Kirja Posted February 19, 2010 ID:202415 Share Posted February 19, 2010 Hi , i am new here and i need help. Yestarday i found out that my pc has some kind of Antivirus Called Paladin, wich instals on its own. I was using AVG antyvirus wich didn't help and stop working after short time at all with few other programs like PowerIS. All night i was trying new softwares to get ride of it , but most of them didn't even open after instalation or failed to fix the problem.If u could help me would be Great Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:44:40 AM, on 2/19/2010Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16674)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exeC:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\RocketDock\RocketDock.exeC:\DOCUME~1\Kirja\LOCALS~1\Temp\eventcreatexp.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Hawking\HWU54D\HWU54D.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXEC:\Program Files\OpenOffice.org 3\program\soffice.binC:\WINDOWS\ALCFDRTM.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Opera\opera.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Internet Explorer\iexplore.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O1 - Hosts: 64.16.193.26 l2authd.lineage2.comO1 - Hosts: 216.107.250.194 update.nprotect.comO1 - Hosts: 216.107.250.194 nprotect.lineage2.comO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)O2 - BHO: (no name) - {53FE12C2-4429-488F-847B-7B285F8F6778} - (no file)O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: (no name) - {F92AE24D-2C39-4C17-8324-E93E9E0A37A2} - (no file)O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [skyTel] SkyTel.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXEO4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"O4 - HKCU\..\Run: [eventcreatexp.exe] C:\DOCUME~1\Kirja\LOCALS~1\Temp\eventcreatexp.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscanO4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking\HWU54D\HWU54D.exeO4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeO4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exeO8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htmO8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htmO8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htmO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cabO16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cabO16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...347/mcfscan.cabO18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe--End of file - 7720 bytes Link to post Share on other sites More sharing options...
deltalima Posted February 19, 2010 ID:202421 Share Posted February 19, 2010 Hi Kirja,Welcome to the forum.My nickname is deltalima and I will be helping you with your computer problems.The logs can take some time to research, so please be patient with me.Please note the following:I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.The fixes are specific to your problem and should only be used for this issue on this machine.Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one. It's often worth reading through these instructions and printing them for ease of reference.If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.Please reply to this thread. Do not start a new topic.RkillPlease download Rkill from one of the following links and save to your Desktop:One, Two,Three or FourDouble click on Rkill.A command window will open then disappear upon completion, this is normal.A notepad windows will open, please post the contents in your next replyThis log can also be found at C:\rkill.logPlease leave Rkill on the Desktop until otherwise advised.Note: If your security software warns about Rkill, please ignore and allow the download to continue.Download and run OTLDownload OTL by Old Timer and save it to your Desktop.Double click on OTL.exe to run it.Under Output, ensure that Minimal Output is selected.Under Extra Registry section, select Use SafeList.Click the Scan All Users checkbox.Click on Run Scan at the top left hand corner.When done, two Notepad files will open.OTL.txt <-- Will be openedExtras.txt <-- Will be minimized[*]Please post the contents of these 2 Notepad files in your next reply.Please download GMER Rootkit Scanner from here.Double click the .exe file. If asked to allow gmer.sys driver to load, please consentIf it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.Run Gmer again and click on the Rootkit tab.Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".Click on the "Scan" and wait for the scan to finish.Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.Note: If you have any problems, try running GMER in SAFE MODEImportant! Please do not select the "Show all" checkbox during the scan..Please post the GMER log and rkill.log along with OTL.txt and Extras.txt from the OTL scan into your next reply. Link to post Share on other sites More sharing options...
crack645 Posted February 19, 2010 ID:202449 Share Posted February 19, 2010 Unauthorized posting removed by the moderator. Link to post Share on other sites More sharing options...
Kirja Posted February 20, 2010 Author ID:202774 Share Posted February 20, 2010 Hi deltalima and thank you, i was trying to dl Rkill and OTL how ever i was not able to open page i get error , i am still looking for it but no luck so far. How ever here is gmer with wich i had no problem dling it.GMER 1.0.15.15281 - http://www.gmer.netRootkit scan 2010-02-19 19:56:02Windows 5.1.2600 Service Pack 2Running: t5y68r8f.exe; Driver: C:\DOCUME~1\Kirja\LOCALS~1\Temp\pwlcrpob.sys---- System - GMER 1.0.15 ----INT 0x63 ? 8AE9FBF8INT 0x63 ? 8AE9FBF8INT 0x63 ? 8AE9FBF8INT 0x63 ? 8AE9FBF8INT 0x63 ? 8AC49BF8INT 0x63 ? 8AC49BF8INT 0x63 ? 8AE9FBF8INT 0x83 ? 8AEA2BF8INT 0x83 ? 8AC49BF8INT 0x83 ? 8AEA2BF8INT 0x94 ? 8AC49BF8INT 0xA4 ? 8AC49BF8INT 0xA4 ? 8AC49BF8Code 89DDD420 ZwEnumerateKeyCode 89DE1610 ZwFlushInstructionCacheCode 89DDFCBE IofCallDriverCode 89E51236 IofCompleteRequest---- Kernel code sections - GMER 1.0.15 ----.text ntkrnlpa.exe!IofCallDriver 804EF09C 5 Bytes JMP 89DDFCC3 .text ntkrnlpa.exe!IofCompleteRequest 804EF12C 5 Bytes JMP 89E5123B PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B527E 5 Bytes JMP 89DE1614 PAGE ntkrnlpa.exe!ZwEnumerateKey 80622944 5 Bytes JMP 89DDD424 ? spmn.sys The system cannot find the file specified. !.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9035360, 0x372FAD, 0xE8000020].text USBPORT.SYS!DllUnload B901662C 5 Bytes JMP 8AC491D8 .