Infected with Rootkit.Agent/tdlcmd.dll/Win32.TDSS.z --!!??

[Iosif]

Hello,

and thanks in advance for any help I might get with regard to this...

Primary symptom as far as I can make out is the redirection of search links

[Iosif]

Hello all,

I'm going to bump this as it has been a week since I first posted.

I hope I'm not seeming to be impolite or impatient!

At any rate, the search redirects are still going strong...

Would really appreciate some help.

-- Iosif

[Maurice Naggar]

Hello IOsif.

It appears your post was overlooked. Perhaps because you had posted a 2nd post before any helper responded to you.

Please re-confirm that you still have the same issue and need help.

Otherwise, let me know if this was resolved elsewhere.

If you wish guided help, start with the following.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Iosif and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Please start with the following:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Next,

Download this >> file << & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller:

----

Start NOTEPAD and copy/paste the text in the quotebox below into it:

@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0

Save this as fix.bat Choose to "Save type as - All Files"

It should look like this:

Double click on fix.bat & allow it to run.

Step 4

Next Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

• Close all open windows on the Task Bar.
  
• Please double-click OTL.exe to run it.
  
• In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  
• Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  
• It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  
• Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  
• Exit OTL by clicking the X at top right.
  

Step 5

Download Security Check by screen317 and save it to your Desktop: here or here

• Run Security Check
  
• Follow the onscreen instructions inside of the command window.
  
• A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
  

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Step 6

Then copy/paste the following into your post (in order):

• the contents of Logit.txt
  
• OTL.txt
  
• Extras.txt
  
• checkup.txt
  

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

[Iosif]

O.k. I've gone through steps 1-5 and here are the logs.

One problem, though: OTL hangs up at "HKEY_CURRENT_USER\Uninstall List" and so I haven't been able to get an Extras.txt log...

Logit.txt:

22:13:28:46 3848 ForceUnloadDriver: NtUnloadDriver error 2

22:13:28:46 3848 ForceUnloadDriver: NtUnloadDriver error 2

22:13:28:46 3848 ForceUnloadDriver: NtUnloadDriver error 2

22:13:28:46 3848 main: Driver KLMD successfully dropped

22:13:28:203 3848 main: Driver KLMD successfully loaded

22:13:28:203 3848

Scanning Registry ...

22:13:28:203 3848 ScanServices: Searching service UACd.sys

22:13:28:203 3848 ScanServices: Open/Create key error 2

22:13:28:203 3848 ScanServices: Searching service TDSSserv.sys

22:13:28:203 3848 ScanServices: Open/Create key error 2

22:13:28:203 3848 ScanServices: Searching service gaopdxserv.sys

22:13:28:203 3848 ScanServices: Open/Create key error 2

22:13:28:203 3848 ScanServices: Searching service gxvxcserv.sys

22:13:28:203 3848 ScanServices: Open/Create key error 2

22:13:28:203 3848 ScanServices: Searching service MSIVXserv.sys

22:13:28:203 3848 ScanServices: Open/Create key error 2

22:13:28:203 3848 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000

22:13:28:500 3848 UnhookRegistry: Kernel local addr: CB0000

22:13:28:500 3848 UnhookRegistry: KeServiceDescriptorTable addr: D33220

22:13:28:546 3848 UnhookRegistry: KiServiceTable addr: CBB6A8

22:13:28:546 3848 UnhookRegistry: NtEnumerateKey service number (local): 47

22:13:28:546 3848 UnhookRegistry: NtEnumerateKey local addr: D4C5A4

22:13:28:562 3848 KLMD_OpenDevice: Trying to open KLMD device

22:13:28:562 3848 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey

22:13:28:562 3848 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey

22:13:28:562 3848 KLMD_ReadMem: Trying to ReadMemory 0x804DCC49[0x4]

22:13:28:562 3848 UnhookRegistry: NtEnumerateKey service number (kernel): 47

22:13:28:562 3848 KLMD_ReadMem: Trying to ReadMemory 0x804E27C4[0x4]

22:13:28:562 3848 UnhookRegistry: NtEnumerateKey real addr: 805735A4

22:13:28:562 3848 UnhookRegistry: NtEnumerateKey calc addr: 805735A4

22:13:28:562 3848 UnhookRegistry: No SDT hooks found on NtEnumerateKey

22:13:28:562 3848 KLMD_ReadMem: Trying to ReadMemory 0x805735A4[0xA]

22:13:28:562 3848 UnhookRegistry: No splicing found on NtEnumerateKey

22:13:28:578 3848

Scanning Kernel memory ...

22:13:28:578 3848 KLMD_OpenDevice: Trying to open KLMD device

22:13:28:578 3848 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk

22:13:28:578 3848 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

22:13:28:578 3848 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82F928A0

22:13:28:578 3848 DetectCureTDL3: KLMD_GetDeviceObjectList returned 12 DevObjects

22:13:28:578 3848 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 82AA6030

22:13:28:578 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82AA6030

22:13:28:578 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AA6030[0x38]

22:13:28:578 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82F928A0

22:13:28:578 3848 KLMD_ReadMem: Trying to ReadMemory 0x82F928A0[0xA8]

22:13:28:578 3848 KLMD_ReadMem: Trying to ReadMemory 0xE100D210[0x208]

22:13:28:578 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

22:13:28:578 3848 DetectCureTDL3: IrpHandler (0) addr: F853BBB0

22:13:28:578 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (2) addr: F853BBB0

22:13:28:578 3848 DetectCureTDL3: IrpHandler (3) addr: F8535D1F

22:13:28:578 3848 DetectCureTDL3: IrpHandler (4) addr: F8535D1F

22:13:28:578 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (9) addr: F85362E2

22:13:28:578 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (14) addr: F85363BB

22:13:28:578 3848 DetectCureTDL3: IrpHandler (15) addr: F8539F28

22:13:28:578 3848 DetectCureTDL3: IrpHandler (16) addr: F85362E2

22:13:28:578 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (22) addr: F8537C82

22:13:28:578 3848 DetectCureTDL3: IrpHandler (23) addr: F853C99E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:578 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:578 3848 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

22:13:28:578 3848 KLMD_ReadMem: DeviceIoControl error 1

22:13:28:578 3848 TDL3_StartIoHookDetect: Unable to get StartIo handler code

22:13:28:578 3848 TDL3_FileDetect: Processing driver: Disk

22:13:28:578 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

22:13:28:578 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

22:13:28:578 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

22:13:28:609 3848 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 82AF3C68

22:13:28:609 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82AF3C68

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AF3C68[0x38]

22:13:28:609 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82F928A0

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x82F928A0[0xA8]

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0xE100D210[0x208]

22:13:28:609 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

22:13:28:609 3848 DetectCureTDL3: IrpHandler (0) addr: F853BBB0

22:13:28:609 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (2) addr: F853BBB0

22:13:28:609 3848 DetectCureTDL3: IrpHandler (3) addr: F8535D1F

22:13:28:609 3848 DetectCureTDL3: IrpHandler (4) addr: F8535D1F

22:13:28:609 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (9) addr: F85362E2

22:13:28:609 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (14) addr: F85363BB

