Jump to content

Paladin antivirus


Kirja
 Share

Recommended Posts

Hi , i am new here and i need help. Yestarday i found out that my pc has some kind of Antivirus Called Paladin, wich instals on its own. I was using AVG antyvirus wich didn't help and stop working after short time at all with few other programs like PowerIS. All night i was trying new softwares to get ride of it , but most of them didn't even open after instalation or failed to fix the problem.

If u could help me would be Great :)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:44:40 AM, on 2/19/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\DOCUME~1\Kirja\LOCALS~1\Temp\eventcreatexp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hawking\HWU54D\HWU54D.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\ALCFDRTM.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 64.16.193.26 l2authd.lineage2.com

O1 - Hosts: 216.107.250.194 update.nprotect.com

O1 - Hosts: 216.107.250.194 nprotect.lineage2.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)

O2 - BHO: (no name) - {53FE12C2-4429-488F-847B-7B285F8F6778} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {F92AE24D-2C39-4C17-8324-E93E9E0A37A2} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [eventcreatexp.exe] C:\DOCUME~1\Kirja\LOCALS~1\Temp\eventcreatexp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking\HWU54D\HWU54D.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...347/mcfscan.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--

End of file - 7720 bytes

Link to post
Share on other sites

Hi Kirja,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Rkill

Please download Rkill from one of the following links and save to your Desktop:

One, Two,Three or Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • A notepad windows will open, please post the contents in your next reply
  • This log can also be found at C:\rkill.log
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

    [*]Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE

Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log and rkill.log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Link to post
Share on other sites

Hi deltalima and thank you, i was trying to dl Rkill and OTL how ever i was not able to open page i get error , i am still looking for it but no luck so far. How ever here is gmer with wich i had no problem dling it.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-02-19 19:56:02

Windows 5.1.2600 Service Pack 2

Running: t5y68r8f.exe; Driver: C:\DOCUME~1\Kirja\LOCALS~1\Temp\pwlcrpob.sys

---- System - GMER 1.0.15 ----

INT 0x63 ? 8AE9FBF8

INT 0x63 ? 8AE9FBF8

INT 0x63 ? 8AE9FBF8

INT 0x63 ? 8AE9FBF8

INT 0x63 ? 8AC49BF8

INT 0x63 ? 8AC49BF8

INT 0x63 ? 8AE9FBF8

INT 0x83 ? 8AEA2BF8

INT 0x83 ? 8AC49BF8

INT 0x83 ? 8AEA2BF8

INT 0x94 ? 8AC49BF8

INT 0xA4 ? 8AC49BF8

INT 0xA4 ? 8AC49BF8

Code 89DDD420 ZwEnumerateKey

Code 89DE1610 ZwFlushInstructionCache

Code 89DDFCBE IofCallDriver

Code 89E51236 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF09C 5 Bytes JMP 89DDFCC3

.text ntkrnlpa.exe!IofCompleteRequest 804EF12C 5 Bytes JMP 89E5123B

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B527E 5 Bytes JMP 89DE1614

PAGE ntkrnlpa.exe!ZwEnumerateKey 80622944 5 Bytes JMP 89DDD424

? spmn.sys The system cannot find the file specified. !

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9035360, 0x372FAD, 0xE8000020]

.text USBPORT.SYS!DllUnload B901662C 5 Bytes JMP 8AC491D8

.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB462F300, 0x3ACC8, 0xE8000020]

.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBAC58300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 00C1000A

.text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!HttpOpenRequestA 78064341 5 Bytes JMP 00D7000A

.text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!InternetConnectA 7806499A 5 Bytes JMP 00D9000A

.text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!InternetConnectW 78065B88 5 Bytes JMP 00D8000A

.text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!HttpOpenRequestW 78065D62 5 Bytes JMP 00D6000A

.text C:\Program Files\Internet Explorer\iexplore.exe[604] WININET.dll!HttpAddRequestHeadersW 780CCF4D 5 Bytes JMP 00D5000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [bA6AC040] spmn.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [bA6AC13C] spmn.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [bA6AC0BE] spmn.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [bA6AC7FC] spmn.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [bA6AC6D2] spmn.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AEFC1F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{3721098D-45A7-4DFC-B113-2D11A402896F} 89D84500