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB462F300, 0x3ACC8, 0xE8000020].text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBAC58300, 0x1B7E, 0xE8000020]---- User code sections - GMER 1.0.15 ----.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 00C1000A .text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!HttpOpenRequestA 78064341 5 Bytes JMP 00D7000A .text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!InternetConnectA 7806499A 5 Bytes JMP 00D9000A .text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!InternetConnectW 78065B88 5 Bytes JMP 00D8000A .text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!HttpOpenRequestW 78065D62 5 Bytes JMP 00D6000A .text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!HttpAddRequestHeadersW 780CCF4D 5 Bytes JMP 00D5000A ---- Kernel IAT/EAT - GMER 1.0.15 ----IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [bA6AC040] spmn.sysIAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [bA6AC13C] spmn.sysIAT atapi.sys[HAL.dll!READ_PORT_USHORT] [bA6AC0BE] spmn.sysIAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [bA6AC7FC] spmn.sysIAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [bA6AC6D2] spmn.sys---- Devices - GMER 1.0.15 ----Device \FileSystem\Ntfs \Ntfs 8AEFC1F8Device \Driver\NetBT \Device\NetBT_Tcpip_{3721098D-45A7-4DFC-B113-2D11A402896F} 89D84500Device \Driver\usbuhci \Device\USBPDO-0 8AC48500Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AEFE1F8Device \Driver\dmio \Device\DmControl\DmConfig 8AEFE1F8Device \Driver\dmio \Device\DmControl\DmPnP 8AEFE1F8Device \Driver\dmio \Device\DmControl\DmInfo 8AEFE1F8Device \Driver\usbuhci \Device\USBPDO-1 8AC48500Device \Driver\NetBT \Device\NetBT_Tcpip_{F72FE336-72EE-4474-8C17-3ACCD5E3A233} 89D84500Device \Driver\usbuhci \Device\USBPDO-2 8AC48500Device \Driver\usbehci \Device\USBPDO-3 8AC4A500Device \Driver\usbehci \Device\USBPDO-4 8AC4A500Device \Driver\usbuhci \Device\USBPDO-5 8AC48500Device \Driver\usbuhci \Device\USBPDO-6 8AC48500Device \Driver\Ftdisk \Device\HarddiskVolume1 8AEA01F8Device \Driver\usbuhci \Device\USBPDO-7 8AC48500Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-12 8AE9F1F8Device \Driver\atapi \Device\Ide\IdePort0 8AE9F1F8Device \Driver\atapi \Device\Ide\IdePort1 8AE9F1F8Device \Driver\atapi \Device\Ide\IdePort2 8AE9F1F8Device \Driver\atapi \Device\Ide\IdePort3 8AE9F1F8Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-5 8AE9F1F8Device \Driver\NetBT \Device\NetBt_Wins_Export 89D84500Device \Driver\NetBT \Device\NetbiosSmb 89D84500Device \Driver\usbuhci \Device\USBFDO-0 8AC48500Device \Driver\usbuhci \Device\USBFDO-1 8AC48500Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89CC61F8Device \Driver\usbuhci \Device\USBFDO-2 8AC48500Device \Driver\NetBT \Device\NetBT_Tcpip_{3A8B549D-1029-48F7-B9E4-4D0BEC5F4A43} 89D84500Device \FileSystem\MRxSmb \Device\LanmanRedirector 89CC61F8Device \Driver\usbehci \Device\USBFDO-3 8AC4A500Device \Driver\usbuhci \Device\USBFDO-4 8AC48500Device \Driver\Ftdisk \Device\FtControl 8AEA01F8Device \Driver\usbuhci \Device\USBFDO-5 8AC48500Device \Driver\usbuhci \Device\USBFDO-6 8AC48500Device \Driver\usbehci \Device\USBFDO-7 8AC4A500Device \Driver\JRAID \Device\Scsi\JRAID1 8AEFD1F8Device \FileSystem\Cdfs \Cdfs 89EE9500---- Modules - GMER 1.0.15 ----Module \systemroot\system32\drivers\_VOIDyoulhyprqh.sys (*** hidden *** ) B6891000-B68AF000 (122880 bytes) ---- Services - GMER 1.0.15 ----Service C:\WINDOWS\system32\drivers\_VOIDyoulhyprqh.sys (*** hidden *** ) [sYSTEM] _VOIDd.sys <-- ROOTKIT !!!---- Registry - GMER 1.0.15 ----Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE2 0xE6 0xBA 0xB9 ...Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@start 1Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@type 1Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDyoulhyprqh.sysReg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@group file systemReg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDyoulhyprqh.sysReg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDdlypxumltk.dllReg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDmtvaoppjdx.datReg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDlhbqoiqaim.dllReg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDmlguwybomf.dllReg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDerrors \\?\globalroot\systemroot\system32\_VOIDegobaeouft.logReg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE2 0xE6 0xBA 0xB9 ...Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@start 1Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@type 1Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDyoulhyprqh.sysReg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@group file systemReg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDyoulhyprqh.sysReg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDdlypxumltk.dllReg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDmtvaoppjdx.datReg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDlhbqoiqaim.dllReg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDmlguwybomf.dllReg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDerrors \\?\globalroot\systemroot\system32\_VOIDegobaeouft.log---- Files - GMER 1.0.15 ----File C:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll 1580 bytesFile C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll 10764 bytesFile C:\Documents and Settings\Kirja\Local Settings\Temp\_VOIDa1e5.tmp 343040 bytes executableFile C:\Program Files\Common Files\Sony Shared\OpenMG\OmgMp4LibWrapper.dll (size mismatch) 135168/434176 bytes executableFile C:\Program Files\Common Files\System\msadc\msdfmap.dll (size mismatch) 16384/36864 bytes executableFile C:\Program Files\Messenger\logowin.gif (size mismatch) 28672/4821 bytes executableFile C:\WINDOWS\$hf_mig$\KB887472\spuninst.exe (size mismatch) 7168/169984 bytes executableFile C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll (size mismatch) 151583/60192 bytes executableFile C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\inseng.dll (size mismatch) 251904/96256 bytes executableFile C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msisip.dll (size mismatch) 884736/44032 bytes executableFile C:\WINDOWS\system32\dllcache\atmepvc.sys (size mismatch) 59904/31360 bytes executableFile C:\WINDOWS\system32\dllcache\dxgthk.sys (size mismatch) 2113536/3328 bytes executableFile C:\WINDOWS\system32\dllcache\fxsevent.dll (size mismatch) 27136/55296 bytes executable---- EOF - GMER 1.0.15 ---- Link to post Share on other sites More sharing options...