22:13:28:609 3848 DetectCureTDL3: IrpHandler (15) addr: F8539F28

22:13:28:609 3848 DetectCureTDL3: IrpHandler (16) addr: F85362E2

22:13:28:609 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (22) addr: F8537C82

22:13:28:609 3848 DetectCureTDL3: IrpHandler (23) addr: F853C99E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

22:13:28:609 3848 KLMD_ReadMem: DeviceIoControl error 1

22:13:28:609 3848 TDL3_StartIoHookDetect: Unable to get StartIo handler code

22:13:28:609 3848 TDL3_FileDetect: Processing driver: Disk

22:13:28:609 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

22:13:28:609 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

22:13:28:609 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

22:13:28:609 3848 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 82B1AC68

22:13:28:609 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B1AC68

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x82B1AC68[0x38]

22:13:28:609 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82F928A0

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x82F928A0[0xA8]

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0xE100D210[0x208]

22:13:28:609 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

22:13:28:609 3848 DetectCureTDL3: IrpHandler (0) addr: F853BBB0

22:13:28:609 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (2) addr: F853BBB0

22:13:28:609 3848 DetectCureTDL3: IrpHandler (3) addr: F8535D1F

22:13:28:609 3848 DetectCureTDL3: IrpHandler (4) addr: F8535D1F

22:13:28:609 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (9) addr: F85362E2

22:13:28:609 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (14) addr: F85363BB

22:13:28:609 3848 DetectCureTDL3: IrpHandler (15) addr: F8539F28

22:13:28:609 3848 DetectCureTDL3: IrpHandler (16) addr: F85362E2

22:13:28:609 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (22) addr: F8537C82

22:13:28:609 3848 DetectCureTDL3: IrpHandler (23) addr: F853C99E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

22:13:28:609 3848 KLMD_ReadMem: DeviceIoControl error 1

22:13:28:609 3848 TDL3_StartIoHookDetect: Unable to get StartIo handler code

22:13:28:609 3848 TDL3_FileDetect: Processing driver: Disk

22:13:28:609 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

22:13:28:609 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

22:13:28:609 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

22:13:28:609 3848 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 82AB95D8

22:13:28:609 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82AB95D8

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AB95D8[0x38]

22:13:28:609 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82F928A0

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x82F928A0[0xA8]

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0xE100D210[0x208]

22:13:28:609 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

22:13:28:609 3848 DetectCureTDL3: IrpHandler (0) addr: F853BBB0

22:13:28:609 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (2) addr: F853BBB0

22:13:28:609 3848 DetectCureTDL3: IrpHandler (3) addr: F8535D1F

22:13:28:609 3848 DetectCureTDL3: IrpHandler (4) addr: F8535D1F

22:13:28:609 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (9) addr: F85362E2

22:13:28:609 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (14) addr: F85363BB

22:13:28:609 3848 DetectCureTDL3: IrpHandler (15) addr: F8539F28

22:13:28:609 3848 DetectCureTDL3: IrpHandler (16) addr: F85362E2

22:13:28:609 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (22) addr: F8537C82

22:13:28:609 3848 DetectCureTDL3: IrpHandler (23) addr: F853C99E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

22:13:28:609 3848 KLMD_ReadMem: DeviceIoControl error 1

22:13:28:609 3848 TDL3_StartIoHookDetect: Unable to get StartIo handler code

22:13:28:609 3848 TDL3_FileDetect: Processing driver: Disk

22:13:28:609 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

22:13:28:609 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

22:13:28:609 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

22:13:28:609 3848 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 82AD62C0

22:13:28:609 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82AD62C0

22:13:28:609 3848 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 82AF3030

22:13:28:609 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82AF3030

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AF3030[0x38]

22:13:28:609 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82AF33F8

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AF33F8[0xA8]

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0xE19E9420[0x208]

22:13:28:609 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor

22:13:28:609 3848 DetectCureTDL3: IrpHandler (0) addr: F88DA218

22:13:28:609 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (2) addr: F88DA218

22:13:28:609 3848 DetectCureTDL3: IrpHandler (3) addr: F88DA23C

22:13:28:609 3848 DetectCureTDL3: IrpHandler (4) addr: F88DA23C

22:13:28:609 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (9) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (14) addr: F88DA180

22:13:28:609 3848 DetectCureTDL3: IrpHandler (15) addr: F88D59E6

22:13:28:609 3848 DetectCureTDL3: IrpHandler (16) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (22) addr: F88D95F0

22:13:28:609 3848 DetectCureTDL3: IrpHandler (23) addr: F88D7A6E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:609 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:609 3848 KLMD_ReadMem: Trying to ReadMemory 0xF88D6F26[0x400]

22:13:28:609 3848 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0

22:13:28:609 3848 TDL3_FileDetect: Processing driver: usbstor

22:13:28:609 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys

22:13:28:609 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys

22:13:28:609 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys

22:13:28:640 3848 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 82B74508

22:13:28:640 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B74508

22:13:28:640 3848 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 82AAA030

22:13:28:640 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82AAA030

22:13:28:640 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AAA030[0x38]

22:13:28:640 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82AF33F8

22:13:28:640 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AF33F8[0xA8]

22:13:28:640 3848 KLMD_ReadMem: Trying to ReadMemory 0xE19E9420[0x208]

22:13:28:640 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor

22:13:28:640 3848 DetectCureTDL3: IrpHandler (0) addr: F88DA218

22:13:28:640 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (2) addr: F88DA218

22:13:28:640 3848 DetectCureTDL3: IrpHandler (3) addr: F88DA23C

22:13:28:640 3848 DetectCureTDL3: IrpHandler (4) addr: F88DA23C

22:13:28:640 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (9) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (14) addr: F88DA180

22:13:28:640 3848 DetectCureTDL3: IrpHandler (15) addr: F88D59E6

22:13:28:640 3848 DetectCureTDL3: IrpHandler (16) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (22) addr: F88D95F0

22:13:28:640 3848 DetectCureTDL3: IrpHandler (23) addr: F88D7A6E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:640 3848 KLMD_ReadMem: Trying to ReadMemory 0xF88D6F26[0x400]

22:13:28:640 3848 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0

22:13:28:640 3848 TDL3_FileDetect: Processing driver: usbstor

22:13:28:640 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys

22:13:28:640 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys

22:13:28:640 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys

22:13:28:640 3848 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 82AF13A0

22:13:28:640 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82AF13A0

22:13:28:640 3848 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 82AE59C0

22:13:28:640 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82AE59C0

22:13:28:640 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AE59C0[0x38]

22:13:28:640 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82AF33F8

22:13:28:640 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AF33F8[0xA8]

22:13:28:640 3848 KLMD_ReadMem: Trying to ReadMemory 0xE19E9420[0x208]

22:13:28:640 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor

22:13:28:640 3848 DetectCureTDL3: IrpHandler (0) addr: F88DA218

22:13:28:640 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (2) addr: F88DA218

22:13:28:640 3848 DetectCureTDL3: IrpHandler (3) addr: F88DA23C

22:13:28:640 3848 DetectCureTDL3: IrpHandler (4) addr: F88DA23C

22:13:28:640 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (9) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:640 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (14) addr: F88DA180

22:13:28:656 3848 DetectCureTDL3: IrpHandler (15) addr: F88D59E6

22:13:28:656 3848 DetectCureTDL3: IrpHandler (16) addr: 804FA87E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (22) addr: F88D95F0

