
Malwarebytes won't run, here's my log


Malello


Hi Folks,

Please, I need your help!

Here it is, I've got some malware on my other laptop. I cannot connect to the internet, Norton 360 is blocked and my attempts to add software to combat the issue have been fruitless. I got Malwarebytes to install by changing the name, but I cannot get it to run.

Here is my Hijack Log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:09:39 PM, on 12/19/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\User 1\Desktop\HiJackThis.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Gone\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210922474672

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240024110815

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe

O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe

O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: WLANKEEPER - Intel


If you can't download from this pc, use another system to do downloads, and then burn to CD/DVD or place on clean/unused USB flash drive.

You may opt to reboot/Restart system. Tap & re-tap F8, then select Safe Mode with Networking if Normal Windows mode is not usable.

Step 1

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 2

Download and Save to the DESKTOP Win32kDiag from any of the following locations and save it to your Desktop.

Click on Start button. Select Run, and copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 3

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Step 4

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Step 5

Reply with copy of Win32kdiag.txt

Gmer.txt

Log.txt

Info.txt

Do NOT use the attachment option to place logs. For each log, Copy & Paste into the main body of reply box.

As we do not work malware removals in the General forum, I will be moving your topic to the Malware removal sub-forum.


I've attached (#1) the Gmer, as it would not allow me to reply.

Here is (#2) the Log,....

Logfile of random's system information tool 1.06 (written by random/random)

Run by Joel at 2009-12-19 19:53:42

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 46 GB (81%) free of 57 GB

Total RAM: 1262 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:53:45 PM, on 12/19/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Documents and Settings\Joel\Desktop\gr.exe

C:\Documents and Settings\Joel\Desktop\RT.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Documents and Settings\Joel\Desktop\Joel.exe

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210922474672

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240024110815

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe

O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe

O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: WLANKEEPER - Intel

Gmer.txt

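The two HijackThis logs above differ mainly in boot mode, in the binaries launched from the Desktop (the user's renamed scanners) and in the RunOnce key that was consumed on the Normal-mode boot. As an added example, not from the forum or from the HijackThis tool, this Python script parses HijackThis v2 logs, diffs two scans of the same machine and lists the lines an analyst would review first; the embedded log excerpts are constructed from the posted logs and trimmed to a few lines.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpts of the two HijackThis logs posted above (Safe mode first,
# Normal mode second), trimmed so the example runs offline.
SAFE_MODE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:39 PM, on 12/19/2009
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User 1\Desktop\HiJackThis.exe

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Gone\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
"""

NORMAL_MODE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:45 PM, on 12/19/2009
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Documents and Settings\Joel\Desktop\gr.exe
C:\Documents and Settings\Joel\Desktop\RT.exe
C:\Documents and Settings\Joel\Desktop\Joel.exe

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
"""

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")          # a running-process line is a bare path
ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")     # "O4 - ..." / "R1 - ..." entries
# Folders where user-launched tools (or droppers) live, as opposed to system code
USER_WRITABLE_RE = re.compile(r"\\(Desktop|Local Settings\\Temp|Application Data)\\", re.I)


@dataclass
class HjtLog:
    boot_mode: str = ""
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)   # (section, body) tuples


def parse_hjt(text: str) -> HjtLog:
    """Parse a HijackThis v2 log into boot mode, running processes and O/R entries."""
    log = HjtLog()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Boot mode:"):
            log.boot_mode = line.split(":", 1)[1].strip()
        elif PROCESS_RE.match(line):
            log.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                log.entries.append((m.group(1), m.group(2)))
    return log


def diff_logs(before: HjtLog, after: HjtLog) -> dict:
    """Set difference of processes and entries between two scans of the same box."""
    return {
        "processes_added": sorted(set(after.processes) - set(before.processes)),
        "processes_removed": sorted(set(before.processes) - set(after.processes)),
        "entries_added": sorted(set(after.entries) - set(before.entries)),
        "entries_removed": sorted(set(before.entries) - set(after.entries)),
    }


def review_points(log: HjtLog) -> list:
    """Lines an analyst looks at first: code running from user-writable folders and
    RunOnce keys (one-shot autostarts). These are leads, not verdicts; in the logs
    above the Desktop binaries are the user's own renamed scanners."""
    points = []
    for proc in log.processes:
        if USER_WRITABLE_RE.search(proc):
            points.append(("process in user-writable folder", proc))
    for section, body in log.entries:
        if section == "O4" and "RunOnce" in body:
            points.append(("RunOnce autostart", body))
        elif USER_WRITABLE_RE.search(body):
            points.append(("autostart from user-writable folder", body))
    return points


if __name__ == "__main__":
    safe, normal = parse_hjt(SAFE_MODE_LOG), parse_hjt(NORMAL_MODE_LOG)
    for key, lines in diff_logs(safe, normal).items():
        print(key, lines)
    for reason, line in review_points(normal):
        print(f"[{reason}] {line}")
```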

Here is (#3) the info,...

info.txt logfile of random's system information tool 1.06 2009-12-19 19:53:46

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Alt-Tab Task Switcher Powertoy for Windows XP-->MsiExec.exe /I{A7050037-F0EA-4BAB-BCD5-FC05507D6147}

Broadcom 440x 10/100 Integrated Controller-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033

Broadcom Management Programs-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2A6282FF-B75B-463F-90F5-0A43732F690D} /l1033

C-Major Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly

Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"

Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}

GearDrvs-->MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}

GearDrvs-->MsiExec.exe /I{CB84F0F2-927B-458D-9DC5-87832E3DC653}

HijackThis 2.0.2-->"C:\Documents and Settings\Joel\Desktop\HijackThis.exe" /uninstall

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""

Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"

Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"

Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582

Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe

Malwarebytes' Anti-Malware-->"C:\Program Files\Gone\unins000.exe"

mCore-->MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}

mDriver-->MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}

mDrWiFi-->MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}

mHlpDell-->MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}

Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}

Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}

Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}

Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"

Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}

mIWCA-->MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}

mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}

mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}

Mozilla Firefox (3.0.15)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}

mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}

mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}

mSSO-->MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}

MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}

mToolkit-->MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}

mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}

mXML-->MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}

mZConfig-->MsiExec.exe /I{7CD7A451-7224-49C8-95EF-9A1859C66607}

Norton 360-->C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360\562C4DD5\3.5.2.11\InstStub.exe /X

Norton PC Checkup-->C:\Program Files\NortonInstaller\{170fa89a-6886-4c9e-b17b-12bccdd80788}\NortonPCCheckup\LicenseType\2.0.2.506\InstStub.exe /X

RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"

Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf

Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"

Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"

Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"

Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"

Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall

Texas Instruments PCIxx20 drivers.-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6F30B469-5ED7-4734-8252-B9BC962A2AB3} /l1033

Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""

Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINDOWS\ie8updates\KB968220-IE8\spuninst\spuninst.exe"

Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"

Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"

Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"

Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"

Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"

Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"

Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"

Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"

Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"

Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"

Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"

Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT

Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"

Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab [2009-12-19]

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab [2009-12-19]

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) [2009-12-19]

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-12-19]

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-12-19]

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-12-19]

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-12-19]

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2009-12-19]

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2009-12-19]

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab [2009-12-19]

======Security center information======

AV: Norton 360

FW: Norton 360

======System event log======

Computer Name: 700M

Event Code: 11

Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 31935

Source Name: Disk

Time Written: 20091219071105.000000-300

Event Type: error

User:

Computer Name: 700M

Event Code: 11

Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 31934

Source Name: Disk

Time Written: 20091219071105.000000-300

Event Type: error

User:

Computer Name: 700M

Event Code: 11

Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 31933

Source Name: Disk

Time Written: 20091219071104.000000-300

Event Type: error

User:

Computer Name: 700M

Event Code: 11

Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 31932

Source Name: Disk

Time Written: 20091219071104.000000-300

Event Type: error

User:

Computer Name: 700M

Event Code: 11

Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 31931

Source Name: Disk

Time Written: 20091219071104.000000-300

Event Type: error

User:

=====Application event log=====

Computer Name: 700M

Event Code: 4356

Message: The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 8007041F.

Record Number: 8570

Source Name: EventSystem

Time Written: 20090308172912.000000-300

Event Type: warning

User:

Computer Name: 700M

Event Code: 4353

Message: The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Record Number: 8416

Source Name: EventSystem

Time Written: 20090304205254.000000-300

Event Type: warning

User:

Computer Name: 700M

Event Code: 4356

Message: The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 8007041F.

Record Number: 8415

Source Name: EventSystem

Time Written: 20090304205254.000000-300

Event Type: warning

User:

Computer Name: 700M

Event Code: 1002

Message: Hanging application iexplore.exe, version 7.0.6000.16791, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 8392

Source Name: Application Hang

Time Written: 20090302214956.000000-300

Event Type: error

User:

Computer Name: 700M

Event Code: 1002

Message: Hanging application iexplore.exe, version 7.0.6000.16791, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 8353

Source Name: Application Hang

Time Written: 20090302171707.000000-300

Event Type: error

User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 6, GenuineIntel

"PROCESSOR_REVISION"=0d06

"NUMBER_OF_PROCESSORS"=1

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


As much as possible, continue to run the following tools in Normal mode.

If and only IF Normal Windows mode is not usable, Tap & re-tap F8 function when you restart the pc, then select Safe Mode with Networking.

This system has a rootkit infection. The following procedure is intended to remove it.

For the duration and while we are still trying to remove malwares, do NOT surf the internet. Only go to this forum and just the sites I guide you to for removal tools.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Malello and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Step 1

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Drivers to disable:
    H8SRTd
    H8SRTd.sys

    Drivers to delete:
    H8SRTd
    H8SRTd.sys
    pxtdapoc

    Files to delete:
    C:\WINDOWS\system32\drivers\H8SRTwqqftavhel.sys
    C:\Documents and Settings\Joel\Local Settings\Temp\H8SRT9bd6.tmp
    C:\WINDOWS\system32\H8SRTbcrsswviju.dll
    C:\WINDOWS\system32\H8SRTexturrvkop.dll
    C:\WINDOWS\system32\H8SRTsppxrcdxum.dat
    C:\WINDOWS\system32\krl32mainweq.dll
    C:\Documents and Settings\Joel\Local Settings\Temp\richtx64.exe
    C:\Documents and Settings\Joel\Local Settings\Temp\pxtdapoc.sys

    Registry keys to delete:
    HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
    HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Step 2

Download this file & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller:

----

Start NOTEPAD and copy/paste the text in the quotebox below into it:

@ECHO OFF
REM Run TDSSKiller in the foreground and wait for it; -l names the log file, -v asks for verbose output
START /WAIT TDSSKILLER.exe -l Logit.txt -v
REM Open the log in the default text viewer once the scan has finished
START Logit.txt
REM Remove this batch file after use (%0 is the path of the running script)
del %0

Save this as fix.bat Choose to "Save type as - All Files"


Double click on fix.bat & allow it to run.

Please post back with the result.

Step 3

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 3396 and the latest program version is 1.42.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with copy of C:\Avenger.txt

Logit.txt

the latest MBAM scan log

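The verbose TDSSKiller log requested in Step 2 records two checks that are worth understanding before reading the result. For NtEnumerateKey it prints the address found in the live service table ("real addr") next to the one it computes by mapping ntoskrnl.exe from disk and adding the offset to the logged kernel base ("calc addr"); a TDL3-family rootkit that redirected that table entry into its own code would make the two differ. For each storage driver's DRIVER_OBJECT it then prints the address of every IRP major-function handler; on a clean system each entry is either the kernel's shared default routine (the address that repeats across every driver) or a routine inside the driver's own image, so a handler pointing into pool memory far from the rest of the driver is the signature of a redirected dispatch table. The script below is an added example written for this thread, not TDSSKiller's code or anything posted by Maurice or Malello: it parses lines in that log format and flags both patterns. The kernel-base, NtEnumerateKey and \Driver\Disk lines in the sample follow the shape of the log in this thread (abridged); the NtQueryDirectoryFile pair, the \Driver\atapi block and the thresholds KERNEL_SPAN and DRIVER_SPAN are constructed assumptions for illustration.

```python
import re
import statistics

# Assumed thresholds (not TDSSKiller's): anything within KERNEL_SPAN bytes above the
# logged ntoskrnl base is treated as kernel code, and one driver's own dispatch
# routines are expected to lie within DRIVER_SPAN bytes of each other.
KERNEL_SPAN = 0x200000
DRIVER_SPAN = 0x100000

KERNEL_BASE_RE = re.compile(r"Kernel module file name: .*?, base addr: ([0-9A-Fa-f]+)")
SDT_RE = re.compile(r"UnhookRegistry: (\w+) (real|calc) addr: ([0-9A-Fa-f]+)")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\\Driver\\\w+), Driver Name: \w+")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")

# Constructed sample in TDSSKiller's verbose log format (see the lead-in for which
# lines mirror the real log and which are invented to show a redirected entry).
SAMPLE_LOG = r"""
18:0:29:655 2152 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
18:0:31:438 2152 UnhookRegistry: NtEnumerateKey real addr: 805735A4
18:0:31:438 2152 UnhookRegistry: NtEnumerateKey calc addr: 805735A4
18:0:31:439 2152 UnhookRegistry: NtQueryDirectoryFile real addr: 8A0D1C40
18:0:31:439 2152 UnhookRegistry: NtQueryDirectoryFile calc addr: 8057A0E2
18:0:31:448 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:0:31:448 2152 DetectCureTDL3: IrpHandler (0) addr: F765DBB0
18:0:31:448 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
18:0:31:448 2152 DetectCureTDL3: IrpHandler (2) addr: F765DBB0
18:0:31:448 2152 DetectCureTDL3: IrpHandler (3) addr: F7657D1F
18:0:31:448 2152 DetectCureTDL3: IrpHandler (4) addr: F7657D1F
18:0:31:448 2152 DetectCureTDL3: IrpHandler (9) addr: F76582E2
18:0:31:448 2152 DetectCureTDL3: IrpHandler (14) addr: F76583BB
18:0:31:448 2152 DetectCureTDL3: IrpHandler (15) addr: F765BF28
18:0:31:448 2152 DetectCureTDL3: IrpHandler (22) addr: F7659C82
18:0:31:448 2152 DetectCureTDL3: IrpHandler (23) addr: F765E99E
18:0:31:760 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
18:0:31:760 2152 DetectCureTDL3: IrpHandler (0) addr: F7A2C8E0
18:0:31:760 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
18:0:31:760 2152 DetectCureTDL3: IrpHandler (2) addr: F7A2C8E0
18:0:31:760 2152 DetectCureTDL3: IrpHandler (3) addr: F7A2C914
18:0:31:760 2152 DetectCureTDL3: IrpHandler (4) addr: F7A2C914
18:0:31:760 2152 DetectCureTDL3: IrpHandler (14) addr: 8A1F2B00
18:0:31:760 2152 DetectCureTDL3: IrpHandler (15) addr: 8A1F2B00
18:0:31:760 2152 DetectCureTDL3: IrpHandler (22) addr: F7A28B10
18:0:31:760 2152 DetectCureTDL3: IrpHandler (23) addr: F7A2DA40
"""


def parse_log(text):
    """Extract the kernel base, the SDT real/calc pairs and each driver's IRP table.
    A driver listed once per device object is merged into a single table."""
    kernel_base = None
    sdt = {}       # service name -> {"real": addr, "calc": addr}
    drivers = {}   # driver object name -> {irp major index: handler address}
    current = None
    for line in text.splitlines():
        if m := KERNEL_BASE_RE.search(line):
            kernel_base = int(m.group(1), 16)
        elif m := SDT_RE.search(line):
            sdt.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3), 16)
        elif m := DRIVER_RE.search(line):
            current = m.group(1)
            drivers.setdefault(current, {})
        elif (m := IRP_RE.search(line)) and current is not None:
            drivers[current][int(m.group(1))] = int(m.group(2), 16)
    return kernel_base, sdt, drivers


def find_hooks(text):
    """Return ("sdt", service, live_addr) for every service whose live table entry
    differs from the on-disk computation, and ("irp", driver, major, addr) for every
    dispatch entry that is neither kernel code nor near the driver's other handlers."""
    kernel_base, sdt, drivers = parse_log(text)
    findings = []
    for service, addrs in sdt.items():
        if "real" in addrs and "calc" in addrs and addrs["real"] != addrs["calc"]:
            findings.append(("sdt", service, addrs["real"]))

    def in_kernel(addr):
        return kernel_base is not None and kernel_base <= addr < kernel_base + KERNEL_SPAN

    for driver, table in drivers.items():
        own = [a for a in table.values() if not in_kernel(a)]
        if not own:
            continue
        anchor = statistics.median(own)  # the median survives a few redirected entries
        for major, addr in sorted(table.items()):
            if not in_kernel(addr) and abs(addr - anchor) > DRIVER_SPAN:
                findings.append(("irp", driver, major, addr))
    return findings


if __name__ == "__main__":
    for finding in find_hooks(SAMPLE_LOG):
        print(finding)
```

Run against a real Logit.txt the same way (read the file and pass its text to find_hooks); the two span constants are deliberately generous, so treat a hit as a reason to look at that driver, not as proof by itself, and note that this check sees only the service table and the dispatch table, not the inline "splicing" of the first bytes that TDSSKiller also reports.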

First off, thank you for taking your time to help Maurice! :D

Now, I've run Avenger as directed, upon the reboot the Avenger text came up and I have saved a copy. In addition to the text I have a pop up error message

In blue it says, "Windows - No Disk"

Underneath in grey it says, "Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b67c"

"cancel" button "Try Again" button "Continue" button

I have stopped here, waiting to hear back on what I should do. Should I click any of those options, close the box or leave the box open and ignore it?

Here is the Avenger text,...

Logfile of The Avenger Version 2.0,

Edited by Maurice Naggar
Edited to remove quote block on Avenger log

Hello,

Do what you must to restart the pc and restart Windows. Either CTRL+ALT+DEL or hardware-button restart or shutdown -wait a minute or so, then power up again. Let me know when you get to a clear normal desktop.

I'll be monitoring for your next reply.


I rebooted and the error message didn't come back.

Moved on to step 2

TDSSKiller Results

Infected objects in memory 0

Cured objects in memory 0

Infected objects on disk 0

Objects on disk cured on reboot 0

Objects on disk deleted on reboot 0

Registry node deleted on reboot 0

Here's the log that came up,...

18:0:28:964 2152 ForceUnloadDriver: NtUnloadDriver error 2

18:0:29:4 2152 ForceUnloadDriver: NtUnloadDriver error 2

18:0:29:4 2152 ForceUnloadDriver: NtUnloadDriver error 2

18:0:29:34 2152 main: Driver KLMD successfully dropped

18:0:29:485 2152 main: Driver KLMD successfully loaded

18:0:29:485 2152

Scanning Registry ...

18:0:29:485 2152 ScanServices: Searching service UACd.sys

18:0:29:485 2152 ScanServices: Open/Create key error 2

18:0:29:485 2152 ScanServices: Searching service TDSSserv.sys

18:0:29:485 2152 ScanServices: Open/Create key error 2

18:0:29:485 2152 ScanServices: Searching service gaopdxserv.sys

18:0:29:485 2152 ScanServices: Open/Create key error 2

18:0:29:495 2152 ScanServices: Searching service gxvxcserv.sys

18:0:29:495 2152 ScanServices: Open/Create key error 2

18:0:29:495 2152 ScanServices: Searching service MSIVXserv.sys

18:0:29:495 2152 ScanServices: Open/Create key error 2

18:0:29:655 2152 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000

18:0:29:655 2152 UnhookRegistry: Kernel local addr: A40000

18:0:29:675 2152 UnhookRegistry: KeServiceDescriptorTable addr: AC3220

18:0:31:347 2152 UnhookRegistry: KiServiceTable addr: A4B6A8

18:0:31:347 2152 UnhookRegistry: NtEnumerateKey service number (local): 47

18:0:31:347 2152 UnhookRegistry: NtEnumerateKey local addr: ADC5A4

18:0:31:438 2152 KLMD_OpenDevice: Trying to open KLMD device

18:0:31:438 2152 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey

18:0:31:438 2152 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey

18:0:31:438 2152 KLMD_ReadMem: Trying to ReadMemory 0x804DCC49[0x4]

18:0:31:438 2152 UnhookRegistry: NtEnumerateKey service number (kernel): 47

18:0:31:438 2152 KLMD_ReadMem: Trying to ReadMemory 0x804E27C4[0x4]

18:0:31:438 2152 UnhookRegistry: NtEnumerateKey real addr: 805735A4

18:0:31:438 2152 UnhookRegistry: NtEnumerateKey calc addr: 805735A4

18:0:31:438 2152 UnhookRegistry: No SDT hooks found on NtEnumerateKey

18:0:31:438 2152 KLMD_ReadMem: Trying to ReadMemory 0x805735A4[0xA]

18:0:31:438 2152 UnhookRegistry: No splicing found on NtEnumerateKey

18:0:31:448 2152

Scanning Kernel memory ...

18:0:31:448 2152 KLMD_OpenDevice: Trying to open KLMD device

18:0:31:448 2152 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk

18:0:31:448 2152 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

18:0:31:448 2152 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A10A910

18:0:31:448 2152 DetectCureTDL3: KLMD_GetDeviceObjectList returned 10 DevObjects

18:0:31:448 2152 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 885F6330

18:0:31:448 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885F6330

18:0:31:448 2152 KLMD_ReadMem: Trying to ReadMemory 0x885F6330[0x38]

18:0:31:448 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8A10A910

18:0:31:448 2152 KLMD_ReadMem: Trying to ReadMemory 0x8A10A910[0xA8]

18:0:31:448 2152 KLMD_ReadMem: Trying to ReadMemory 0xE17C2DA0[0x208]

18:0:31:448 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

18:0:31:448 2152 DetectCureTDL3: IrpHandler (0) addr: F765DBB0

18:0:31:448 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (2) addr: F765DBB0

18:0:31:448 2152 DetectCureTDL3: IrpHandler (3) addr: F7657D1F

18:0:31:448 2152 DetectCureTDL3: IrpHandler (4) addr: F7657D1F

18:0:31:448 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (9) addr: F76582E2

18:0:31:448 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (14) addr: F76583BB

18:0:31:448 2152 DetectCureTDL3: IrpHandler (15) addr: F765BF28

18:0:31:448 2152 DetectCureTDL3: IrpHandler (16) addr: F76582E2

18:0:31:448 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (22) addr: F7659C82

18:0:31:448 2152 DetectCureTDL3: IrpHandler (23) addr: F765E99E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:448 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:448 2152 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

18:0:31:448 2152 KLMD_ReadMem: DeviceIoControl error 1

18:0:31:448 2152 TDL3_StartIoHookDetect: Unable to get StartIo handler code

18:0:31:448 2152 TDL3_FileDetect: Processing driver: Disk

18:0:31:448 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

18:0:31:448 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

18:0:31:448 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

18:0:31:518 2152 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 885FC6A0

18:0:31:518 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885FC6A0

18:0:31:518 2152 KLMD_ReadMem: Trying to ReadMemory 0x885FC6A0[0x38]

18:0:31:518 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8A10A910

18:0:31:518 2152 KLMD_ReadMem: Trying to ReadMemory 0x8A10A910[0xA8]

18:0:31:528 2152 KLMD_ReadMem: Trying to ReadMemory 0xE17C2DA0[0x208]

18:0:31:528 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

18:0:31:528 2152 DetectCureTDL3: IrpHandler (0) addr: F765DBB0

18:0:31:528 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (2) addr: F765DBB0

18:0:31:528 2152 DetectCureTDL3: IrpHandler (3) addr: F7657D1F

18:0:31:528 2152 DetectCureTDL3: IrpHandler (4) addr: F7657D1F

18:0:31:528 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (9) addr: F76582E2

18:0:31:528 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (14) addr: F76583BB

18:0:31:528 2152 DetectCureTDL3: IrpHandler (15) addr: F765BF28

18:0:31:528 2152 DetectCureTDL3: IrpHandler (16) addr: F76582E2

18:0:31:528 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (22) addr: F7659C82

18:0:31:528 2152 DetectCureTDL3: IrpHandler (23) addr: F765E99E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:528 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:528 2152 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

18:0:31:528 2152 KLMD_ReadMem: DeviceIoControl error 1

18:0:31:528 2152 TDL3_StartIoHookDetect: Unable to get StartIo handler code

18:0:31:528 2152 TDL3_FileDetect: Processing driver: Disk

18:0:31:528 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

18:0:31:528 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

18:0:31:528 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

18:0:31:548 2152 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 885EDC68

18:0:31:548 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885EDC68

18:0:31:548 2152 KLMD_ReadMem: Trying to ReadMemory 0x885EDC68[0x38]

18:0:31:548 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8A10A910

18:0:31:548 2152 KLMD_ReadMem: Trying to ReadMemory 0x8A10A910[0xA8]

18:0:31:548 2152 KLMD_ReadMem: Trying to ReadMemory 0xE17C2DA0[0x208]

18:0:31:548 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

18:0:31:548 2152 DetectCureTDL3: IrpHandler (0) addr: F765DBB0

18:0:31:548 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (2) addr: F765DBB0

18:0:31:548 2152 DetectCureTDL3: IrpHandler (3) addr: F7657D1F

18:0:31:548 2152 DetectCureTDL3: IrpHandler (4) addr: F7657D1F

18:0:31:548 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (9) addr: F76582E2

18:0:31:548 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (14) addr: F76583BB

18:0:31:548 2152 DetectCureTDL3: IrpHandler (15) addr: F765BF28

18:0:31:548 2152 DetectCureTDL3: IrpHandler (16) addr: F76582E2

18:0:31:548 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (22) addr: F7659C82

18:0:31:548 2152 DetectCureTDL3: IrpHandler (23) addr: F765E99E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:548 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:548 2152 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

18:0:31:548 2152 KLMD_ReadMem: DeviceIoControl error 1

18:0:31:548 2152 TDL3_StartIoHookDetect: Unable to get StartIo handler code

18:0:31:548 2152 TDL3_FileDetect: Processing driver: Disk

18:0:31:548 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

18:0:31:548 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

18:0:31:548 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

18:0:31:568 2152 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 885F3808

18:0:31:568 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885F3808

18:0:31:568 2152 KLMD_ReadMem: Trying to ReadMemory 0x885F3808[0x38]

18:0:31:568 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8A10A910

18:0:31:568 2152 KLMD_ReadMem: Trying to ReadMemory 0x8A10A910[0xA8]

18:0:31:568 2152 KLMD_ReadMem: Trying to ReadMemory 0xE17C2DA0[0x208]

18:0:31:568 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

18:0:31:568 2152 DetectCureTDL3: IrpHandler (0) addr: F765DBB0

18:0:31:568 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (2) addr: F765DBB0

18:0:31:568 2152 DetectCureTDL3: IrpHandler (3) addr: F7657D1F

18:0:31:568 2152 DetectCureTDL3: IrpHandler (4) addr: F7657D1F

18:0:31:568 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (9) addr: F76582E2

18:0:31:568 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (14) addr: F76583BB

18:0:31:568 2152 DetectCureTDL3: IrpHandler (15) addr: F765BF28

18:0:31:568 2152 DetectCureTDL3: IrpHandler (16) addr: F76582E2

18:0:31:568 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:568 2152 DetectCureTDL3: IrpHandler (22) addr: F7659C82

18:0:31:568 2152 DetectCureTDL3: IrpHandler (23) addr: F765E99E

18:0:31:578 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:578 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:578 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:578 2152 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

18:0:31:578 2152 KLMD_ReadMem: DeviceIoControl error 1

18:0:31:578 2152 TDL3_StartIoHookDetect: Unable to get StartIo handler code

18:0:31:578 2152 TDL3_FileDetect: Processing driver: Disk

18:0:31:578 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

18:0:31:578 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

18:0:31:578 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

18:0:31:588 2152 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 885F5030

18:0:31:598 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885F5030

18:0:31:598 2152 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 885F66E8

18:0:31:598 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885F66E8

18:0:31:598 2152 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 885F2250

18:0:31:598 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885F2250

18:0:31:598 2152 KLMD_ReadMem: Trying to ReadMemory 0x885F2250[0x38]

18:0:31:598 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8877F738

18:0:31:598 2152 KLMD_ReadMem: Trying to ReadMemory 0x8877F738[0xA8]

18:0:31:598 2152 KLMD_ReadMem: Trying to ReadMemory 0xE101FE08[0x208]

18:0:31:598 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR

18:0:31:598 2152 DetectCureTDL3: IrpHandler (0) addr: F7734218

18:0:31:598 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:598 2152 DetectCureTDL3: IrpHandler (2) addr: F7734218

18:0:31:598 2152 DetectCureTDL3: IrpHandler (3) addr: F773423C

18:0:31:598 2152 DetectCureTDL3: IrpHandler (4) addr: F773423C

18:0:31:598 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:598 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:598 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:598 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (9) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (14) addr: F7734180

18:0:31:608 2152 DetectCureTDL3: IrpHandler (15) addr: F772F9E6

18:0:31:608 2152 DetectCureTDL3: IrpHandler (16) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (22) addr: F77335F0

18:0:31:608 2152 DetectCureTDL3: IrpHandler (23) addr: F7731A6E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:608 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:608 2152 KLMD_ReadMem: Trying to ReadMemory 0xF7730F26[0x400]

18:0:31:618 2152 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0

18:0:31:618 2152 TDL3_FileDetect: Processing driver: USBSTOR

18:0:31:618 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys

18:0:31:618 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys

18:0:31:618 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys

18:0:31:668 2152 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 885F48A0

18:0:31:668 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885F48A0

18:0:31:668 2152 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 885FE958

18:0:31:668 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885FE958

18:0:31:668 2152 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 885F6C00

18:0:31:668 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885F6C00

18:0:31:668 2152 KLMD_ReadMem: Trying to ReadMemory 0x885F6C00[0x38]

18:0:31:668 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8877F738

18:0:31:678 2152 KLMD_ReadMem: Trying to ReadMemory 0x8877F738[0xA8]

18:0:31:678 2152 KLMD_ReadMem: Trying to ReadMemory 0xE101FE08[0x208]

18:0:31:678 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR

18:0:31:678 2152 DetectCureTDL3: IrpHandler (0) addr: F7734218

18:0:31:678 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (2) addr: F7734218

18:0:31:678 2152 DetectCureTDL3: IrpHandler (3) addr: F773423C

18:0:31:678 2152 DetectCureTDL3: IrpHandler (4) addr: F773423C

18:0:31:678 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (9) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (14) addr: F7734180

18:0:31:678 2152 DetectCureTDL3: IrpHandler (15) addr: F772F9E6

18:0:31:678 2152 DetectCureTDL3: IrpHandler (16) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (22) addr: F77335F0

18:0:31:678 2152 DetectCureTDL3: IrpHandler (23) addr: F7731A6E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:678 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:678 2152 KLMD_ReadMem: Trying to ReadMemory 0xF7730F26[0x400]

18:0:31:678 2152 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0

18:0:31:678 2152 TDL3_FileDetect: Processing driver: USBSTOR

18:0:31:678 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys

18:0:31:678 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys

18:0:31:678 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys

18:0:31:688 2152 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 885FEAB8

18:0:31:688 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885FEAB8

18:0:31:688 2152 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 885FD620

18:0:31:688 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885FD620

18:0:31:688 2152 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 88779CF0

18:0:31:688 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88779CF0

18:0:31:688 2152 KLMD_ReadMem: Trying to ReadMemory 0x88779CF0[0x38]

18:0:31:688 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8877F738

18:0:31:688 2152 KLMD_ReadMem: Trying to ReadMemory 0x8877F738[0xA8]

18:0:31:688 2152 KLMD_ReadMem: Trying to ReadMemory 0xE101FE08[0x208]

18:0:31:688 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR

18:0:31:688 2152 DetectCureTDL3: IrpHandler (0) addr: F7734218

18:0:31:698 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (2) addr: F7734218

18:0:31:698 2152 DetectCureTDL3: IrpHandler (3) addr: F773423C

18:0:31:698 2152 DetectCureTDL3: IrpHandler (4) addr: F773423C

18:0:31:698 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (9) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (14) addr: F7734180

18:0:31:698 2152 DetectCureTDL3: IrpHandler (15) addr: F772F9E6

18:0:31:698 2152 DetectCureTDL3: IrpHandler (16) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:698 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:708 2152 DetectCureTDL3: IrpHandler (22) addr: F77335F0

18:0:31:708 2152 DetectCureTDL3: IrpHandler (23) addr: F7731A6E

18:0:31:708 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:708 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:708 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:708 2152 KLMD_ReadMem: Trying to ReadMemory 0xF7730F26[0x400]

18:0:31:708 2152 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0

18:0:31:708 2152 TDL3_FileDetect: Processing driver: USBSTOR

18:0:31:708 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys

18:0:31:708 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys

18:0:31:708 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys

18:0:31:718 2152 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 885F8030

18:0:31:718 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885F8030

18:0:31:718 2152 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 885FD988

18:0:31:718 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 885FD988

18:0:31:718 2152 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 88610A60

18:0:31:718 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88610A60

18:0:31:718 2152 KLMD_ReadMem: Trying to ReadMemory 0x88610A60[0x38]

18:0:31:718 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8877F738

18:0:31:718 2152 KLMD_ReadMem: Trying to ReadMemory 0x8877F738[0xA8]

18:0:31:718 2152 KLMD_ReadMem: Trying to ReadMemory 0xE101FE08[0x208]

18:0:31:718 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR

18:0:31:728 2152 DetectCureTDL3: IrpHandler (0) addr: F7734218

18:0:31:728 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (2) addr: F7734218

18:0:31:728 2152 DetectCureTDL3: IrpHandler (3) addr: F773423C

18:0:31:728 2152 DetectCureTDL3: IrpHandler (4) addr: F773423C

18:0:31:728 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (9) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (14) addr: F7734180

18:0:31:728 2152 DetectCureTDL3: IrpHandler (15) addr: F772F9E6

18:0:31:728 2152 DetectCureTDL3: IrpHandler (16) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (22) addr: F77335F0

18:0:31:728 2152 DetectCureTDL3: IrpHandler (23) addr: F7731A6E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:728 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:728 2152 KLMD_ReadMem: Trying to ReadMemory 0xF7730F26[0x400]

18:0:31:728 2152 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0

18:0:31:728 2152 TDL3_FileDetect: Processing driver: USBSTOR

18:0:31:728 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys

18:0:31:728 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys

18:0:31:728 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys

18:0:31:748 2152 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A0C8C68

18:0:31:748 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A0C8C68

18:0:31:748 2152 KLMD_ReadMem: Trying to ReadMemory 0x8A0C8C68[0x38]

18:0:31:748 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8A10A910

18:0:31:748 2152 KLMD_ReadMem: Trying to ReadMemory 0x8A10A910[0xA8]

18:0:31:748 2152 KLMD_ReadMem: Trying to ReadMemory 0xE17C2DA0[0x208]

18:0:31:748 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

18:0:31:748 2152 DetectCureTDL3: IrpHandler (0) addr: F765DBB0

18:0:31:748 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:748 2152 DetectCureTDL3: IrpHandler (2) addr: F765DBB0

18:0:31:748 2152 DetectCureTDL3: IrpHandler (3) addr: F7657D1F

18:0:31:748 2152 DetectCureTDL3: IrpHandler (4) addr: F7657D1F

18:0:31:748 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:748 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:748 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:748 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:748 2152 DetectCureTDL3: IrpHandler (9) addr: F76582E2

18:0:31:748 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:748 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:748 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:748 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:748 2152 DetectCureTDL3: IrpHandler (14) addr: F76583BB

18:0:31:748 2152 DetectCureTDL3: IrpHandler (15) addr: F765BF28

18:0:31:758 2152 DetectCureTDL3: IrpHandler (16) addr: F76582E2

18:0:31:758 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:758 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:758 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:758 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:758 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:758 2152 DetectCureTDL3: IrpHandler (22) addr: F7659C82

18:0:31:758 2152 DetectCureTDL3: IrpHandler (23) addr: F765E99E

18:0:31:758 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:758 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:758 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:758 2152 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

18:0:31:758 2152 KLMD_ReadMem: DeviceIoControl error 1

18:0:31:758 2152 TDL3_StartIoHookDetect: Unable to get StartIo handler code

18:0:31:758 2152 TDL3_FileDetect: Processing driver: Disk

18:0:31:758 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

18:0:31:758 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys

18:0:31:758 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys

18:0:31:778 2152 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 8A0C9AB8

18:0:31:778 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A0C9AB8

18:0:31:778 2152 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 8A05C288

18:0:31:778 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A05C288

18:0:31:778 2152 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 8A0E3D98

18:0:31:778 2152 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A0E3D98

18:0:31:778 2152 KLMD_ReadMem: Trying to ReadMemory 0x8A0E3D98[0x38]

18:0:31:778 2152 DetectCureTDL3: DRIVER_OBJECT addr: 8A0D0760

18:0:31:778 2152 KLMD_ReadMem: Trying to ReadMemory 0x8A0D0760[0xA8]

18:0:31:778 2152 KLMD_ReadMem: Trying to ReadMemory 0xE100BF20[0x208]

18:0:31:778 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi

18:0:31:778 2152 DetectCureTDL3: IrpHandler (0) addr: F74AC6F2

18:0:31:778 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (2) addr: F74AC6F2

18:0:31:778 2152 DetectCureTDL3: IrpHandler (3) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (4) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (5) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (6) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (7) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (8) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (9) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (10) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (11) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (12) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (13) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (14) addr: F74AC712

18:0:31:778 2152 DetectCureTDL3: IrpHandler (15) addr: F74A8852

18:0:31:778 2152 DetectCureTDL3: IrpHandler (16) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (17) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (18) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (19) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (20) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (21) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (22) addr: F74AC73C

18:0:31:778 2152 DetectCureTDL3: IrpHandler (23) addr: F74B3336

18:0:31:778 2152 DetectCureTDL3: IrpHandler (24) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (25) addr: 804FA87E

18:0:31:778 2152 DetectCureTDL3: IrpHandler (26) addr: 804FA87E

18:0:31:778 2152 KLMD_ReadMem: Trying to ReadMemory 0xF74A9864[0x400]

18:0:31:778 2152 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0

18:0:31:778 2152 TDL3_FileDetect: Processing driver: atapi

18:0:31:778 2152 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys

18:0:31:778 2152 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys

18:0:31:788 2152 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys

18:0:31:818 2152

Completed

Results:

18:0:31:818 2152 Infected objects in memory: 0

18:0:31:818 2152 Cured objects in memory: 0

18:0:31:818 2152 Infected objects on disk: 0

18:0:31:818 2152 Objects on disk cured on reboot: 0

18:0:31:818 2152 Objects on disk deleted on reboot: 0

18:0:31:818 2152 Registry nodes deleted on reboot: 0

18:0:31:818 2152

Step 3

Malwarebytes is open and running

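What the DetectCureTDL3 lines in the log above record, per storage driver, is a walk down the device stack to the bottom DRIVER_OBJECT, a dump of its 27 MajorFunction entries (the IrpHandler lines), and a 0x400-byte read of the StartIo routine's code for the hook check. The Python script below is an added example, not part of this thread and not TDSSKiller's own logic: it reads log lines copied from above, groups the entries per driver, infers the kernel's catch-all handler (the one address every table shares, 804FA87E here), and flags dispatch entries or a StartIo pointer that sit far from the rest of that driver's code, which is what a TDL3-style hook redirected into pool memory looks like. The HOOKED_LOG block and its 0x8A2C.... addresses are constructed for illustration, and MAX_DISTANCE is an assumed heuristic rather than the tool's actual test.

```python
import re
import statistics

# Lines copied from the TDSSKiller log above, abridged to the ones the parser needs.
PAGE_LOG = r"""
18:0:31:718 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
18:0:31:728 2152 DetectCureTDL3: IrpHandler (0) addr: F7734218
18:0:31:728 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
18:0:31:728 2152 DetectCureTDL3: IrpHandler (14) addr: F7734180
18:0:31:728 2152 DetectCureTDL3: IrpHandler (15) addr: F772F9E6
18:0:31:728 2152 DetectCureTDL3: IrpHandler (22) addr: F77335F0
18:0:31:728 2152 DetectCureTDL3: IrpHandler (23) addr: F7731A6E
18:0:31:728 2152 KLMD_ReadMem: Trying to ReadMemory 0xF7730F26[0x400]
18:0:31:748 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:0:31:748 2152 DetectCureTDL3: IrpHandler (0) addr: F765DBB0
18:0:31:748 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
18:0:31:748 2152 DetectCureTDL3: IrpHandler (14) addr: F76583BB
18:0:31:748 2152 DetectCureTDL3: IrpHandler (15) addr: F765BF28
18:0:31:758 2152 DetectCureTDL3: IrpHandler (22) addr: F7659C82
18:0:31:758 2152 DetectCureTDL3: IrpHandler (23) addr: F765E99E
18:0:31:758 2152 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
18:0:31:758 2152 TDL3_StartIoHookDetect: Unable to get StartIo handler code
18:0:31:778 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
18:0:31:778 2152 DetectCureTDL3: IrpHandler (0) addr: F74AC6F2
18:0:31:778 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
18:0:31:778 2152 DetectCureTDL3: IrpHandler (14) addr: F74AC712
18:0:31:778 2152 DetectCureTDL3: IrpHandler (15) addr: F74A8852
18:0:31:778 2152 DetectCureTDL3: IrpHandler (22) addr: F74AC73C
18:0:31:778 2152 DetectCureTDL3: IrpHandler (23) addr: F74B3336
18:0:31:778 2152 KLMD_ReadMem: Trying to ReadMemory 0xF74A9864[0x400]
"""

# Constructed, NOT from the log: the same dump for atapi if IRP_MJ_DEVICE_CONTROL (14),
# IRP_MJ_INTERNAL_DEVICE_CONTROL (15) and StartIo had been redirected into non-paged
# pool. The 0x8A2C.... addresses are invented to sit far from the atapi.sys image.
HOOKED_LOG = r"""
18:0:31:778 2152 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
18:0:31:778 2152 DetectCureTDL3: IrpHandler (0) addr: F74AC6F2
18:0:31:778 2152 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
18:0:31:778 2152 DetectCureTDL3: IrpHandler (14) addr: 8A2C1F40
18:0:31:778 2152 DetectCureTDL3: IrpHandler (15) addr: 8A2C1F40
18:0:31:778 2152 DetectCureTDL3: IrpHandler (22) addr: F74AC73C
18:0:31:778 2152 DetectCureTDL3: IrpHandler (23) addr: F74B3336
18:0:31:778 2152 KLMD_ReadMem: Trying to ReadMemory 0x8A2C1E00[0x400]
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\(\w+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
STARTIO_RE = re.compile(r"ReadMemory 0x([0-9A-Fa-f]+)\[0x400\]")  # 0x400-byte read of StartIo code
NO_STARTIO = "Unable to get StartIo handler code"

# Assumed heuristic: an entry farther than this from the table's median is taken to point
# outside the driver's image (XP storage drivers are well under 512 KiB).
MAX_DISTANCE = 0x80000


def parse(log):
    """Group the IrpHandler and StartIo lines under the DRIVER_OBJECT they belong to."""
    drivers, cur = [], None
    for line in log.splitlines():
        if (m := DRIVER_RE.search(line)):
            cur = {"name": m.group(1), "irp": {}, "startio": None}
            drivers.append(cur)
        elif cur is None:
            continue
        elif (m := IRP_RE.search(line)):
            cur["irp"][int(m.group(1))] = int(m.group(2), 16)
        elif (m := STARTIO_RE.search(line)):
            cur["startio"] = int(m.group(1), 16) or None  # 0x0: driver has no StartIo
        elif NO_STARTIO in line:
            cur["startio"] = None
    return drivers


def shared_handler(drivers):
    """Address present in every table: the kernel's catch-all for unsupported major
    functions (804FA87E on this system). Inferred from the tables, not hard-coded."""
    return set.intersection(*[set(d["irp"].values()) for d in drivers])


def analyze(drivers):
    """Flag dispatch entries and StartIo pointers that sit far from the driver's own code."""
    shared = shared_handler(drivers)
    report = []
    for d in drivers:
        own = [a for a in d["irp"].values() if a not in shared]
        centre = int(statistics.median(own))  # where the bulk of the driver's code lives
        suspicious = sorted(i for i, a in d["irp"].items()
                            if a not in shared and abs(a - centre) > MAX_DISTANCE)
        if d["startio"] is None:
            startio = "none"  # normal for a class driver such as disk.sys
        else:
            startio = "suspect" if abs(d["startio"] - centre) > MAX_DISTANCE else "ok"
        report.append({"name": d["name"], "suspicious_irp": suspicious, "startio": startio})
    return report


if __name__ == "__main__":
    for r in analyze(parse(PAGE_LOG + HOOKED_LOG)):
        print(f"{r['name']:8s} suspicious IRP entries: {r['suspicious_irp'] or 'none'}; "
              f"StartIo: {r['startio']}")
```

Disk comes out as StartIo "none" because disk.sys is a class driver with no StartIo routine; that is why the log shows ReadMemory 0x0 followed by "Unable to get StartIo handler code", which is not a detection. The distance heuristic will miss a hook that lands within MAX_DISTANCE of the driver image (for instance code planted in a neighbouring, legitimately loaded driver); a proper check resolves each address to the module that owns it, which the kernel-side tool can do and this offline parser cannot.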

Here are the two logs from the Malwarebytes scan

After removal

Malwarebytes' Anti-Malware 1.42

Database version: 3399

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/20/2009 6:21:35 PM

mbam-log-2009-12-20 (18-21-35).txt

Scan type: Quick Scan

Objects scanned: 106740

Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.Malware Defense) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Joel\Local Settings\Temp\Installer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Joel\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Are there more steps I should be taking at this point?

Edited by Maurice Naggar
Removed 1 log for brevity

Kindly do NOT enclose the logs in Quote boxes. Just Copy and Paste into the reply box.

Step 1

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from the link below. You must rename it before saving it. Save it to your Desktop.

Link 1


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Step 2

Start HijackThis. Do a Scan and Save log

Reply with copy of C:\Combofix.txt

and the latest HijackThis log for my review,

and tell me, How is your system now ?

Do not go away, since after I review the logs, we will need to have you de-install/remove some tools.


ComboFix 09-12-19.04 - Joel 12/20/2009 19:08:14.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1262.783 [GMT -5:00]

Running from: c:\documents and settings\Joel\Desktop\Combo-Fix.exe

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\cleanup.exe

c:\windows\system32\srcr.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_BHDRVX86

-------\Service_BHDrvx86

((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))

.

2009-12-21 00:13 . 2009-08-22 08:26 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

2009-12-20 23:12 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091220.004\CCERASER.DLL

2009-12-20 23:12 . 2009-09-25 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091220.004\ECMSVR32.DLL

2009-12-20 23:12 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091220.004\EECTRL.SYS

2009-12-20 23:12 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091220.004\ERASER.SYS

2009-12-20 23:12 . 2009-08-25 08:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091220.004\NAVENG.SYS

2009-12-20 23:12 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091220.004\NAVENG32.DLL

2009-12-20 23:12 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091220.004\NAVEX32A.DLL

2009-12-20 23:12 . 2009-08-25 08:00 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091220.004\NAVEX15.SYS

2009-12-20 23:11 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSvix86.sys

2009-12-20 23:11 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSXpx86.sys

2009-12-20 23:11 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\Scxpx86.dll

2009-12-20 23:11 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSxpx86.dll

2009-12-20 23:11 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSviA64.sys

2009-12-20 23:07 . 2009-12-20 23:07 -------- d-----w- c:\documents and settings\Joel\Application Data\Malwarebytes

2009-12-20 22:28 . 2009-12-20 22:28 574 ----a-w- C:\cleanup.bat

2009-12-20 22:28 . 2009-12-20 22:28 135168 ----a-w- C:\zip.exe

2009-12-20 00:53 . 2009-12-20 00:53 -------- d-----w- C:\rsit

2009-12-19 17:26 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-19 17:26 . 2009-12-19 17:26 -------- d-----w- c:\program files\Gone

2009-12-19 17:26 . 2009-12-19 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-19 17:26 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-19 14:45 . 2009-12-19 14:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2009-12-19 11:38 . 2009-12-19 11:38 664 ----a-w- c:\documents and settings\Joel\Local Settings\Application Data\d3d9caps.dat

2009-12-18 20:27 . 2009-12-18 20:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-12-09 22:58 . 2009-12-16 23:53 -------- d-----w- c:\documents and settings\Joel\Local Settings\Application Data\Tific

2009-12-09 22:58 . 2009-12-09 22:58 -------- d-----w- c:\documents and settings\Joel\Application Data\Tific

2009-12-09 22:57 . 2009-12-09 22:57 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-19 15:24 . 2008-11-19 16:59 -------- d-----w- c:\documents and settings\Joel\Application Data\Amazon

2009-12-19 15:22 . 2008-05-20 03:07 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-19 14:40 . 2009-12-19 14:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel

2009-12-09 22:58 . 2008-08-09 14:20 -------- d-----w- c:\program files\Norton PC Checkup

2009-12-09 22:57 . 2009-03-11 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-12-09 22:57 . 2009-03-11 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-12-09 22:57 . 2009-03-11 18:11 -------- d-----w- c:\program files\NortonInstaller

2009-10-29 07:45 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys

2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll

2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys

2009-10-21 05:38 . 2004-08-04 04:56 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 04:56 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2008-05-16 12:35 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2004-08-04 04:56 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-08-04 04:56 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-08-04 04:56 79872 ----a-w- c:\windows\system32\raschap.dll

2008-06-30 17:44 . 2008-07-03 01:57 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2005-06-01 02:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]

2002-03-19 21:30 45632 ----a-w- c:\windows\system32\TaskSwitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]

2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2004-11-16 05:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2005-09-20 13:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-09-20 13:36 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2005-09-20 13:35 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]

2005-06-03 05:31 385024 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]

2005-06-01 02:46 401408 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]

2002-03-29 08:42 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2004-05-14 13:35 536576 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]

2004-05-13 23:23 98304 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"xmlprov"=3 (0x3)

"PCCUJobMgr"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys [9/8/2009 8:35 PM 310320]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys [9/8/2009 8:35 PM 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSXpx86.sys [12/20/2009 6:11 PM 329592]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [9/8/2009 8:33 PM 117640]

R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [12/9/2009 5:57 PM 103280]

R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [12/9/2009 5:57 PM 126392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 12:10 PM 102448]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/webhp?rls=ig

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

Trusted Zone: lcvg.com\www

FF - ProfilePath - c:\documents and settings\Joel\Application Data\Mozilla\Firefox\Profiles\rzvbj5nr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe

MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe

MSConfigStartUp-richtx64 - c:\docume~1\Joel\LOCALS~1\Temp\richtx64.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe

MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe

AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-20 19:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"

--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCCUJobMgr]

"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1404)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(4092)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

.

**************************************************************************

.

Completion time: 2009-12-20 19:21:06 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-21 00:21

Pre-Run: 48,470,048,768 bytes free

Post-Run: 48,530,120,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6CB31DAC65AFF22A4287C540A7FE5D27

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:34:29 PM, on 12/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe

C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe

C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Documents and Settings\Joel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210922474672

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240024110815

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe

O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe

O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: WLANKEEPER - Intel


Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine

  • Make sure you read this document to understand how to use the program:

    Trend Micro Sysclean Package README 1st

  • Basically there are 3 parts that need to be downloaded and SAVED from these links:

    • Download Sysclean Package

    • Download Virus Pattern Files that will be a LPTxxx.ZIP file

    • Download Spyware Pattern Files this is a SSAPIPTNxxx.ZIP

      It is the 4th listed file, under title "Detection and Cleanup (Trend Micro Anti-Spyware)"


/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-12-22, 21:17:59, Auto-clean mode specified.

2009-12-22, 21:18:00, Initialized Rootkit Driver version 2.2.0.1004.

2009-12-22, 21:18:00, Running scanner "C:\DCE\TSC.BIN"...

2009-12-22, 21:18:25, Scanner "C:\DCE\TSC.BIN" has finished running.

2009-12-22, 21:18:25, TSC Log:


Look in folder C:\Qoobox for a log file named ComboFix-quarantined-files.txt

Copy and Paste its contents in your next reply.

I need to see and review it, looking to see if Combofix somehow moved a component of Norton AV.

Except for that, we are almost to the point of wrapping this up. Don't do anything by yourself; wait for my review.


2009-12-21 00:20:36 . 2009-12-21 00:20:36 1,236 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-RealPlayer 6.0.reg.dat

2009-12-21 00:20:36 . 2009-12-21 00:20:36 504 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-RealJukebox 1.0.reg.dat

2009-12-21 00:20:09 . 2009-12-21 00:20:09 658 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-TkBellExe.reg.dat

2009-12-21 00:20:09 . 2009-12-21 00:20:09 636 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SunJavaUpdateSched.reg.dat

2009-12-21 00:20:09 . 2009-12-21 00:20:09 606 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-richtx64.reg.dat

2009-12-21 00:20:09 . 2009-12-21 00:20:09 622 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-QuickTime Task.reg.dat

2009-12-21 00:20:09 . 2009-12-21 00:20:09 606 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MSMSGS.reg.dat

2009-12-21 00:20:08 . 2009-12-21 00:20:08 668 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe Reader Speed Launcher.reg.dat

2009-12-21 00:11:08 . 2009-12-21 00:11:08 3,648 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_BHDrvx86.reg.dat

2009-12-21 00:11:08 . 2009-12-21 00:11:08 1,312 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_BHDRVX86.reg.dat

2009-12-21 00:11:01 . 2009-12-21 00:11:01 6,952 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-12-21 00:04:34 . 2009-12-21 00:04:34 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

2009-12-20 22:28:56 . 2009-12-20 22:28:56 19,286 ----a-w- C:\Qoobox\Quarantine\C\cleanup.exe.vir

2009-12-18 20:27:50 . 2009-12-18 20:27:50 203 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\srcr.dat.vir

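As an added example (written for this page, not code from the thread or from ComboFix), here is a small Python parser for the ComboFix-quarantined-files.txt layout posted above. It does mechanically what the helper does by eye: it separates Service_/Legacy_ registry backups (deleted services) from start-up items, Add/Remove entries and quarantined files, recovers the original path of each .vir file, and lists the service names that would have to be restored. The sample lines are a subset copied from the post; the vendor marker list is a constructed assumption.

```python
import re
from dataclasses import dataclass
# Lines copied from the ComboFix-quarantined-files.txt posted above (a subset, used as sample input).
SAMPLE_LOG = r"""
2009-12-21 00:20:36 . 2009-12-21 00:20:36 1,236 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-RealPlayer 6.0.reg.dat
2009-12-21 00:20:09 . 2009-12-21 00:20:09 658 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-TkBellExe.reg.dat
2009-12-21 00:11:08 . 2009-12-21 00:11:08 3,648 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_BHDrvx86.reg.dat
2009-12-21 00:11:08 . 2009-12-21 00:11:08 1,312 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_BHDRVX86.reg.dat
2009-12-21 00:11:01 . 2009-12-21 00:11:01 6,952 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-12-20 22:28:56 . 2009-12-20 22:28:56 19,286 ----a-w- C:\Qoobox\Quarantine\C\cleanup.exe.vir
"""
# Each line is: created . modified size attrs path
LINE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) ([\d,]+) (\S+) (?P<path>.+)$")
REG_PREFIXES = (("Service_", "service"), ("Legacy_", "legacy-device"),
                ("MSConfigStartUp-", "startup"), ("AddRemove-", "addremove"))

@dataclass
class Entry:
    path: str
    kind: str  # service, legacy-device, startup, addremove, registry or file
    name: str  # service/item name, or the original path of a quarantined file

def classify(path: str) -> Entry:
    base = path.rsplit("\\", 1)[-1]
    if "\\Registry_backups\\" in path:
        stem = base[:-8] if base.endswith(".reg.dat") else base[:-4]
        for prefix, kind in REG_PREFIXES:
            if stem.startswith(prefix):
                return Entry(path, kind, stem[len(prefix):])
        return Entry(path, "registry", stem)
    # Quarantined files keep their original path below the quarantine root, drive letter first
    rel = path.split("\\Quarantine\\", 1)[1].removesuffix(".vir")
    drive, _, rest = rel.partition("\\")
    return Entry(path, "file", f"{drive}:\\{rest}")

def parse_quarantine_log(text: str) -> list:
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [classify(m.group("path")) for m in matches if m]

def removed_services(entries) -> list:
    """Services ComboFix deleted; a Service_ key and its LEGACY_ twin count once."""
    seen = {}
    for e in entries:
        if e.kind in ("service", "legacy-device"):
            seen.setdefault(e.name.lower(), e.name)
    return sorted(seen.values())

def flag_security_components(entries, markers=("bhdrv", "symantec", "norton", "n360")):
    """Entries to review before proceeding; markers are constructed (BHDrv = the Norton 360 driver restored in Step 1)."""
    return [e for e in entries if any(m in e.name.lower() for m in markers)]
```

Running removed_services over the posted log yields BHDrvx86, the same service the helper has the user restore and net start in Step 1 below.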

Hello Malello.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Malello and have a similar problem, do NOT post here; start your own topic

The procedures used here are only for this system, and no other.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Regarding the Sysclean log notation on 1 virus: Sysclean was highlighting TDSSKILLER, the tool I had you run. That's a false positive. No reason to be concerned.

Step 1

Combofix removed two service entries for Norton360, which need to be put back. Let's have you do the following:

Start NOTEPAD and then copy and paste all the codebox lines below into it.

@echo off
rem Copy the two Norton 360 registry backups ComboFix quarantined to the Desktop as .reg files
rem (paths contain spaces, so they must be quoted or the copy fails)
copy "C:\Qoobox\Quarantine\Registry_backups\Service_BHDrvx86.reg.dat" "C:\Documents and Settings\Joel\Desktop\Service_BHDrvx86.reg"
copy "C:\Qoobox\Quarantine\Registry_backups\Legacy_BHDRVX86.reg.dat" "C:\Documents and Settings\Joel\Desktop\Legacy_BHDRVX86.reg"
rem Delete this batch file once it has run
del %0

Go to File > save as and name the file fix.bat, change the Save as type to all files and save it to your desktop.

It should look like this: [screenshot batchfileimage.jpg, not included]

Close/exit NOTEPAD.

Double click on fix.bat & allow it to run.

Then next, RIGHT-Click on Service_BHDrvx86.reg on your Desktop, and select Merge

Then next, RIGHT-Click on Legacy_BHDRVX86.reg on your Desktop, and select Merge

If prompted, answer YES to proceed with merge to the registry.

Using Windows START button, select RUN, then type in

CMD

to start a command prompt window.

Then type in

net start BHDrvx86

and press Enter-key

Confirm for me that the above steps have worked.

Exit/close command prompt when done.

Step 2

Next, an update for MBAM, and a full scan of the system:

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 3432 and the latest program version is 1.42.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 3

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
    Look at contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here:

http://www.eset.com/onlinescan/cac4.php?page=faq

  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

Step 4

Reply with:

  • your observations on Step 1 (above)
  • the latest MBAM scan log
  • the ESET online scan log.

Tell me if your Comodo PRO includes antivirus and if your Norton360 has a current license.

I have a concern that this may be running more than 1 active antivirus application.