Kirja Posted February 20, 2010 Author ID:202938 Share Posted February 20, 2010 Hi again, i found Rkill but it didn't work for me , i tryed to run it in safe mode but it happened i am not even able to start my pc in safe mode , f8 doesn't work and when i actualy get to the point where i chose how i want pc to run my arrow keys are frozen and it starts in normal mode, tryed running as administrator but still didn't work think malware blocks it but idk. As for OTL i am still looking for avalible link wich i will be abble to open no luck so far. Link to post Share on other sites More sharing options...
deltalima Posted February 20, 2010 ID:203109 Share Posted February 20, 2010 Hi Kirja,Please try the OTL download link again, it should work now.Please delete your copy of RKill and download a new copy. Next reboot your computer and then run RKill and then OTL then post the logs back here.If you still have problems with OTL then Download DDSPlease download DDS by sUBs from one of the links below and save it to your desktop:Download DDS and save it to your desktopLink1Link2Link3Please disable any anti-malware program that will block scripts from running before running DDS.Double-Click on dds.scr and a command window will appear. This is normal.Shortly after two logs will appear: DDS.txt Attach.txt[*]A window will open instructing you save & post the logs[*]Save the logs to a convenient place such as your desktop[*]Copy the contents of both logs & post in your next reply Link to post Share on other sites More sharing options...
Kirja Posted February 20, 2010 Author ID:203264 Share Posted February 20, 2010 Hi OTL and Rkill still did not work for me, i will try dl it from clean PC to night.Here is DDS:DDS (Ver_09-12-01.01) - NTFSx86 Run by Kirja at 16:29:36.70 on Sat 02/20/2010Internet Explorer: 7.0.5730.13Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2561 [GMT -5:00]AV: Paladin Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exeC:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\RocketDock\RocketDock.exeC:\DOCUME~1\Kirja\LOCALS~1\Temp\eventcreatexp.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Hawking\HWU54D\HWU54D.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\Program Files\OpenOffice.org 3\program\soffice.binC:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXEC:\WINDOWS\ALCFDRTM.EXEC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\System32\svchost.exe -k HTTPFilterC:\WINDOWS\system32\msiexec.exeC:\Program Files\Opera\opera.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\Program Files\Alwil Software\Avast5\avastUI.exeC:\DOCUME~1\Kirja\LOCALS~1\Temp\fmkgesng.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\Kirja\Desktop\dds.pif============== Pseudo HJT Report ===============uStart Page = hxxp://google.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uInternet Connection Wizard,ShellNext = iexploreuSearchURL,(Default) = hxxp://www.google.com/keyword/%smSearchAssistant = hxxp://www.google.com/ieBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dllBHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dllBHO: {53FE12C2-4429-488F-847B-7B285F8F6778} - No FileBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: {F92AE24D-2C39-4C17-8324-E93E9E0A37A2} - No FileTB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No FileuRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"uRun: [eventcreatexp.exe] c:\docume~1\kirja\locals~1\temp\eventcreatexp.exeuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [Paladin Antivirus] "c:\program files\paladin antivirus\pav.exe" -noscanmRun: [skyTel] SkyTel.EXEmRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exemRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXEmRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exemRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupmRun: [RTHDCPL] RTHDCPL.EXEmRun: [Alcmtr] ALCMTR.EXEmRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe bootmRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /noguiStartupFolder: c:\docume~1\kirja\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hawkin~1.lnk - c:\program files\hawking\hwu54d\HWU54D.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exeIE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htmIE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htmIE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htmIE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cabDPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cabDPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabDPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5347/mcfscan.cabHandler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dllHandler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - SEH: {53FE12C2-4429-488F-847B-7B285F8F6778} - No FileLSA: Authentication Packages = msv1_0 c:\windows\system32\iifdEWmnHosts: 64.16.193.26 l2authd.lineage2.comHosts: 216.107.250.194 update.nprotect.comHosts: 216.107.250.194 nprotect.lineage2.com============= SERVICES / DRIVERS ===============R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-20 162512]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-20 19024]R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-20 40384]R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-20 40384]R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-20 40384]R3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [2009-4-12 273408]S3 aaudstum;aaudstum;\??