22:13:28:656 3848 DetectCureTDL3: IrpHandler (23) addr: F88D7A6E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:656 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:656 3848 KLMD_ReadMem: Trying to ReadMemory 0xF88D6F26[0x400]

22:13:28:656 3848 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0

22:13:28:656 3848 TDL3_FileDetect: Processing driver: usbstor

22:13:28:656 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys

22:13:28:656 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys

22:13:28:656 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys

22:13:28:718 3848 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 82AF8638

22:13:28:718 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82AF8638

22:13:28:718 3848 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 82B17CC0

22:13:28:718 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B17CC0

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0x82B17CC0[0x38]

22:13:28:718 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82AF33F8

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0x82AF33F8[0xA8]

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0xE19E9420[0x208]

22:13:28:718 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor

22:13:28:718 3848 DetectCureTDL3: IrpHandler (0) addr: F88DA218

22:13:28:718 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (2) addr: F88DA218

22:13:28:718 3848 DetectCureTDL3: IrpHandler (3) addr: F88DA23C

22:13:28:718 3848 DetectCureTDL3: IrpHandler (4) addr: F88DA23C

22:13:28:718 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (9) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (14) addr: F88DA180

22:13:28:718 3848 DetectCureTDL3: IrpHandler (15) addr: F88D59E6

22:13:28:718 3848 DetectCureTDL3: IrpHandler (16) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (22) addr: F88D95F0

22:13:28:718 3848 DetectCureTDL3: IrpHandler (23) addr: F88D7A6E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0xF88D6F26[0x400]

22:13:28:718 3848 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0

22:13:28:718 3848 TDL3_FileDetect: Processing driver: usbstor

22:13:28:718 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\tsk_usbstor.sys

22:13:28:718 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys

22:13:28:718 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys

22:13:28:718 3848 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 82FCDC68

22:13:28:718 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82FCDC68

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0x82FCDC68[0x38]

22:13:28:718 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82F928A0

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0x82F928A0[0xA8]

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0xE100D210[0x208]

22:13:28:718 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

22:13:28:718 3848 DetectCureTDL3: IrpHandler (0) addr: F853BBB0

22:13:28:718 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (2) addr: F853BBB0

22:13:28:718 3848 DetectCureTDL3: IrpHandler (3) addr: F8535D1F

22:13:28:718 3848 DetectCureTDL3: IrpHandler (4) addr: F8535D1F

22:13:28:718 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (9) addr: F85362E2

22:13:28:718 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (14) addr: F85363BB

22:13:28:718 3848 DetectCureTDL3: IrpHandler (15) addr: F8539F28

22:13:28:718 3848 DetectCureTDL3: IrpHandler (16) addr: F85362E2

22:13:28:718 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (22) addr: F8537C82

22:13:28:718 3848 DetectCureTDL3: IrpHandler (23) addr: F853C99E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

22:13:28:718 3848 KLMD_ReadMem: DeviceIoControl error 1

22:13:28:718 3848 TDL3_StartIoHookDetect: Unable to get StartIo handler code

22:13:28:718 3848 TDL3_FileDetect: Processing driver: Disk

22:13:28:718 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

22:13:28:718 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

22:13:28:718 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

22:13:28:718 3848 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 82FCF9F0

22:13:28:718 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82FCF9F0

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0x82FCF9F0[0x38]

22:13:28:718 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82F928A0

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0x82F928A0[0xA8]

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0xE100D210[0x208]

22:13:28:718 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

22:13:28:718 3848 DetectCureTDL3: IrpHandler (0) addr: F853BBB0

22:13:28:718 3848 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (2) addr: F853BBB0

22:13:28:718 3848 DetectCureTDL3: IrpHandler (3) addr: F8535D1F

22:13:28:718 3848 DetectCureTDL3: IrpHandler (4) addr: F8535D1F

22:13:28:718 3848 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (9) addr: F85362E2

22:13:28:718 3848 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (14) addr: F85363BB

22:13:28:718 3848 DetectCureTDL3: IrpHandler (15) addr: F8539F28

22:13:28:718 3848 DetectCureTDL3: IrpHandler (16) addr: F85362E2

22:13:28:718 3848 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (22) addr: F8537C82

22:13:28:718 3848 DetectCureTDL3: IrpHandler (23) addr: F853C99E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

22:13:28:718 3848 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

22:13:28:718 3848 KLMD_ReadMem: DeviceIoControl error 1

22:13:28:718 3848 TDL3_StartIoHookDetect: Unable to get StartIo handler code

22:13:28:718 3848 TDL3_FileDetect: Processing driver: Disk

22:13:28:718 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

22:13:28:718 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

22:13:28:718 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

22:13:28:718 3848 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 82F99030

22:13:28:718 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F99030

22:13:28:718 3848 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 82FCF3B8

22:13:28:718 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82FCF3B8

22:13:28:718 3848 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 82FCED98

22:13:28:718 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82FCED98

22:13:28:718 3848 KLMD_ReadMem: Trying to ReadMemory 0x82FCED98[0x38]

22:13:28:734 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82FDFC28

22:13:28:734 3848 KLMD_ReadMem: Trying to ReadMemory 0x82FDFC28[0xA8]

22:13:28:734 3848 KLMD_ReadMem: Trying to ReadMemory 0xE101BAF0[0x208]

22:13:28:734 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi

22:13:28:734 3848 DetectCureTDL3: IrpHandler (0) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (1) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (2) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (3) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (4) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (5) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (6) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (7) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (8) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (9) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (10) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (11) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (12) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (13) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (14) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (15) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (16) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (17) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (18) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (19) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (20) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (21) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (22) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (23) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (24) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (25) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: IrpHandler (26) addr: F8467B3A

22:13:28:734 3848 DetectCureTDL3: All IRP handlers pointed to one addr: F8467B3A

22:13:28:734 3848 KLMD_ReadMem: Trying to ReadMemory 0xF8467B3A[0x400]

22:13:28:734 3848 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr

22:13:28:734 3848 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]

22:13:28:734 3848 KLMD_ReadMem: Trying to ReadMemory 0x82FDF5F4[0x4]

22:13:28:734 3848 TDL3_IrpHookDetect: New IrpHandler addr: 82F7FF61

22:13:28:734 3848 KLMD_ReadMem: Trying to ReadMemory 0x82F7FF61[0x400]

22:13:28:734 3848 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120

22:13:28:734 3848 Driver "atapi" Irp handler infected by TDSS rootkit ... 22:13:28:734 3848 KLMD_WriteMem: Trying to WriteMemory 0x82F7FFE7[0xD]

22:13:28:734 3848 cured

22:13:28:734 3848 KLMD_ReadMem: Trying to ReadMemory 0xF8465864[0x400]

22:13:28:734 3848 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0

22:13:28:734 3848 TDL3_FileDetect: Processing driver: atapi

22:13:28:734 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys

22:13:28:734 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys

22:13:28:734 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys

22:13:28:765 3848 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 22:13:28:765 3848 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys

22:13:28:765 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys

22:13:28:765 3848 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_atapi.sys

22:13:28:812 3848 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)

22:13:28:812 3848 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_atapi.sys, C:\WINDOWS\system32\drivers\atapi.sys) success