Device \Driver\usbuhci \Device\USBPDO-0 8AC48500

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AEFE1F8

Device \Driver\dmio \Device\DmControl\DmConfig 8AEFE1F8

Device \Driver\dmio \Device\DmControl\DmPnP 8AEFE1F8

Device \Driver\dmio \Device\DmControl\DmInfo 8AEFE1F8

Device \Driver\usbuhci \Device\USBPDO-1 8AC48500

Device \Driver\NetBT \Device\NetBT_Tcpip_{F72FE336-72EE-4474-8C17-3ACCD5E3A233} 89D84500

Device \Driver\usbuhci \Device\USBPDO-2 8AC48500

Device \Driver\usbehci \Device\USBPDO-3 8AC4A500

Device \Driver\usbehci \Device\USBPDO-4 8AC4A500

Device \Driver\usbuhci \Device\USBPDO-5 8AC48500

Device \Driver\usbuhci \Device\USBPDO-6 8AC48500

Device \Driver\Ftdisk \Device\HarddiskVolume1 8AEA01F8

Device \Driver\usbuhci \Device\USBPDO-7 8AC48500

Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-12 8AE9F1F8

Device \Driver\atapi \Device\Ide\IdePort0 8AE9F1F8

Device \Driver\atapi \Device\Ide\IdePort1 8AE9F1F8

Device \Driver\atapi \Device\Ide\IdePort2 8AE9F1F8

Device \Driver\atapi \Device\Ide\IdePort3 8AE9F1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-5 8AE9F1F8

Device \Driver\NetBT \Device\NetBt_Wins_Export 89D84500

Device \Driver\NetBT \Device\NetbiosSmb 89D84500

Device \Driver\usbuhci \Device\USBFDO-0 8AC48500

Device \Driver\usbuhci \Device\USBFDO-1 8AC48500

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89CC61F8

Device \Driver\usbuhci \Device\USBFDO-2 8AC48500

Device \Driver\NetBT \Device\NetBT_Tcpip_{3A8B549D-1029-48F7-B9E4-4D0BEC5F4A43} 89D84500

Device \FileSystem\MRxSmb \Device\LanmanRedirector 89CC61F8

Device \Driver\usbehci \Device\USBFDO-3 8AC4A500

Device \Driver\usbuhci \Device\USBFDO-4 8AC48500

Device \Driver\Ftdisk \Device\FtControl 8AEA01F8

Device \Driver\usbuhci \Device\USBFDO-5 8AC48500

Device \Driver\usbuhci \Device\USBFDO-6 8AC48500

Device \Driver\usbehci \Device\USBFDO-7 8AC4A500

Device \Driver\JRAID \Device\Scsi\JRAID1 8AEFD1F8

Device \FileSystem\Cdfs \Cdfs 89EE9500

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\_VOIDyoulhyprqh.sys (*** hidden *** ) B6891000-B68AF000 (122880 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\_VOIDyoulhyprqh.sys (*** hidden *** ) [sYSTEM] _VOIDd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE2 0xE6 0xBA 0xB9 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDyoulhyprqh.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDyoulhyprqh.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDdlypxumltk.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDmtvaoppjdx.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDlhbqoiqaim.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDmlguwybomf.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDerrors \\?\globalroot\systemroot\system32\_VOIDegobaeouft.log

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE2 0xE6 0xBA 0xB9 ...

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDyoulhyprqh.sys

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDyoulhyprqh.sys

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDdlypxumltk.dll

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDmtvaoppjdx.dat

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDlhbqoiqaim.dll

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDmlguwybomf.dll

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDerrors \\?\globalroot\systemroot\system32\_VOIDegobaeouft.log

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll 1580 bytes

File C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll 10764 bytes

File C:\Documents and Settings\Kirja\Local Settings\Temp\_VOIDa1e5.tmp 343040 bytes executable

File C:\Program Files\Common Files\Sony Shared\OpenMG\OmgMp4LibWrapper.dll (size mismatch) 135168/434176 bytes executable