\c:\docume~1\kirja\locals~1\temp\aaudstum.sys --> c:\docume~1\kirja\locals~1\temp\aaudstum.sys [?]S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-2-18 30104]S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-2-18 30104]S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [2009-4-12 19200]=============== Created Last 30 ================2010-02-20 08:11:15 73728 ----a-w- c:\windows\ALCFDRTM.EXE2010-02-20 07:59:06 69632 ----a-w- c:\windows\Alcmtr.exe2010-02-20 07:58:11 0 d-----w- C:\Intel2010-02-20 07:47:51 0 d-----w- c:\program files\Paladin Antivirus2010-02-19 11:19:11 0 d-----w- c:\program files\Trend Micro2010-02-19 08:27:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy2010-02-19 07:11:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software2010-02-19 04:36:04 0 d-----w- c:\docume~1\alluse~1\applic~1\ZILLAbar2010-02-19 03:50:16 0 d-----w- c:\docume~1\kirja\applic~1\STOPzilla!2010-02-19 03:18:14 976 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg2010-02-19 03:03:50 496 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg2010-02-19 02:52:16 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard2010-02-19 02:51:42 0 d-----w- c:\program files\common files\iS32010-02-19 02:51:42 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!2010-02-19 02:34:06 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys2010-02-19 02:34:06 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat2010-02-19 02:34:06 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat2010-02-19 02:34:06 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys2010-02-19 02:34:04 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat2010-02-19 02:34:04 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys2010-02-19 02:33:52 0 d-----w- c:\program files\common files\PC Tools2010-02-19 02:33:52 0 d-----w- c:\docume~1\kirja\applic~1\PC Tools2010-02-19 02:33:52 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools2010-02-19 02:06:49 0 d-----w- c:\docume~1\alluse~1\applic~1\avg92010-02-19 01:28:45 50968 ----a-w- c:\windows\system32\avgfwdx.dll2010-02-19 01:28:45 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys2010-02-19 01:13:18 0 d-----w- c:\docume~1\kirja\applic~1\AVG82010-02-18 23:12:24 18864 ----a-w- c:\docume~1\alluse~1\applic~1\fiosejgfse.dll2010-02-18 22:59:02 9 ----a-w- c:\docume~1\alluse~1\applic~1\mswintmp.dat==================== Find3M ====================2010-01-23 17:15:52 80248 ----a-w- c:\windows\War3Unin.dat2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr2008-06-28 13:45:12 657319 --sha-w- c:\windows\system32\nmWEdfii.ini22008-10-16 11:10:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat============= FINISH: 16:30:04.42 ===============DDS ATTACH:DDS (Ver_09-12-01.01)Microsoft Windows XP ProfessionalBoot Device: \Device\HarddiskVolume1Install Date: 6/6/2008 11:10:00 PMSystem Uptime: 2/20/2010 4:20:38 PM (0 hours ago)Motherboard: http://www.abit.com.tw/ | | IP35 PRO(P35+ICH9R)Processor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2447/272mhzProcessor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2448/272mhzProcessor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2448/272mhzProcessor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2448/272mhz==== Disk Partitions =========================A: is RemovableC: is FIXED (NTFS) - 140 GiB total, 20.624 GiB free.D: is CDROM (CDFS)==== Disabled Device Manager Items =============Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}Description: Device ID: ACPI\ABT2005\3&2411E6FE&0Manufacturer: Name: PNP Device ID: ACPI\ABT2005\3&2411E6FE&0Service: Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}Description: AVG miniport driverDevice ID: ROOT\GR_AVGFWMP\0002Manufacturer: AVG TechnologiesName: AVG miniport driver #3PNP Device ID: ROOT\GR_AVGFWMP\0002Service: Avgfwdx==== System Restore Points ===================No restore point in system.==== Installed Programs ======================AAC DecoderAdobe Flash Player 10 ActiveXAdobe Reader 8.1.0AutoUpdateavast! Free AntivirusBitComet 1.06CDDRV_InstallerDivX CodecDivX ConverterDivX PlayerDivX Plus DirectShow FiltersDivX Version CheckerDivX Web PlayerEasy Avi/Divx/Xvid to DVD Burner 2.5.1H.264 DecoderHawking Technologies HWU54D Hi-Gain Wireless-G USB AdapterHeroes of Might and Magic V Collector EditionHeroes of Might and Magic Link to post Share on other sites More sharing options...
deltalima Posted February 20, 2010 ID:203275 Share Posted February 20, 2010 Hi Kirja,TDSSKillerDownload the file TDSSKiller.zip and save it on your desktopExtract the file tdskiller.zip, it will create a folder named tdsskiller on your desktopNext double-click the tdsskiller Folder on your desktop.Next right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.Highlight and copy the text in the codebox below."%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"Click Start, click Run... and paste the text above into the Open: line and click OK.Wait for the scan and disinfection process to be over.Open tdskiller.txt on your desktop and post the contents in your next reply Link to post Share on other sites More sharing options...