22:13:28:812 3848 will be cured on next reboot

22:13:28:812 3848 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 82F90030

22:13:28:812 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F90030

22:13:28:812 3848 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 82FDF198

22:13:28:812 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82FDF198

22:13:28:812 3848 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 82F90D98

22:13:28:812 3848 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F90D98

22:13:28:812 3848 KLMD_ReadMem: Trying to ReadMemory 0x82F90D98[0x38]

22:13:28:812 3848 DetectCureTDL3: DRIVER_OBJECT addr: 82FDFC28

22:13:28:812 3848 KLMD_ReadMem: Trying to ReadMemory 0x82FDFC28[0xA8]

22:13:28:812 3848 KLMD_ReadMem: Trying to ReadMemory 0xE101BAF0[0x208]

22:13:28:812 3848 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi

22:13:28:812 3848 DetectCureTDL3: IrpHandler (0) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (1) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (2) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (3) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (4) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (5) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (6) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (7) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (8) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (9) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (10) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (11) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (12) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (13) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (14) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (15) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (16) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (17) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (18) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (19) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (20) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (21) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (22) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (23) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (24) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (25) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: IrpHandler (26) addr: F8467B3A

22:13:28:812 3848 DetectCureTDL3: All IRP handlers pointed to one addr: F8467B3A

22:13:28:812 3848 KLMD_ReadMem: Trying to ReadMemory 0xF8467B3A[0x400]

22:13:28:812 3848 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr

22:13:28:812 3848 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]

22:13:28:812 3848 KLMD_ReadMem: Trying to ReadMemory 0x82FDF5F4[0x4]

22:13:28:812 3848 TDL3_IrpHookDetect: New IrpHandler addr: 82F7FF61

22:13:28:812 3848 KLMD_ReadMem: Trying to ReadMemory 0x82F7FF61[0x400]

22:13:28:812 3848 TDL3_IrpHookDetect: TDL3 is already cured

22:13:28:812 3848 KLMD_ReadMem: Trying to ReadMemory 0xF8465864[0x400]

22:13:28:812 3848 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0

22:13:28:812 3848 TDL3_FileDetect: Processing driver: atapi

22:13:28:812 3848 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\tsk_atapi.sys, C:\WINDOWS\system32\Drivers\tsk_tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_tsk_atapi.sys

22:13:28:812 3848 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk_atapi.sys

22:13:28:812 3848 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk_atapi.sys

22:13:28:812 3848

Completed

Results:

22:13:28:812 3848 Infected objects in memory: 1

22:13:28:812 3848 Cured objects in memory: 1

22:13:28:812 3848 Infected objects on disk: 1

22:13:28:812 3848 Objects on disk cured on reboot: 1

22:13:28:812 3848 Objects on disk deleted on reboot: 0

22:13:28:812 3848 Registry nodes deleted on reboot: 0

22:13:28:828 3848

OTL.txt:

OTL logfile created on: 12/9/2009 10:47:00 PM - Run 1

OTL by OldTimer - Version 3.1.14.0 Folder = C:\Documents and Settings\Olijnyk\Desktop\OTL

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 196.08 Mb Available Physical Memory | 38.33% Memory free

1.22 Gb Paging File | 0.96 Gb Available in Paging File | 78.75% Paging File free

Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.04 Gb Total Space | 39.80 Gb Free Space | 26.71% Space Free | Partition Type: NTFS

Drive D: | 19.01 Gb Total Space | 16.28 Gb Free Space | 85.62% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: KOMPUTOR

Current User Name: Olijnyk

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/09 22:03:06 | 00,537,600 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Olijnyk\Desktop\OTL\OTL.exe

PRC - [2009/11/25 13:05:17 | 02,029,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe

PRC - [2009/11/24 17:01:39 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe

PRC - [2009/08/17 23:58:12 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe

PRC - [2009/08/17 23:58:11 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe

PRC - [2009/08/17 23:58:08 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe

PRC - [2009/08/17 23:58:05 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe

PRC - [2009/08/17 23:57:45 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe

PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2006/06/29 16:54:23 | 00,187,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamSvc.exe

PRC - [2005/09/30 18:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe

PRC - [2003/05/14 08:40:58 | 00,040,960 | ---- | M] () -- C:\WINDOWS\shicoxp.exe

PRC - [2003/02/17 16:25:16 | 00,053,248 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe

PRC - [1999/12/13 00:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE

========== Modules (SafeList) ==========

MOD - [2009/12/09 22:03:06 | 00,537,600 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Olijnyk\Desktop\OTL\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 17:01:39 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2009/11/06 09:18:50 | 00,051,168 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®

SRV - [2009/08/17 23:58:05 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)

SRV - [2009/08/17 23:57:45 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)

SRV - [2006/06/29 16:54:23 | 00,187,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamSvc.exe -- (MSCamSvc)

SRV - [2005/09/30 18:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)

SRV - [2003/09/12 20:10:00 | 00,114,688 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)

SRV - [2003/09/12 07:33:38 | 00,376,832 | ---- | M] () -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)

SRV - [1999/12/13 00:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)

========== Driver Services (SafeList) ==========

DRV - [2009/12/09 22:13:28 | 00,096,512 | ---- | M] () -- C:\WINDOWS\system32\Drivers\tsk_atapi.sys -- (atapi)

DRV - [2009/08/17 23:58:11 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)

DRV - [2009/08/17 23:58:11 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)

DRV - [2009/06/23 21:56:38 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)

DRV - [2009/06/18 13:19:11 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)

DRV - [2008/07/09 04:05:48 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)

DRV - [2008/04/13 11:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)

DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 11:40:50 | 00,149,376 | ---- | M] (M-Systems) -- C:\WINDOWS\system32\DRIVERS\tffsport.sys -- (tffsport)

DRV - [2007/11/13 01:47:45 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)

DRV - [2006/06/29 16:42:59 | 01,965,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)

DRV - [2006/04/26 14:46:20 | 00,428,064 | ---- | M] (AVerMedia TECHNOLOGIES, Inc.) -- C:\WINDOWS\system32\drivers\Cap7134.sys -- (Cap7134)

DRV - [2005/06/10 08:39:20 | 01,694,592 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\sbusb.sys -- (sbusb)

DRV - [2005/04/20 08:44:08 | 00,138,752 | R--- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)

DRV - [2005/04/20 08:44:06 | 00,106,496 | R--- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)

DRV - [2005/03/24 16:21:22 | 00,038,937 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\system32\drivers\Capt905c.sys -- (SQTECH905C)

DRV - [2004/12/16 12:36:30 | 00,042,496 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5bv.sys -- (FETND5BV)

DRV - [2004/08/03 22:29:26 | 00,701,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2003/12/05 03:46:36 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)

DRV - [2003/07/16 13:58:30 | 00,013,056 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\drivers\cdrbsvsd.sys -- (cdrbsvsd)

DRV - [2003/03/05 11:19:28 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\pfmodnt.sys -- (PfModNT)

DRV - [2002/08/29 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)

DRV - [2002/07/17 09:05:10 | 00,016,512 | ---- | M] (Adaptec) -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI)