File C:\Program Files\Common Files\System\msadc\msdfmap.dll (size mismatch) 16384/36864 bytes executable

File C:\Program Files\Messenger\logowin.gif (size mismatch) 28672/4821 bytes executable

File C:\WINDOWS\$hf_mig$\KB887472\spuninst.exe (size mismatch) 7168/169984 bytes executable

File C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll (size mismatch) 151583/60192 bytes executable

File C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\inseng.dll (size mismatch) 251904/96256 bytes executable

File C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msisip.dll (size mismatch) 884736/44032 bytes executable

File C:\WINDOWS\system32\dllcache\atmepvc.sys (size mismatch) 59904/31360 bytes executable

File C:\WINDOWS\system32\dllcache\dxgthk.sys (size mismatch) 2113536/3328 bytes executable

File C:\WINDOWS\system32\dllcache\fxsevent.dll (size mismatch) 27136/55296 bytes executable

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

Hi again, i found Rkill but it didn't work for me , i tryed to run it in safe mode but it happened i am not even able to start my pc in safe mode , f8 doesn't work and when i actualy get to the point where i chose how i want pc to run my arrow keys are frozen and it starts in normal mode, tryed running as administrator but still didn't work think malware blocks it but idk. As for OTL i am still looking for avalible link wich i will be abble to open no luck so far.

Link to post
Share on other sites

Hi Kirja,

Please try the OTL download link again, it should work now.

Please delete your copy of RKill and download a new copy. Next reboot your computer and then run RKill and then OTL then post the logs back here.

If you still have problems with OTL then

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

dds_scr.gif

Download DDS and save it to your desktop

Link1

Link2

Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt

    [*]A window will open instructing you save & post the logs

    [*]Save the logs to a convenient place such as your desktop

    [*]Copy the contents of both logs & post in your next reply

Link to post
Share on other sites

Hi OTL and Rkill still did not work for me, i will try dl it from clean PC to night.

Here is DDS:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Kirja at 16:29:36.70 on Sat 02/20/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2561 [GMT -5:00]

AV: Paladin Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\RocketDock\RocketDock.exe

C:\DOCUME~1\Kirja\LOCALS~1\Temp\eventcreatexp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hawking\HWU54D\HWU54D.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\WINDOWS\ALCFDRTM.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\DOCUME~1\Kirja\LOCALS~1\Temp\fmkgesng.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Kirja\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {53FE12C2-4429-488F-847B-7B285F8F6778} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {F92AE24D-2C39-4C17-8324-E93E9E0A37A2} - No File

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"

uRun: [eventcreatexp.exe] c:\docume~1\kirja\locals~1\temp\eventcreatexp.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Paladin Antivirus] "c:\program files\paladin antivirus\pav.exe" -noscan

mRun: [skyTel] SkyTel.EXE

mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

StartupFolder: c:\docume~1\kirja\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hawkin~1.lnk - c:\program files\hawking\hwu54d\HWU54D.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5347/mcfscan.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -

SEH: {53FE12C2-4429-488F-847B-7B285F8F6778} - No File

LSA: Authentication Packages = msv1_0 c:\windows\system32\iifdEWmn

Hosts: 64.16.193.26 l2authd.lineage2.com

Hosts: 216.107.250.194 update.nprotect.com

Hosts: 216.107.250.194 nprotect.lineage2.com

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-20 162512]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-20 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-20 40384]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-20 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-20 40384]

R3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [2009-4-12 273408]

S3 aaudstum;aaudstum;\??\c:\docume~1\kirja\locals~1\temp\aaudstum.sys --> c:\docume~1\kirja\locals~1\temp\aaudstum.sys [?]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-2-18 30104]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-2-18 30104]

S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [2009-4-12 19200]

=============== Created Last 30 ================

2010-02-20 08:11:15 73728 ----a-w- c:\windows\ALCFDRTM.EXE

2010-02-20 07:59:06 69632 ----a-w- c:\windows\Alcmtr.exe

2010-02-20 07:58:11 0 d-----w- C:\Intel

2010-02-20 07:47:51 0 d-----w- c:\program files\Paladin Antivirus

2010-02-19 11:19:11 0 d-----w- c:\program files\Trend Micro

2010-02-19 08:27:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-02-19 07:11:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-02-19 04:36:04 0 d-----w- c:\docume~1\alluse~1\applic~1\ZILLAbar

2010-02-19 03:50:16 0 d-----w- c:\docume~1\kirja\applic~1\STOPzilla!