Kirja Posted February 20, 2010 Author ID:203293 Share Posted February 20, 2010 9:859 3288 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:3117:20:19:859 3288 ================================================================================17:20:19:859 3288 SystemInfo:17:20:19:859 3288 OS Version: 5.1.2600 ServicePack: 2.017:20:19:859 3288 Product type: Workstation17:20:19:859 3288 ComputerName: BEELZEBUB17:20:19:859 3288 UserName: Kirja17:20:19:859 3288 Windows directory: C:\WINDOWS17:20:19:859 3288 Processor architecture: Intel x8617:20:19:859 3288 Number of processors: 417:20:19:859 3288 Page size: 0x100017:20:19:859 3288 Boot type: Normal boot17:20:19:859 3288 ================================================================================17:20:19:859 3288 UnloadDriverW: NtUnloadDriver error 217:20:19:859 3288 ForceUnloadDriverW: UnloadDriverW(klmd21) error 217:20:19:859 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 0000000017:20:19:859 3288 UtilityInit: KLMD drop and load success17:20:19:859 3288 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)17:20:19:859 3288 UtilityInit: KLMD open success17:20:19:859 3288 UtilityInit: Initialize success17:20:19:859 3288 17:20:19:859 3288 Scanning Services ...17:20:19:859 3288 CreateRegParser: Registry parser init started17:20:19:859 3288 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 12717:20:19:859 3288 CreateRegParser: DisableWow64Redirection error17:20:19:859 3288 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system17:20:19:859 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C000004317:20:19:859 3288 wfopen_ex: MyNtCreateFileW error 32 (C0000043)17:20:19:859 3288 wfopen_ex: Trying to KLMD file open17:20:19:859 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system17:20:19:859 3288 wfopen_ex: File opened ok (Flags 2)17:20:19:859 3288 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: B84C3017:20:19:859 3288 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software17:20:19:859 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C000004317:20:19:859 3288 wfopen_ex: MyNtCreateFileW error 32 (C0000043)17:20:19:859 3288 wfopen_ex: Trying to KLMD file open17:20:19:859 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software17:20:19:859 3288 wfopen_ex: File opened ok (Flags 2)17:20:19:859 3288 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: B84CD817:20:19:859 3288 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 12717:20:19:859 3288 CreateRegParser: EnableWow64Redirection error17:20:19:859 3288 CreateRegParser: RegParser init completed17:20:20:109 3288 GetAdvancedServicesInfo: Raw services enum returned 323 services17:20:20:109 3288 ScanTDL2Services: Heur detect _VOIDd.sys17:20:20:109 3288 RegNode HKLM\SYSTEM\ControlSet001\services\_VOIDd.sys infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot17:20:20:109 3288 DeleteTDL2Service: SafeBoot Minimal doesn't infected17:20:20:109 3288 DeleteTDL2Service: SafeBoot Network doesn't infected17:20:20:109 3288 RegNode HKLM\SYSTEM\ControlSet002\services\_VOIDd.sys infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot17:20:20:109 3288 DeleteTDL2Service: SafeBoot Minimal doesn't infected17:20:20:109 3288 DeleteTDL2Service: SafeBoot Network doesn't infected17:20:20:109 3288 File C:\WINDOWS\system32\drivers\_VOIDyoulhyprqh.sys infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _VOIDd. Type: 117:20:20:109 3288 DeleteTDL2Service: Module clone ImagePath, skipping17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _VOIDc. Type: 117:20:20:109 3288 File C:\WINDOWS\system32\_VOIDdlypxumltk.dll infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _VOIDsrcr. Type: 117:20:20:109 3288 File C:\WINDOWS\system32\_VOIDmtvaoppjdx.dat infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _voidserf. Type: 117:20:20:109 3288 File C:\WINDOWS\system32\_VOIDlhbqoiqaim.dll infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _voidbbr. Type: 117:20:20:109 3288 File C:\WINDOWS\system32\_VOIDmlguwybomf.dll infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _VOIDerrors. Type: 117:20:20:109 3288 File C:\WINDOWS\system32\_VOIDegobaeouft.log infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot17:20:20:109 3288 ScanTDL2Services: DeleteEvilService(_VOIDd.sys) success17:20:20:109 3288 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system17:20:20:109 3288 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software17:20:20:109 3288 17:20:20:109 3288 Scanning Kernel memory ...17:20:20:109 3288 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk17:20:20:109 3288 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AEF621817:20:20:109 3288 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects17:20:20:109 3288 17:20:20:109 3288 DetectCureTDL3: DEVICE_OBJECT: 8AE7A5E817:20:20:109 3288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE7A5E817:20:20:109 3288 KLMD_ReadMem: Trying to ReadMemory 0x8AE7A5E8[0x38]17:20:20:109 3288 DetectCureTDL3: DRIVER_OBJECT: 8AEF621817:20:20:109 3288 KLMD_ReadMem: Trying to ReadMemory 0x8AEF6218[0xA8]17:20:20:109 3288 KLMD_ReadMem: Trying to ReadMemory 0xE1623120[0x18]17:20:20:109 3288 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk17:20:20:109 3288 DetectCureTDL3: IRP_MJ_CREATE : BA91EC3017:20:20:109 3288 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_CLOSE : BA91EC3017:20:20:109 3288 DetectCureTDL3: IRP_MJ_READ : BA918D9B17:20:20:109 3288 DetectCureTDL3: IRP_MJ_WRITE : BA918D9B17:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_EA : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA91936617:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA91944D17:20:20:109 3288 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CFC317:20:20:109 3288 