DRV - [2002/02/01 09:29:36 | 00,015,300 | ---- | M] (CANON INC.) -- C:\BJPrinter\CNMWINDOWS\Canon i450 Installer\Inst2\cnmpar21.sys -- (cnmpar21)

DRV - [2001/08/17 12:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)

DRV - [2001/08/17 06:28:02 | 00,907,456 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/ukrainian/index.shtml

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://news.bbc.co.uk/sport"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.18

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/29 15:00:23 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/24 16:51:06 | 00,000,000 | ---D | M]

[2009/07/31 08:53:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\Mozilla\Extensions

[2009/12/09 13:11:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\Mozilla\Firefox\Profiles\mo456j00.default\extensions

[2009/11/28 10:45:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\Mozilla\Firefox\Profiles\mo456j00.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

[2009/12/09 13:11:11 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (22 bytes) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)

O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [sbUsb AudCtrl] C:\WINDOWS\System32\sbusbdll.dll (Creative Technology Ltd)

O4 - HKLM..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe ()

O4 - HKLM..\Run: [updReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Plugin Control)

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15015/CTSUEng.cab (Creative Software AutoUpdate)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15021/CTPID.cab (Creative Software AutoUpdate Support Package)

O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.154.132.68 75.154.132.100

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/04/26 12:11:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{14df8d58-c6dd-11dd-a271-00112f6b10a8}\Shell\Shell00\Command - "" = K:\Start.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/09 22:13:28 | 00,016,904 | ---- | C] (Kaspersky Lab, Parshin Yury) -- C:\WINDOWS\System32\drivers\KLMD.sys

[2009/12/09 22:10:24 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2009/12/09 22:02:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\Desktop\Security Check

[2009/12/09 21:56:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\Desktop\OTL

[2009/12/09 21:55:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\Desktop\ERUNT

[2009/12/09 21:55:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\Desktop\TDSSKiller

[2009/12/09 20:38:17 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Olijnyk\Recent

[2009/12/03 00:12:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\Application Data\REAPER

[2009/12/03 00:11:51 | 00,000,000 | ---D | C] -- C:\Program Files\REAPER

[2009/11/29 00:53:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\My Documents\Squarepusher-Hello_Everything-2006-FWYH

[2009/11/29 00:53:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\My Documents\Squarepusher - Just A Souvenir

[2009/11/28 22:48:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\My Documents\Swervedriver-Raise-(Remastered)-2009-FNT

[2009/11/28 21:51:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\My Documents\Velvet Crush - In The Presence Of Greatness (1991)

[2009/11/28 20:10:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\My Documents\New Folder (2)

[2009/11/27 21:44:05 | 00,000,000 | ---D | C] -- C:\Program Files\RootRepeal

[2009/11/27 00:45:22 | 01,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Program Files\WinsockxpFix.exe

[2009/11/24 17:01:52 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2009/11/24 17:01:52 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2009/11/24 17:01:52 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2009/11/24 17:01:52 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2009/11/24 17:01:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee

[2009/11/24 16:50:02 | 00,000,000 | -HSD | C] -- C:\Config.Msi

[2009/11/24 16:47:01 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR

[2009/11/24 16:42:55 | 00,000,000 | ---D | C] -- C:\Program Files\NOS

[2009/11/24 16:42:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS

[2009/11/21 18:42:30 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll

[2009/11/21 15:12:24 | 00,000,000 | ---D | C] -- C:\Program Files\Sophos

[2009/11/19 13:21:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\Desktop\Stock Photography

[2009/11/19 00:47:52 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/11/18 18:44:41 | 00,068,168 | ---- | C] (jpshortstuff) -- C:\Program Files\GooredFix.exe

[2009/11/17 21:42:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Olijnyk\Desktop\Sept 2009

[2009/08/18 00:17:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/08/18 00:17:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2009/08/18 00:17:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2009/08/18 00:16:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2009/06/23 21:56:38 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Olijnyk\Application Data\pcouffin.sys

[2008/12/09 15:10:33 | 04,411,392 | ---- | C] (Gabest) -- C:\Program Files\mplayerc.exe

[2008/05/29 09:09:36 | 03,276,800 | ---- | C] (Nero AG) -- C:\Program Files\DiscSpeed.exe

[2006/05/26 11:48:58 | 00,059,392 | R--- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/09 22:45:39 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2009/12/09 22:45:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009/12/09 22:44:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2009/12/09 22:44:03 | 18,087,936 | ---- | M] () -- C:\Documents and Settings\Olijnyk\NTUSER.DAT

[2009/12/09 22:44:03 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Olijnyk\ntuser.ini

[2009/12/09 22:15:16 | 00,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\atapi.sys

[2009/12/09 22:13:28 | 00,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys

[2009/12/09 22:13:28 | 00,016,904 | ---- | M] (Kaspersky Lab, Parshin Yury) -- C:\WINDOWS\System32\drivers\KLMD.sys

[2009/12/09 20:27:41 | 00,204,288 | ---- | M] () -- C:\Documents and Settings\Olijnyk\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/12/09 11:19:14 | 46,405,649 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2009/12/09 11:19:14 | 00,122,177 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg

[2009/12/08 23:50:19 | 00,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2009/12/08 23:50:19 | 00,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2009/12/08 23:50:19 | 00,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2009/12/08 12:34:37 | 00,022,804 | ---- | M] () -- C:\Documents and Settings\Olijnyk\Desktop\Coumadin-e.pdf

[2009/12/06 18:11:56 | 00,115,224 | ---- | M] () -- C:\img2-001.raw

[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009/12/01 16:21:36 | 00,000,709 | ---- | M] () -- C:\WINDOWS\win.ini

[2009/11/27 00:45:24 | 01,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Program Files\WinsockxpFix.exe

[2009/11/26 11:45:40 | 00,035,262 | ---- | M] () -- C:\WINDOWS\SYSTEM.acl

[2009/11/24 20:24:34 | 00,087,608 | ---- | M] () -- C:\Documents and Settings\Olijnyk\Application Data\inst.exe

[2009/11/24 20:24:34 | 00,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\Olijnyk\Application Data\pcouffin.sys

[2009/11/24 20:24:34 | 00,007,887 | ---- | M] () -- C:\Documents and Settings\Olijnyk\Application Data\pcouffin.cat

[2009/11/24 20:24:34 | 00,001,144 | ---- | M] () -- C:\Documents and Settings\Olijnyk\Application Data\pcouffin.inf

[2009/11/24 17:01:39 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2009/11/24 17:01:39 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2009/11/24 17:01:39 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2009/11/24 17:01:39 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2009/11/24 17:01:38 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll

[2009/11/23 13:32:55 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

[2009/11/19 23:49:18 | 03,050,203 | ---- | M] () -- C:\Documents and Settings\Olijnyk\Desktop\TIO[1].pdf

[2009/11/18 18:44:42 | 00,068,168 | ---- | M] (jpshortstuff) -- C:\Program Files\GooredFix.exe

[2009/11/15 16:03:39 | 00,000,964 | ---- | M] () -- C:\Documents and Settings\Olijnyk\My Documents\Chukotka.rtf

[2009/11/14 16:01:51 | 00,000,882 | ---- | M] () -- C:\Documents and Settings\Olijnyk\Application Data\AutoGK.ini

