
Internet Security 2010 created browser redirects to random search directories


  • This topic is locked
16 replies to this topic

#1 brada220

  • Members
  • 9 posts
  • Gender:Male
  • Location:USA

Posted 14 February 2010 - 03:09 PM

Computer became infected with Internet Security 2010 software. I took steps to remove the infection. I am unable to locate any remnant of infection. However, my browsers, Internet Explorer and Firefox, are redirected to random search directories (no porn sites), such as a yellow page directory, Hot Jobs and the like. I did a HijackThis scan and I have removed what I thought was suspicious. Still the browser redirects continue.


DDS (Ver_09-12-01.01) - NTFSx86
Run by William at 14:21:26.23 on Sun 02/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1385 [GMT -5:00]

AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
N:\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\3.8.0.41\IPSBHO.DLL
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\3.8.0.41\coIEPlg.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [OpAgent] "OpAgent.exe" /agent
mRun: [IObit Security 360] "g:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
IE: Copy to &Lightning Note - g:\program files\corel\wordperfect office x4\wordperfect lightning\programs\WPLightningCopyToNote.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360 premier edition\engine\3.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - g:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - g:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-11 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-11 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-11 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100210.001\IDSXpx86.sys [2010-2-12 329592]
R1 SASDIFSV;SASDIFSV;g:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R1 SASKUTIL;SASKUTIL;g:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 74480]
R2 FFilter;FFilter;g:\program files\iobit\file protection\ffilter.sys [2009-11-27 128016]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-3 54752]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-2-10 10384]
R2 N360;Norton 360;c:\program files\norton 360 premier edition\engine\3.8.0.41\ccSvcHst.exe [2010-2-11 117640]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-2-11 582992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-11 102448]
R3 FIXUSTOR;FIXUSTOR;c:\windows\system32\drivers\fixustor.sys [2006-11-7 12672]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100214.004\NAVENG.SYS [2010-2-14 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100214.004\NAVEX15.SYS [2010-2-14 1324720]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-2-11 206608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S2 IS360service;IS360service;g:\program files\iobit\iobit security 360\is360srv.exe [2010-2-11 311568]
S2 TCAITDI;TCAITDI Protocol; [x]
S3 ASUSHWIO;ASUSHWIO; [x]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\william\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\william\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-2-11 24416]
S3 SASENUM;SASENUM;g:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-2-11 206608]

=============== Created Last 30 ================

2010-02-14 19:20:47 0 ----a-w- c:\documents and settings\william\defogger_reenable
2010-02-13 21:36:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 21:36:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-13 19:53:10 1140 ----a-w- c:\windows\system32\tmp.reg
2010-02-13 19:30:42 98816 ----a-w- c:\windows\sed.exe
2010-02-13 19:30:42 77312 ----a-w- c:\windows\MBR.exe
2010-02-13 19:30:42 261632 ----a-w- c:\windows\PEV.exe
2010-02-13 19:30:42 161792 ----a-w- c:\windows\SWREG.exe
2010-02-13 16:22:59 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-02-12 04:55:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-02-12 02:40:09 835 ----a-w- c:\windows\system32\windmvs32.ini
2010-02-12 02:39:07 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-02-11 22:20:05 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-11 22:20:01 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-11 22:20:01 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-11 22:20:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-11 22:20:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-11 22:20:01 0 d-----w- c:\program files\Symantec
2010-02-11 22:20:01 0 d-----w- c:\program files\common files\Symantec Shared
2010-02-11 22:19:27 0 d-----w- c:\windows\system32\drivers\N360
2010-02-11 22:19:24 0 d-----w- c:\program files\Norton 360 Premier Edition
2010-02-11 22:19:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-02-11 22:19:09 0 d-----w- c:\program files\NortonInstaller
2010-02-11 21:36:42 0 dc-h--w- c:\windows\ie8
2010-02-11 17:02:34 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-02-11 17:02:34 0 d-----w- c:\program files\Trend Micro
2010-02-11 05:57:44 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-02-11 05:51:37 2 --shatr- c:\windows\winstart.bat
2010-02-11 05:51:10 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-02-11 05:13:48 0 d-----w- c:\docume~1\william\applic~1\Malwarebytes
2010-02-11 04:40:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-11 04:00:41 0 d-----w- c:\program files\Security Task Manager
2010-02-11 01:14:39 0 d-----w- c:\windows\system32\log
2010-02-11 01:10:40 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-02-11 01:10:40 142864 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-11 01:10:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro
2010-02-10 22:10:45 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-10 22:10:39 0 d-----w- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2010-02-10 20:18:01 0 d-----w- c:\program files\Microsoft
2010-02-10 20:08:39 98304 ----a-w- c:\windows\system32\TwcToolbarBho.dll
2010-02-10 20:08:39 331776 ----a-w- c:\windows\system32\TwcToolbarIe7.dll
2010-02-10 20:08:39 25600 ----a-w- c:\windows\system32\TwcToolInstDll.dll
2010-02-10 20:07:22 0 d-----w- c:\program files\The Weather Channel Toolbar
2010-02-10 18:38:13 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-02-10 18:37:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-02-10 18:37:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-02-10 18:37:47 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-02-10 18:36:32 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2010-02-10 18:36:25 84496 ----a-w- c:\windows\system32\KemXML.dll
2010-02-10 18:36:25 170512 ----a-w- c:\windows\system32\kemutb.dll
2010-02-10 18:36:25 145936 ----a-w- c:\windows\system32\KemUtil.dll
2010-02-10 18:36:25 117264 ----a-w- c:\windows\system32\KemWnd.dll
2010-02-10 18:11:15 55824 ----a-w- c:\windows\KHALMNPR.Exe
2010-02-10 18:11:15 37392 ----a-w- c:\windows\system32\drivers\LMouFilt.Sys
2010-02-10 18:11:15 35472 ----a-w- c:\windows\system32\drivers\LHidFilt.Sys
2010-02-10 18:11:15 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2010-02-09 15:47:15 0 d-----w- c:\docume~1\william\applic~1\Nuance
2010-02-09 15:44:52 0 d-----w- c:\program files\common files\Nuance
2010-02-09 15:44:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Nuance
2010-02-07 00:52:45 89 ----a-w- c:\windows\bi_group.ini
2010-01-26 00:54:31 0 d-----w- c:\docume~1\william\applic~1\Office Genuine Advantage
2010-01-22 16:51:25 3251 ----a-w- c:\windows\system32\wbem\Outlook_01ca9b83223ad042.mof
2010-01-17 03:16:51 0 d-----w- c:\docume~1\william\applic~1\Digital Support
2010-01-17 03:16:46 0 d-----w- c:\program files\Digital Support

==================== Find3M ====================

2010-02-13 21:10:19 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-02-11 22:19:54 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-09 16:07:29 1994 ----a-w- c:\docume~1\william\applic~1\SAS7_000.DAT
2010-02-06 23:22:02 3662 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 06:51:26 12128 ----a-w- C:\BdUninstallTool2009.11.27-01.50.16.reg
2009-11-26 01:55:57 112191 ----a-w- C:\BdUninstallTool2009.11.25-08.54.44.reg

============= FINISH: 14:21:51.37 ===============

Attached Files
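As an added example (not DDS's own code and not a tool used in this thread), a small Python triage script for the kind of DDS log posted above: it splits the log into its sections and flags the entries a log reader usually checks first, namely security products reported as disabled, orphaned "No File" registrations, Run keys that start a bare executable name, and services registered without a file path. The heuristics and the constructed sample lines are this example's own assumptions.

```python
"""Triage the header, 'Pseudo HJT Report' and 'SERVICES / DRIVERS' sections
of a DDS log.

Added example, not DDS's own code and not a tool used in this thread. The
heuristics are this example's assumptions about what a log reader checks
first; SAMPLE_DDS is constructed from entries posted in the thread.
"""
import re

# Constructed sample: a subset of the posted log, in DDS's own layout.
SAMPLE_DDS = """\
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\\program files\\norton 360 premier edition\\engine\\3.8.0.41\\coIEPlg.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [OpAgent] "OpAgent.exe" /agent
mRun: [IObit Security 360] "g:\\program files\\iobit\\iobit security 360\\IS360tray.exe" /autostart
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\\windows\\system32\\drivers\\n360\\0308000.029\\SymEFA.sys [2010-2-11 310320]
S2 TCAITDI;TCAITDI Protocol; [x]
S3 ASUSHWIO;ASUSHWIO; [x]
S3 RegGuard;RegGuard;c:\\windows\\system32\\drivers\\regguard.sys [2010-2-11 24416]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# uRun/mRun/uRunOnce/mRunOnce: [value name] "quoted path" or bare path, then args
RUN_RE = re.compile(r'^[um]Run(?:Once)?: \[(.+?)\] (?:"([^"]+)"|(\S+))')
# Start type, service name, display name, file field
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")


def split_sections(text):
    """Map each DDS section header to its non-blank lines. Lines before the
    first '=== name ===' header (the AV/FW summary) go under 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line)
    return sections


def triage(text):
    """Return (category, line) pairs for entries worth a second look."""
    findings = []
    sections = split_sections(text)

    # DDS marks a security product whose protection is off with *disabled*;
    # rogue AV such as Internet Security 2010 commonly leaves it that way.
    for line in sections.get("Header", []):
        if line[:3] in ("AV:", "FW:") and "disabled" in line.lower():
            findings.append(("security-product-disabled", line))

    for line in sections.get("Pseudo HJT Report", []):
        # Toolbar/BHO/hook registrations whose DLL is gone: leftovers of a
        # removal, or of something still hiding its file.
        if line.endswith("- No File"):
            findings.append(("orphaned-registration", line))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = m.group(2) or m.group(3)
            # A bare file name in a Run key is resolved through the search
            # path at logon, so the log cannot tell you which file it starts.
            if "\\" not in exe and "/" not in exe:
                findings.append(("run-key-unqualified-path", line))

    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        file_field = m.group(4).strip()
        if file_field in ("", "[x]"):          # DDS could not find the image
            findings.append(("service-without-file", line))
        elif file_field.endswith("[?]"):       # image listed but not verified
            findings.append(("service-file-unverified", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"{category:28} {line}")
```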




#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 February 2010 - 12:52 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 brada220
  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male
  • Location:USA

Posted 18 February 2010 - 07:05 PM

QUOTE(m0le @ Feb 18 2010, 12:52 PM)
Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks


At the computer now - 7:05 pm EST

#4 brada220
  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male
  • Location:USA

Posted 18 February 2010 - 07:37 PM

Hello Mole

Thanks for assisting - Anytime you want to begin

#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 February 2010 - 08:14 PM

Okay, we have the TDSS rootkit here. We should be able to replace the problem with Combofix, but first let's try and kill the bad processes which protect the whole thing.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up; press any key to close it once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Finally, Combofix

Please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#6 brada220
  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male
  • Location:USA

Posted 18 February 2010 - 09:29 PM

Here are the logs as requested.


exeHelper by Raktor
Build 20091220
Run at 20:43:39 on 02/18/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as William on 02/18/2010 at 20:46:41.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\William\Desktop\rkill.pif


Rkill completed on 02/18/2010 at 20:46:45.


#7 brada220
  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male
  • Location:USA

Posted 18 February 2010 - 09:42 PM

I thought I had attached the Combofix log in my earlier entry - I didn't see it so I am sending again.

Attached Files



#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 February 2010 - 04:17 AM

Are you still getting redirects?
m0le is a proud member of UNITE

#9 brada220
  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male
  • Location:USA

Posted 19 February 2010 - 07:53 AM

Yes I am, unfortunately.

I need to go off to work - I should be back at 7 pm EST

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 February 2010 - 09:17 AM

Let's use TDSSKiller to replace the infected file
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here (or attach it).

m0le is a proud member of UNITE

#11 brada220
  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male
  • Location:USA

Posted 19 February 2010 - 06:20 PM

Here is the requested file - I still have the program open.


18:15:21:984 57700 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
18:15:21:984 57700 ================================================================================
18:15:21:984 57700 SystemInfo:

18:15:21:984 57700 OS Version: 5.1.2600 ServicePack: 3.0
18:15:21:984 57700 Product type: Workstation
18:15:21:984 57700 ComputerName: RADA-665551
18:15:21:984 57700 UserName: William
18:15:21:984 57700 Windows directory: C:\WINDOWS
18:15:21:984 57700 Processor architecture: Intel x86
18:15:21:984 57700 Number of processors: 1
18:15:21:984 57700 Page size: 0x1000
18:15:21:984 57700 Boot type: Normal boot
18:15:21:984 57700 ================================================================================
18:15:22:000 57700 UnloadDriverW: NtUnloadDriver error 2
18:15:22:000 57700 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:15:22:000 57700 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
18:15:22:000 57700 UtilityInit: KLMD drop and load success
18:15:22:000 57700 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
18:15:22:000 57700 UtilityInit: KLMD open success
18:15:22:000 57700 UtilityInit: Initialize success
18:15:22:000 57700
18:15:22:000 57700 Scanning Services ...
18:15:22:000 57700 CreateRegParser: Registry parser init started
18:15:22:000 57700 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
18:15:22:000 57700 CreateRegParser: DisableWow64Redirection error
18:15:22:000 57700 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
18:15:22:015 57700 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
18:15:22:015 57700 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:15:22:015 57700 wfopen_ex: Trying to KLMD file open
18:15:22:015 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
18:15:22:015 57700 wfopen_ex: File opened ok (Flags 2)
18:15:22:015 57700 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384BC8
18:15:22:015 57700 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
18:15:22:015 57700 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
18:15:22:015 57700 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:15:22:015 57700 wfopen_ex: Trying to KLMD file open
18:15:22:015 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
18:15:22:015 57700 wfopen_ex: File opened ok (Flags 2)
18:15:22:015 57700 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384AB8
18:15:22:015 57700 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
18:15:22:015 57700 CreateRegParser: EnableWow64Redirection error
18:15:22:015 57700 CreateRegParser: RegParser init completed
18:15:22:312 57700 GetAdvancedServicesInfo: Raw services enum returned 411 services
18:15:22:312 57700 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
18:15:22:312 57700 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
18:15:22:312 57700
18:15:22:312 57700 Scanning Kernel memory ...
18:15:22:312 57700 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
18:15:22:312 57700 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AB3A5D8
18:15:22:312 57700 DetectCureTDL3: KLMD_GetDeviceObjectList returned 17 DevObjects
18:15:22:312 57700
18:15:22:312 57700 DetectCureTDL3: DEVICE_OBJECT: 89A6CC68
18:15:22:312 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A6CC68
18:15:22:312 57700 KLMD_ReadMem: Trying to ReadMemory 0x89A6CC68[0x38]
18:15:22:312 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:312 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:312 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:312 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:312 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:312 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:312 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:312 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:328 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:328 57700
18:15:22:328 57700 DetectCureTDL3: DEVICE_OBJECT: 8A8A8030
18:15:22:328 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A8A8030
18:15:22:328 57700 KLMD_ReadMem: Trying to ReadMemory 0x8A8A8030[0x38]
18:15:22:328 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:328 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:328 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:328 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:328 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:328 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:328 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:328 57700
18:15:22:328 57700 DetectCureTDL3: DEVICE_OBJECT: 89A63C68
18:15:22:328 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A63C68
18:15:22:328 57700 KLMD_ReadMem: Trying to ReadMemory 0x89A63C68[0x38]
18:15:22:328 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:328 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:328 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:328 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:328 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:328 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:328 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:328 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:328 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:343 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:343 57700
18:15:22:343 57700 DetectCureTDL3: DEVICE_OBJECT: 89A4A5D8
18:15:22:343 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A4A5D8
18:15:22:343 57700 KLMD_ReadMem: Trying to ReadMemory 0x89A4A5D8[0x38]
18:15:22:343 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:343 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:343 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:343 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:343 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:343 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:343 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:343 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:343 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:343 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:343 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:343 57700
18:15:22:343 57700 DetectCureTDL3: DEVICE_OBJECT: 89A6EC68
18:15:22:343 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A6EC68
18:15:22:343 57700 KLMD_ReadMem: Trying to ReadMemory 0x89A6EC68[0x38]
18:15:22:343 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:343 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:343 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:343 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:343 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:343 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:343 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:343 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:343 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:343 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:343 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:343 57700
18:15:22:343 57700 DetectCureTDL3: DEVICE_OBJECT: 89A58AB8
18:15:22:343 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A58AB8
18:15:22:343 57700 DetectCureTDL3: DEVICE_OBJECT: 89A63810
18:15:22:343 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A63810
18:15:22:343 57700 KLMD_ReadMem: Trying to ReadMemory 0x89A63810[0x38]
18:15:22:343 57700 DetectCureTDL3: DRIVER_OBJECT: 8A833DA0
18:15:22:343 57700 KLMD_ReadMem: Trying to ReadMemory 0x8A833DA0[0xA8]
18:15:22:343 57700 KLMD_ReadMem: Trying to ReadMemory 0xE1EF41F0[0x1E]
18:15:22:343 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CREATE : B8244218
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CLOSE : B8244218
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_READ : B824423C
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_WRITE : B824423C
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B8244180
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B823F9E6
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_POWER : B82435F0
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B8241A6E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:343 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:343 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:343 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:343 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:359 57700 KLMD_ReadMem: Trying to ReadMemory 0xB8240F26[0x400]
18:15:22:359 57700 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
18:15:22:359 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:359 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:359 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:359 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
18:15:22:359 57700
18:15:22:359 57700 DetectCureTDL3: DEVICE_OBJECT: 89A59328
18:15:22:359 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A59328
18:15:22:359 57700 DetectCureTDL3: DEVICE_OBJECT: 89A77668
18:15:22:359 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A77668
18:15:22:359 57700 KLMD_ReadMem: Trying to ReadMemory 0x89A77668[0x38]
18:15:22:359 57700 DetectCureTDL3: DRIVER_OBJECT: 8A833DA0
18:15:22:359 57700 KLMD_ReadMem: Trying to ReadMemory 0x8A833DA0[0xA8]
18:15:22:359 57700 KLMD_ReadMem: Trying to ReadMemory 0xE1EF41F0[0x1E]
18:15:22:359 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_CREATE : B8244218
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_CLOSE : B8244218
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_READ : B824423C
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_WRITE : B824423C
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B8244180
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B823F9E6
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_POWER : B82435F0
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B8241A6E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:359 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:359 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:359 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:359 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:359 57700 KLMD_ReadMem: Trying to ReadMemory 0xB8240F26[0x400]
18:15:22:359 57700 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
18:15:22:359 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:359 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:359 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:359 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
18:15:22:359 57700
18:15:22:359 57700 DetectCureTDL3: DEVICE_OBJECT: 89A59AB8
18:15:22:359 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A59AB8
18:15:22:359 57700 DetectCureTDL3: DEVICE_OBJECT: 89A5F260
18:15:22:359 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A5F260
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0x89A5F260[0x38]
18:15:22:375 57700 DetectCureTDL3: DRIVER_OBJECT: 8A833DA0
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0x8A833DA0[0xA8]
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0xE1EF41F0[0x1E]
18:15:22:375 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CREATE : B8244218
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CLOSE : B8244218
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_READ : B824423C
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_WRITE : B824423C
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B8244180
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B823F9E6
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_POWER : B82435F0
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B8241A6E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:375 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:375 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0xB8240F26[0x400]
18:15:22:375 57700 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
18:15:22:375 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:375 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
18:15:22:375 57700
18:15:22:375 57700 DetectCureTDL3: DEVICE_OBJECT: 89A5A2D8
18:15:22:375 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A5A2D8
18:15:22:375 57700 DetectCureTDL3: DEVICE_OBJECT: 89A6E8A0
18:15:22:375 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A6E8A0
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0x89A6E8A0[0x38]
18:15:22:375 57700 DetectCureTDL3: DRIVER_OBJECT: 8A833DA0
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0x8A833DA0[0xA8]
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0xE1EF41F0[0x1E]
18:15:22:375 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CREATE : B8244218
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CLOSE : B8244218
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_READ : B824423C
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_WRITE : B824423C
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B8244180
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B823F9E6
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_POWER : B82435F0
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B8241A6E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:375 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:375 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0xB8240F26[0x400]
18:15:22:375 57700 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
18:15:22:375 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:375 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
18:15:22:375 57700
18:15:22:375 57700 DetectCureTDL3: DEVICE_OBJECT: 89A7B848
18:15:22:375 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A7B848
18:15:22:375 57700 DetectCureTDL3: DEVICE_OBJECT: 89A6E318
18:15:22:375 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A6E318
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0x89A6E318[0x38]
18:15:22:375 57700 DetectCureTDL3: DRIVER_OBJECT: 8A833DA0
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0x8A833DA0[0xA8]
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0xE1EF41F0[0x1E]
18:15:22:375 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CREATE : B8244218
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CLOSE : B8244218
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_READ : B824423C
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_WRITE : B824423C
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B8244180
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B823F9E6
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_POWER : B82435F0
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B8241A6E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:375 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:375 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:375 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:375 57700 KLMD_ReadMem: Trying to ReadMemory 0xB8240F26[0x400]
18:15:22:375 57700 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
18:15:22:390 57700 TDL3_FileDetect: Processing driver: USBSTOR
18:15:22:390 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:390 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:15:22:390 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
18:15:22:390 57700
18:15:22:390 57700 DetectCureTDL3: DEVICE_OBJECT: 8ABC0C68
18:15:22:390 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ABC0C68
18:15:22:390 57700 KLMD_ReadMem: Trying to ReadMemory 0x8ABC0C68[0x38]
18:15:22:390 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:390 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:390 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:390 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:390 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:390 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:390 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:390 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:390 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:390 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:390 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:390 57700
18:15:22:390 57700 DetectCureTDL3: DEVICE_OBJECT: 8ABC2C68
18:15:22:390 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ABC2C68
18:15:22:390 57700 KLMD_ReadMem: Trying to ReadMemory 0x8ABC2C68[0x38]
18:15:22:390 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:390 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:390 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:390 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:390 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:390 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:390 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:390 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:390 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:390 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:390 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:390 57700
18:15:22:390 57700 DetectCureTDL3: DEVICE_OBJECT: 8AB38C68
18:15:22:390 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB38C68
18:15:22:390 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB38C68[0x38]
18:15:22:390 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:390 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:390 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:390 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:406 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:406 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:406 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:406 57700
18:15:22:406 57700 DetectCureTDL3: DEVICE_OBJECT: 8AB59C68
18:15:22:406 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB59C68
18:15:22:406 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB59C68[0x38]
18:15:22:406 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:406 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:406 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:406 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:406 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:406 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:406 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:406 57700
18:15:22:406 57700 DetectCureTDL3: DEVICE_OBJECT: 8AB28C68
18:15:22:406 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB28C68
18:15:22:406 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB28C68[0x38]
18:15:22:406 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:406 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:406 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:406 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:406 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:406 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:406 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:406 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:406 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:421 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:421 57700
18:15:22:421 57700 DetectCureTDL3: DEVICE_OBJECT: 8AB57C68
18:15:22:421 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB57C68
18:15:22:421 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB57C68[0x38]
18:15:22:421 57700 DetectCureTDL3: DRIVER_OBJECT: 8AB3A5D8
18:15:22:421 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A5D8[0xA8]
18:15:22:421 57700 KLMD_ReadMem: Trying to ReadMemory 0xE10162D0[0x18]
18:15:22:421 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_POWER : F7639C82
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
18:15:22:421 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:421 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:421 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:421 57700 TDL3_FileDetect: Processing driver: Disk
18:15:22:421 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:421 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:15:22:421 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:421 57700
18:15:22:421 57700 DetectCureTDL3: DEVICE_OBJECT: 8ABC1AB8
18:15:22:421 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ABC1AB8
18:15:22:421 57700 DetectCureTDL3: DEVICE_OBJECT: 8AB29D98
18:15:22:421 57700 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB29D98
18:15:22:421 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB29D98[0x38]
18:15:22:421 57700 DetectCureTDL3: DRIVER_OBJECT: 8ABC6510
18:15:22:421 57700 KLMD_ReadMem: Trying to ReadMemory 0x8ABC6510[0xA8]
18:15:22:421 57700 KLMD_ReadMem: Trying to ReadMemory 0xE1D128F8[0x1A]
18:15:22:421 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CREATE : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CLOSE : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_READ : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_WRITE : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_INFORMATION : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_EA : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SHUTDOWN : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CLEANUP : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_SECURITY : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_POWER : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_SET_QUOTA : F7485B3A
18:15:22:421 57700 TDL3_FileDetect: Processing driver: atapi
18:15:22:421 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
18:15:22:421 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
18:15:22:437 57700 DetectCureTDL3: All IRP handlers pointed to one addr: F7485B3A
18:15:22:437 57700 KLMD_ReadMem: Trying to ReadMemory 0xF7485B3A[0x400]
18:15:22:437 57700 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
18:15:22:437 57700 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
18:15:22:437 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB4E0B4[0x4]
18:15:22:437 57700 TDL3_IrpHookDetect: New IrpHandler addr: 8AB338C8
18:15:22:437 57700 KLMD_ReadMem: Trying to ReadMemory 0x8AB338C8[0x400]
18:15:22:437 57700 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
18:15:22:437 57700 Driver "atapi" Irp handler infected by TDSS rootkit ... 18:15:22:437 57700 KLMD_WriteMem: Trying to WriteMemory 0x8AB3394E[0xD]
18:15:22:437 57700 cured
18:15:22:437 57700 KLMD_ReadMem: Trying to ReadMemory 0xF7483864[0x400]
18:15:22:437 57700 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
18:15:22:437 57700 TDL3_FileDetect: Processing driver: atapi
18:15:22:437 57700 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
18:15:22:437 57700 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
18:15:22:437 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
18:15:22:437 57700 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 18:15:22:437 57700 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
18:15:22:437 57700 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
18:15:22:437 57700 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
18:15:22:500 57700 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp1.cab
18:15:22:500 57700 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
18:15:22:515 57700 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
18:15:22:531 57700 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
18:15:22:562 57700 CabinetCallback: File extracted successfully: C:\DOCUME~1\William\LOCALS~1\Temp\bckA28.tmp
18:15:22:562 57700 ValidateDriverFile: Stage 1 passed
18:15:22:562 57700 ValidateDriverFile: Stage 2 passed
18:15:22:640 57700 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
18:15:22:968 57700 DigitalSignVerifyByHandle: Cat DS result: 00000000
18:15:22:968 57700 ValidateDriverFile: Stage 3 passed
18:15:22:968 57700 CabinetCallback: File validated successfully, restore information prepared
18:15:22:968 57700 FindDriverFileBackup: Backup copy found in cab-file
18:15:22:968 57700 TDL3_FileCure: Backup copy found, using it..
18:15:22:984 57700 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tskA29.tmp
18:15:23:000 57700 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskA29.tmp, system32\drivers\atapi.sys)
18:15:23:000 57700 TDL3_FileCure: KLMD jobs schedule success
18:15:23:000 57700 will be cured on next reboot
18:15:23:000 57700 UtilityBootReinit: Reboot required for cure complete..
18:15:23:000 57700 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
18:15:23:015 57700 UtilityBootReinit: KLMD drop success
18:15:23:015 57700 KLMD_ApplyPendList: Pending buffer(2589_54EE, 608) dropped successfully
18:15:23:015 57700 UtilityBootReinit: Cure on reboot scheduled successfully
18:15:23:015 57700
18:15:23:015 57700 Completed
18:15:23:015 57700
18:15:23:015 57700 Results:
18:15:23:015 57700 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
18:15:23:015 57700 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:15:23:015 57700 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:15:23:015 57700
18:15:23:015 57700 UnloadDriverW: NtUnloadDriver error 1
18:15:23:015 57700 KLMD_Unload: UnloadDriverW(klmd21) error 1
18:15:23:015 57700 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
18:15:23:015 57700 UtilityDeinit: KLMD(ARK) unloaded successfully

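An added example that is not part of either poster's material: a small Python triage script for logs in the shape of the TDSSKiller output above. It recomputes the one signal the tool itself reports for atapi ("All IRP handlers pointed to one addr"), collects the per-file verdicts, and reads the Results block to decide whether a reboot is still pending. The sample log, the function names and the report layout are constructed here; the addresses and paths are the ones quoted in the thread.

```python
import re

# Constructed sample, condensed from the shape of the TDSSKiller log quoted in this
# thread: a few dispatch entries per driver instead of the full 28-entry table.
SAMPLE_LOG = r"""
18:15:22:390 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_READ : F7637D1F
18:15:22:390 57700 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
18:15:22:390 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:15:22:421 57700 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_CREATE : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_READ : F7485B3A
18:15:22:421 57700 DetectCureTDL3: IRP_MJ_WRITE : F7485B3A
18:15:22:437 57700 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
18:15:23:015 57700 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
18:15:23:015 57700 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:15:23:015 57700 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Each log line starts with "HH:MM:SS:mmm <pid> ", so all patterns are searched, not anchored.
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: (IRP_MJ_[A-Z_]+) : ([0-9A-F]{8})")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
RESULTS_RE = re.compile(
    r"(Memory|Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)"
)


def parse_tdsskiller_log(text):
    """Split the log into per-DRIVER_OBJECT dispatch tables, file verdicts and result counts."""
    blocks, verdicts, results, current = [], {}, {}, None
    for line in text.splitlines():
        if m := DRIVER_RE.search(line):
            current = {"driver": m.group(1), "handlers": {}}
            blocks.append(current)
        elif (m := IRP_RE.search(line)) and current is not None:
            current["handlers"][m.group(1)] = m.group(2)
        elif m := VERDICT_RE.search(line):
            verdicts[m.group(1)] = m.group(2)
        elif m := RESULTS_RE.search(line):
            results[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return blocks, verdicts, results


def uniform_dispatch(block):
    """True when every recorded IRP_MJ_* entry resolves to the same address.

    This is the cue the tool logged for atapi before confirming it with a stub-signature
    check. On its own it is only a triage signal: some legitimate minimal drivers also
    route every major function through one dispatch routine, so corroborate it with the
    file verdict rather than treating it as a verdict.
    """
    addrs = set(block["handlers"].values())
    return len(block["handlers"]) > 1 and len(addrs) == 1


def triage(text):
    blocks, verdicts, results = parse_tdsskiller_log(text)
    uniform = [(b["driver"], next(iter(set(b["handlers"].values()))))
               for b in blocks if uniform_dispatch(b)]
    infected = sorted(path for path, v in verdicts.items() if v == "Infected")
    # Anything counted under "cured on reboot" is not fixed until the machine restarts.
    reboot_required = any(counts[2] > 0 for counts in results.values())
    return {"uniform_dispatch": uniform, "infected_files": infected,
            "results": results, "reboot_required": reboot_required}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log above the same logic flags only the atapi object, which matches the tool's own "Driver "atapi" Irp handler infected" line and the pending-reboot count that prompted reply #13.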

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:50 AM

Posted 19 February 2010 - 06:39 PM

TDSS was found in the system file atapi.sys.

That should now stop the redirects, but let's continue looking for other malware.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

I'd like us to scan your machine with ESET OnlineScan.
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks
m0le is a proud member of UNITE

#13 brada220

brada220
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:50 PM

Posted 19 February 2010 - 07:21 PM

I still have TDSSKiller open. Am I to close the program and have it reboot the computer? Please advise.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:50 AM

Posted 19 February 2010 - 09:16 PM

Yes, please close the program and let it reboot your PC.
m0le is a proud member of UNITE

#15 brada220

brada220
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:50 PM

Posted 19 February 2010 - 10:36 PM

I ran the two scans you mentioned and both report no malware found.

I also tested the browsers and no redirects occurred.

I guess we are finished.

Thank you so much for your help. I am making a donation to the cause. Thanks again for everything.