2010-02-19 03:18:14 976 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

2010-02-19 03:03:50 496 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-02-19 02:52:16 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard

2010-02-19 02:51:42 0 d-----w- c:\program files\common files\iS3

2010-02-19 02:51:42 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!

2010-02-19 02:34:06 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-02-19 02:34:06 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2010-02-19 02:34:06 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2010-02-19 02:34:06 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-02-19 02:34:04 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2010-02-19 02:34:04 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-02-19 02:33:52 0 d-----w- c:\program files\common files\PC Tools

2010-02-19 02:33:52 0 d-----w- c:\docume~1\kirja\applic~1\PC Tools

2010-02-19 02:33:52 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-02-19 02:06:49 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-02-19 01:28:45 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2010-02-19 01:28:45 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2010-02-19 01:13:18 0 d-----w- c:\docume~1\kirja\applic~1\AVG8

2010-02-18 23:12:24 18864 ----a-w- c:\docume~1\alluse~1\applic~1\fiosejgfse.dll

2010-02-18 22:59:02 9 ----a-w- c:\docume~1\alluse~1\applic~1\mswintmp.dat

==================== Find3M ====================

2010-01-23 17:15:52 80248 ----a-w- c:\windows\War3Unin.dat

2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr

2008-06-28 13:45:12 657319 --sha-w- c:\windows\system32\nmWEdfii.ini2

2008-10-16 11:10:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat

============= FINISH: 16:30:04.42 ===============

DDS ATTACH:

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 6/6/2008 11:10:00 PM

System Uptime: 2/20/2010 4:20:38 PM (0 hours ago)

Motherboard: http://www.abit.com.tw/ | | IP35 PRO(P35+ICH9R)

Processor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2447/272mhz

Processor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2448/272mhz

Processor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2448/272mhz

Processor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2448/272mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 140 GiB total, 20.624 GiB free.

D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\ABT2005\3&2411E6FE&0

Manufacturer:

Name:

PNP Device ID: ACPI\ABT2005\3&2411E6FE&0

Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: AVG miniport driver

Device ID: ROOT\GR_AVGFWMP\0002

Manufacturer: AVG Technologies

Name: AVG miniport driver #3

PNP Device ID: ROOT\GR_AVGFWMP\0002

Service: Avgfwdx

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

AAC Decoder

Adobe Flash Player 10 ActiveX

Adobe Reader 8.1.0

AutoUpdate

avast! Free Antivirus

BitComet 1.06

CDDRV_Installer

DivX Codec

DivX Converter

DivX Player

DivX Plus DirectShow Filters

DivX Version Checker

DivX Web Player

Easy Avi/Divx/Xvid to DVD Burner 2.5.1

H.264 Decoder

Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter

Heroes of Might and Magic V Collector Edition

Heroes of Might and Magic

Link to post
Share on other sites

Hi Kirja,

TDSSKiller

  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdskiller.zip, it will create a folder named tdsskiller on your desktop
  • Next double-click the tdsskiller Folder on your desktop.
  • Next right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"


  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdskiller.txt on your desktop and post the contents in your next reply

Link to post
Share on other sites

9:859 3288 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31

17:20:19:859 3288 ================================================================================

17:20:19:859 3288 SystemInfo:

17:20:19:859 3288 OS Version: 5.1.2600 ServicePack: 2.0

17:20:19:859 3288 Product type: Workstation

17:20:19:859 3288 ComputerName: BEELZEBUB

17:20:19:859 3288 UserName: Kirja

17:20:19:859 3288 Windows directory: C:\WINDOWS

17:20:19:859 3288 Processor architecture: Intel x86

17:20:19:859 3288 Number of processors: 4

17:20:19:859 3288 Page size: 0x1000

17:20:19:859 3288 Boot type: Normal boot

17:20:19:859 3288 ================================================================================

17:20:19:859 3288 UnloadDriverW: NtUnloadDriver error 2

17:20:19:859 3288 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

17:20:19:859 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

17:20:19:859 3288 UtilityInit: KLMD drop and load success

17:20:19:859 3288 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)

17:20:19:859 3288 UtilityInit: KLMD open success

17:20:19:859 3288 UtilityInit: Initialize success

17:20:19:859 3288

17:20:19:859 3288 Scanning Services ...