[2009/11/13 12:50:29 | 00,000,156 | ---- | M] () -- C:\Documents and Settings\Olijnyk\Desktop\CBC.ca Member Centre.url

[2009/11/12 13:38:13 | 06,158,447 | ---- | M] () -- C:\Documents and Settings\Olijnyk\Desktop\AsideofIranwedontknow.pdf

[2009/11/11 21:21:47 | 00,003,560 | ---- | M] () -- C:\Documents and Settings\Olijnyk\My Documents\Cosmos.rtf

[2009/11/11 20:20:01 | 00,169,896 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/09 22:13:28 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys

[2009/12/08 12:34:37 | 00,022,804 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Desktop\Coumadin-e.pdf

[2009/11/26 11:45:40 | 00,035,262 | ---- | C] () -- C:\WINDOWS\SYSTEM.acl

[2009/11/19 23:49:18 | 03,050,203 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Desktop\TIO[1].pdf

[2009/11/15 15:56:31 | 00,000,964 | ---- | C] () -- C:\Documents and Settings\Olijnyk\My Documents\Chukotka.rtf

[2009/11/13 12:50:13 | 00,000,156 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Desktop\CBC.ca Member Centre.url

[2009/11/12 13:38:12 | 06,158,447 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Desktop\AsideofIranwedontknow.pdf

[2009/11/11 19:46:09 | 00,003,560 | ---- | C] () -- C:\Documents and Settings\Olijnyk\My Documents\Cosmos.rtf

[2009/10/19 10:49:24 | 00,118,000 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2009/08/18 11:17:41 | 00,003,289 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2009/08/04 08:31:15 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2009/06/29 18:36:29 | 00,003,082 | ---- | C] () -- C:\WINDOWS\System32\affv39738p1now.sys

[2009/06/23 21:57:24 | 00,001,044 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Application Data\vso_ts_preview.xml

[2009/06/23 21:56:57 | 00,000,055 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Application Data\pcouffin.log

[2009/06/23 21:56:38 | 00,087,608 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Application Data\inst.exe

[2009/06/23 21:56:38 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Application Data\pcouffin.cat

[2009/06/23 21:56:38 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Application Data\pcouffin.inf

[2008/09/19 10:53:18 | 00,000,170 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2008/07/02 15:18:49 | 03,293,184 | ---- | C] () -- C:\Program Files\QuEnc.exe

[2008/07/02 15:18:49 | 00,000,468 | ---- | C] () -- C:\Program Files\QuEnc070_diff.txt

[2008/06/26 23:29:47 | 02,387,480 | ---- | C] () -- C:\Program Files\SVGView.exe

[2008/06/19 19:08:51 | 01,391,616 | ---- | C] () -- C:\WINDOWS\System32\ActPDF.dll

[2008/06/19 19:08:51 | 00,880,640 | ---- | C] () -- C:\WINDOWS\System32\SaveTo.dll

[2008/05/29 17:35:34 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2008/05/29 17:35:34 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2008/05/12 18:53:16 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2008/05/12 18:50:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest

[2008/05/12 18:50:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest

[2008/05/12 18:50:08 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\divx_xx0a.dll

[2008/05/12 18:49:02 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll

[2008/03/14 14:33:56 | 00,000,067 | ---- | C] () -- C:\WINDOWS\DVDIdle.INI

[2007/12/17 14:30:20 | 00,007,168 | ---- | C] () -- C:\Program Files\driveinfo22.exe

[2007/06/28 14:41:02 | 00,000,149 | ---- | C] () -- C:\WINDOWS\mp3wavcon.ini

[2007/06/28 14:40:09 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll

[2007/03/17 20:51:13 | 00,000,067 | ---- | C] () -- C:\WINDOWS\DVDRegionFree.INI

[2007/03/04 19:30:09 | 00,008,192 | ---- | C] () -- C:\WINDOWS\System32\KBD1251U.DLL

[2007/01/23 15:03:48 | 00,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI

[2006/10/20 15:52:05 | 00,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2006/08/16 07:13:34 | 01,382,280 | ---- | C] () -- C:\WINDOWS\System32\fftw3.dll

[2006/08/14 09:12:27 | 00,000,077 | ---- | C] () -- C:\WINDOWS\huffyuv.ini

[2006/07/28 12:39:01 | 00,000,120 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Application Data\FixVTS.ini

[2006/07/13 18:21:01 | 00,000,067 | ---- | C] () -- C:\WINDOWS\DVDRegionFreeLite.INI

[2006/06/08 16:15:03 | 00,000,882 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Application Data\AutoGK.ini

[2006/05/26 11:48:58 | 00,012,043 | ---- | C] () -- C:\WINDOWS\System32\SBUSB.INI

[2006/04/27 03:19:01 | 00,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini

[2006/04/26 14:43:49 | 00,000,192 | ---- | C] () -- C:\WINDOWS\winamp.ini

[2006/04/26 14:21:34 | 00,108,032 | ---- | C] () -- C:\WINDOWS\System32\sh33w32.dll

[2006/04/26 14:12:15 | 00,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe

[2006/04/26 14:04:30 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI

[2006/04/26 14:03:21 | 00,000,072 | ---- | C] () -- C:\WINDOWS\SBWIN.INI

[2006/04/26 13:57:43 | 00,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2006/04/26 13:44:04 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS4w.DLL

[2006/04/26 13:41:31 | 00,204,288 | ---- | C] () -- C:\Documents and Settings\Olijnyk\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2006/04/26 13:14:52 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2004/09/17 16:37:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll

[2003/09/12 07:35:06 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

[2002/10/15 15:54:04 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

[2002/08/29 05:00:00 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys

[2000/07/22 15:49:46 | 00,431,104 | ---- | C] () -- C:\WINDOWS\System32\VFCodec.dll

[1997/07/10 23:00:00 | 00,031,232 | ---- | C] () -- C:\WINDOWS\System32\XLREC.DLL

[1997/07/10 23:00:00 | 00,025,600 | ---- | C] () -- C:\WINDOWS\System32\RECNCL.DLL

[1997/07/10 23:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL

[1997/07/10 23:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL

========== LOP Check ==========

[2007/04/25 14:46:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon

[2008/06/19 19:11:14 | 00,000,000 | RHSD | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/06/22 00:50:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\avidemux

[2009/08/18 13:00:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\Dr. DivX 2.0 OSS

[2009/06/22 00:55:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\gtk-2.0

[2009/11/29 16:19:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\ImgBurn

[2009/06/21 23:36:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\MuldeR

[2009/12/03 00:30:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\REAPER

[2006/07/28 12:42:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Olijnyk\Application Data\RipIt4Me

========== Purity Check ==========

< End of report >

checkup.txt:

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

AVG Free 8.5

``````````````````````````````

Anti-malware/Other Utilities Check:

Spybot - Search & Destroy

Sophos Anti-Rootkit 1.5.0

HijackThis 2.0.2

CCleaner

Java 6 Update 17

Adobe Flash Player 10

Adobe Reader 9.2

``````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

AVG avgemc.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

[Maurice Naggar]

Hello IOsif.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Iosif and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on Combo-Fix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt for review

There will be more to do afterwards.

[Iosif]

Hi Maurice,

Thanks for your reply.

