23:59
ComboFix3.txt 2010-01-23 04:48

Pre-Run: 417,633,255,424 bytes free
Post-Run: 417,597,972,480 bytes free

- - End Of File - - 798A76EB9E5EC54CD381C3AF82331817


#12 himan

himan
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:01 PM

Posted 29 January 2010 - 08:45 PM

I had a Windows Installer service error while trying to run the HijackThis.msi file, so I had to run HijackThis from an .exe.

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:12 PM, on 1/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [AS00_WN311B] C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe -hide
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-21-854245398-1078145449-839522115-1003\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe" (User '?')
O4 - S-1-5-21-854245398-1078145449-839522115-1003 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User '?')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Reg.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.beatport.com
O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6709 bytes

Edited by himan, 29 January 2010 - 09:32 PM.
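The single most security-relevant entry in both logs is the same one: ComboFix's `uInternet Settings,ProxyServer = http=127.0.0.1:5555` in the previous post and the HijackThis `R1 - ... ProxyServer = http=127.0.0.1:5555` line above. A user-level IE proxy that points at the machine itself means some local process is placed between the browser and the network, which is consistent with the search redirects reported at the start of the thread. The helper below is an added example for this thread, not a HijackThis, ComboFix or BleepingComputer tool: it parses log lines in both formats, pulls the proxy value apart, and flags loopback proxies, Trusted Zone additions and services whose binary is missing. The severity scale, the `Finding`/`triage`/`proxy_targets` names and the sample input (a handful of lines copied from the HijackThis log above) are the editor's own.

```python
"""Triage helper for HijackThis / ComboFix-style log entries.

Added example for this thread, not part of HijackThis, ComboFix or BleepingComputer.
Severity labels and function names are the editor's own choices.
"""
import re
from dataclasses import dataclass

# Every HijackThis entry starts with a section code: "R1 - ...", "O4 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str       # HijackThis section code the entry came from
    severity: str   # "high", "medium" or "info" (editor's own scale)
    reason: str
    line: str


def proxy_targets(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    Accepts both forms Windows uses: a bare "host:port" for all protocols, or a
    per-protocol list such as "http=127.0.0.1:5555;https=proxy:8080".
    """
    targets = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.partition(":")
        targets.append((scheme or "*", host, port))
    return targets


def is_loopback(host):
    """True for the machine itself: localhost or anything in 127.0.0.0/8."""
    return host.lower() == "localhost" or host.startswith("127.")


def parse_entries(log_text):
    """Return (code, body, original_line) for each recognised entry.

    ComboFix/DDS write the same proxy setting as "uInternet Settings,ProxyServer = ...";
    those lines are folded into the R1 bucket so one rule covers both logs.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
        elif line.startswith("uInternet Settings,ProxyServer"):
            entries.append(("R1", line, line))
    return entries


def triage(log_text):
    """Return Findings for the entries that deserve a second look."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if code in ("R0", "R1") and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if any(is_loopback(host) for _, host, _ in proxy_targets(value)):
                findings.append(Finding(code, "high",
                    "browser proxy points at the local machine: a process on this host "
                    "is sitting between the browser and the network", line))
            else:
                findings.append(Finding(code, "medium",
                    "explicit proxy configured; confirm it is expected", line))
        elif code == "O15":
            findings.append(Finding(code, "medium",
                "site added to the IE Trusted Zone (weaker security settings)", line))
        elif code == "O23" and "(file missing)" in body:
            findings.append(Finding(code, "info",
                "service registered but its binary is gone (stale registration)", line))
    return findings


# Sample input: lines copied from the HijackThis log posted above (not a full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O15 - Trusted Zone: *.beatport.com
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
```

Run against the sample it reports the loopback proxy as high, the Trusted Zone entry as medium and the missing jqs.exe service as informational. A loopback proxy is a strong indicator, not proof on its own (some local filtering tools also use one), so the follow-up is to identify what is listening on the port (`netstat -ano` on XP shows the owning PID) before clearing the value; the setting itself lives under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (`ProxyServer` together with `ProxyEnable`), which is where the removal tools used in this thread reset it.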


#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 29 January 2010 - 10:17 PM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#14 himan

himan
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:01 PM

Posted 30 January 2010 - 01:54 AM

The computer is much better now and the redirects seem to have stopped, but I want to make sure EVERY remaining trace of malware is gone! While running the ESET online scan, Avira made several notifications stating that a Trojan was found, "TR/Vundo.Gen". Maybe we should do another scan?

Here is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ef5b0527b249554685a1f21edafda1be
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-30 06:46:27
# local_time=2010-01-29 10:46:27 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775125 100 94 0 37371215 0 0
# compatibility_mode=2561 16777173 100 100 0 67760404 0 0
# compatibility_mode=7937 16777213 100 100 0 5449162 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=70828
# found=1
# cleaned=1
# scan_time=2087
J:\Favorites\Online Security Guide.lnk Win32/Adware.SecToolbar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 31 January 2010 - 05:13 AM

Can you post the Avira report, please? And please run a full scan with Avira to ensure we got them all.