17:20:19:859 3288 CreateRegParser: Registry parser init started

17:20:19:859 3288 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127

17:20:19:859 3288 CreateRegParser: DisableWow64Redirection error

17:20:19:859 3288 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

17:20:19:859 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043

17:20:19:859 3288 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:20:19:859 3288 wfopen_ex: Trying to KLMD file open

17:20:19:859 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system

17:20:19:859 3288 wfopen_ex: File opened ok (Flags 2)

17:20:19:859 3288 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: B84C30

17:20:19:859 3288 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

17:20:19:859 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043

17:20:19:859 3288 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:20:19:859 3288 wfopen_ex: Trying to KLMD file open

17:20:19:859 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software

17:20:19:859 3288 wfopen_ex: File opened ok (Flags 2)

17:20:19:859 3288 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: B84CD8

17:20:19:859 3288 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127

17:20:19:859 3288 CreateRegParser: EnableWow64Redirection error

17:20:19:859 3288 CreateRegParser: RegParser init completed

17:20:20:109 3288 GetAdvancedServicesInfo: Raw services enum returned 323 services

17:20:20:109 3288 ScanTDL2Services: Heur detect _VOIDd.sys

17:20:20:109 3288 RegNode HKLM\SYSTEM\ControlSet001\services\_VOIDd.sys infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot

17:20:20:109 3288 DeleteTDL2Service: SafeBoot Minimal doesn't infected

17:20:20:109 3288 DeleteTDL2Service: SafeBoot Network doesn't infected

17:20:20:109 3288 RegNode HKLM\SYSTEM\ControlSet002\services\_VOIDd.sys infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot

17:20:20:109 3288 DeleteTDL2Service: SafeBoot Minimal doesn't infected

17:20:20:109 3288 DeleteTDL2Service: SafeBoot Network doesn't infected

17:20:20:109 3288 File C:\WINDOWS\system32\drivers\_VOIDyoulhyprqh.sys infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot

17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _VOIDd. Type: 1

17:20:20:109 3288 DeleteTDL2Service: Module clone ImagePath, skipping

17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _VOIDc. Type: 1

17:20:20:109 3288 File C:\WINDOWS\system32\_VOIDdlypxumltk.dll infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot

17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _VOIDsrcr. Type: 1

17:20:20:109 3288 File C:\WINDOWS\system32\_VOIDmtvaoppjdx.dat infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot

17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _voidserf. Type: 1

17:20:20:109 3288 File C:\WINDOWS\system32\_VOIDlhbqoiqaim.dll infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot

17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _voidbbr. Type: 1

17:20:20:109 3288 File C:\WINDOWS\system32\_VOIDmlguwybomf.dll infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot

17:20:20:109 3288 DeleteTDL2Service: Module enum: Name: _VOIDerrors. Type: 1

17:20:20:109 3288 File C:\WINDOWS\system32\_VOIDegobaeouft.log infected by TDSS rootkit ... 17:20:20:109 3288 will be deleted on reboot

17:20:20:109 3288 ScanTDL2Services: DeleteEvilService(_VOIDd.sys) success

17:20:20:109 3288 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

17:20:20:109 3288 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

17:20:20:109 3288

17:20:20:109 3288 Scanning Kernel memory ...