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA91936617:20:20:109 3288 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_CLEANUP : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_POWER : BA91AEF317:20:20:109 3288 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA91FA2417:20:20:109 3288 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F445617:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F445617:20:20:109 3288 TDL3_FileDetect: Processing driver: Disk17:20:20:109 3288 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys17:20:20:109 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys17:20:20:109 3288 TDL3_FileDetect: Processing driver: Disk17:20:20:109 3288 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys17:20:20:109 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys17:20:20:109 3288 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean17:20:20:109 3288 17:20:20:109 3288 DetectCureTDL3: DEVICE_OBJECT: 8ADFAAB817:20:20:109 3288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADFAAB817:20:20:109 3288 DetectCureTDL3: DEVICE_OBJECT: 8AE649E817:20:20:109 3288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE649E817:20:20:109 3288 DetectCureTDL3: DEVICE_OBJECT: 8AE6394017:20:20:125 3288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE6394017:20:20:125 3288 KLMD_ReadMem: Trying to ReadMemory 0x8AE63940[0x38]17:20:20:125 3288 DetectCureTDL3: DRIVER_OBJECT: 8AE6CB6017:20:20:125 3288 KLMD_ReadMem: Trying to ReadMemory 0x8AE6CB60[0xA8]17:20:20:125 3288 KLMD_ReadMem: Trying to ReadMemory 0xE1629130[0x1A]17:20:20:125 3288 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi17:20:20:125 3288 DetectCureTDL3: IRP_MJ_CREATE : 8AE9F1F817:20:20:125 3288 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_CLOSE : 8AE9F1F817:20:20:125 3288 DetectCureTDL3: IRP_MJ_READ : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_WRITE : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_EA : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8AE9F1F817:20:20:125 3288 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 8AE9F1F817:20:20:125 3288 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_CLEANUP : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_POWER : 8AE9F1F817:20:20:125 3288 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 8AE9F1F817:20:20:125 3288 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F445617:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F445617:20:20:125 3288 TDL3_FileDetect: Processing driver: atapi17:20:20:125 3288 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys17:20:20:125 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys17:20:20:125 3288 KLMD_ReadMem: Trying to ReadMemory 0xBA5FD7C6[0x400]17:20:20:125 3288 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 017:20:20:125 3288 TDL3_FileDetect: Processing driver: atapi17:20:20:125 3288 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys17:20:20:125 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys17:20:20:125 3288 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean17:20:20:125 3288 UtilityBootReinit: Reboot required for cure complete..17:20:20:125 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 0000000017:20:20:125 3288 UtilityBootReinit: KLMD drop success17:20:20:125 3288 KLMD_ApplyPendList: Pending buffer(5458_7DEF, 1032) dropped successfully17:20:20:125 3288 UtilityBootReinit: Cure on reboot scheduled successfully17:20:20:125 3288 17:20:20:125 3288 Completed17:20:20:125 3288 17:20:20:125 3288 Results:17:20:20:125 3288 Memory objects infected / cured / cured on reboot: 0 / 0 / 017:20:20:125 3288 Registry objects infected / cured / cured on reboot: 2 / 0 / 217:20:20:125 3288 File objects infected / cured / cured on reboot: 6 / 0 / 617:20:20:125 3288 17:20:20:984 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 0000000017:20:20:984 3288 UtilityDeinit: KLMD(ARK) unloaded successfully Link to post Share on other sites More sharing options...
Kirja Posted February 20, 2010 Author ID:203295 Share Posted February 20, 2010 Hi Deltalima, thank you again for helping me out and sharing ur knowledge about malwares, i havew to go atm i will try dling programs i failed to dl will be back 5 hours from now on Link to post Share on other sites More sharing options...
Kirja Posted February 20, 2010 Author ID:203299 Share Posted February 20, 2010 still here for next 10-15 minets Link to post Share on other sites More sharing options...
Kirja Posted February 20, 2010 Author ID:203300 Share Posted February 20, 2010 PC just restarted on its own, no trace of paladin , avast blocked trojan. Link to post Share on other sites More sharing options...
deltalima Posted February 20, 2010 ID:203306 Share Posted February 20, 2010 Hi Kirja,Please reboot your computer.Now please run RKill one more time.Malwarebytes Anti-Malware:Please download Malwarebytes' Anti-Malware to your desktop.Double-click mbam-setup.exe and select then follow the prompts to install the program.At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.If an update is found, it will download and install the latest version.Once the program has loaded, select Perform quick scan, then click Scan.When the scan is complete, click OK, then Show Results to view the results.Be sure that everything is checked, and click Remove Selected.When completed, a log will open in Notepad. Please post that log in your next reply.The log can also be found here:Launch Malwarebytes' Anti-MalwareClick on the Logs radio tab.Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.Please post the Malwarebytes log and the Rkill log in your next reply and let me know how the computer is running now. Link to post Share on other sites More sharing options...