I've followed your instructions and so here is the log from ComboFix.txt :

ComboFix 09-12-11.05 - Olijnyk 12/12/2009 12:54:06.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.198 [GMT -7:00]

Running from: c:\documents and settings\Olijnyk\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Olijnyk\Application Data\inst.exe

c:\windows\system32\config\systemprofile\Start Menu\Programs\Security Tool.lnk

c:\windows\system32\Data

.

((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))

.

2009-12-10 14:30 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2009-12-10 05:13 . 2009-12-10 05:13 96512 ----a-w- c:\windows\system32\drivers\tsk_atapi.sys

2009-12-10 05:13 . 2009-12-10 05:13 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys

2009-12-10 05:10 . 2009-12-10 05:11 -------- d-----w- c:\program files\ERUNT

2009-12-08 20:12 . 2009-12-08 20:12 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-03 07:12 . 2009-12-03 07:30 -------- d-----w- c:\documents and settings\Olijnyk\Application Data\REAPER

2009-12-03 07:11 . 2009-12-03 07:11 -------- d-----w- c:\program files\REAPER

2009-11-28 04:44 . 2009-11-28 04:44 -------- d-----w- c:\program files\RootRepeal

2009-11-27 07:45 . 2009-11-27 07:45 1445888 ----a-w- c:\program files\WinsockxpFix.exe

2009-11-21 22:12 . 2009-11-21 22:12 -------- d-----w- c:\program files\Sophos

2009-11-19 07:47 . 2009-11-19 07:47 -------- d-----w- c:\program files\Trend Micro

2009-11-19 01:44 . 2009-11-19 01:44 68168 ----a-w- c:\program files\GooredFix.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-12 02:31 . 2008-10-24 23:17 -------- d-----w- c:\documents and settings\Olijnyk\Application Data\Skype

2009-12-12 02:31 . 2008-10-24 23:19 -------- d-----w- c:\documents and settings\Olijnyk\Application Data\skypePM

2009-12-10 05:15 . 2002-08-29 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2009-12-08 20:12 . 2009-10-25 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-03 23:14 . 2009-10-25 18:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 23:13 . 2009-10-25 18:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 23:19 . 2007-02-14 01:01 -------- d-----w- c:\documents and settings\Olijnyk\Application Data\ImgBurn

2009-11-25 03:50 . 2008-02-18 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-11-25 03:24 . 2009-06-24 04:56 47360 ----a-w- c:\documents and settings\Olijnyk\Application Data\pcouffin.sys

2009-11-25 03:24 . 2009-06-24 04:56 47360 ----a-w- c:\documents and settings\Olijnyk\Application Data\pcouffin.sys

2009-11-25 03:21 . 2006-04-26 21:12 -------- d-----w- c:\program files\CyberLink DVD Solution

2009-11-25 03:17 . 2006-04-26 20:13 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-11-25 03:13 . 2006-06-14 01:13 -------- d-----w- c:\program files\Riva

2009-11-25 00:07 . 2006-04-26 21:29 -------- d-----w- c:\program files\Java

2009-11-25 00:01 . 2009-11-22 01:42 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-11-25 00:01 . 2009-11-25 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-11-25 00:01 . 2009-11-25 00:01 152576 ----a-w- c:\documents and settings\Olijnyk\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-24 23:51 . 2009-11-24 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-11-24 23:51 . 2006-04-26 21:05 -------- d-----w- c:\program files\Common Files\Adobe

2009-11-24 23:47 . 2009-11-24 23:47 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-11-24 23:43 . 2009-11-24 23:43 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2009-11-24 23:42 . 2009-11-24 23:42 -------- d-----w- c:\program files\NOS

2009-11-21 15:51 . 2002-08-29 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-20 21:46 . 2009-10-19 17:49 118000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-11-20 16:58 . 2009-06-22 07:49 -------- d-----w- c:\program files\Avidemux 2.4

2009-11-19 01:56 . 2006-04-26 20:39 -------- d-----w- c:\program files\CCleaner

2009-11-18 20:17 . 2009-10-25 18:34 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-18 17:59 . 2006-04-26 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-11-18 17:29 . 2008-06-03 02:37 -------- d-----w- c:\documents and settings\Olijnyk\Application Data\dvdcss

2009-11-17 05:16 . 2006-08-21 22:18 -------- d-----w- c:\program files\exPressit S.E. 2.1

2009-11-07 05:34 . 2007-10-15 05:10 -------- d-----w- c:\program files\QuickTime

2009-10-29 05:38 . 2002-08-29 12:00 667136 ----a-w- c:\windows\system32\wininet.dll

2009-10-25 18:52 . 2009-06-12 23:59 -------- d-----w- c:\program files\Citrix

2009-10-25 18:43 . 2009-10-25 18:43 -------- d-----w- c:\documents and settings\Olijnyk\Application Data\Malwarebytes

2009-10-25 18:43 . 2009-10-25 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys

2009-10-19 17:50 . 2008-05-31 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-10-17 16:05 . 2009-10-17 16:04 -------- d-----w- c:\program files\AVStoDVD

2009-10-17 16:05 . 2009-10-17 16:05 -------- d-----w- c:\program files\Haali

2009-10-13 10:30 . 2002-08-29 12:00 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2002-08-29 12:00 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2002-08-29 12:00 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-10 07:07 . 2009-11-24 23:47 38208 ----a-w- c:\documents and settings\Olijnyk\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-10-10 07:07 . 2009-11-24 23:47 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-09-25 05:37 . 2009-07-06 03:38 81920 ----a-w- c:\windows\system32\ieencode.dll

2008-11-16 01:16 . 2008-12-09 22:10 4411392 -c--a-w- c:\program files\mplayerc.exe

2008-06-27 06:29 . 2008-06-27 06:29 2387480 ----a-w- c:\program files\SVGView.exe

2008-04-24 17:25 . 2008-05-29 16:09 3276800 -c--a-w- c:\program files\DiscSpeed.exe

2007-12-17 21:30 . 2007-12-17 21:30 7168 ----a-w- c:\program files\driveinfo22.exe

2006-05-14 03:41 . 2008-07-02 22:18 468 -c--a-w- c:\program files\QuEnc070_diff.txt

2006-05-13 03:47 . 2008-07-02 22:18 3293184 ----a-w- c:\program files\QuEnc.exe

2004-03-11 19:27 . 2006-04-26 21:12 40960 ----a-w- c:\program files\Uninstall_CDS.exe

.

------- Sigcheck -------

[-] 2009-12-10 05:15 . A743167B9C03A788E553F61A02E9D83A . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSysVol"="c:\program files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe" [2003-02-17 53248]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"shicoxp"="c:\windows\shicoxp.exe" [2003-05-14 40960]

"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 128000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-18 06:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/31/2008 1:13 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/31/2008 1:13 PM 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 11:16 AM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 11:16 AM 297752]

R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [5/26/2006 11:48 AM 1694592]

S0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [8/29/2002 5:00 AM 149376]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [11/21/2006 4:38 PM 16512]

S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]

S3 BS_DEF;BS_DEF;\??\c:\windows\system32\drivers\BS_DEF.sys --> c:\windows\system32\drivers\BS_DEF.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bbc.co.uk/ukrainian/index.shtml

mWindow Title =

uInternet Connection Wizard,ShellNext = iexplore

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Olijnyk\Application Data\Mozilla\Firefox\Profiles\mo456j00.default\

FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/sport

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-12 12:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\7.tmp"

.