17:20:20:109 3288 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

17:20:20:109 3288 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AEF6218

17:20:20:109 3288 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects

17:20:20:109 3288

17:20:20:109 3288 DetectCureTDL3: DEVICE_OBJECT: 8AE7A5E8

17:20:20:109 3288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE7A5E8

17:20:20:109 3288 KLMD_ReadMem: Trying to ReadMemory 0x8AE7A5E8[0x38]

17:20:20:109 3288 DetectCureTDL3: DRIVER_OBJECT: 8AEF6218

17:20:20:109 3288 KLMD_ReadMem: Trying to ReadMemory 0x8AEF6218[0xA8]

17:20:20:109 3288 KLMD_ReadMem: Trying to ReadMemory 0xE1623120[0x18]

17:20:20:109 3288 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_CREATE : BA91EC30

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_CLOSE : BA91EC30

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_READ : BA918D9B

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_WRITE : BA918D9B

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_EA : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA919366

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA91944D

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CFC3

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA919366

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_POWER : BA91AEF3

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA91FA24

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4456

17:20:20:109 3288 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4456

17:20:20:109 3288 TDL3_FileDetect: Processing driver: Disk

17:20:20:109 3288 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

17:20:20:109 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

17:20:20:109 3288 TDL3_FileDetect: Processing driver: Disk

17:20:20:109 3288 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

17:20:20:109 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

17:20:20:109 3288 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:20:20:109 3288

17:20:20:109 3288 DetectCureTDL3: DEVICE_OBJECT: 8ADFAAB8

17:20:20:109 3288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADFAAB8

17:20:20:109 3288 DetectCureTDL3: DEVICE_OBJECT: 8AE649E8

17:20:20:109 3288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE649E8

17:20:20:109 3288 DetectCureTDL3: DEVICE_OBJECT: 8AE63940

17:20:20:125 3288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE63940

17:20:20:125 3288 KLMD_ReadMem: Trying to ReadMemory 0x8AE63940[0x38]

17:20:20:125 3288 DetectCureTDL3: DRIVER_OBJECT: 8AE6CB60

17:20:20:125 3288 KLMD_ReadMem: Trying to ReadMemory 0x8AE6CB60[0xA8]

17:20:20:125 3288 KLMD_ReadMem: Trying to ReadMemory 0xE1629130[0x1A]

17:20:20:125 3288 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_CREATE : 8AE9F1F8

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_CLOSE : 8AE9F1F8

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_READ : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_WRITE : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_EA : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8AE9F1F8

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 8AE9F1F8

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_POWER : 8AE9F1F8

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 8AE9F1F8

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4456

17:20:20:125 3288 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4456

17:20:20:125 3288 TDL3_FileDetect: Processing driver: atapi

17:20:20:125 3288 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

17:20:20:125 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys

17:20:20:125 3288 KLMD_ReadMem: Trying to ReadMemory 0xBA5FD7C6[0x400]

17:20:20:125 3288 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0

17:20:20:125 3288 TDL3_FileDetect: Processing driver: atapi

17:20:20:125 3288 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

17:20:20:125 3288 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys

17:20:20:125 3288 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean

17:20:20:125 3288 UtilityBootReinit: Reboot required for cure complete..

17:20:20:125 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000

17:20:20:125 3288 UtilityBootReinit: KLMD drop success

17:20:20:125 3288 KLMD_ApplyPendList: Pending buffer(5458_7DEF, 1032) dropped successfully

17:20:20:125 3288 UtilityBootReinit: Cure on reboot scheduled successfully

17:20:20:125 3288

17:20:20:125 3288 Completed

17:20:20:125 3288

17:20:20:125 3288 Results:

17:20:20:125 3288 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

17:20:20:125 3288 Registry objects infected / cured / cured on reboot: 2 / 0 / 2

17:20:20:125 3288 File objects infected / cured / cured on reboot: 6 / 0 / 6

17:20:20:125 3288

17:20:20:984 3288 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

17:20:20:984 3288 UtilityDeinit: KLMD(ARK) unloaded successfully

Link to post
Share on other sites

Hi Kirja,

Please reboot your computer.

Now please run RKill one more time.

Malwarebytes Anti-Malware:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and select then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.

The log can also be found here:

  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please post the Malwarebytes log and the Rkill log in your next reply and let me know how the computer is running now.