Kirja Posted February 20, 2010 Author ID:203310 Share Posted February 20, 2010 18:01:20:453 1516 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:3118:01:20:453 1516 ================================================================================18:01:20:453 1516 SystemInfo:18:01:20:453 1516 OS Version: 5.1.2600 ServicePack: 2.018:01:20:453 1516 Product type: Workstation18:01:20:453 1516 ComputerName: BEELZEBUB18:01:20:453 1516 UserName: Kirja18:01:20:453 1516 Windows directory: C:\WINDOWS18:01:20:453 1516 Processor architecture: Intel x8618:01:20:453 1516 Number of processors: 418:01:20:453 1516 Page size: 0x100018:01:20:453 1516 Boot type: Normal boot18:01:20:453 1516 ================================================================================18:01:20:468 1516 UnloadDriverW: NtUnloadDriver error 218:01:20:468 1516 ForceUnloadDriverW: UnloadDriverW(klmd21) error 218:01:20:468 1516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 0000000018:01:20:500 1516 UtilityInit: KLMD drop and load success18:01:20:500 1516 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)18:01:20:500 1516 UtilityInit: KLMD open success18:01:20:500 1516 UtilityInit: Initialize success18:01:20:500 1516 18:01:20:500 1516 Scanning Services ...18:01:20:500 1516 CreateRegParser: Registry parser init started18:01:20:500 1516 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 12718:01:20:500 1516 CreateRegParser: DisableWow64Redirection error18:01:20:500 1516 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system18:01:20:500 1516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C000004318:01:20:500 1516 wfopen_ex: MyNtCreateFileW error 32 (C0000043)18:01:20:500 1516 wfopen_ex: Trying to KLMD file open18:01:20:500 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system18:01:20:500 1516 wfopen_ex: File opened ok (Flags 2)18:01:20:500 1516 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384C3018:01:20:500 1516 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software18:01:20:500 1516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C000004318:01:20:500 1516 wfopen_ex: MyNtCreateFileW error 32 (C0000043)18:01:20:500 1516 wfopen_ex: Trying to KLMD file open18:01:20:500 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software18:01:20:500 1516 wfopen_ex: File opened ok (Flags 2)18:01:20:500 1516 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384CD818:01:20:500 1516 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 12718:01:20:500 1516 CreateRegParser: EnableWow64Redirection error18:01:20:500 1516 CreateRegParser: RegParser init completed18:01:20:765 1516 GetAdvancedServicesInfo: Raw services enum returned 321 services18:01:20:765 1516 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system18:01:20:765 1516 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software18:01:20:765 1516 18:01:20:765 1516 Scanning Kernel memory ...18:01:20:781 1516 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk18:01:20:781 1516 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AE6B03018:01:20:781 1516 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects18:01:20:781 1516 18:01:20:781 1516 DetectCureTDL3: DEVICE_OBJECT: 8AE53C6818:01:20:781 1516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE53C6818:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0x8AE53C68[0x38]18:01:20:781 1516 DetectCureTDL3: DRIVER_OBJECT: 8AE6B03018:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0x8AE6B030[0xA8]18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0xE164AE60[0x18]18:01:20:781 1516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE : BA91EC3018:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_CLOSE : BA91EC3018:01:20:781 1516 DetectCureTDL3: IRP_MJ_READ : BA918D9B18:01:20:781 1516 DetectCureTDL3: IRP_MJ_WRITE : BA918D9B18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_EA : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA91936618:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA91944D18:01:20:781 1516 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CFC318:01:20:781 1516 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA91936618:01:20:781 1516 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_CLEANUP : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_POWER : BA91AEF318:01:20:781 1516 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA91FA2418:01:20:781 1516 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F445618:01:20:781 1516 TDL3_FileDetect: Processing driver: Disk18:01:20:781 1516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys18:01:20:781 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys18:01:20:781 1516 TDL3_FileDetect: Processing driver: Disk18:01:20:781 1516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys18:01:20:781 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys18:01:20:781 1516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean18:01:20:781 1516 18:01:20:781 1516 DetectCureTDL3: DEVICE_OBJECT: 8ADAFAB818:01:20:781 1516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADAFAB818:01:20:781 1516 DetectCureTDL3: DEVICE_OBJECT: 8ADB933818:01:20:781 1516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADB933818:01:20:781 1516 DetectCureTDL3: DEVICE_OBJECT: 8AE5394018:01:20:781 1516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE5394018:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0x8AE53940[0x38]18:01:20:781 1516 DetectCureTDL3: DRIVER_OBJECT: 8AE67B6018:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0x8AE67B60[0xA8]18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0xE16505C8[0x1A]18:01:20:781 1516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE : 8AE931F818:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_CLOSE : 8AE931F818:01:20:781 1516 DetectCureTDL3: IRP_MJ_READ : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_WRITE : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_EA : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8AE931F818:01:20:781 1516 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 8AE931F818:01:20:781 1516 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_CLEANUP : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_POWER : 8AE931F818:01:20:781 1516 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 8AE931F818:01:20:781 1516 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F445618:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F445618:01:20:781 1516 TDL3_FileDetect: Processing driver: atapi18:01:20:781 1516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys18:01:20:781 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0xBA5FD7C6[0x400]18:01:20:781 1516 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 018:01:20:781 1516 TDL3_FileDetect: Processing driver: atapi18:01:20:781 1516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys18:01:20:781 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys18:01:20:796 1516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean18:01:20:796 1516 18:01:20:796 1516 Completed18:01:20:796 1516 18:01:20:796 1516 Results:18:01:20:796 1516 Memory objects infected / cured / cured on reboot: 0 / 0 / 018:01:20:796 1516 Registry objects infected / cured / cured on reboot: 0 / 0 / 018:01:20:796 1516 File objects infected / cured / cured on reboot: 0 / 0 / 018:01:20:796 1516 18:01:21:640 1516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 0000000018:01:21:640 1516 UtilityDeinit: KLMD(ARK) unloaded successfully Link to post Share on other sites More sharing options...
deltalima Posted February 20, 2010 ID:203312 Share Posted February 20, 2010 Hi Kirja,That was a TDSSKiller log, please run Malwarbytes Antimalware and post the log. Link to post Share on other sites More sharing options...
