atapi.sys infected by TDSS rootkit


53 replies to this topic

#1 luffydude

Posted 11 April 2010 - 01:17 PM

Hey BC staff, I hope I don't take you too much time but I really need help!

My computer's been having the following problems:

- I've been getting lots of bogus people adding me on MSN... I always block them off
- My browser's been redirecting to some ad sites for the last week
- Internet Explorer stopped working (not that I care that much because I prefer Firefox, but whatever)

I had Avast installed but after these events I decided to uninstall it and get Kaspersky instead.

By scanning it cleaned lots of stuff, but the major problem seems to be that I get a virus that it is unable to get rid of. In Kaspersky it appears as Rootkit.Win32.TDSS.d; it prompts me to reboot my computer, but when I scan again, it still detects the same virus and prompts me again. I did some searching and found something called TDSSKiller, but it doesn't solve my problem; here is the log from it:

11:15:02:343 2684 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
11:15:02:343 2684 ================================================================================
11:15:02:343 2684 SystemInfo:

11:15:02:343 2684 OS Version: 5.1.2600 ServicePack: 3.0
11:15:02:343 2684 Product type: Workstation
11:15:02:343 2684 ComputerName: UTILIZAD-628614
11:15:02:484 2684 UserName: Utilizador
11:15:02:484 2684 Windows directory: C:\WINDOWS
11:15:02:484 2684 Processor architecture: Intel x86
11:15:02:484 2684 Number of processors: 2
11:15:02:484 2684 Page size: 0x1000
11:15:02:578 2684 Boot type: Normal boot
11:15:02:578 2684 ================================================================================
11:15:02:640 2684 UnloadDriverW: NtUnloadDriver error 2
11:15:02:640 2684 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:15:03:859 2684 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
11:15:03:859 2684 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:15:03:859 2684 wfopen_ex: Trying to KLMD file open
11:15:03:859 2684 wfopen_ex: File opened ok (Flags 2)
11:15:03:859 2684 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
11:15:03:859 2684 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:15:03:859 2684 wfopen_ex: Trying to KLMD file open
11:15:03:859 2684 wfopen_ex: File opened ok (Flags 2)
11:15:03:859 2684 Initialize success
11:15:03:859 2684
11:15:03:859 2684 Scanning Services ...
11:15:04:234 2684 Raw services enum returned 338 services
11:15:04:265 2684
11:15:04:265 2684 Scanning Kernel memory ...
11:15:04:265 2684 Devices to scan: 3
11:15:04:265 2684
11:15:04:265 2684 Driver Name: Disk
11:15:04:265 2684 IRP_MJ_CREATE : F763DBB0
11:15:04:265 2684 IRP_MJ_CREATE_NAMED_PIPE : 804F9739
11:15:04:265 2684 IRP_MJ_CLOSE : F763DBB0
11:15:04:265 2684 IRP_MJ_READ : F7637D1F
11:15:04:265 2684 IRP_MJ_WRITE : F7637D1F
11:15:04:265 2684 IRP_MJ_QUERY_INFORMATION : 804F9739
11:15:04:265 2684 IRP_MJ_SET_INFORMATION : 804F9739
11:15:04:265 2684 IRP_MJ_QUERY_EA : 804F9739
11:15:04:265 2684 IRP_MJ_SET_EA : 804F9739
11:15:04:265 2684 IRP_MJ_FLUSH_BUFFERS : F76382E2
11:15:04:265 2684 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
11:15:04:265 2684 IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
11:15:04:265 2684 IRP_MJ_DIRECTORY_CONTROL : 804F9739
11:15:04:265 2684 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
11:15:04:265 2684 IRP_MJ_DEVICE_CONTROL : F76383BB
11:15:04:265 2684 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
11:15:04:265 2684 IRP_MJ_SHUTDOWN : F76382E2
11:15:04:265 2684 IRP_MJ_LOCK_CONTROL : 804F9739
11:15:04:265 2684 IRP_MJ_CLEANUP : 804F9739
11:15:04:265 2684 IRP_MJ_CREATE_MAILSLOT : 804F9739
11:15:04:265 2684 IRP_MJ_QUERY_SECURITY : 804F9739
11:15:04:265 2684 IRP_MJ_SET_SECURITY : 804F9739
11:15:04:265 2684 IRP_MJ_POWER : F7639C82
11:15:04:265 2684 IRP_MJ_SYSTEM_CONTROL : F763E99E
11:15:04:265 2684 IRP_MJ_DEVICE_CHANGE : 804F9739
11:15:04:265 2684 IRP_MJ_QUERY_QUOTA : 804F9739
11:15:04:265 2684 IRP_MJ_SET_QUOTA : 804F9739
11:15:04:296 2684 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:15:04:296 2684
11:15:04:296 2684 Driver Name: Disk
11:15:04:296 2684 IRP_MJ_CREATE : F763DBB0
11:15:04:296 2684 IRP_MJ_CREATE_NAMED_PIPE : 804F9739
11:15:04:296 2684 IRP_MJ_CLOSE : F763DBB0
11:15:04:296 2684 IRP_MJ_READ : F7637D1F
11:15:04:296 2684 IRP_MJ_WRITE : F7637D1F
11:15:04:296 2684 IRP_MJ_QUERY_INFORMATION : 804F9739
11:15:04:296 2684 IRP_MJ_SET_INFORMATION : 804F9739
11:15:04:296 2684 IRP_MJ_QUERY_EA : 804F9739
11:15:04:296 2684 IRP_MJ_SET_EA : 804F9739
11:15:04:296 2684 IRP_MJ_FLUSH_BUFFERS : F76382E2
11:15:04:296 2684 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
11:15:04:296 2684 IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
11:15:04:296 2684 IRP_MJ_DIRECTORY_CONTROL : 804F9739
11:15:04:296 2684 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
11:15:04:296 2684 IRP_MJ_DEVICE_CONTROL : F76383BB
11:15:04:296 2684 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
11:15:04:296 2684 IRP_MJ_SHUTDOWN : F76382E2
11:15:04:296 2684 IRP_MJ_LOCK_CONTROL : 804F9739
11:15:04:296 2684 IRP_MJ_CLEANUP : 804F9739
11:15:04:296 2684 IRP_MJ_CREATE_MAILSLOT : 804F9739
11:15:04:296 2684 IRP_MJ_QUERY_SECURITY : 804F9739
11:15:04:296 2684 IRP_MJ_SET_SECURITY : 804F9739
11:15:04:296 2684 IRP_MJ_POWER : F7639C82
11:15:04:296 2684 IRP_MJ_SYSTEM_CONTROL : F763E99E
11:15:04:296 2684 IRP_MJ_DEVICE_CHANGE : 804F9739
11:15:04:296 2684 IRP_MJ_QUERY_QUOTA : 804F9739
11:15:04:296 2684 IRP_MJ_SET_QUOTA : 804F9739
11:15:04:312 2684 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:15:04:312 2684
11:15:04:312 2684 Driver Name: atapi
11:15:04:312 2684 IRP_MJ_CREATE : 893DDAC8
11:15:04:312 2684 IRP_MJ_CREATE_NAMED_PIPE : 893DDAC8
11:15:04:312 2684 IRP_MJ_CLOSE : 893DDAC8
11:15:04:312 2684 IRP_MJ_READ : 893DDAC8
11:15:04:312 2684 IRP_MJ_WRITE : 893DDAC8
11:15:04:312 2684 IRP_MJ_QUERY_INFORMATION : 893DDAC8
11:15:04:312 2684 IRP_MJ_SET_INFORMATION : 893DDAC8
11:15:04:312 2684 IRP_MJ_QUERY_EA : 893DDAC8
11:15:04:312 2684 IRP_MJ_SET_EA : 893DDAC8
11:15:04:312 2684 IRP_MJ_FLUSH_BUFFERS : 893DDAC8
11:15:04:312 2684 IRP_MJ_QUERY_VOLUME_INFORMATION : 893DDAC8
11:15:04:312 2684 IRP_MJ_SET_VOLUME_INFORMATION : 893DDAC8
11:15:04:312 2684 IRP_MJ_DIRECTORY_CONTROL : 893DDAC8
11:15:04:312 2684 IRP_MJ_FILE_SYSTEM_CONTROL : 893DDAC8
11:15:04:312 2684 IRP_MJ_DEVICE_CONTROL : 893DDAC8
11:15:04:312 2684 IRP_MJ_INTERNAL_DEVICE_CONTROL : 893DDAC8
11:15:04:312 2684 IRP_MJ_SHUTDOWN : 893DDAC8
11:15:04:312 2684 IRP_MJ_LOCK_CONTROL : 893DDAC8
11:15:04:312 2684 IRP_MJ_CLEANUP : 893DDAC8
11:15:04:312 2684 IRP_MJ_CREATE_MAILSLOT : 893DDAC8
11:15:04:312 2684 IRP_MJ_QUERY_SECURITY : 893DDAC8
11:15:04:312 2684 IRP_MJ_SET_SECURITY : 893DDAC8
11:15:04:312 2684 IRP_MJ_POWER : 893DDAC8
11:15:04:312 2684 IRP_MJ_SYSTEM_CONTROL : 893DDAC8
11:15:04:312 2684 IRP_MJ_DEVICE_CHANGE : 893DDAC8
11:15:04:312 2684 IRP_MJ_QUERY_QUOTA : 893DDAC8
11:15:04:312 2684 IRP_MJ_SET_QUOTA : 893DDAC8
11:15:04:312 2684 Driver "atapi" infected by TDSS rootkit!
11:15:04:343 2684 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
11:15:04:343 2684 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
11:15:04:343 2684 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
11:15:04:343 2684 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
11:15:04:781 2684 vfvi6
11:15:04:890 2684 !dsvbh1
11:15:05:500 2684 dsvbh2
11:15:05:500 2684 fdfb2
11:15:05:500 2684 Backup copy found, using it..
11:15:05:984 2684 will be cured on next reboot
11:15:05:984 2684 Reboot required for cure complete..
11:15:06:312 2684 Cure on reboot scheduled successfully
11:15:06:312 2684
11:15:06:312 2684 Completed
11:15:06:312 2684
11:15:06:312 2684 Results:
11:15:06:312 2684 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
11:15:06:312 2684 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:15:06:312 2684 File objects infected / cured / cured on reboot: 1 / 0 / 1
11:15:06:312 2684
11:15:06:312 2684 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
11:15:06:312 2684 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
11:15:06:312 2684 UnloadDriverW: NtUnloadDriver error 1
11:15:06:312 2684 KLMD(ARK) unloaded successfully
And I ran it 3 times and the problem still persists.

So I tried searching and found this site; in lots of cases you guys said to run ComboFix. However, after running it multiple times (disabling AV protection and firewall and changing its name), my CF never gets to the point of recommending the system restore, so probably there is something preventing me from running it (maybe Internet Explorer being disabled).

I don't think I have other infections because I ran the full scan from Kaspersky, then the full scan from Malwarebytes Anti-Malware, so maybe a clean atapi.sys to replace mine that has the damn rootkit is probably a good solution, but it's up to you guys! Thanks in advance!
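The TDSSKiller log above shows what the tool is keying on: every IRP_MJ_* entry of the atapi driver points to one address (893DDAC8) that lies in kernel pool memory rather than inside atapi.sys, while the entries for disk.sys either land in the disk.sys image (F763xxxx) or on the kernel's default handler for unsupported majors (804F9739, assumed here to be nt!IopInvalidDeviceRequest; verify against symbols for the build). The following is an added example, not code from the thread or from Kaspersky's tool: a small Python parser for that per-driver dispatch dump that flags a driver when all its entries collapse to a single address and when entries fall outside the loaded-module ranges. The log excerpt is a constructed subset of the post's log, and the module address ranges are assumed values; on a real system they would come from the loaded-module list of the same boot. A single-address table on its own is not proof (a pass-through driver can legitimately route every major through one routine), so the out-of-image check is the one that carries weight.

```python
import re
from collections import defaultdict

# Constructed subset of the TDSSKiller log shown in the post (6 of the
# 28 IRP_MJ_* entries per driver), used as offline sample input.
SAMPLE_LOG = r"""
11:15:04:265 2684 Driver Name: Disk
11:15:04:265 2684 IRP_MJ_CREATE : F763DBB0
11:15:04:265 2684 IRP_MJ_CREATE_NAMED_PIPE : 804F9739
11:15:04:265 2684 IRP_MJ_CLOSE : F763DBB0
11:15:04:265 2684 IRP_MJ_READ : F7637D1F
11:15:04:265 2684 IRP_MJ_WRITE : F7637D1F
11:15:04:265 2684 IRP_MJ_DEVICE_CONTROL : F76383BB
11:15:04:296 2684 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:15:04:312 2684 Driver Name: atapi
11:15:04:312 2684 IRP_MJ_CREATE : 893DDAC8
11:15:04:312 2684 IRP_MJ_CREATE_NAMED_PIPE : 893DDAC8
11:15:04:312 2684 IRP_MJ_CLOSE : 893DDAC8
11:15:04:312 2684 IRP_MJ_READ : 893DDAC8
11:15:04:312 2684 IRP_MJ_WRITE : 893DDAC8
11:15:04:312 2684 IRP_MJ_DEVICE_CONTROL : 893DDAC8
11:15:04:343 2684 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""

# ASSUMED load ranges for illustration only (not taken from the post).
# On a live system, read them from the loaded-module list of the same boot.
MODULE_RANGES = {
    "ntoskrnl.exe": (0x804D7000, 0x806E4000),
    "disk.sys":     (0xF7637000, 0xF7640000),
    "atapi.sys":    (0xF7835000, 0xF784D000),
}

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Return {driver_name: {IRP_MJ_x: address}} from a TDSSKiller log.

    A driver listed twice (TDSSKiller prints one block per device it
    scans) keeps the last block seen, which is fine for this check.
    """
    tables = defaultdict(dict)
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return dict(tables)


def in_known_module(addr, ranges=MODULE_RANGES):
    """True if addr lies inside one of the known module images."""
    return any(lo <= addr < hi for lo, hi in ranges.values())


def assess_driver(table, ranges=MODULE_RANGES):
    """List hooking indicators for one driver's dispatch table."""
    findings = []
    distinct = set(table.values())
    # Indicator 1: every major routed to one address (weak on its own).
    if len(table) >= 2 and len(distinct) == 1:
        addr = next(iter(distinct))
        findings.append(f"all {len(table)} IRP_MJ entries point to {addr:08X}")
    # Indicator 2: dispatch targets outside any known driver image (strong).
    foreign = sorted(a for a in distinct if not in_known_module(a, ranges))
    if foreign:
        findings.append("entries outside known module ranges: "
                        + ", ".join(f"{a:08X}" for a in foreign))
    return findings


def hooked_drivers(log_text, ranges=MODULE_RANGES):
    """Map driver name -> findings, for drivers that show indicators."""
    result = {}
    for name, table in parse_dispatch_tables(log_text).items():
        findings = assess_driver(table, ranges)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for name, findings in hooked_drivers(SAMPLE_LOG).items():
        print(name)
        for f in findings:
            print("   ", f)
```

Run against the sample, only atapi is reported, with both indicators; disk.sys is clean because its pointers resolve into its own image or into ntoskrnl. Feeding the full log from the post gives the same verdict, since all 28 atapi entries carry the same pool address.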


#2 ken545

Malware Response Team

Posted 13 April 2010 - 07:58 PM

Hello luffydude

Welcome to the Bleeping Computer Malware Removal Forum


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.
Go HERE and download FileLister.
  • Save it to your Desktop
  • Right-click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.
  • Right-click FileLister.vbe ->> Select Open, then Open to confirm.
  • When the program is finished it will produce a log for you: C:\Files.txt
Copy and paste the contents of that log in your reply.



#3 ken545

Malware Response Team

Posted 19 April 2010 - 07:43 PM



Thread reopened

Edited by ken545, 20 April 2010 - 02:02 PM.



#4 luffydude

Topic Starter

Posted 20 April 2010 - 04:01 PM

The GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 21:39:45
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\UTILIZ~1\DEFINI~1\Temp\kgryrfob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB1FE558C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xB1FE5E0C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xB1FE6922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xB1FE6E94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xB1FE60EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xB1FE4436]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xB1FE6D6C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xB1FE5192]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xB1FE6C28]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xB1FE534E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xB1FE6FC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB1FE8C08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xB1FE5AAA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xB1FE6CCA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xB1FE85FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xB1FE49FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xB1FE4D88]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xB1FE6576]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xB1FE95CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xB1FE4ECA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xB1FE4F74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xB1FE6382]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xB1FE868C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xB1FE4412]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xB1FE4424]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xB1FE8CBC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xB1FE50C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xB1FE6F36]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xB1FE5E8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xB1FE45DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xB1FE6E04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xB1FE5792]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xB1FE8C32]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xB1FE7068]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xB1FE56B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xB1FE501E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xB1FE4C46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xB1FE8FD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xB1FE4896]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xB1FE8922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xB1FE4B0E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xB1FE42B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xB1FE73F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xB1FE72B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xB1FE839A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xB1FEBE2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xB1FE94AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xB1FE4248]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xB1FE665C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xB1FE5CC8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xB1FE7C4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xB1FE8786]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xB1FE9114]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xB1FE471E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xB1FE91F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xB1FE9320]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xB1FE8526]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xB1FE590A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xB1FE5860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xB1FE8E8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xB1FE59EA]

INT 0x62 ? 89796BF8
INT 0x63 ? 896D1F00
INT 0x82 ? 89796BF8
INT 0x83 ? 896D1F00
INT 0x83 ? 896D1F00
INT 0xA4 ? 896D1F00
INT 0xB4 ? 896D1F00

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 13E 804E4978 16 Bytes [4E, 53, FE, B1, C6, 6F, FE, ...]
.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A34 12 Bytes [8C, 86, FE, B1, 12, 44, FE, ...]
.text ntoskrnl.exe!ZwYieldExecution + 376 804E4BB0 16 Bytes [0E, 4B, FE, B1, B0, 42, FE, ...]
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CA4 12 Bytes [F8, 91, FE, B1, 20, 93, FE, ...]
.text ntoskrnl.exe!ZwYieldExecution + 4CA 804E4D04 4 Bytes JMP 6AB1FE59
.text ntoskrnl.exe!IoIsOperationSynchronous 804EAFAE 5 Bytes JMP B1FDA8B6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804F4593 5 Bytes JMP B1FDA4DC \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
? spgv.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BA5338AC 5 Bytes JMP 896D14E0
.rsrc C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xF7561F94]
.text a8d61n0k.SYS BA1FC386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a8d61n0k.SYS BA1FC3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a8d61n0k.SYS BA1FC3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a8d61n0k.SYS BA1FC3C9 1 Byte [30]
.text a8d61n0k.SYS BA1FC3C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\Explorer.EXE[1344] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1344] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1344] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00B5000C
? C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1748] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1748] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[1748] USER32.dll!AlignRects + FFFA5598 7E392A78 4 Bytes [70, 11, 33, 6D]
? C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[3368] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[3368] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe[3368] USER32.dll!AlignRects + FFFA5598 7E392A78 4 Bytes [70, 11, 33, 6D]
.text C:\Programas\Windows Live\Messenger\MsnMsgr.Exe[3448] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD C:\Programas\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Programas\Windows Live\Messenger\MsnMsgr.Exe[3448] ole32.dll!CoInitializeEx 774CEF7B 5 Bytes JMP 28002260 C:\Programas\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 897951F8

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBPDO-0 8958E500
Device \Driver\PCI_PNP2100 \Device\00000044 spgv.sys
Device \Driver\usbuhci \Device\USBPDO-1 8958E500
Device \Driver\usbuhci \Device\USBPDO-2 8958E500
Device \Driver\usbuhci \Device\USBPDO-3 8958E500
Device \Driver\usbehci \Device\USBPDO-4 895BB1F8

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Ftdisk \Device\HarddiskVolume1 897271F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{05FDE481-B293-424E-B30B-6B7B778AF7BD} 891C11F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 897271F8
Device \Driver\Cdrom \Device\CdRom0 894FE1F8
Device \Driver\Cdrom \Device\CdRom1 894FE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F783AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F783AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F783AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F783AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom2 894FE1F8
Device \Driver\sptd \Device\3447272100 spgv.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 891C11F8
Device \Driver\NetBT \Device\NetbiosSmb 891C11F8

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBFDO-0 8958E500
Device \Driver\usbuhci \Device\USBFDO-1 8958E500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8919D1F8
Device \Driver\usbuhci \Device\USBFDO-2 8958E500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8919D1F8
Device \Driver\usbuhci \Device\USBFDO-3 8958E500
Device \Driver\usbehci \Device\USBFDO-4 895BB1F8
Device \Driver\Ftdisk \Device\FtControl 897271F8
Device \Driver\a8d61n0k \Device\Scsi\a8d61n0k1Port2Path0Target0Lun0 894FD1F8
Device \Driver\a8d61n0k \Device\Scsi\a8d61n0k1 894FD1F8
Device \FileSystem\Cdfs \Cdfs 891341F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 89496AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programas\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x56 0x15 0x61 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x59 0x41 0x1F 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x3D 0xA8 0x9C 0x39 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programas\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x56 0x15 0x61 0x04 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x59 0x41 0x1F 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x3D 0xA8 0x9C 0x39 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
+++++++++++++++++++++++++++
+ File Lister Version 1.1.4 +
+ +
+ By bamajim / SpywareHammer.com +
+++++++++++++++++++++++++++

Report ran on --->>> 20-04-2010 21:52:10

====== Running Processes ======

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programas\Ficheiros comuns\Java\Java Update\jusched.exe
C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Media Player\wmplayer.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\WScript.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE

====== BHO's ======
BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll

BHO: (NO NAME) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll

BHO: (NO NAME) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: (NO NAME) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll

BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

====== System Keys (some whitelisted items will not be shown)======

Winlogon\Userinit = C:\WINDOWS\system32\userinit.exe,
Winlogon\Shell = Explorer.exe rundll32.exe bnis.mxo yfklng

====== HKLM\~\Run Keys ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[RemoteControl] = C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
[NeroFilterCheck] = C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe
[SecurDisc] = C:\Programas\Nero\Nero 7\InCD\NBHGui.exe
[InCD] = C:\Programas\Nero\Nero 7\InCD\InCD.exe
[Cmaudio] = RunDll32 cmicnfg.cpl,CMICtrlWnd
[Adobe Reader Speed Launcher] = "C:\Programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
[SunJavaUpdateSched] = "C:\Programas\Ficheiros comuns\Java\Java Update\jusched.exe"
[SpeedTouch USB Diagnostics] = "C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
[AdobeCS4ServiceManager] = "C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
[HP Component Manager] = "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
[HPDJ Taskbar Utility] = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
[AVP] = "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"

====== HKCU\~\Run Keys ======

[CTFMON.EXE] = C:\WINDOWS\system32\ctfmon.exe
[msnmsgr] = "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
[DAEMON Tools Lite] = "C:\Programas\DAEMON Tools Lite\daemon.exe" -autorun

====== DNS Info (List may be empty) ======

HKEY_LOCAL_MACHINE\CCS\~\{2A41F98F-285F-41B7-AFB1-91064AD4976C}\ NameServer= 195.23.129.126 194.79.69.222
HKEY_LOCAL_MACHINE\CCS\~\{A6923F47-7F19-459D-AF2C-87A9FFA088D0}\ NameServer= 195.23.129.126 194.79.69.222

HKEY_LOCAL_MACHINE\CS001\~\{2A41F98F-285F-41B7-AFB1-91064AD4976C}\ NameServer= 195.23.129.126 194.79.69.222

HKEY_LOCAL_MACHINE\CS001\~\{A6923F47-7F19-459D-AF2C-87A9FFA088D0}\ NameServer= 195.23.129.126 194.79.69.222

HKEY_LOCAL_MACHINE\CS003\~\{2A41F98F-285F-41B7-AFB1-91064AD4976C}\ NameServer= 195.23.129.126 194.79.69.222

HKEY_LOCAL_MACHINE\CS003\~\{A6923F47-7F19-459D-AF2C-87A9FFA088D0}\ NameServer= 195.23.129.126 194.79.69.222

NV Hostname = utilizad-628614
DataBasePath = %SystemRoot%\System32\drivers\etc
ForwardBroadcasts = 0
IPEnableRouter = 0
Hostname = utilizad-628614
UseDomainNameDevolution = 1
EnableICMPRedirect = 1
DeadGWDetectDefault = 1
DontAddDefaultGatewayDefault = 0
EnableSecurityFilters = 0

====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

11-04-2010 18:01:20 8391515 C:\32788R22FWJFW
11-04-2010 18:01:25 0 C:\32788R22FWJFW\EN-US
11-04-2010 18:01:20 416976 C:\32788R22FWJFW\License
11-04-2010 18:01:47 2021 C:\32788R22FWJFW\N_
11-04-2010 18:01:53 0 C:\Qoobox
11-04-2010 18:01:53 0 C:\Qoobox\Quarantine
11-04-2010 18:01:53 0 C:\Qoobox\Quarantine\Registry_backups
09-04-2010 11:15:02 17140 32 C:\TDSSKiller.2.2.8.1_09.04.2010_11.15.02_log.txt
09-04-2010 14:34:08 17140 32 C:\TDSSKiller.2.2.8.1_09.04.2010_14.34.08_log.txt
09-04-2010 14:36:45 17140 32 C:\TDSSKiller.2.2.8.1_09.04.2010_14.36.45_log.txt
28-03-2010 14:28:14 98304 C:\WINDOWS\Minidump
08-04-2010 19:40:58 12 32 C:\WINDOWS\srun.log
20-04-2010 21:41:38 19968 32 C:\WINDOWS\system32\bnis.mxo
08-04-2010 19:53:00 44544 34 C:\WINDOWS\system32\calcplay.dll
08-04-2010 19:58:29 145184 32 C:\WINDOWS\system32\java.exe
08-04-2010 19:58:29 145184 32 C:\WINDOWS\system32\javaw.exe
08-04-2010 19:58:29 153376 32 C:\WINDOWS\system32\javaws.exe
08-04-2010 19:57:34 4382 32 C:\WINDOWS\system32\jupdate-1.6.0_19-b04.log

====== "\Administrator & All Users\Startup" Last 60 Days======





====== "\Program Files" Last 60 Days======



======"Drivers" Modified Last 60 Days======

04-08-2004 13:00:00 96512 32 C:\WINDOWS\system32\drivers\atapi.sys
09-04-2010 0:46:33 95259 32 C:\WINDOWS\system32\drivers\klick.dat
09-04-2010 0:44:19 315408 32 C:\WINDOWS\system32\drivers\klif.sys
09-04-2010 0:46:33 108059 32 C:\WINDOWS\system32\drivers\klin.dat
11-04-2010 18:31:18 20824 32 C:\WINDOWS\system32\drivers\mbam.sys
11-04-2010 18:31:22 38224 32 C:\WINDOWS\system32\drivers\mbamswissarmy.sys
23-09-2009 16:54:08 58752 32 C:\WINDOWS\system32\drivers\redbook.sys
23-03-2010 23:22:04 95024 32 C:\WINDOWS\system32\drivers\SBREDrv.sys

====== Files Deleted under "%Temp%" ======

65 Files deleted

======"All Users\Application Data" Last 60 Days======

09-04-2010 0:44:49 298830806 C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
23-03-2010 23:18:23 0 C:\Documents and Settings\All Users\Application Data\Lavasoft
23-03-2010 23:22:07 0 C:\Documents and Settings\All Users\Application Data\Lavasoft\License
11-04-2010 18:31:19 4603495 C:\Documents and Settings\All Users\Application Data\Malwarebytes
11-04-2010 18:31:19 4603495 C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
23-03-2010 17:04:52 22019 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
23-03-2010 17:05:22 0 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups
23-03-2010 17:04:52 144 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Excludes
23-03-2010 17:46:20 13007 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
23-03-2010 17:05:22 4097 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
08-04-2010 19:58:48 119 C:\Documents and Settings\All Users\Application Data\Sun
08-04-2010 19:58:48 119 C:\Documents and Settings\All Users\Application Data\Sun\Java
08-04-2010 19:58:48 119 C:\Documents and Settings\All Users\Application Data\Sun\Java\Java Update

====== HKLM\~\ShellServiceObjectDelayLoad======

PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll

CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll

WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll

SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll


====== HKLM\~\SharedTaskScheduler======

Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - %SystemRoot%\system32\browseui.dll

Daemon da cache de categorias dos componentes - {8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll

======HKLM\~\msconfig\startupreg======

HKLM\Software\microsoft\shared tools\msconfig\startupreg\

====== Services ( Services that are Whitelisted are not shown) ======

alcan5wn (SpeedTouch USB ADSL PPP Networking Driver (NDISWAN))- C:\WINDOWS\system32\DRIVERS\alcan5wn.sys - Manual/Running
alcaudsl (SpeedTouch ADSL Modem ATM Transport)- C:\WINDOWS\system32\DRIVERS\alcaudsl.sys - Manual/Running
cmuda (C-Media WDM Audio Interface)- C:\WINDOWS\system32\drivers\cmuda.sys - Manual/Running
irda (Protocolo IrDA)- C:\WINDOWS\system32\DRIVERS\irda.sys - Auto/Running
irsir (Controlador de infravermelhos série da Microsoft)- C:\WINDOWS\system32\DRIVERS\irsir.sys - Manual/Running
klbg (Kaspersky Lab Boot Guard Driver)- C:\WINDOWS\system32\drivers\klbg.sys - Boot/Running
klim5 (Kaspersky Anti-Virus NDIS Filter)- C:\WINDOWS\system32\DRIVERS\klim5.sys - Manual/Running
klmouflt (Kaspersky Lab KLMOUFLT)- C:\WINDOWS\system32\DRIVERS\klmouflt.sys - Manual/Running
Mtlmnt5 (Mtlmnt5)- C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys - Manual/Running
Mtlstrm (Mtlstrm)- C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys - Manual/Stopped
NtMtlFax (NtMtlFax)- C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys - Manual/Stopped
pavboot (pavboot)- C:\WINDOWS\system32\drivers\pavboot.sys - Boot/Running
Rasirda (Miniport WAN (IrDA))- C:\WINDOWS\system32\DRIVERS\rasirda.sys - Manual/Running
RecAgent (RecAgent)- C:\WINDOWS\system32\DRIVERS\RecAgent.sys - Boot/Running
RTL8023xp (Realtek 10/100/1000 NIC Family all in one NDIS XP Driver)- C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys - Manual/Running
Slntamr (Smart Link 56K Modem Driver)- C:\WINDOWS\system32\DRIVERS\slntamr.sys - Manual/Running
SlNtHal (SlNtHal)- C:\WINDOWS\system32\DRIVERS\Slnthal.sys - Manual/Stopped
SlWdmSup (SlWdmSup)- C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys - Manual/Running
XDva296 (XDva296)- \??\C:\WINDOWS\system32\XDva296.sys - Manual/Stopped

====== Uninstall List ======

A file named 'UNI.txt' was created and saved to
FileListers default location. Post the results if requested.

======== Other Info ========

TOTAL PHYSICAL RAM: 1341 MB

Boot Info

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

OS Type: Microsoft Windows XP Home Edition
Build: 5.1.2600
Service Pack: 3.0

====== Files with Hidden Attributes======

A file named 'Hidden.txt' was created and saved to
FileListers default location. Post the results if requested.

==End of Report==
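A small triage script for a startup/file-listing log of the kind posted above, added here as an example and not one of the tools used in this thread. It parses the `Winlogon\Shell` and `Winlogon\Userinit` lines, the dated file entries and the Services entries, and flags the indicators a helper checks first; the sample lines are constructed and modelled on the log above.

```python
r"""Triage of a startup/file-listing log like the one posted above.

Added example, not one of the tools used in this thread. It reads the
log text and flags the indicators a helper checks first:
  * Winlogon\Shell carrying anything besides Explorer.exe
  * Winlogon\Userinit that is not the stock userinit.exe
  * files created directly under system32 with an extension no
    system file uses
  * service entries whose image path uses the \??\ device prefix
Flagged items are leads for the analyst, not a verdict.
"""
import ntpath
import re
from dataclasses import dataclass

EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# extensions normally seen for files sitting directly in system32
ORDINARY_SYSTEM32_EXT = {".exe", ".dll", ".sys", ".log", ".dat",
                         ".txt", ".ini", ".ocx", ".cpl"}

# "DD-MM-YYYY H:MM:SS <size> [<attrs>] <path>", the format of the dated sections
FILE_LINE = re.compile(
    r"^\d{2}-\d{2}-\d{4} \d{1,2}:\d{2}:\d{2} (\d+)(?: \d+)? ([A-Za-z]:\\.+)$"
)
# "name (description)- <image path> - <start>/<state>", the Services format
SERVICE_LINE = re.compile(r"^(\S+) \(.*\)- (.+?) - \w+/\w+$")


@dataclass(frozen=True)
class Finding:
    category: str   # short tag for the rule that fired
    detail: str     # the value or path that triggered it


def check_winlogon(line: str):
    """Flag Shell/Userinit values that differ from the XP defaults."""
    if line.startswith("Winlogon\\Shell = "):
        value = line.split("=", 1)[1].strip()
        # a legitimate Shell value is the single token Explorer.exe;
        # any extra token is started by winlogon at every logon
        if [t.lower() for t in value.split()] != [EXPECTED_SHELL]:
            return Finding("winlogon-shell", value)
    if line.startswith("Winlogon\\Userinit = "):
        value = line.split("=", 1)[1].strip().rstrip(",")
        if value.lower() != EXPECTED_USERINIT:
            return Finding("winlogon-userinit", value)
    return None


def check_file(line: str):
    """Flag a recently created system32 file with an unusual extension."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    path = m.group(2)
    folder, name = ntpath.split(path)
    if folder.lower().endswith("\\system32"):
        ext = ntpath.splitext(name)[1].lower()
        if ext and ext not in ORDINARY_SYSTEM32_EXT:
            return Finding("odd-system32-file", path)
    return None


def check_service(line: str):
    """Flag services registered through a raw \\??\\ device path."""
    m = SERVICE_LINE.match(line)
    if m and m.group(2).startswith("\\??\\"):
        return Finding("device-path-service", f"{m.group(1)}: {m.group(2)}")
    return None


def triage(log_text: str):
    """Run every check over every line and collect the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_winlogon, check_file, check_service):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample modelled on the log above: a clean line of each
# kind sits next to the one that should fire.
SAMPLE_LOG = r"""
Winlogon\Userinit = C:\WINDOWS\system32\userinit.exe,
Winlogon\Shell = Explorer.exe rundll32.exe bnis.mxo yfklng
08-04-2010 19:40:58 12 32 C:\WINDOWS\srun.log
20-04-2010 21:41:38 19968 32 C:\WINDOWS\system32\bnis.mxo
08-04-2010 19:58:29 145184 32 C:\WINDOWS\system32\java.exe
04-08-2004 13:00:00 96512 32 C:\WINDOWS\system32\drivers\atapi.sys
klbg (Kaspersky Lab Boot Guard Driver)- C:\WINDOWS\system32\drivers\klbg.sys - Boot/Running
XDva296 (XDva296)- \??\C:\WINDOWS\system32\XDva296.sys - Manual/Stopped
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```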






#5 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:55 AM

Posted 20 April 2010 - 05:15 PM

Hi,

Glad you're back. You're infected with the latest version of the TDSS Rootkit.

What I need you to do is to download Combofix, but don't run it yet as we are going to add a script to it to clean this infection.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2







* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.



Now that CF is downloaded to your desktop and all AV has been disabled, do this


Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above TDL::


CODE
TDL::
C:\WINDOWS\system32\DRIVERS\redbook.sys


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix . After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.






Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014



Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#6 luffydude

luffydude
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 21 April 2010 - 08:24 AM

Hey !

Glad that my virus is up to date (not)

Well, as I said before, I'm having trouble running Combo-fix even after following the steps

- I changed name before downloading to desktop
- I copy pasted the entire script and created the CFScript with notepad
- Disabled Kaspersky AV and windows firewall
- I dragged the script to Combo-Fix

1st and 2nd time the program didn't start and nothing ever happened
the 3rd time, the combo fix load-bar appears but I get the error that shows up in attachment
the 4th time, the load bar appears again but I got the attached message

so I reboot and try again

this time the load bar appears but then my computer makes 2 weird bleeps and I get a warning screen that says something like "do not download combofix from these sites..." I click ok and wait 2 minutes... nothing happens and the PC's thinking light isn't even blinking

Attached Files



#7 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:55 AM

Posted 21 April 2010 - 09:51 AM

Hi,

Lets do this.

Please download and run the following tool to help allow other programs to run. (Thanks to Grinler of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
You will know it ran as a window will open and close real quick

Rkill.exe http://download.bleepingcomputer.com/grinler/rkill.exe
Rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
Rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
Rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif



Drag Combofix to the trash and redownload a fresh copy and see if it will run without the script, we can do that later. Still rename it.


If no luck, then try running it in Safemode.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode



#8 luffydude

luffydude
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 21 April 2010 - 10:56 AM

Well, I tried rkill.exe and it said it was terminating malware processes but it only ended rkill.exe

Ran combofix afterwards and still nothing.

Then I tried running it in safe mode. I waited like 2 minutes, then I opened task manager and saw the same 2 processes I see every time I try combo fix (in attached image)

Attached Files



#9 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:55 AM

Posted 21 April 2010 - 11:20 AM

Try running this one and then try CF

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



#10 luffydude

luffydude
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 21 April 2010 - 12:00 PM

It just seems like Combo Fix doesn't like my computer because again it didn't work

Here is the exeHelper log:

exeHelper by Raktor
Build 20100414
Run at 17:54:31 on 04/21/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



#11 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:55 AM

Posted 21 April 2010 - 12:05 PM

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

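A way to triage the OTL output requested above, added here as an example and not part of this thread, of OTL, or of the helper's own process: it reads OTL-style lines and flags the families that usually deserve a second look on a redirect/rootkit case (files with no readable publisher, a browser proxy pointed somewhere, hosts-file overrides, orphaned BHOs and Run entries, and Security Center or firewall values that switch protection off). The sample lines are constructed for the example, modelled on lines posted later in this thread; the category names and the list of "weak" settings are my own choices, and a flag means "review this", not "this is malicious".

```python
"""Triage helper for OTL-style log lines (added example, not OTL's own code)."""
import re
from collections import Counter
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, offending log line)

# OTL prints the publisher of each process/module/service/driver in trailing
# parentheses; an empty "()" means no company name could be read from the file.
NO_PUBLISHER = re.compile(r"^(PRC|MOD|SRV|DRV) - .*\(\)\s*$")
# Firefox proxy *host* settings; the *_port and *_remote_dns lines do not match.
FF_PROXY_HOST = re.compile(
    r'^FF - prefs\.js\.\.network\.proxy\.(http|ssl|ftp|socks): "(?P<host>[^"]+)"'
)
HOSTS_ENTRY = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<name>\S+)")
ORPHAN_BHO = re.compile(r"^O2 - BHO: .*(No CLSID value found|\(no name\))")
ORPHAN_RUN = re.compile(r"^O4 - .*File not found$")
SECURITY_VALUE = re.compile(r'^"(?P<key>[A-Za-z]+)" = (?P<val>\d+)$')

# Security Center / firewall values that weaken protection when set this way
# (my selection for the example; extend as needed).
WEAK_SETTINGS = {
    ("EnableFirewall", "0"),
    ("AntiVirusOverride", "1"),
    ("FirewallOverride", "1"),
    ("AntiVirusDisableNotify", "1"),
    ("FirewallDisableNotify", "1"),
}


def triage_line(line: str) -> List[Finding]:
    """Return the review categories a single OTL line falls into (possibly none)."""
    line = line.rstrip()
    found: List[Finding] = []
    if NO_PUBLISHER.match(line):
        found.append(("no-publisher", line))
    if FF_PROXY_HOST.match(line):
        found.append(("browser-proxy", line))
    host = HOSTS_ENTRY.match(line)
    if host and host.group("name") != "localhost":
        found.append(("hosts-override", line))
    if ORPHAN_BHO.match(line):
        found.append(("orphan-bho", line))
    if ORPHAN_RUN.match(line):
        found.append(("orphan-autorun", line))
    setting = SECURITY_VALUE.match(line)
    if setting and (setting.group("key"), setting.group("val")) in WEAK_SETTINGS:
        found.append(("weak-security-setting", line))
    return found


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an OTL log and collect the hits."""
    findings: List[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings: List[Finding]) -> "Counter[str]":
    """Count findings per category."""
    return Counter(category for category, _ in findings)


# Constructed sample, modelled on lines posted in this thread (not a full log).
SAMPLE_LOG = r"""
MOD - C:\WINDOWS\system32\calcplay.dll ()
DRV - (KLIF) -- C:\WINDOWS\system32\drivers\klif.sys (Kaspersky Lab)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 9666
FF - prefs.js..network.proxy.socks: "localhost"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "localhost"
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll (Kaspersky Lab)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [AVP] C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe (Kaspersky Lab)
"EnableFirewall" = 0
"AntiVirusOverride" = 1
"FirewallDisableNotify" = 0
"""

if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for category, line in hits:
        print(f"[{category}] {line}")
    print(dict(summarize(hits)))
```

Run it against a saved OTL.Txt by passing the file contents to triage_log. Lines with a recognised publisher (the Kaspersky driver and BHO above) and the plain localhost hosts entry produce no finding; a browser proxy pointed at a local port and any hosts-file redirect are flagged only so that they can be checked against software the user knowingly installed.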


#12 luffydude

luffydude
  • Topic Starter
  • Members
  • 27 posts

Posted 21 April 2010 - 01:42 PM

OTL logfile created on: 21-04-2010 18:40:22 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Utilizador\Ambiente de trabalho
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

1,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 55,00% Memory free
3,00 Gb Paging File | 3,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
Drive C: | 24,34 Gb Total Space | 3,97 Gb Free Space | 16,30% Space Free | Partition Type: NTFS
Drive D: | 50,14 Gb Total Space | 1,56 Gb Free Space | 3,10% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: UTILIZAD-628614
Current User Name: Utilizador
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe (OldTimer Tools)
PRC - C:\Programas\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programas\Ficheiros comuns\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe (Kaspersky Lab)
PRC - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe (Kaspersky Lab)
PRC - C:\WINDOWS\system32\slserv.exe (Smart Link)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programas\Windows Media Player\wmplayer.exe (Microsoft Corporation)
PRC - C:\Programas\Thomson\SpeedTouch USB\dragdiag.exe (THOMSON Telecom Belgium)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\calcplay.dll ()


========== Win32 Services (SafeList) ==========

SRV - (AVP) -- C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe (Kaspersky Lab)
SRV - (FLEXnet Licensing Service) -- C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (SLService) -- C:\WINDOWS\System32\slserv.exe (Smart Link)
SRV - (InCDsrv) -- C:\Programas\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
SRV - (WLSetupSvc) -- C:\Programas\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (usnjsvc) -- C:\Programas\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (NMIndexingService) -- C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (ose) -- C:\Programas\Ficheiros comuns\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (KLIF) -- C:\WINDOWS\system32\drivers\klif.sys (Kaspersky Lab)
DRV - (klbg) -- C:\WINDOWS\system32\drivers\klbg.sys (Kaspersky Lab)
DRV - (klmouflt) -- C:\WINDOWS\system32\drivers\klmouflt.sys (Kaspersky Lab)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (klim5) -- C:\WINDOWS\system32\drivers\klim5.sys (Kaspersky Lab)
DRV - (kl1) -- C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Lab)
DRV - (pavboot) -- C:\WINDOWS\system32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (incdrm) -- C:\WINDOWS\system32\drivers\InCDRm.sys (Nero AG)
DRV - (InCDPass) -- C:\WINDOWS\system32\drivers\InCDPass.sys (Nero AG)
DRV - (InCDfs) -- C:\WINDOWS\system32\drivers\InCDfs.sys (Nero AG)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys (Realtek Semiconductor Corporation )
DRV - (SlNtHal) -- C:\WINDOWS\system32\drivers\slnthal.sys (Smart Link)
DRV - (SlWdmSup) -- C:\WINDOWS\system32\drivers\slwdmsup.sys (Smart Link)
DRV - (Slntamr) -- C:\WINDOWS\system32\drivers\slntamr.sys (Smart Link)
DRV - (NtMtlFax) -- C:\WINDOWS\system32\drivers\ntmtlfax.sys (Smart Link)
DRV - (Mtlmnt5) -- C:\WINDOWS\system32\drivers\mtlmnt5.sys (Smart Link)
DRV - (RecAgent) -- C:\WINDOWS\system32\DRIVERS\RecAgent.sys (Smart Link)
DRV - (Mtlstrm) -- C:\WINDOWS\system32\drivers\mtlstrm.sys (Smart Link)
DRV - (rtl8139) Controlador NT de placa Fast Ethernet baseada na Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) -- C:\WINDOWS\system32\drivers\alcan5wn.sys (THOMSON)
DRV - (alcaudsl) -- C:\WINDOWS\system32\drivers\alcaudsl.sys (THOMSON)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (irsir) -- C:\WINDOWS\system32\drivers\irsir.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.736
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 9666
FF - prefs.js..network.proxy.socks: "localhost"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "localhost"
FF - prefs.js..network.proxy.ssl_port: 9666

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Programas\Mozilla Firefox\components [2010-04-03 13:46:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Programas\Mozilla Firefox\plugins [2010-04-08 19:58:29 | 000,000,000 | ---D | M]

[2009-09-24 16:29:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\mozilla\Extensions
[2010-04-21 17:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\mozilla\Firefox\Profiles\rztpqamj.default\extensions
[2009-09-24 16:49:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Utilizador\Application Data\mozilla\Firefox\Profiles\rztpqamj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-04-21 17:02:52 | 000,000,000 | ---D | M] -- C:\Programas\Mozilla Firefox\extensions
[2010-04-09 00:47:00 | 000,000,000 | ---D | M] -- C:\Programas\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2009-09-25 07:02:40 | 000,098,304 | ---- | M] (OGPlanet Inc.) -- C:\Programas\Mozilla Firefox\plugins\npOGPPlugin.dll

O1 HOSTS File: ([2009-10-17 11:57:32 | 000,001,290 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Programa Auxiliar de Início de Sessão do Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVP] C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
O4 - HKLM..\Run: [InCD] C:\Programas\Nero

Edited by luffydude, 21 April 2010 - 01:51 PM.


#13 luffydude

luffydude
  • Topic Starter
  • Members
  • 27 posts

Posted 21 April 2010 - 01:43 PM

OTL Extras logfile created on: 21-04-2010 18:40:22 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Utilizador\Ambiente de trabalho
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

1,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 55,00% Memory free
3,00 Gb Paging File | 3,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
Drive C: | 24,34 Gb Total Space | 3,97 Gb Free Space | 16,30% Space Free | Partition Type: NTFS
Drive D: | 50,14 Gb Total Space | 1,56 Gb Free Space | 3,10% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: UTILIZAD-628614
Current User Name: Utilizador
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programas\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Programas\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Programas\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Programas\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Programas\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"8394:TCP" = 8394:TCP:*:Enabled:League of Legends Launcher
"8394:UDP" = 8394:UDP:*:Enabled:League of Legends Launcher
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Programas\Windows Live\Messenger\livecall.exe" = C:\Programas\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\CDS\Nero\Installation\SetupX.exe" = E:\CDS\Nero\Installation\SetupX.exe:*:Enabled:Nero ProductSetup -- File not found
"C:\Programas\uTorrent\uTorrent.exe" = C:\Programas\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Programas\Windows Live\Messenger\livecall.exe" = C:\Programas\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Programas\fraps\SopCast\adv\SopAdver.exe" = C:\Programas\fraps\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)
"C:\Programas\fraps\SopCast\SopCast.exe" = C:\Programas\fraps\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)
"C:\Programas\League of Legends\Air\LolClient.exe" = C:\Programas\League of Legends\Air\LolClient.exe:*:Enabled:League of Legends Lobby -- File not found
"C:\Programas\League of Legends\Game\League of Legends.exe" = C:\Programas\League of Legends\Game\League of Legends.exe:*:Enabled:League of Legends Game Client -- File not found
"C:\Programas\Heroes of Might and Magic III Complete\Heroes3.exe" = C:\Programas\Heroes of Might and Magic III Complete\Heroes3.exe:*:Enabled:Heroes of Might and Magic® III -- File not found
"C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Programas\Mozilla Firefox\firefox.exe" = C:\Programas\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Programas\OGPlanet\LostSaga\autoupgrade.exe" = C:\Programas\OGPlanet\LostSaga\autoupgrade.exe:*:Enabled:LostSaga(upgrade) -- File not found
"C:\Programas\OGPlanet\LostSaga\lostsaga.exe" = C:\Programas\OGPlanet\LostSaga\lostsaga.exe:*:Enabled:LostSaga(client) -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0D70FCFE-2102-4951-A56E-22DD07DFA5B6}" = Microsoft .NET Framework 1.1 Portuguese Language Pack
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1596098A-FCEC-48F0-B7C7-08A31B772070}" = Nero 7 Essentials
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Ferramenta de Carregamento do Windows Live
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 19
"{28DA1AA2-07F2-4451-A28B-A6A01A9CE8E9}" = Assistente de Início de Sessão do Windows Live
"{350C9816-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85B1BEF2-2357-4C27-ABBE-15A1AE3AF78D}" = HP Deskjet 5700
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120816-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{943B6738-4801-4982-90EC-0442EF7AEB16}" = Kaspersky Anti-Virus 2010
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{9509674F-3972-11DE-806D-005056806466}" = Google Earth
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1046-7B44-A91000000001}" = Adobe Reader 9.1 - Português
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}" = SpeedTouch USB Software
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"All ATI Software" = ATI - Software Uninstall Utility
"ASIO4ALL" = ASIO4ALL
"ATI Display Driver" = ATI Display Driver
"Bowlfish" = Bowlfish
"C-Media Audio" = C-Media 3D Audio
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"DotAzilla" = DotAzilla
"FL Studio 9" = FL Studio 9
"Free MP3 Converter_is1" = Free MP3 Converter 2.0
"Hardcore" = Hardcore
"HP Deskjet 5700 Series_Driver" = HP Deskjet 5700 Series
"ie8" = Windows Internet Explorer 8
"IL Download Manager" = IL Download Manager
"InstallWIX_{943B6738-4801-4982-90EC-0442EF7AEB16}" = Kaspersky Anti-Virus 2010
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabR2007a" = MATLAB R2007a
"Messenger Plus! Live" = Messenger Plus! Live
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Native Instruments Traktor DJ Studio 3" = Native Instruments Traktor DJ Studio 3
"OGPlanet Game Launcher US" = OGPlanet Game Launcher
"PoiZone" = PoiZone
"PokerStars" = PokerStars
"Sawer" = Sawer
"SopCast" = SopCast 3.2.4
"Toxic Biohazard" = Toxic Biohazard
"uTorrent" = µTorrent
"Veetle TV" = Veetle TV 0.9.16
"VLC media player" = VLC media player 1.0.2
"Warkeys" = Warkeys 1.14.1.0b
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 13-04-2010 6:53:15 | Computer Name = UTILIZAD-628614 | Source = Application Error | ID = 1000
Description = Aplicação em falha rundll32.exe, versão 5.1.2600.5512, módulo em falha
unknown, versão 0.0.0.0, endereço em falha 0x7c9e02b0.

Error - 13-04-2010 10:55:43 | Computer Name = UTILIZAD-628614 | Source = Application Error | ID = 1000
Description = Aplicação em falha rundll32.exe, versão 5.1.2600.5512, módulo em falha
unknown, versão 0.0.0.0, endereço em falha 0x7c9e02b0.

Error - 13-04-2010 10:57:17 | Computer Name = UTILIZAD-628614 | Source = Application Error | ID = 1000
Description = Aplicação em falha rundll32.exe, versão 5.1.2600.5512, módulo em falha
, versão 0.0.0.0, endereço em falha 0x00000000.

Error - 14-04-2010 8:44:06 | Computer Name = UTILIZAD-628614 | Source = Google Update | ID = 20
Description =

Error - 15-04-2010 6:44:17 | Computer Name = UTILIZAD-628614 | Source = Google Update | ID = 20
Description =

Error - 15-04-2010 9:15:07 | Computer Name = UTILIZAD-628614 | Source = Application Error | ID = 1000
Description = Aplicação em falha rundll32.exe, versão 5.1.2600.5512, módulo em falha
unknown, versão 0.0.0.0, endereço em falha 0x7c9e02b0.

Error - 15-04-2010 12:44:06 | Computer Name = UTILIZAD-628614 | Source = Google Update | ID = 20
Description =

Error - 15-04-2010 13:44:05 | Computer Name = UTILIZAD-628614 | Source = Google Update | ID = 20
Description =

Error - 15-04-2010 14:44:05 | Computer Name = UTILIZAD-628614 | Source = Google Update | ID = 20
Description =

Error - 15-04-2010 15:44:05 | Computer Name = UTILIZAD-628614 | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 21-04-2010 11:50:54 | Computer Name = UTILIZAD-628614 | Source = Service Control Manager | ID = 7026
Description = Falhou o carregamento dos seguintes controladores de início de arranque
ou de início do sistema: PCIIde

Error - 21-04-2010 11:51:11 | Computer Name = UTILIZAD-628614 | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1058" ao tentar iniciar o serviço WSearch com
os argumentos "" de forma a executar o servidor: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error - 21-04-2010 11:51:20 | Computer Name = UTILIZAD-628614 | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1058" ao tentar iniciar o serviço WSearch com
os argumentos "" de forma a executar o servidor: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error - 21-04-2010 11:51:38 | Computer Name = UTILIZAD-628614 | Source = Service Control Manager | ID = 7034
Description = O serviço Windows Image Acquisition (WIA) terminou inesperadamente.
Isto aconteceu 1 vez(es).

Error - 21-04-2010 11:51:41 | Computer Name = UTILIZAD-628614 | Source = Service Control Manager | ID = 7034
Description = O serviço Serviço de gateway de camada de aplicação terminou inesperadamente.
Isto aconteceu 1 vez(es).

Error - 21-04-2010 11:51:42 | Computer Name = UTILIZAD-628614 | Source = Service Control Manager | ID = 7034
Description = O serviço Java Quick Starter terminou inesperadamente. Isto aconteceu
1 vez(es).

Error - 21-04-2010 13:05:14 | Computer Name = UTILIZAD-628614 | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1058" ao tentar iniciar o serviço usnjsvc com
os argumentos "" de forma a executar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 21-04-2010 13:05:24 | Computer Name = UTILIZAD-628614 | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1058" ao tentar iniciar o serviço usnjsvc com
os argumentos "" de forma a executar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 21-04-2010 13:05:35 | Computer Name = UTILIZAD-628614 | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1058" ao tentar iniciar o serviço usnjsvc com
os argumentos "" de forma a executar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 21-04-2010 13:05:45 | Computer Name = UTILIZAD-628614 | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1058" ao tentar iniciar o serviço usnjsvc com
os argumentos "" de forma a executar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}


< End of report >


#14 luffydude

luffydude
  • Topic Starter
  • Members
  • 27 posts

Posted 21 April 2010 - 01:52 PM

Here is the 2nd part of the first log (I didn't paste it all):

O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVP] C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
O4 - HKLM..\Run: [InCD] C:\Programas\Nero\Nero 7\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [SecurDisc] C:\Programas\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe (THOMSON Telecom Belgium)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programas\Ficheiros comuns\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Programas\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Windows Search.lnk = C:\Program

Edited by luffydude, 21 April 2010 - 01:54 PM.


#15 ken545

ken545
  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 21 April 2010 - 01:54 PM

I don't need you to repost the Extras log, but about half of the main log is missing.
