HelpAssistant Issues (Chicago)


84 replies to this topic

#1 MReyes23

Posted 19 February 2010 - 01:53 AM

Greetings,

This entry is going to start off like several others. I took on the task of trying to fix a friend’s computer who appeared to have a simple virus/Trojan/malware issue. After trying and failing to talk him through fixing it on his own, I asked that he give me his Dell tower (Windows XP – SP3). Initially, I couldn’t duplicate the errors while using my ISP connection; however, soon enough I started experiencing all the problems he had been describing to me. All of which have appeared in several of the entries posted here:
• Intermittent freezing while surfing (this ranges from 7 to 35 minutes depending on browser);
• Total loss of mouse function after attempting to click on anything;
• HelpAssistant folder appearing after each reboot;
• HelpAssistant user being recreated after each reboot;
• Intermittent BSOD;
• Zero (0) issues detected by Malware Bytes, Avast and Super-Anti Spyware;
• Reactivation of the Remote Desktop function after each reboot;
• Running of FIXMBR and FIXBOOT has not resolved the issues;

There are a few differences that I have experienced that do not appear to be shared by others:
• I can delete/rename/modify the HelpAssistant folder (and its contents);
• I can delete/disable the HelpAssistant user;
• Noted that IE8 (executable and folder) has been removed – not by my hands;
• Attempted to reinstall IE8 and was prompted to reboot to complete the installation. After the reboot IE8 is STILL not there;
• My previously operational Windows XP Installation CD allows me to get to the menu to select the Recovery Console option (previously ran FIXMBR and FIXBOOT), but now generates an error message that states a bootable device was not detected;
• I can exit out of Recovery Console and boot into Windows with no issues after receiving the error message;

Thanks in advance, this is a great service you guys provide.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Tom XXXXX at 19:14:55.06 on Wed 02/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.611 [GMT -6:00]

AV: avast! antivirus 4.8.1368 [VPS 100210-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Tom Zubik.ZUBIK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mExplorerRun: [Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s] c:\program files\video activex object\isamonitor.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Search - ?p=ZUzeb004NXUS_ZJxdm090LSUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-3 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-3 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-3 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-20 135664]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-10-8 30192]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-8-31 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-8-31 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-8-31 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-8-31 40552]
S4 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2006-1-11 202400]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2006-1-11 169632]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]

=============== Created Last 30 ================

2010-02-11 01:02:20 0 ----a-w- c:\documents and settings\tom zubik.zubik\defogger_reenable
2010-02-10 13:58:01 0 d-----w- c:\windows\system32\NtmsData
2010-02-10 05:37:54 0 dc-h--w- c:\windows\ie8
2010-02-09 01:31:59 1355 ----a-w- c:\windows\imsins.BAK
2010-02-09 00:27:55 77312 ----a-w- C:\mbr.exe
2010-02-06 17:58:34 0 d-----w- c:\program files\ESET
2010-02-05 23:48:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-31 06:36:35 0 d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-02-28 16:09:28 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022820090301\index.dat

============= FINISH: 19:15:28.25 ===============


#2 fenzodahl512

Posted 19 February 2010 - 11:43 AM

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 MReyes23

Posted 19 February 2010 - 12:20 PM

Will do, but I wanted you to know that I am at work today. I will post after 5:00PM CST.

Thanks...

#4 fenzodahl512

Posted 19 February 2010 - 12:25 PM

Erm.. okay, just to let you know I'm in Malaysia and right now it's 1:25 am.. I'm gonna stay up late tonight, so if somehow you post while I'm asleep, I can only reply on Saturday night local time (or Sunday morning)



#5 MReyes23

Posted 19 February 2010 - 06:45 PM

As requested....

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK



#6 fenzodahl512

Posted 19 February 2010 - 09:29 PM

Please copy/paste below code into Notepad

CODE
@echo off
rem Disable the HelpAssistant account so it can no longer log on
net user HelpAssistant /active:no
rem Remove it from the local Administrators group (harmless if it is not a member)
net localgroup Administrators HelpAssistant /delete
rem Write the account's current properties to a text file on the Desktop and open it
net user HelpAssistant>"%userprofile%\desktop\ask.txt"
start notepad "%userprofile%\desktop\ask.txt"
cls


After that, go to File >> Save as... >> follow the instructions below
  • At Save in: choose Desktop
  • At File name: write ask.bat
  • At Save as type: choose All Files
Then press Enter.. A batch file will be created on your Desktop (ask.bat) and it would look like this:

Double-click that file; a new text file (ask.txt) will be created on your Desktop.. Post the content of that file in your next reply

Edited by fenzodahl512, 19 February 2010 - 09:29 PM.



#7 MReyes23

Posted 19 February 2010 - 11:36 PM

My ask.bat log...

User name HelpAssistant
Full Name HelpAssistant
Comment
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 2/19/2010 10:26 PM
Password expires Never
Password changeable 2/19/2010 10:26 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/19/2010 10:26 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.
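
The batch file in the previous post disables the account, pulls it out of Administrators and then dumps `net user HelpAssistant`, which is the listing shown above. As an added example (not part of this thread or the batch file), here is a Python 3 script that parses that listing and reports the three things a responder cares about for this account: whether it is enabled, whether it sits in local Administrators, and whether it was logged on to or had its password set recently, which is the tell that something re-created or reused it after you disabled it. The two sample listings are constructed from the output posted above (the "before" state, enabled and in Administrators, is hypothetical); the timestamp format assumes a US-English locale and the reference time is the time of the post.

```python
"""Parse 'net user HelpAssistant' output and report what a responder should
check.  Added example; not part of the batch file or listing posted above."""
import re
from datetime import datetime, timedelta

# CONSTRUCTED samples using the column layout 'net user' prints on an
# English-locale XP SP3 system.  BEFORE is a hypothetical earlier state:
# enabled and a member of Administrators, which is what the batch file undoes.
SAMPLE_BEFORE = """\
User name                    HelpAssistant
Full Name                    HelpAssistant
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/19/2010 10:26 PM
Password expires             Never
Password changeable          2/19/2010 10:26 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/19/2010 10:26 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.
"""
# AFTER mirrors the listing posted in this thread: disabled, no local groups.
SAMPLE_AFTER = re.sub(r"(Account active\s+)Yes", r"\1No",
                      re.sub(r"\*Administrators\s+\*Users", "*None", SAMPLE_BEFORE))

NOW = datetime(2010, 2, 19, 23, 36)  # time of the post carrying the listing (assumed reference)
FIELD_RE = re.compile(r"^(\S.*?)\s{2,}(\S.*)$")  # 'Field name<2+ spaces>value'
TIMESTAMP_FMT = "%m/%d/%Y %I:%M %p"              # assumption: US-English locale


def parse_net_user(text):
    """Turn the two-column listing into a dict.  A line with no value (e.g.
    'Comment') maps to ''.  Indented lines continue the previous field, which
    is how 'net user' wraps long group lists."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("The command"):
            continue
        if line.startswith(" ") and last_key is not None:
            fields[last_key] = (fields[last_key] + " " + line.strip()).strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            fields[last_key] = m.group(2).strip()
        else:
            last_key = line.strip()
            fields[last_key] = ""
    return fields


def group_memberships(fields, key="Local Group Memberships"):
    """Groups print as '*Name' tokens; '*None' means no membership at all."""
    names = [tok[1:] for tok in fields.get(key, "").split() if tok.startswith("*")]
    return [n for n in names if n != "None"]


def parse_timestamp(value):
    """'Never' (and any other locale's format) yields None rather than a guess."""
    try:
        return datetime.strptime(value, TIMESTAMP_FMT)
    except ValueError:
        return None


def assess_helpassistant(fields, now=NOW, window=timedelta(hours=24)):
    """Reasons the built-in Remote Assistance account looks tampered with: it
    should stay disabled, never sit in Administrators, and show no fresh logon
    or password change.  A recent timestamp after you disabled it means
    something re-created or reused the account."""
    findings = []
    if fields.get("Account active", "").lower() == "yes":
        findings.append("account is enabled")
    if "Administrators" in group_memberships(fields):
        findings.append("member of local Administrators")
    for key in ("Password last set", "Last logon"):
        ts = parse_timestamp(fields.get(key, ""))
        if ts is not None and timedelta(0) <= now - ts <= window:
            findings.append(f"{key} {ts:%Y-%m-%d %H:%M}, within the last {window}")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, assess_helpassistant(parse_net_user(sample)) or ["nothing flagged"])
```

Run it on the real listing by piping `net user HelpAssistant` into a file and passing that text to `parse_net_user`; the "after" sample still produces two findings here because the last logon and password change happened about an hour before the post, which is exactly the kind of detail worth chasing when the account keeps coming back.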


#8 fenzodahl512

Posted 19 February 2010 - 11:47 PM

Looks good to me.. The account has been deactivated.. Try rebooting your computer and verify it.. Place a screenshot here if necessary



#9 MReyes23

Posted 20 February 2010 - 12:23 AM

WOW!!! Really?!? It was that easy?!

I have rebooted and 10 minutes into the reboot...nothing yet. What I mean is, HelpAssistant is present in my Users/Groups, but is disabled. The HelpAssistant account does not appear in my User Profiles and the HelpAssistant folder (complete with all of the copied folders) is NOT present in my Documents and Settings folder.

There is one small detail which has remained the same...Remote Desktop was reactivated after my latest reboot. This may be a non-issue, but I just want to ensure I cover all of my bases.

Can't thank you enough for your help. I will be sure to visit the Donate link in your signature.

#10 MReyes23

Posted 20 February 2010 - 12:30 AM

Looks like I spoke too soon. 30 seconds after posting my last entry, I heard the HD start working feverishly. Checked my Documents and Settings folder and sure enough, there is the HelpAssistant folder with all of its contents.



#11 fenzodahl512

Posted 20 February 2010 - 01:24 AM

Ok, can you delete the HelpAssistant folder and then repeat the batch script that we've just made? (Just double click the ask.bat)

Then please do the below.. We want to see more of the computer


Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
    • Please copy/paste below script into Custom Scans box
      CODE
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next reply.. Don't post it.. It will be too large to fit into a single post..




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename (or GMER) to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has finished, click Copy, paste the results into Notepad, save it and attach it in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results




ATTACH these logs in your next reply

1. OTS
2. GMER



#12 MReyes23

Posted 20 February 2010 - 03:35 PM

My apologies for not posting sooner, but I have had a helluva time getting GMER to complete a scan. The scan would crap out about 30 minutes in and I would BSOD with an error message: DRIVER_IRQL_NOT_LESS_OR_EQUAL.

In the end, I stopped the GMER scan just prior to point where it would normally crash and I have attached that log here. Hopefully, it captured enough to help you determine next steps.

Thanks again for your continued help and patience.

Attached Files

  • Attached File  OTS.Txt   180.62KB   16 downloads
  • Attached File  GMER.txt   8.38KB   20 downloads


#13 fenzodahl512

Posted 20 February 2010 - 08:48 PM


Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)





Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:






It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Edited by fenzodahl512, 20 February 2010 - 08:54 PM.

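
TDSSKiller's DetectCureTDL3 pass (its log is posted later in this thread) walks from \Driver\Disk down to the lower device objects and prints every driver's IRP_MJ_* dispatch pointer. The TDL3 family it targets hides by hooking the disk miniport's dispatch routines so that reads of the infected sectors are answered by the rootkit's own code, which lives nowhere near the victim driver's image. The following Python 3 script is an added example, not TDSSKiller's code and not part of this thread: it parses those log lines and flags any dispatch entry that is neither the shared default handler (804F9759 in this log, assumed to be the kernel's unsupported-request stub since no symbols are available) nor within 1 MiB of the driver's other handlers. The sample embeds lines from the Disk and USBSTOR dumps posted below plus a constructed "atapi" driver with one hooked entry; the 1 MiB spread and the hooked address are assumptions.

```python
"""Heuristic review of the IRP dispatch tables that TDSSKiller's DetectCureTDL3
pass dumps for \\Driver\\Disk and the drivers beneath it.  Added example."""
import re
from collections import Counter

# Disk and USBSTOR lines are taken from the TDSSKiller log in this thread.
# The "atapi" driver is CONSTRUCTED: its IRP_MJ_DEVICE_CONTROL entry points
# at 8A2B1C40, far outside the F7A5xxxx range its other handlers occupy.
SAMPLE_LOG = r"""
20:16:52:015 3900 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_CREATE : F7874BB0
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_CLOSE : F7874BB0
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_READ : F786ED1F
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_WRITE : F786ED1F
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F786F2E2
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F786F3BB
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7872F28
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SHUTDOWN : F786F2E2
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_POWER : F7870C82
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F787599E
20:16:52:031 3900 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_CREATE : F7C3B218
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_CLOSE : F7C3B218
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_READ : F7C3B23C
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_WRITE : F7C3B23C
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F7C3B180
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7C369E6
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_POWER : F7C3A5F0
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F7C38A6E
20:16:52:046 3900 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CREATE : F7A50C80
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CLOSE : F7A50C80
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_READ : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8A2B1C40
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7A51234
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_POWER : F7A52E10
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F7A53040
"""

DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
DISPATCH_RE = re.compile(r"DetectCureTDL3: (IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})")

# Largest plausible distance between two handlers inside one driver image.
# 1 MiB is an assumption chosen to cover any storage-class driver on XP x86.
MAX_SPREAD = 0x100000


def parse_dispatch_tables(log_text):
    """Map driver name -> {IRP_MJ name: handler address}.  A driver that is
    dumped twice (Disk is, once per device object) is merged into one table."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, {})
            continue
        m = DISPATCH_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def shared_default_handler(tables):
    """The one address that fills the unused slots of every driver's table
    (804F9759 in this log).  Assumed to be the kernel's default
    'unsupported request' routine; without symbols that is a heuristic."""
    counts = Counter(addr for table in tables.values() for addr in table.values())
    return counts.most_common(1)[0][0] if counts else None


def find_suspicious_handlers(tables, max_spread=MAX_SPREAD):
    """Flag handlers that are neither the shared default nor close to the
    driver's own code.  A hooked IRP_MJ slot points at the rootkit's code,
    which does not sit inside the victim driver's image."""
    default = shared_default_handler(tables)
    findings = []
    for driver, table in tables.items():
        own = sorted(a for a in table.values() if a != default)
        if not own:
            continue
        anchor = own[len(own) // 2]  # median of the driver's own handlers
        for irp, addr in sorted(table.items()):
            if addr != default and abs(addr - anchor) > max_spread:
                findings.append((driver, irp, f"{addr:08X}"))
    return findings


if __name__ == "__main__":
    for driver, irp, addr in find_suspicious_handlers(parse_dispatch_tables(SAMPLE_LOG)):
        print(f"{driver}: {irp} -> {addr} is outside the driver's own code range")
```

The check is deliberately coarse: it cannot see a hook that replaces a handler with code placed inside the same image (which is why TDSSKiller also hashes the driver file and inspects StartIo), but it catches the common case of a dispatch slot redirected into pool memory, and it needs nothing beyond the log you already have.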


#14 MReyes23

Posted 20 February 2010 - 09:27 PM

Just a couple of quick things. First, regarding the TDSSKiller log, do you want that attached/pasted in my next entry? I just didn't know if I was running it in preparation for the Combo-Fix run or if you wanted to see the log. Next, while reviewing others' problems here I noticed several admins have asked that users disable any and all anti-virus prior to running Combo-Fix, but I noticed you didn't specify. Does it matter one way or another?

Thanks...

#15 MReyes23

Posted 20 February 2010 - 09:31 PM

As requested...

Although not specified, I am including BOTH the TDSSKiller log and the Combo-Fix log.
20:16:51:765 3900 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
20:16:51:765 3900 ================================================================================
20:16:51:765 3900 SystemInfo:

20:16:51:765 3900 OS Version: 5.1.2600 ServicePack: 3.0
20:16:51:765 3900 Product type: Workstation
20:16:51:765 3900 ComputerName: ZUBIK
20:16:51:765 3900 UserName: Tom Zubik
20:16:51:765 3900 Windows directory: C:\WINDOWS
20:16:51:765 3900 Processor architecture: Intel x86
20:16:51:765 3900 Number of processors: 2
20:16:51:765 3900 Page size: 0x1000
20:16:51:765 3900 Boot type: Normal boot
20:16:51:765 3900 ================================================================================
20:16:51:796 3900 UnloadDriverW: NtUnloadDriver error 2
20:16:51:796 3900 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:16:51:796 3900 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:16:51:843 3900 UtilityInit: KLMD drop and load success
20:16:51:843 3900 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
20:16:51:843 3900 UtilityInit: KLMD open success
20:16:51:843 3900 UtilityInit: Initialize success
20:16:51:843 3900
20:16:51:843 3900 Scanning Services ...
20:16:51:843 3900 CreateRegParser: Registry parser init started
20:16:51:843 3900 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
20:16:51:843 3900 CreateRegParser: DisableWow64Redirection error
20:16:51:843 3900 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:16:51:843 3900 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
20:16:51:843 3900 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:16:51:843 3900 wfopen_ex: Trying to KLMD file open
20:16:51:843 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
20:16:51:843 3900 wfopen_ex: File opened ok (Flags 2)
20:16:51:843 3900 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384910
20:16:51:843 3900 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:16:51:843 3900 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
20:16:51:843 3900 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:16:51:843 3900 wfopen_ex: Trying to KLMD file open
20:16:51:843 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
20:16:51:843 3900 wfopen_ex: File opened ok (Flags 2)
20:16:51:843 3900 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3849B8
20:16:51:843 3900 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
20:16:51:843 3900 CreateRegParser: EnableWow64Redirection error
20:16:51:843 3900 CreateRegParser: RegParser init completed
20:16:52:000 3900 GetAdvancedServicesInfo: Raw services enum returned 325 services
20:16:52:015 3900 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:16:52:015 3900 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:16:52:015 3900
20:16:52:015 3900 Scanning Kernel memory ...
20:16:52:015 3900 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:16:52:015 3900 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86A60910
20:16:52:015 3900 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
20:16:52:015 3900
20:16:52:015 3900 DetectCureTDL3: DEVICE_OBJECT: 85F49C68
20:16:52:015 3900 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85F49C68
20:16:52:015 3900 KLMD_ReadMem: Trying to ReadMemory 0x85F49C68[0x38]
20:16:52:015 3900 DetectCureTDL3: DRIVER_OBJECT: 86A60910
20:16:52:015 3900 KLMD_ReadMem: Trying to ReadMemory 0x86A60910[0xA8]
20:16:52:015 3900 KLMD_ReadMem: Trying to ReadMemory 0xE101AD50[0x18]
20:16:52:015 3900 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_CREATE : F7874BB0
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_CLOSE : F7874BB0
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_READ : F786ED1F
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_WRITE : F786ED1F
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SET_EA : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F786F2E2
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F786F3BB
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7872F28
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SHUTDOWN : F786F2E2
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_POWER : F7870C82
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F787599E
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9759
20:16:52:015 3900 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9759
20:16:52:015 3900 TDL3_FileDetect: Processing driver: Disk
20:16:52:015 3900 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:16:52:015 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:16:52:031 3900 TDL3_FileDetect: Processing driver: Disk
20:16:52:031 3900 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:16:52:031 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:16:52:031 3900 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:16:52:031 3900
20:16:52:031 3900 DetectCureTDL3: DEVICE_OBJECT: 8696FAB8
20:16:52:031 3900 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8696FAB8
20:16:52:031 3900 DetectCureTDL3: DEVICE_OBJECT: 8667DD20
20:16:52:031 3900 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8667DD20
20:16:52:031 3900 KLMD_ReadMem: Trying to ReadMemory 0x8667DD20[0x38]
20:16:52:031 3900 DetectCureTDL3: DRIVER_OBJECT: 865FD530
20:16:52:031 3900 KLMD_ReadMem: Trying to ReadMemory 0x865FD530[0xA8]
20:16:52:031 3900 KLMD_ReadMem: Trying to ReadMemory 0xE29227D8[0x1E]
20:16:52:031 3900 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_CREATE : F7C3B218
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_CLOSE : F7C3B218
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_READ : F7C3B23C
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_WRITE : F7C3B23C
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_SET_EA : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F7C3B180
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7C369E6
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_POWER : F7C3A5F0
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F7C38A6E
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9759
20:16:52:031 3900 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9759
20:16:52:031 3900 TDL3_FileDetect: Processing driver: USBSTOR
20:16:52:031 3900 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:16:52:031 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:16:52:046 3900 KLMD_ReadMem: Trying to ReadMemory 0xF7C37F26[0x400]
20:16:52:046 3900 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
20:16:52:046 3900 TDL3_FileDetect: Processing driver: USBSTOR
20:16:52:046 3900 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:16:52:046 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:16:52:046 3900 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
20:16:52:046 3900
20:16:52:046 3900 DetectCureTDL3: DEVICE_OBJECT: 873679F0
20:16:52:046 3900 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873679F0
20:16:52:046 3900 KLMD_ReadMem: Trying to ReadMemory 0x873679F0[0x38]
20:16:52:046 3900 DetectCureTDL3: DRIVER_OBJECT: 86A60910
20:16:52:046 3900 KLMD_ReadMem: Trying to ReadMemory 0x86A60910[0xA8]
20:16:52:046 3900 KLMD_ReadMem: Trying to ReadMemory 0xE101AD50[0x18]
20:16:52:046 3900 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CREATE : F7874BB0
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CLOSE : F7874BB0
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_READ : F786ED1F
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_WRITE : F786ED1F
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_EA : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F786F2E2
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F786F3BB
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7872F28
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SHUTDOWN : F786F2E2
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_POWER : F7870C82
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F787599E
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9759
20:16:52:046 3900 TDL3_FileDetect: Processing driver: Disk
20:16:52:046 3900 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:16:52:046 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:16:52:046 3900 TDL3_FileDetect: Processing driver: Disk
20:16:52:046 3900 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:16:52:046 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:16:52:046 3900 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:16:52:046 3900
20:16:52:046 3900 DetectCureTDL3: DEVICE_OBJECT: 87396AB8
20:16:52:046 3900 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87396AB8
20:16:52:046 3900 DetectCureTDL3: DEVICE_OBJECT: 87399030
20:16:52:046 3900 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87399030
20:16:52:046 3900 KLMD_ReadMem: Trying to ReadMemory 0x87399030[0x38]
20:16:52:046 3900 DetectCureTDL3: DRIVER_OBJECT: 8739D8A8
20:16:52:046 3900 KLMD_ReadMem: Trying to ReadMemory 0x8739D8A8[0xA8]
20:16:52:046 3900 KLMD_ReadMem: Trying to ReadMemory 0xE1883510[0x1C]
20:16:52:046 3900 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iastor, Driver Name: iastor
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CREATE : F76C3144
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CLOSE : F76C3144
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_READ : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_WRITE : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_EA : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76C6824
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 86827B80
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_POWER : F76CB87E
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F76CB90A
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9759
20:16:52:046 3900 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9759
20:16:52:046 3900 TDL3_FileDetect: Processing driver: iastor
20:16:52:046 3900 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys
20:16:52:046 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\iaStor.sys
20:16:52:109 3900 TDL3_FileDetect: Processing driver: iastor
20:16:52:109 3900 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys
20:16:52:109 3900 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\iaStor.sys
20:16:52:140 3900 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: Clean
20:16:52:140 3900
20:16:52:140 3900 Completed
20:16:52:140 3900
20:16:52:140 3900 Results:
20:16:52:140 3900 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:16:52:140 3900 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:16:52:140 3900 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:16:52:140 3900
20:16:52:156 3900 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:16:52:156 3900 UtilityDeinit: KLMD(ARK) unloaded successfully