Kirja Posted February 20, 2010 Author ID:203314 Share Posted February 20, 2010 Malwarebytes' Anti-Malware 1.44Database version: 3768Windows 5.1.2600 Service Pack 2Internet Explorer 7.0.5730.132/20/2010 6:09:03 PMmbam-log-2010-02-20 (18-09-03).txtScan type: Quick ScanObjects scanned: 108409Time elapsed: 2 minute(s), 39 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 14Registry Values Infected: 2Registry Data Items Infected: 0Folders Infected: 1Files Infected: 10Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53fe12c2-4429-488f-847b-7b285f8f6778} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53fe12c2-4429-488f-847b-7b285f8f6778} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{53fe12c2-4429-488f-847b-7b285f8f6778} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\Program Files\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.Files Infected:C:\Documents and Settings\Kirja\Local Settings\Temp\SPAM.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\Documents and Settings\Kirja\Local Settings\Temp\fmkgesng.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\Program Files\Paladin Antivirus\pav.db (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.C:\Program Files\Paladin Antivirus\phook.dll (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.C:\Program Files\Paladin Antivirus\uninstall.exe (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\mswintmp.dat (Malware.Trace) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\BM9b331d56.txt (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\BM9b331d56.xml (Trojan.Vundo) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
deltalima Posted February 20, 2010 ID:203318 Share Posted February 20, 2010 Hi Kirja,That's looking better now.Please go to Kaspersky website and perform an online antivirus scan.Read through the requirements and privacy statement and click on Accept button.It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.When the downloads have finished, click on Settings.Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programsArchives[*]Click on My Computer under Scan.[*]Once the scan is complete, it will display the results. Click on View Scan Report.[*]You will see a list of infected items there. Click on Save Report As....[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.[*]Please post this log in your next reply along with a fresh HijackThis log and also let me know how your computer is running now. Link to post Share on other sites More sharing options...
Kirja Posted February 21, 2010 Author ID:203808 Share Posted February 21, 2010 Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:18:13 PM, on 2/21/2010Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16674)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exeC:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\RTHDCPL.EXEC:\PROGRA~1\ALWILS~1\Avast5\avastUI.exeC:\Program Files\RocketDock\RocketDock.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Hawking\HWU54D\HWU54D.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\WINDOWS\ALCFDRTM.EXEC:\Program Files\OpenOffice.org 3\program\soffice.binC:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXEC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Pando Networks\Media Booster\PMB.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O1 - Hosts: 64.16.193.26 l2authd.lineage2.comO1 - Hosts: 216.107.250.194 update.nprotect.comO1 - Hosts: 216.107.250.194 nprotect.lineage2.comO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: (no name) - {F92AE24D-2C39-4C17-8324-E93E9E0A37A2} - (no file)O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)O4 - HKLM\..\Run: [skyTel] SkyTel.EXEO4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXEO4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe bootO4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /noguiO4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscanO4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exeO4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking\HWU54D\HWU54D.exeO4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeO4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exeO8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htmO8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htmO8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htmO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cabO16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cabO16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...347/mcfscan.cabO18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe--End of file - 8311 bytesHi, i am sorry about yestarday i was already late and had to run, PC seems to run ok did not notice any problems so far, as for kaspersky scan log i will try with different browser, unable to open or save report when i run it in Opera browser, however it detected nothing. Will do it asap. Link to post Share on other sites More sharing options...
Kirja Posted February 21, 2010 Author ID:203839 Share Posted February 21, 2010 KASPERSKY ONLINE SCANNER 7.0: scan report Sunday, February 21, 2010 Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Sunday, February 21, 2010 20:49:11 Records in database: 3610312--------------------------------------------------------------------------------Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yesScan area - My Computer: A:\ C:\ D:\Scan statistics: Objects scanned: 90985 Threats found: 0 Infected objects found: 0 Suspicious objects found: 0 Scan duration: 01:02:10No threats found. Scanned area is clean.Selected area has been scanned. Link to post Share on other sites More sharing options...
deltalima Posted February 22, 2010 ID:204011 Share Posted February 22, 2010 Hi Kirja,Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:Update Java RuntimeYou are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.Download the latest version of Java Runtime Environment (JRE) 6 HereScroll down to where it says "JDK 6 Update 18 (JDK or JRE)"Click the orange Download JRE button to the rightSelect the Windows platform from the dropdown menuRead the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refreshClick on the link to download Windows Offline Installation & save the file to your desktopClose any programs you may have running - especially your web browserGo to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of JavaCheck (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the nameClick the Remove or Change/Remove button.Repeat as many times as necessary to remove each Java versionsReboot your computer once all Java components are removedThen from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest versionYou should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.All versions numbered lower than 9.3 are vulnerable.Go HERE , UNCHECK any Free Add-Ons, and click Download to install the latest version of Adobe Acrobat Reader. After it completes the Installation, close the Download Manager.Please delete the TDSSKiller icon, folder and log from your desktop.Remove GMERDelete the GMER icon from your desktop, it will be named t5y68r8f.exeRemove all used toolsPlease download OTC and save it to desktop.Double-click OTC.exe..Click the CleanUp! button.Select Yes when the "Begin cleanup Process?" prompt appears.If you are prompted to Reboot during the cleanup, select Yes.The tool will delete itself once it finishes, if not delete it by yourself.Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.Create a new, clean System Restore point which you can use in case of future system problems:Press Start >> All Programs >> Accessories >>System Tools >> System RestoreSelect Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press CloseNow remove old, infected System Restore points:Next click Start >> Run and type cleanmgr in the box and press OKEnsure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.Select the More Options tab, under System Restore press Clean up... and say Yes to the promptPress OK and Yes to confirmUpdate your AntiVirus Software and keep your other programs up-to-dateUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckSecurity Updates for Windows, Internet Explorer & Microsoft OfficeWhenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.A tutorial on installing & using this product can be found here:Using SpywareBlaster to protect your computer from Spyware and MalwareUpdate all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will enhance your safetyMVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computerWinpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here: Using Winpatrol to protect your computer from malicious softwareAlso, please read this great article by Tony Klein So How Did I Get Infected In First PlaceHappy surfing and stay clean! Link to post Share on other sites More sharing options...
Kirja Posted February 22, 2010 Author ID:204219 Share Posted February 22, 2010 Thank you ) u The Best Link to post Share on other sites More sharing options...
Recommended Posts