Completion time: 2009-12-12 13:01:11

ComboFix-quarantined-files.txt 2009-12-12 20:01

Pre-Run: 42,494,726,144 bytes free

Post-Run: 42,458,525,696 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 05C3E04BB52863C43044BBBF192BCB59

[Maurice Naggar]

Step 1

Start NOTEPAD and then copy and paste the codebox lines below into it.

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.

@echo off
c:\windows\$NtServicePackUninstall$\eventlog.dll c:\

Double-click on fixes.bat file to run it.

Step 2

Next, Download The Avenger by Swandog46 from here.

• Unzip/extract it to a folder on your desktop.
  
• Double click on avenger.exe to run The Avenger.
  
• Click OK.
  
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  

  Files to move:
  C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

  
  

• In the avenger window, click the Paste Script from Clipboard icon, button.
  
• Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  
• Click the Execute button.
  
• You will be asked Are you sure you want to execute the current script?.
  
• Click Yes.
  
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  
• Click Yes.
  
• Your PC will now be rebooted.
  
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
  

Step 3

De-install the current version of AVG and if you wish to stay with AVG AV, get & install the latest version.

Follow the directions in this AVG forum article http://forums.avg.com/us-en/avg-free-forum...show&id=791

Logoff and restart fresh once that is done.

Step 4

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 3355 and the latest program version is 1.42.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 5

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

• Trend Micro Damage Cleanup Engine
  
• Make sure you read this document to understand how to use the program.
  Trend Micro Sysclean Package README 1st
  
• Basically there are 3 parts that need to be downloaded and SAVED from these links:
  
  • Download Sysclean Package
    
  • Download Virus Pattern Files that will be a LPTxxx.ZIP file
    
  • Download Spyware Pattern Files this is a SSAPIPTNxxx.ZIP
    It is the 4th listed file, under title "Detection and Cleanup (Trend Micro Anti-Spyware) – Ssapiptn.Da5"
    

• Create a brand new folder to copy these files to.
  
• As an example: C:\DCE
  
• Then open each of the zipped archive files and copy their contents to C:\DCE
  
• Copy the file sysclean.com to the new folder C:\DCE as well.
  
• Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
  After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
  

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

Reply with copy of C:\Avenger.txt

the latest MBAM scan log

the SYSCLEAN log

and tell me, How is your system now ?

[Iosif]

Maurice,

I'm stuck at step one.

When I double-click the fixes.bat to run it a window pops up saying

"You are attempting to open a file of type "Application Extension" (.dll) These files are used by the operating system and by various programs. Editing or modifying them could damage your system. If you still want to open the file, click Open With, otherwise, click Cancel."

What to do?

[Maurice Naggar]

Here's another way to run fixes.bat by doing it from within a command prompt window.

From Start menu, select RUN then type in

CMD

Next, type or Copy into the window

c:\documents and settings\Olijnyk\Desktop\fixes.bat

and press Enter-key

That should begin execution of fixes.bat (whose intent is to copy 1 DLL file)

After that is done, proceed with Step 2 and the others.

[Iosif]

Unfortunately the execution of fixes.bat is still a no-go!

When I follow the instructions and try to run fixes.bat via the command prompt window, I still get the same response:

"You are attempting to open a file of type "Application Extension" (.dll) These files are used by the operating system and by various programs. Editing or modifying them could damage your system. If you still want to open the file, click Open With, otherwise, click Cancel."

When I click on open with... I get a window saying

"Windows cannot open this file:

File: eventlog.dll

To open this file windows needs to know what program created it..."

???

[Maurice Naggar]

My apologies, as the case is I put an incomplete instruction in step #1.

Please use the following as Step 1:

Start NOTEPAD and then copy and paste the codebox lines below into it.

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.

@echo off
copy c:\windows\$NtServicePackUninstall$\eventlog.dll c:\

You'll need to reply Yes to overwrite the prior version of fixes.bat, when prompted in NOTEPAD.

Double-click on fixes.bat file to run it.

Then, do Steps 2 thru 5 from my earlier reply.

[Iosif]

Ok, steps 1-5 completed and here are the logs. Everything seems to work as it ought to in the system and the search result redirects don't seem to be occuring anymore...

Avenger.txt:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

MBAM scan log:

Malwarebytes' Anti-Malware 1.42

Database version: 3362

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

12/14/2009 8:29:35 PM

mbam-log-2009-12-14 (20-29-35).txt

Scan type: Quick Scan

Objects scanned: 101061

Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

SYSCLEAN log:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-12-14, 20:35:16, Auto-clean mode specified.

2009-12-14, 20:35:17, Initialized Rootkit Driver version 2.2.0.1004.

2009-12-14, 20:35:17, Running scanner "C:\DCE\TSC.BIN"...

2009-12-14, 20:35:30, Scanner "C:\DCE\TSC.BIN" has finished running.

2009-12-14, 20:35:30, TSC Log:

[Maurice Naggar]

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( you had named it combo-fix ), put that name in the RUN box stated just below.

The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.

Note the space after x and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

• Click Start, then click Run.
  In the command box that opens, type or copy/paste combo-fix /u and then click OK.
  

• Please double-click OTL.exe to run it.
  
• Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.
  

• Delete the SYSCLEAN downloads and the C:\DCE folder, if present.
  
• The utility ERUNT you should keep, and use it periodically to backup the registry.
  
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
• Check in at Windows Update and install any Critical Updates offered.
  
• Download and Install Windows Defender by Microsoft (free) if you do not already have it:
  http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in WinXP:
  http://support.microsoft.com/kb/306525
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  Kaspersky Webscan Online Virus Scanner
  ESET Online Scanner
  Panda ActiveScan
  Trend Micro Housecall
  F-Secure Online Scanner
  
• Read Tony Klein's article How Did I Get Infected In The First Place
  
• Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
  

We are finished here. Best regards.

[Iosif]

Hi Maurice,

Thanks for all the help and I am glad that all of your help led to a good outcome!

One problem, however: when I type combo-fix /u into the command box and click ok I get this message:

"Windows cannot find "combo-fix". Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

I don't understand this, as I haven't touched combo-fix since I saved it as "Combo-Fix.exe" to my Desktop...and I can see the file plain as day sitting on my Desktop... !?

Please advise so that I can get moving on this final cleanup and removal stage.

[Iosif]

Maurice,

I figured out how to get the command box to find and uninstall Combo-fix.

One question. I noticed a folder on C: called Qoobox that did not get deleted by the uninstall and it seems to contain Combo-fix-related files...Is it safe for me to simply delete the Qoobox folder? Are there any other remnants of Combo-fix that I ought to looking for to delete?

Thanks in advance,

[Iosif]

Sorry Maurice,

I've noticed, now that I've done the OTL cleanup that my previous question was a dumb one...

Shall finish removing SYSCLEAN etc. and hopefully all will be done and fine...

[Maurice Naggar]

OTL Cleanup does remove all of Combofix files & folders (if any were left around). OTL Cleanup also removes most other tools used.

[Maurice Naggar]

This is resolved, and topic now closed. The methods & procedures used here were only for this particular system, and no other. If you are having similar issues, please open a new topic.