Link to post
Share on other sites

18:01:20:453 1516 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31

18:01:20:453 1516 ================================================================================

18:01:20:453 1516 SystemInfo:

18:01:20:453 1516 OS Version: 5.1.2600 ServicePack: 2.0

18:01:20:453 1516 Product type: Workstation

18:01:20:453 1516 ComputerName: BEELZEBUB

18:01:20:453 1516 UserName: Kirja

18:01:20:453 1516 Windows directory: C:\WINDOWS

18:01:20:453 1516 Processor architecture: Intel x86

18:01:20:453 1516 Number of processors: 4

18:01:20:453 1516 Page size: 0x1000

18:01:20:453 1516 Boot type: Normal boot

18:01:20:453 1516 ================================================================================

18:01:20:468 1516 UnloadDriverW: NtUnloadDriver error 2

18:01:20:468 1516 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

18:01:20:468 1516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

18:01:20:500 1516 UtilityInit: KLMD drop and load success

18:01:20:500 1516 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)

18:01:20:500 1516 UtilityInit: KLMD open success

18:01:20:500 1516 UtilityInit: Initialize success

18:01:20:500 1516

18:01:20:500 1516 Scanning Services ...

18:01:20:500 1516 CreateRegParser: Registry parser init started

18:01:20:500 1516 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127

18:01:20:500 1516 CreateRegParser: DisableWow64Redirection error

18:01:20:500 1516 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

18:01:20:500 1516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043

18:01:20:500 1516 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:01:20:500 1516 wfopen_ex: Trying to KLMD file open

18:01:20:500 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system

18:01:20:500 1516 wfopen_ex: File opened ok (Flags 2)

18:01:20:500 1516 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384C30

18:01:20:500 1516 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

18:01:20:500 1516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043

18:01:20:500 1516 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:01:20:500 1516 wfopen_ex: Trying to KLMD file open

18:01:20:500 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software

18:01:20:500 1516 wfopen_ex: File opened ok (Flags 2)

18:01:20:500 1516 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384CD8

18:01:20:500 1516 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127

18:01:20:500 1516 CreateRegParser: EnableWow64Redirection error

18:01:20:500 1516 CreateRegParser: RegParser init completed

18:01:20:765 1516 GetAdvancedServicesInfo: Raw services enum returned 321 services

18:01:20:765 1516 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

18:01:20:765 1516 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

18:01:20:765 1516

18:01:20:765 1516 Scanning Kernel memory ...

18:01:20:781 1516 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

18:01:20:781 1516 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AE6B030

18:01:20:781 1516 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects

18:01:20:781 1516

18:01:20:781 1516 DetectCureTDL3: DEVICE_OBJECT: 8AE53C68

18:01:20:781 1516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE53C68

18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0x8AE53C68[0x38]

18:01:20:781 1516 DetectCureTDL3: DRIVER_OBJECT: 8AE6B030

18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0x8AE6B030[0xA8]

18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0xE164AE60[0x18]

18:01:20:781 1516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE : BA91EC30

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CLOSE : BA91EC30

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_READ : BA918D9B

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_WRITE : BA918D9B

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_EA : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA919366

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA91944D

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CFC3

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA919366

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_POWER : BA91AEF3

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA91FA24

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4456

18:01:20:781 1516 TDL3_FileDetect: Processing driver: Disk

18:01:20:781 1516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

18:01:20:781 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

18:01:20:781 1516 TDL3_FileDetect: Processing driver: Disk

18:01:20:781 1516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

18:01:20:781 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

18:01:20:781 1516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

18:01:20:781 1516

18:01:20:781 1516 DetectCureTDL3: DEVICE_OBJECT: 8ADAFAB8

18:01:20:781 1516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADAFAB8

18:01:20:781 1516 DetectCureTDL3: DEVICE_OBJECT: 8ADB9338

18:01:20:781 1516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADB9338

18:01:20:781 1516 DetectCureTDL3: DEVICE_OBJECT: 8AE53940

18:01:20:781 1516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE53940

18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0x8AE53940[0x38]

18:01:20:781 1516 DetectCureTDL3: DRIVER_OBJECT: 8AE67B60

18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0x8AE67B60[0xA8]

18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0xE16505C8[0x1A]

18:01:20:781 1516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE : 8AE931F8

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CLOSE : 8AE931F8

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_READ : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_WRITE : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_EA : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8AE931F8

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 8AE931F8

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_POWER : 8AE931F8

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 8AE931F8

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4456

18:01:20:781 1516 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4456

18:01:20:781 1516 TDL3_FileDetect: Processing driver: atapi

18:01:20:781 1516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

18:01:20:781 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys

18:01:20:781 1516 KLMD_ReadMem: Trying to ReadMemory 0xBA5FD7C6[0x400]

18:01:20:781 1516 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0

18:01:20:781 1516 TDL3_FileDetect: Processing driver: atapi

18:01:20:781 1516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

18:01:20:781 1516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys

18:01:20:796 1516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean

18:01:20:796 1516

18:01:20:796 1516 Completed

18:01:20:796 1516

18:01:20:796 1516 Results:

18:01:20:796 1516 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

18:01:20:796 1516 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

18:01:20:796 1516 File objects infected / cured / cured on reboot: 0 / 0 / 0

18:01:20:796 1516

18:01:21:640 1516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

18:01:21:640 1516 UtilityDeinit: KLMD(ARK) unloaded successfully

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.44

Database version: 3768

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

2/20/2010 6:09:03 PM

mbam-log-2010-02-20 (18-09-03).txt

Scan type: Quick Scan

Objects scanned: 108409

Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 14

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53fe12c2-4429-488f-847b-7b285f8f6778} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53fe12c2-4429-488f-847b-7b285f8f6778} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{53fe12c2-4429-488f-847b-7b285f8f6778} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Kirja\Local Settings\Temp\SPAM.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kirja\Local Settings\Temp\fmkgesng.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Program Files\Paladin Antivirus\pav.db (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

C:\Program Files\Paladin Antivirus\phook.dll (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

C:\Program Files\Paladin Antivirus\uninstall.exe (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\mswintmp.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\BM9b331d56.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\BM9b331d56.xml (Trojan.Vundo) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hi Kirja,

That's looking better now.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives

[*]Click on My Computer under Scan.

[*]Once the scan is complete, it will display the results. Click on View Scan Report.

[*]You will see a list of infected items there. Click on Save Report As....

[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

[*]Please post this log in your next reply along with a fresh HijackThis log and also let me know how your computer is running now.

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:18:13 PM, on 2/21/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hawking\HWU54D\HWU54D.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\WINDOWS\ALCFDRTM.EXE

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Pando Networks\Media Booster\PMB.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 64.16.193.26 l2authd.lineage2.com

O1 - Hosts: 216.107.250.194 update.nprotect.com

O1 - Hosts: 216.107.250.194 nprotect.lineage2.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {F92AE24D-2C39-4C17-8324-E93E9E0A37A2} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan

O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking\HWU54D\HWU54D.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...347/mcfscan.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--

End of file - 8311 bytes

Hi, i am sorry about yestarday i was already late and had to run, PC seems to run ok did not notice any problems so far, as for kaspersky scan log i will try with different browser, unable to open or save report when i run it in Opera browser, however it detected nothing. Will do it asap.

Link to post
Share on other sites

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, February 21, 2010

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Sunday, February 21, 2010 20:49:11

Records in database: 3610312

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

Scan statistics:

Objects scanned: 90985

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 01:02:10

No threats found. Scanned area is clean.

Selected area has been scanned.

Link to post
Share on other sites

Hi Kirja,

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.

  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.

All versions numbered lower than 9.3 are vulnerable.

  • Go HERE , UNCHECK any Free Add-Ons, and click Download to install the latest version of Adobe Acrobat Reader.
  • After it completes the Installation, close the Download Manager.

Please delete the TDSSKiller icon, folder and log from your desktop.

Remove GMER

Delete the GMER icon from your desktop, it will be named t5y68r8f.exe

Remove all used tools

Please download OTC and save it to desktop.

  • Double-click OTC.exe..
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Create a new, clean System Restore point which you can use in case of future system problems:

  • Press Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Update your AntiVirus Software and keep your other programs up-to-date

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office

Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.