
Malwarebytes finds Rootkit.Agent



Hello. Long time user of MWBAM here. I upgraded to Pro today and have been very happy with my purchase. However, the other day I found a Rootkit.Agent on one of my frequent scans and have been unable to rid myself of the pest. Finally I decided that it was time to hit your forums and see if you could be of any further help. Here is what I came up with for you:

---

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3991

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/15/2010 12:24:31 PM

mbam-log-2010-04-15 (12-24-31).txt

Scan type: Quick scan

Objects scanned: 122153

Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\wytcrpm.sys (Rootkit.Agent) -> Delete on reboot.

---

DDS (Ver_10-03-17.01) - NTFSx86

Run by William Cuddy at 12:27:07.40 on Thu 04/15/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.441 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Linksys\WMP300N\WLService.exe

C:\Program Files\Linksys\WMP300N\WMP300N.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\William Cuddy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/

uSearch Bar = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uWindow Title = Windows Internet Explorer provided by Comcast

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = localhost;*.local

uSearchAssistant = hxxp://www.google.com

mSearchAssistant = hxxp://www.google.com

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203646769078

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: TPSvc - TPSvc.dll

AppInit_DLLs: senozama.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli senozama.dll

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-15 303952]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-6 24652]

R2 WMP300NSvc;WMP300NSvc;c:\program files\linksys\wmp300n\WLService.exe [2010-3-24 53307]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-15 20824]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-15 38224]

R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [2010-3-24 822400]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S4 bbonhl;bbonhl;c:\windows\system32\drivers\eqlk.sys [2010-4-13 54016]

=============== Created Last 30 ================

2010-04-15 19:24:46 54016 ----a-w- c:\windows\system32\drivers\qelxwla.sys

2010-04-15 19:12:59 0 ----a-w- c:\documents and settings\william cuddy\defogger_reenable

2010-04-15 16:54:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-15 16:54:51 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-14 17:16:21 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-14 04:31:46 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-04-14 04:06:12 33264 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-04-13 18:56:21 54016 ----a-w- c:\windows\system32\drivers\eqlk.sys

2010-04-13 17:49:41 823808 ----a-w- c:\windows\system32\drivers\wytcrpm.sys

2010-04-13 17:49:15 0 d-----w- C:\spoolerlogs

2010-04-13 17:48:41 0 d-----w- c:\docume~1\willia~1\applic~1\2DAABEF26DF89E1291D9E39EB3BA1667

2010-03-24 16:15:09 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS

2010-03-24 16:15:08 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll

2010-03-24 16:15:08 65536 ----a-w- c:\windows\system32\wltrynt.dll

2010-03-24 16:15:08 188416 ----a-w- c:\windows\system32\bcmwlu00.exe

2010-03-24 16:15:08 139264 ----a-w- c:\windows\system32\preflib.dll

2010-03-24 16:15:07 822400 ----a-w- c:\windows\system32\drivers\WMP300Nv1.sys

2010-03-24 16:15:07 753664 ----a-w- c:\windows\system32\bcm1xsup.dll

2010-03-24 16:15:07 2670592 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL

2010-03-24 16:15:07 24064 ----a-w- c:\windows\system32\WLTRYSVC.EXE

2010-03-24 16:15:07 1265664 ----a-w- c:\windows\system32\BCMWLTRY.EXE

2010-03-24 16:14:49 0 d-----w- c:\program files\Linksys

2010-03-24 16:14:36 786 ----a-w- c:\windows\system32\WLAN.INI

==================== Find3M ====================

2010-02-28 22:08:32 37979 ----a-w- c:\windows\scunin.dat

2010-02-28 22:08:23 70656 ----a-w- c:\windows\ScUnin.exe

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2009-09-11 17:45:51 19353 ----a-w- c:\program files\common files\efyvirypa.dll

2009-09-11 16:53:52 15102 ----a-w- c:\program files\common files\qubijo.dl

2009-09-11 16:44:45 12743 ----a-w- c:\program files\common files\ogidox.ban

2009-09-11 16:44:45 10090 ----a-w- c:\program files\common files\nepimyg.bat

2009-08-25 18:22:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082520090826\index.dat

============= FINISH: 12:28:52.06 ===============

---

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 12:12 on 15/04/2010 (William Cuddy)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

Unable to read wytcrpm.sys

-=E.O.F=-

---

Also, one quick side note. Ever since I picked up the Pro version, MWBAM has been frequently blocking 'suspected malicious websites' while I'm not even surfing. Does this have to do with the Rootkit.Agent trying to contact these websites or something? I'm not picking up any other malicious programs from MWBAM or otherwise to suspect any different.

Thanks very much in advance for your help.

-William

Attach.zip

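As an added triage example (not part of this thread, and not a DDS or Malwarebytes tool), here is a short Python script that reads DDS-style log lines like the ones posted above and flags the indicators a helper reacts to: a non-empty AppInit_DLLs value, an LSA Notification Packages entry beyond the default scecli, a service whose file DDS could not find, drivers created in the window that no listed service references, and two differently named drivers of identical size. The sample log is a constructed excerpt of lines quoted in the post; the check names are my own.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt: a handful of lines copied from the DDS log quoted
# in the post above, enough to exercise every check below.
SAMPLE_LOG = r"""
AppInit_DLLs: senozama.dll
LSA: Notification Packages = scecli senozama.dll
============= SERVICES / DRIVERS ===============
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-15 20824]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-15 38224]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S4 bbonhl;bbonhl;c:\windows\system32\drivers\eqlk.sys [2010-4-13 54016]
=============== Created Last 30 ================
2010-04-15 19:24:46 54016 ----a-w- c:\windows\system32\drivers\qelxwla.sys
2010-04-15 16:54:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 18:56:21 54016 ----a-w- c:\windows\system32\drivers\eqlk.sys
2010-04-13 17:49:41 823808 ----a-w- c:\windows\system32\drivers\wytcrpm.sys
2010-04-13 17:49:15 0 d-----w- C:\spoolerlogs
"""

# "R3 Name;Display name;path [date size]" -> state, name, display, path, bracket text
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
# "2010-04-15 19:24:46 54016 ----a-w- path" -> size, path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) \S+ (.+)$")


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path.strip()).name.lower()


def triage(log_text):
    """Return (check, detail) findings for a DDS-style log excerpt."""
    findings = []
    services = {}   # service file basename -> service name
    created = {}    # driver basename -> size, from "Created Last 30"
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("==="):
            section = line.strip("= ").lower()   # e.g. "services / drivers"
            continue
        # Any AppInit_DLLs value is loaded into every user-mode process.
        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("appinit_dll", value))
            continue
        # LSA notification packages run inside lsass.exe; scecli is the default.
        if line.startswith("LSA: Notification Packages"):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(("lsa_notification_package", " ".join(extra)))
            continue
        m = SERVICE_RE.match(line)
        if m and section and "services" in section:
            _state, name, _display, path, stamp = m.groups()
            base = _basename(path.split("-->")[-1])
            services[base] = name
            if stamp == "?":   # DDS could not stat the file the service points at
                findings.append(("service_file_missing", f"{name} -> {base}"))
            continue
        m = CREATED_RE.match(line)
        if m and section and "created" in section:
            size, path = m.groups()
            if "\\drivers\\" in path.lower() and path.lower().endswith(".sys"):
                created[_basename(path)] = int(size)
    # A freshly written driver with no service listed for it is either an
    # orphan or a service the log could not see (hidden or removed later).
    for base in created:
        if base not in services:
            findings.append(("driver_without_visible_service", base))
    # Two differently named drivers of identical size suggest one payload
    # being re-dropped under a new random name.
    by_size = defaultdict(list)
    for base, size in created.items():
        by_size[size].append(base)
    for size, names in sorted(by_size.items()):
        if len(names) > 1:
            findings.append(("same_size_drivers", f"{size}: {', '.join(sorted(names))}"))
    return findings


if __name__ == "__main__":
    for check, detail in triage(SAMPLE_LOG):
        print(f"{check:32} {detail}")
```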

Hi williamjc, and welcome to Malwarebytes!

Your PC has a rootkit that has replaced your IDE driver atapi.sys file with malware. That's 80 percent of your PC problems. I feel we can fix this.

We need to work on this together in a timely manner. OK.... :D

Also, looking over your log, it seems you don't have any evidence of anti-virus software. Why is this?

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Hello again and thank you for your timely response. Here is the log I received from ComboFix.

----------------------

ComboFix 10-04-14.04 - William Cuddy 04/15/2010 17:29:51.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.471 [GMT -7:00]

Running from: c:\documents and settings\William Cuddy\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\William Cuddy\Application Data\2DAABEF26DF89E1291D9E39EB3BA1667

c:\documents and settings\William Cuddy\Application Data\2DAABEF26DF89E1291D9E39EB3BA1667\enemies-names.txt

c:\documents and settings\William Cuddy\Cookies\azuqag.scr

c:\documents and settings\William Cuddy\Cookies\dehimyruj.dl

c:\documents and settings\William Cuddy\Cookies\ejexibib.bat

c:\documents and settings\William Cuddy\Cookies\inolo.com

c:\documents and settings\William Cuddy\Cookies\jykoki.bin

c:\documents and settings\William Cuddy\Cookies\kizowiz.lib

c:\documents and settings\William Cuddy\Cookies\kuzepop.sys

c:\documents and settings\William Cuddy\Cookies\lyjoquvus.vbs

c:\documents and settings\William Cuddy\Cookies\nurixota.dat

c:\documents and settings\William Cuddy\Cookies\nydi.vbs

c:\documents and settings\William Cuddy\Cookies\omomygajo.com

c:\documents and settings\William Cuddy\Cookies\qorerovu._dl

c:\documents and settings\William Cuddy\Cookies\zypaxa.reg

c:\program files\Shared

c:\recycler\S-1-5-21-2000478354-329068152-725345543-1003

c:\recycler\S-1-5-21-2528977068-3483749897-3602500226-1003

c:\windows\awub.dll

c:\windows\lucuryhep.exe

c:\windows\sole.scr

c:\windows\system32\drivers\eqlk.sys

c:\windows\system32\drivers\mnkdrc.sys

c:\windows\system32\drivers\wytcrpm.sys

c:\windows\system32\Thumbs.db

c:\windows\yxakakej.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_IAS

-------\Legacy_bbonhl

-------\Legacy_wytcrpm

-------\Service_bbonhl

-------\Service_ggrb

-------\Service_wytcrpm

((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))

.

2010-04-15 16:54 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-15 16:54 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-15 10:42 . 2010-04-15 10:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-04-14 17:16 . 2010-04-14 17:16 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-14 04:31 . 2010-04-14 04:31 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-04-14 02:02 . 2010-04-14 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-04-13 17:49 . 2010-04-13 17:49 -------- d-----w- C:\spoolerlogs

2010-03-24 16:15 . 2007-07-23 22:18 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS

2010-03-24 16:15 . 2007-07-23 22:18 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll

2010-03-24 16:15 . 2007-07-23 22:18 65536 ----a-w- c:\windows\system32\wltrynt.dll

2010-03-24 16:15 . 2007-07-23 22:18 139264 ----a-w- c:\windows\system32\preflib.dll

2010-03-24 16:15 . 2007-07-23 22:17 188416 ----a-w- c:\windows\system32\bcmwlu00.exe

2010-03-24 16:15 . 2007-10-18 13:17 822400 ----a-w- c:\windows\system32\drivers\WMP300Nv1.sys

2010-03-24 16:15 . 2007-07-23 22:18 753664 ----a-w- c:\windows\system32\bcm1xsup.dll

2010-03-24 16:15 . 2007-07-23 22:18 2670592 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL

2010-03-24 16:15 . 2007-07-23 22:18 24064 ----a-w- c:\windows\system32\WLTRYSVC.EXE

2010-03-24 16:15 . 2007-07-23 22:18 1265664 ----a-w- c:\windows\system32\BCMWLTRY.EXE

2010-03-24 16:14 . 2010-03-24 16:14 -------- d-----w- c:\program files\Linksys

2010-03-24 16:14 . 2010-03-24 16:14 -------- d-----w- c:\documents and settings\William Cuddy\Application Data\InstallShield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-15 16:57 . 2009-10-07 06:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-15 03:04 . 2009-10-07 04:50 -------- d-----w- c:\program files\Common Files\PC Tools

2010-04-15 03:02 . 2006-10-10 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-15 01:37 . 2009-09-11 19:06 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-15 01:29 . 2009-09-11 17:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-14 05:31 . 2009-09-11 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2010-04-14 04:52 . 2010-04-14 04:06 33264 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-04-14 04:31 . 2006-01-07 21:24 -------- d-----w- c:\program files\Java

2010-04-14 04:30 . 2010-04-14 04:30 152576 ----a-w- c:\documents and settings\William Cuddy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2010-04-14 04:29 . 2010-04-14 04:29 79488 ----a-w- c:\documents and settings\William Cuddy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-04-14 04:09 . 2008-03-24 03:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-04-14 04:05 . 2009-09-01 18:43 -------- d-----w- c:\program files\Steam

2010-03-24 16:14 . 2005-09-30 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-22 20:44 . 2008-05-07 05:58 -------- d-----w- c:\program files\Common Files\AOL

2010-03-14 06:14 . 2005-10-01 02:12 -------- d-----w- c:\program files\Games

2010-03-10 06:15 . 2006-09-02 13:21 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-28 22:08 . 2010-01-31 21:58 37979 ----a-w- c:\windows\scunin.dat

2010-02-28 22:08 . 2010-01-31 21:58 967 ----a-w- c:\windows\ScUnin.pif

2010-02-28 22:08 . 2010-01-31 21:58 70656 ----a-w- c:\windows\ScUnin.exe

2010-02-28 18:25 . 2010-02-28 18:25 -------- d-----w- c:\program files\Microsoft Silverlight

2010-02-25 06:24 . 2006-09-02 13:21 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 17:16 . 2009-12-05 15:14 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 13:11 . 2006-09-02 13:21 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-17 16:10 . 2006-09-02 13:21 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2006-09-02 13:21 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-09-02 13:21 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2010-01-22 15:34 . 2010-01-22 16:14 38784 ----a-w- c:\documents and settings\William Cuddy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-09-11 17:45 . 2009-09-11 17:45 19353 ----a-w- c:\program files\Common Files\efyvirypa.dll

2009-09-11 16:53 . 2009-09-11 16:53 15102 ----a-w- c:\program files\Common Files\qubijo.dl

2009-09-11 16:44 . 2009-09-11 16:44 12743 ----a-w- c:\program files\Common Files\ogidox.ban

2009-09-11 16:44 . 2009-09-11 16:44 10090 ----a-w- c:\program files\Common Files\nepimyg.bat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2004-12-01 77824]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-14 149280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Games\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Steam\\steamapps\\jcudd\\half-life\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\jcudd\\opposing force\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\jcudd\\half-life blue shift\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\jcudd\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"48475:TCP"= 48475:TCP:Limewire TCP

"48475:UDP"= 48475:UDP:Limewire UDP

"3724:UDP"= 3724:UDP:bliz

"6881:TCP"= 6881:TCP:bliz

"6112:TCP"= 6112:TCP:bliz

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/15/2010 9:54 AM 303952]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/6/2008 10:59 PM 24652]

R2 WMP300NSvc;WMP300NSvc;c:\program files\Linksys\WMP300N\WLService.exe [3/24/2010 9:14 AM 53307]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/15/2010 9:54 AM 20824]

R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [3/24/2010 9:15 AM 822400]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = localhost;*.local

uSearchAssistant = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Notify-TPSvc - TPSvc.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-15 17:46

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F4AAC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7656f28

\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8

\Driver\atapi -> atapi.sys @ 0xf736a852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7263bb0

PacketIndicateHandler -> NDIS.sys @ 0xf7252a0d

SendHandler -> NDIS.sys @ 0xf7266b40

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-676704559-2313130421-1357480422-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:07,fe,e1,79,f2,ec,08,e6,69,36,d7,6c,9a,07,d0,44,3c,6f,48,2b,54,3f,91,

64,73,2e,f3,91,b7,70,a5,4d,83,85,40,e2,ed,27,8d,07,f1,e7,75,ab,38,c9,66,54,\

"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-676704559-2313130421-1357480422-1006\Software\SecuROM\License information*]

"datasecu"=hex:7e,65,a2,2d,dd,8f,31,b0,2e,68,40,1f,c9,07,33,f0,2a,f0,cd,20,35,

74,41,9e,f4,68,4d,b9,a1,08,3f,d3,be,f8,82,2b,41,e2,c8,67,b6,46,d8,3d,80,b8,\

"rkeysecu"=hex:a2,47,2f,1e,cc,00,95,77,61,a2,d2,96,bd,a3,d2,cb

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)

c:\windows\system32\WININET.dll

c:\windows\System32\BCMLogon.dll

c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(848)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3924)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe

c:\program files\Linksys\WMP300N\WMP300N.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\SOUNDMAN.EXE

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-04-15 17:53:00 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-16 00:52

Pre-Run: 22,082,736,128 bytes free

Post-Run: 22,234,959,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - A8746BD805B98FB0194DEF096750BB84


Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.


Again, thank you for your timely response. Here is the TDSSKiller Log.

---------------------------

18:30:40:593 3212 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

18:30:40:593 3212 ================================================================================

18:30:40:593 3212 SystemInfo:

18:30:40:593 3212 OS Version: 5.1.2600 ServicePack: 3.0

18:30:40:593 3212 Product type: Workstation

18:30:40:593 3212 ComputerName: WILLIAM

18:30:40:593 3212 UserName: William Cuddy

18:30:40:593 3212 Windows directory: C:\WINDOWS

18:30:40:593 3212 Processor architecture: Intel x86

18:30:40:593 3212 Number of processors: 1

18:30:40:593 3212 Page size: 0x1000

18:30:40:593 3212 Boot type: Normal boot

18:30:40:593 3212 ================================================================================

18:30:40:593 3212 UnloadDriverW: NtUnloadDriver error 1

18:30:40:593 3212 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1

18:30:40:593 3212 LoadDriverW: Driver already loaded

18:30:40:593 3212 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

18:30:40:593 3212 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:30:40:593 3212 wfopen_ex: Trying to KLMD file open

18:30:40:593 3212 wfopen_ex: File opened ok (Flags 2)

18:30:40:593 3212 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

18:30:40:593 3212 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:30:40:593 3212 wfopen_ex: Trying to KLMD file open

18:30:40:593 3212 wfopen_ex: File opened ok (Flags 2)

18:30:40:593 3212 Initialize success

18:30:40:593 3212

18:30:40:593 3212 Scanning Services ...

18:30:40:921 3212 Raw services enum returned 327 services

18:30:40:921 3212

18:30:40:921 3212 Scanning Kernel memory ...

18:30:40:921 3212 Devices to scan: 10

18:30:40:921 3212

18:30:40:921 3212 Driver Name: Disk

18:30:40:921 3212 IRP_MJ_CREATE : F7658BB0

18:30:40:921 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:30:40:921 3212 IRP_MJ_CLOSE : F7658BB0

18:30:40:921 3212 IRP_MJ_READ : F7652D1F

18:30:40:921 3212 IRP_MJ_WRITE : F7652D1F

18:30:40:921 3212 IRP_MJ_QUERY_INFORMATION : 804F355A

18:30:40:921 3212 IRP_MJ_SET_INFORMATION : 804F355A

18:30:40:921 3212 IRP_MJ_QUERY_EA : 804F355A

18:30:40:921 3212 IRP_MJ_SET_EA : 804F355A

18:30:40:921 3212 IRP_MJ_FLUSH_BUFFERS : F76532E2

18:30:40:921 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:30:40:921 3212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:30:40:921 3212 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:30:40:921 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:30:40:921 3212 IRP_MJ_DEVICE_CONTROL : F76533BB

18:30:40:921 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7656F28

18:30:40:921 3212 IRP_MJ_SHUTDOWN : F76532E2

18:30:40:921 3212 IRP_MJ_LOCK_CONTROL : 804F355A

18:30:40:921 3212 IRP_MJ_CLEANUP : 804F355A

18:30:40:921 3212 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:30:40:921 3212 IRP_MJ_QUERY_SECURITY : 804F355A

18:30:40:921 3212 IRP_MJ_SET_SECURITY : 804F355A

18:30:40:921 3212 IRP_MJ_POWER : F7654C82

18:30:40:921 3212 IRP_MJ_SYSTEM_CONTROL : F765999E

18:30:40:921 3212 IRP_MJ_DEVICE_CHANGE : 804F355A

18:30:40:921 3212 IRP_MJ_QUERY_QUOTA : 804F355A

18:30:40:921 3212 IRP_MJ_SET_QUOTA : 804F355A

18:30:40:953 3212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

18:30:40:953 3212

18:30:40:953 3212 Driver Name: Disk

18:30:40:953 3212 IRP_MJ_CREATE : F7658BB0

18:30:40:953 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:30:40:953 3212 IRP_MJ_CLOSE : F7658BB0

18:30:40:953 3212 IRP_MJ_READ : F7652D1F

18:30:40:953 3212 IRP_MJ_WRITE : F7652D1F

18:30:40:953 3212 IRP_MJ_QUERY_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_SET_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_EA : 804F355A

18:30:40:953 3212 IRP_MJ_SET_EA : 804F355A

18:30:40:953 3212 IRP_MJ_FLUSH_BUFFERS : F76532E2

18:30:40:953 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_DEVICE_CONTROL : F76533BB

18:30:40:953 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7656F28

18:30:40:953 3212 IRP_MJ_SHUTDOWN : F76532E2

18:30:40:953 3212 IRP_MJ_LOCK_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_CLEANUP : 804F355A

18:30:40:953 3212 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_SECURITY : 804F355A

18:30:40:953 3212 IRP_MJ_SET_SECURITY : 804F355A

18:30:40:953 3212 IRP_MJ_POWER : F7654C82

18:30:40:953 3212 IRP_MJ_SYSTEM_CONTROL : F765999E

18:30:40:953 3212 IRP_MJ_DEVICE_CHANGE : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_QUOTA : 804F355A

18:30:40:953 3212 IRP_MJ_SET_QUOTA : 804F355A

18:30:40:953 3212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

18:30:40:953 3212

18:30:40:953 3212 Driver Name: Disk

18:30:40:953 3212 IRP_MJ_CREATE : F7658BB0

18:30:40:953 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:30:40:953 3212 IRP_MJ_CLOSE : F7658BB0

18:30:40:953 3212 IRP_MJ_READ : F7652D1F

18:30:40:953 3212 IRP_MJ_WRITE : F7652D1F

18:30:40:953 3212 IRP_MJ_QUERY_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_SET_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_EA : 804F355A

18:30:40:953 3212 IRP_MJ_SET_EA : 804F355A

18:30:40:953 3212 IRP_MJ_FLUSH_BUFFERS : F76532E2

18:30:40:953 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_DEVICE_CONTROL : F76533BB

18:30:40:953 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7656F28

18:30:40:953 3212 IRP_MJ_SHUTDOWN : F76532E2

18:30:40:953 3212 IRP_MJ_LOCK_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_CLEANUP : 804F355A

18:30:40:953 3212 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_SECURITY : 804F355A

18:30:40:953 3212 IRP_MJ_SET_SECURITY : 804F355A

18:30:40:953 3212 IRP_MJ_POWER : F7654C82

18:30:40:953 3212 IRP_MJ_SYSTEM_CONTROL : F765999E

18:30:40:953 3212 IRP_MJ_DEVICE_CHANGE : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_QUOTA : 804F355A

18:30:40:953 3212 IRP_MJ_SET_QUOTA : 804F355A

18:30:40:953 3212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

18:30:40:953 3212

18:30:40:953 3212 Driver Name: Disk

18:30:40:953 3212 IRP_MJ_CREATE : F7658BB0

18:30:40:953 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:30:40:953 3212 IRP_MJ_CLOSE : F7658BB0

18:30:40:953 3212 IRP_MJ_READ : F7652D1F

18:30:40:953 3212 IRP_MJ_WRITE : F7652D1F

18:30:40:953 3212 IRP_MJ_QUERY_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_SET_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_EA : 804F355A

18:30:40:953 3212 IRP_MJ_SET_EA : 804F355A

18:30:40:953 3212 IRP_MJ_FLUSH_BUFFERS : F76532E2

18:30:40:953 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_DEVICE_CONTROL : F76533BB

18:30:40:953 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7656F28

18:30:40:953 3212 IRP_MJ_SHUTDOWN : F76532E2

18:30:40:953 3212 IRP_MJ_LOCK_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_CLEANUP : 804F355A

18:30:40:953 3212 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_SECURITY : 804F355A

18:30:40:953 3212 IRP_MJ_SET_SECURITY : 804F355A

18:30:40:953 3212 IRP_MJ_POWER : F7654C82

18:30:40:953 3212 IRP_MJ_SYSTEM_CONTROL : F765999E

18:30:40:953 3212 IRP_MJ_DEVICE_CHANGE : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_QUOTA : 804F355A

18:30:40:953 3212 IRP_MJ_SET_QUOTA : 804F355A

18:30:40:953 3212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

18:30:40:953 3212

18:30:40:953 3212 Driver Name: usbstor

18:30:40:953 3212 IRP_MJ_CREATE : F78F7218

18:30:40:953 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:30:40:953 3212 IRP_MJ_CLOSE : F78F7218

18:30:40:953 3212 IRP_MJ_READ : F78F723C

18:30:40:953 3212 IRP_MJ_WRITE : F78F723C

18:30:40:953 3212 IRP_MJ_QUERY_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_SET_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_EA : 804F355A

18:30:40:953 3212 IRP_MJ_SET_EA : 804F355A

18:30:40:953 3212 IRP_MJ_FLUSH_BUFFERS : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:30:40:953 3212 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_DEVICE_CONTROL : F78F7180

18:30:40:953 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78F29E6

18:30:40:953 3212 IRP_MJ_SHUTDOWN : 804F355A

18:30:40:953 3212 IRP_MJ_LOCK_CONTROL : 804F355A

18:30:40:953 3212 IRP_MJ_CLEANUP : 804F355A

18:30:40:953 3212 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_SECURITY : 804F355A

18:30:40:953 3212 IRP_MJ_SET_SECURITY : 804F355A

18:30:40:953 3212 IRP_MJ_POWER : F78F65F0

18:30:40:953 3212 IRP_MJ_SYSTEM_CONTROL : F78F4A6E

18:30:40:953 3212 IRP_MJ_DEVICE_CHANGE : 804F355A

18:30:40:953 3212 IRP_MJ_QUERY_QUOTA : 804F355A

18:30:40:953 3212 IRP_MJ_SET_QUOTA : 804F355A

18:30:40:968 3212 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

18:30:40:968 3212

18:30:40:968 3212 Driver Name: usbstor

18:30:40:968 3212 IRP_MJ_CREATE : F78F7218

18:30:40:968 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:30:40:968 3212 IRP_MJ_CLOSE : F78F7218

18:30:40:968 3212 IRP_MJ_READ : F78F723C

18:30:40:968 3212 IRP_MJ_WRITE : F78F723C

18:30:40:968 3212 IRP_MJ_QUERY_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_SET_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_EA : 804F355A

18:30:40:968 3212 IRP_MJ_SET_EA : 804F355A

18:30:40:968 3212 IRP_MJ_FLUSH_BUFFERS : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_DEVICE_CONTROL : F78F7180

18:30:40:968 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78F29E6

18:30:40:968 3212 IRP_MJ_SHUTDOWN : 804F355A

18:30:40:968 3212 IRP_MJ_LOCK_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_CLEANUP : 804F355A

18:30:40:968 3212 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_SECURITY : 804F355A

18:30:40:968 3212 IRP_MJ_SET_SECURITY : 804F355A

18:30:40:968 3212 IRP_MJ_POWER : F78F65F0

18:30:40:968 3212 IRP_MJ_SYSTEM_CONTROL : F78F4A6E

18:30:40:968 3212 IRP_MJ_DEVICE_CHANGE : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_QUOTA : 804F355A

18:30:40:968 3212 IRP_MJ_SET_QUOTA : 804F355A

18:30:40:968 3212 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

18:30:40:968 3212

18:30:40:968 3212 Driver Name: usbstor

18:30:40:968 3212 IRP_MJ_CREATE : F78F7218

18:30:40:968 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:30:40:968 3212 IRP_MJ_CLOSE : F78F7218

18:30:40:968 3212 IRP_MJ_READ : F78F723C

18:30:40:968 3212 IRP_MJ_WRITE : F78F723C

18:30:40:968 3212 IRP_MJ_QUERY_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_SET_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_EA : 804F355A

18:30:40:968 3212 IRP_MJ_SET_EA : 804F355A

18:30:40:968 3212 IRP_MJ_FLUSH_BUFFERS : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_DEVICE_CONTROL : F78F7180

18:30:40:968 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78F29E6

18:30:40:968 3212 IRP_MJ_SHUTDOWN : 804F355A

18:30:40:968 3212 IRP_MJ_LOCK_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_CLEANUP : 804F355A

18:30:40:968 3212 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_SECURITY : 804F355A

18:30:40:968 3212 IRP_MJ_SET_SECURITY : 804F355A

18:30:40:968 3212 IRP_MJ_POWER : F78F65F0

18:30:40:968 3212 IRP_MJ_SYSTEM_CONTROL : F78F4A6E

18:30:40:968 3212 IRP_MJ_DEVICE_CHANGE : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_QUOTA : 804F355A

18:30:40:968 3212 IRP_MJ_SET_QUOTA : 804F355A

18:30:40:968 3212 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

18:30:40:968 3212

18:30:40:968 3212 Driver Name: usbstor

18:30:40:968 3212 IRP_MJ_CREATE : F78F7218

18:30:40:968 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:30:40:968 3212 IRP_MJ_CLOSE : F78F7218

18:30:40:968 3212 IRP_MJ_READ : F78F723C

18:30:40:968 3212 IRP_MJ_WRITE : F78F723C

18:30:40:968 3212 IRP_MJ_QUERY_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_SET_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_EA : 804F355A

18:30:40:968 3212 IRP_MJ_SET_EA : 804F355A

18:30:40:968 3212 IRP_MJ_FLUSH_BUFFERS : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_DEVICE_CONTROL : F78F7180

18:30:40:968 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78F29E6

18:30:40:968 3212 IRP_MJ_SHUTDOWN : 804F355A

18:30:40:968 3212 IRP_MJ_LOCK_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_CLEANUP : 804F355A

18:30:40:968 3212 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_SECURITY : 804F355A

18:30:40:968 3212 IRP_MJ_SET_SECURITY : 804F355A

18:30:40:968 3212 IRP_MJ_POWER : F78F65F0

18:30:40:968 3212 IRP_MJ_SYSTEM_CONTROL : F78F4A6E

18:30:40:968 3212 IRP_MJ_DEVICE_CHANGE : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_QUOTA : 804F355A

18:30:40:968 3212 IRP_MJ_SET_QUOTA : 804F355A

18:30:40:968 3212 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

18:30:40:968 3212

18:30:40:968 3212 Driver Name: Disk

18:30:40:968 3212 IRP_MJ_CREATE : F7658BB0

18:30:40:968 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:30:40:968 3212 IRP_MJ_CLOSE : F7658BB0

18:30:40:968 3212 IRP_MJ_READ : F7652D1F

18:30:40:968 3212 IRP_MJ_WRITE : F7652D1F

18:30:40:968 3212 IRP_MJ_QUERY_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_SET_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_EA : 804F355A

18:30:40:968 3212 IRP_MJ_SET_EA : 804F355A

18:30:40:968 3212 IRP_MJ_FLUSH_BUFFERS : F76532E2

18:30:40:968 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:30:40:968 3212 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_DEVICE_CONTROL : F76533BB

18:30:40:968 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7656F28

18:30:40:968 3212 IRP_MJ_SHUTDOWN : F76532E2

18:30:40:968 3212 IRP_MJ_LOCK_CONTROL : 804F355A

18:30:40:968 3212 IRP_MJ_CLEANUP : 804F355A

18:30:40:968 3212 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_SECURITY : 804F355A

18:30:40:968 3212 IRP_MJ_SET_SECURITY : 804F355A

18:30:40:968 3212 IRP_MJ_POWER : F7654C82

18:30:40:968 3212 IRP_MJ_SYSTEM_CONTROL : F765999E

18:30:40:968 3212 IRP_MJ_DEVICE_CHANGE : 804F355A

18:30:40:968 3212 IRP_MJ_QUERY_QUOTA : 804F355A

18:30:40:968 3212 IRP_MJ_SET_QUOTA : 804F355A

18:30:40:968 3212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

18:30:40:968 3212

18:30:40:968 3212 Driver Name: atapi

18:30:40:968 3212 IRP_MJ_CREATE : 86F4AAC8

18:30:40:968 3212 IRP_MJ_CREATE_NAMED_PIPE : 86F4AAC8

18:30:40:968 3212 IRP_MJ_CLOSE : 86F4AAC8

18:30:40:968 3212 IRP_MJ_READ : 86F4AAC8

18:30:40:968 3212 IRP_MJ_WRITE : 86F4AAC8

18:30:40:968 3212 IRP_MJ_QUERY_INFORMATION : 86F4AAC8

18:30:40:968 3212 IRP_MJ_SET_INFORMATION : 86F4AAC8

18:30:40:968 3212 IRP_MJ_QUERY_EA : 86F4AAC8

18:30:40:968 3212 IRP_MJ_SET_EA : 86F4AAC8

18:30:40:968 3212 IRP_MJ_FLUSH_BUFFERS : 86F4AAC8

18:30:40:968 3212 IRP_MJ_QUERY_VOLUME_INFORMATION : 86F4AAC8

18:30:40:968 3212 IRP_MJ_SET_VOLUME_INFORMATION : 86F4AAC8

18:30:40:968 3212 IRP_MJ_DIRECTORY_CONTROL : 86F4AAC8

18:30:40:968 3212 IRP_MJ_FILE_SYSTEM_CONTROL : 86F4AAC8

18:30:40:968 3212 IRP_MJ_DEVICE_CONTROL : 86F4AAC8

18:30:40:968 3212 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86F4AAC8

18:30:40:968 3212 IRP_MJ_SHUTDOWN : 86F4AAC8

18:30:40:968 3212 IRP_MJ_LOCK_CONTROL : 86F4AAC8

18:30:40:968 3212 IRP_MJ_CLEANUP : 86F4AAC8

18:30:40:968 3212 IRP_MJ_CREATE_MAILSLOT : 86F4AAC8

18:30:40:968 3212 IRP_MJ_QUERY_SECURITY : 86F4AAC8

18:30:40:968 3212 IRP_MJ_SET_SECURITY : 86F4AAC8

18:30:40:968 3212 IRP_MJ_POWER : 86F4AAC8

18:30:40:968 3212 IRP_MJ_SYSTEM_CONTROL : 86F4AAC8

18:30:40:968 3212 IRP_MJ_DEVICE_CHANGE : 86F4AAC8

18:30:40:968 3212 IRP_MJ_QUERY_QUOTA : 86F4AAC8

18:30:40:968 3212 IRP_MJ_SET_QUOTA : 86F4AAC8

18:30:40:968 3212 Driver "atapi" infected by TDSS rootkit!

18:30:40:968 3212 C:\WINDOWS\system32\drivers\tskA.tmp - Verdict: 3

18:30:40:968 3212

18:30:40:968 3212 Completed

18:30:40:968 3212

18:30:40:968 3212 Results:

18:30:40:968 3212 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

18:30:40:968 3212 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

18:30:40:968 3212 File objects infected / cured / cured on reboot: 0 / 0 / 0

18:30:40:968 3212

18:30:40:968 3212 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

18:30:40:968 3212 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

18:30:40:968 3212 UnloadDriverW: NtUnloadDriver error 1

18:30:40:968 3212 KLMD(ARK) unloaded successfully

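The atapi block in the log above is the tell: every IRP major points at the same address (86F4AAC8), while the clean Disk and usbstor tables mix the driver's own routines with the kernel's shared default handler (804F355A on this machine). The following Python is an added example, not part of the thread and not TDSSKiller's code; it parses a constructed excerpt in this log format (a few IRP majors per driver instead of all 28) and flags drivers whose whole dispatch table has been pointed at a single non-default address:

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the TDSSKiller 2.2.8.1 log format, trimmed to a handful
# of IRP_MJ entries per driver (the real log prints all 28 majors per device).
SAMPLE_LOG = r"""18:30:40:921 3212 Driver Name: Disk
18:30:40:921 3212 IRP_MJ_CREATE : F7658BB0
18:30:40:921 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
18:30:40:921 3212 IRP_MJ_CLOSE : F7658BB0
18:30:40:921 3212 IRP_MJ_READ : F7652D1F
18:30:40:921 3212 IRP_MJ_QUERY_INFORMATION : 804F355A
18:30:40:921 3212 IRP_MJ_DEVICE_CONTROL : F76533BB
18:30:40:953 3212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:30:40:953 3212
18:30:40:953 3212 Driver Name: usbstor
18:30:40:953 3212 IRP_MJ_CREATE : F78F7218
18:30:40:953 3212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
18:30:40:953 3212 IRP_MJ_CLOSE : F78F7218
18:30:40:953 3212 IRP_MJ_READ : F78F723C
18:30:40:953 3212 IRP_MJ_QUERY_INFORMATION : 804F355A
18:30:40:953 3212 IRP_MJ_DEVICE_CONTROL : F78F7180
18:30:40:968 3212 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
18:30:40:968 3212
18:30:40:968 3212 Driver Name: atapi
18:30:40:968 3212 IRP_MJ_CREATE : 86F4AAC8
18:30:40:968 3212 IRP_MJ_CREATE_NAMED_PIPE : 86F4AAC8
18:30:40:968 3212 IRP_MJ_CLOSE : 86F4AAC8
18:30:40:968 3212 IRP_MJ_READ : 86F4AAC8
18:30:40:968 3212 IRP_MJ_QUERY_INFORMATION : 86F4AAC8
18:30:40:968 3212 IRP_MJ_DEVICE_CONTROL : 86F4AAC8
18:30:40:968 3212 Driver "atapi" infected by TDSS rootkit!
18:30:40:968 3212 C:\WINDOWS\system32\drivers\tskA.tmp - Verdict: 3
"""

# Every log line starts with "HH:MM:SS:mmm <pid>"; the rest is the message.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})")
VERDICT_RE = re.compile(r"^(.*?)\s+-\s+Verdict:\s*(\d+)")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected')


@dataclass
class DriverScan:
    name: str
    dispatch: Dict[str, str] = field(default_factory=dict)  # IRP major -> handler address
    path: str = ""
    verdict: Optional[int] = None
    tool_flagged: bool = False


def parse_tdsskiller(text: str) -> List[DriverScan]:
    """Group the per-device dispatch-table dump into one record per 'Driver Name:' block."""
    drivers: List[DriverScan] = []
    current: Optional[DriverScan] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        if (d := DRIVER_RE.match(body)):
            current = DriverScan(d.group(1))
            drivers.append(current)
        elif current is None:
            continue
        elif (i := IRP_RE.match(body)):
            current.dispatch[i.group(1)] = i.group(2).upper()
        elif INFECTED_RE.match(body):
            current.tool_flagged = True
        elif (v := VERDICT_RE.match(body)):
            current.path, current.verdict = v.group(1), int(v.group(2))
            current = None  # the Verdict line closes the block
    return drivers


def default_handler(drivers: List[DriverScan]) -> str:
    """Address shared by the most drivers: the kernel's catch-all for unimplemented
    majors (804F355A in the log on this page). Ties break on the address string."""
    seen_in = Counter()
    for d in drivers:
        seen_in.update(set(d.dispatch.values()))
    return max(seen_in, key=lambda a: (seen_in[a], a))


def assess(drivers: List[DriverScan]) -> Dict[str, List[str]]:
    """Return {driver: reasons} for drivers whose dispatch table looks hijacked."""
    default = default_handler(drivers)
    findings: Dict[str, List[str]] = {}
    for d in drivers:
        reasons = []
        distinct = set(d.dispatch.values())
        # A legitimate driver has several handlers plus the kernel default; a table
        # where every major funnels into one non-default address has been overwritten.
        if len(distinct) == 1 and default not in distinct:
            reasons.append("every IRP major routed to one address %s" % next(iter(distinct)))
        if d.tool_flagged:
            reasons.append("TDSSKiller reported the driver as infected")
        if d.verdict not in (None, 1):
            reasons.append("verdict %d on %s" % (d.verdict, d.path))
        if reasons:
            findings[d.name] = reasons
    return findings


if __name__ == "__main__":
    for name, why in assess(parse_tdsskiller(SAMPLE_LOG)).items():
        print(name, "->", "; ".join(why))
```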

Check a file/files

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to

c:\windows\system32\drivers\kgpcpy.cfg

then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Next

Please download RunScanner from here

  • Save runscanner.exe to your desktop and double-click it to run it.
  • Once it starts, select Expert Mode and click Ok
  • When the main program opens, click on the Scan Computer button at the top, be patient it may take a few moments.
  • Once that's done click on the Save run file button at the top and when the save dialogue box opens, save the file as runlog and save it to your desktop.
  • Now right-click on the runlog.run file located on your desktop and highlight Send To and select Compressed (zipped) Folder
  • Please attach the runlog.zip file you just created to your next post.


Hello again, Kenny. Here are my results as requested:

File kgpcpy.cfg received on 2010.04.16 19:05:09 (UTC)

Current status: finished

Result: 0/40 (0.00%)

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.04.16 -

AhnLab-V3 5.0.0.2 2010.04.16 -

AntiVir 7.10.6.115 2010.04.16 -

Antiy-AVL 2.0.3.7 2010.04.16 -

Authentium 5.2.0.5 2010.04.16 -

Avast 4.8.1351.0 2010.04.16 -

Avast5 5.0.332.0 2010.04.16 -

AVG 9.0.0.787 2010.04.16 -

BitDefender 7.2 2010.04.16 -

CAT-QuickHeal 10.00 2010.04.16 -

ClamAV 0.96.0.3-git 2010.04.16 -

Comodo 4616 2010.04.16 -

DrWeb 5.0.2.03300 2010.04.16 -

eSafe 7.0.17.0 2010.04.15 -

eTrust-Vet 35.2.7430 2010.04.16 -

F-Prot 4.5.1.85 2010.04.16 -

F-Secure 9.0.15370.0 2010.04.16 -

Fortinet 4.0.14.0 2010.04.16 -

GData 19 2010.04.16 -

Ikarus T3.1.1.80.0 2010.04.16 -

Jiangmin 13.0.900 2010.04.16 -

Kaspersky 7.0.0.125 2010.04.16 -

McAfee 5.400.0.1158 2010.04.16 -

McAfee-GW-Edition 6.8.5 2010.04.16 -

Microsoft 1.5605 2010.04.16 -

NOD32 5034 2010.04.16 -

Norman 6.04.11 2010.04.16 -

nProtect 2010-04-16.01 2010.04.16 -

Panda 10.0.2.7 2010.04.16 -

PCTools 7.0.3.5 2010.04.16 -

Prevx 3.0 2010.04.16 -

Rising 22.43.04.04 2010.04.16 -

Sophos 4.52.0 2010.04.16 -

Sunbelt 6184 2010.04.16 -

Symantec 20091.2.0.41 2010.04.16 -

TheHacker 6.5.2.0.262 2010.04.15 -

TrendMicro 9.120.0.1004 2010.04.15 -

VBA32 3.12.12.4 2010.04.15 -

ViRobot 2010.4.16.2280 2010.04.16 -

VirusBuster 5.0.27.0 2010.04.16 -

Additional information

File size: 33264 bytes

MD5 : f94ef8ea1ee6c7d0672dea1b35ed4248

SHA1 : 0ac1138a5f00391e7774cbe7987e1ccc0e229a0c

SHA256: 12cc0d2da88eb9d640edda7c427766cd64b82cc21117c43267d6ff46399b0815

TrID : File type identification

Unknown!

ssdeep: 768:Syxdo2LHu71HadyzpZ7HJJCXhXOmBk5SVJcPox3ck7Gpk6Icc1XHgTkqL:SyY2LORHoyzX7pJCXhXOma5SVKA3ck7E

sigcheck: publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEiD : -

RDS : NSRL Reference Data Set

-

runlog.zip


Anti-virus software are programs that detect, clean and erase harmful virus files on a computer, Web server or network. Unchecked virus files can unintentionally be forwarded to others, including trading partners, and thereby spread infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors NOW:

  • Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.
  • avast! 5 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an antivirus scanner is not present, which should be able to deal with most of it and prevent further reinfection.


I did a scan for updates, however, it isn't coming up with anything. It just scans for a couple of minutes then says "Status: An error occured during download."

We'll deal with this after we are done.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *atapi.sys*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 10:14 on 17/04/2010 by William Cuddy (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys*"

C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:51 25/08/2009] [08:05 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [00:50 16/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [17:44 25/08/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\atapi.sys --a--- 96512 bytes [00:56 26/11/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys --a--- 96512 bytes [17:44 25/08/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys --a--- 96512 bytes [01:55 29/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [22:59 03/08/2004] [16:38 16/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--- 95360 bytes [13:40 02/09/2006] [08:05 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--- 95360 bytes [13:40 02/09/2006] [08:05 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-


Run CFScript

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

File::
c:\windows\system32\bcmwlu00.exe
c:\windows\system32\wltrynt.dll
c:\program files\Common Files\efyvirypa.dll
c:\program files\Common Files\qubijo.dl
c:\program files\Common Files\ogidox.ban
c:\program files\Common Files\nepimyg.bat

Fcopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Let's run ComboFix again. But run DeFogger before you run ComboFix. Drag the ComboFix icon into the Recycle Bin.

DeFogger

Download DeFogger by jpshortstuff from here & save it to your desktop.

  • Right click DeFogger then choose Run as Administrator to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next

Do not run in safe mode.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

[Screenshots: CF_download_FF.gif, CF_download_rename.gif]

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


ComboFix 10-04-17.01 - William Cuddy 04/17/2010 13:26:28.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.683 [GMT -7:00]

Running from: c:\documents and settings\William Cuddy\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))

.

2010-04-17 19:08 . 2010-04-17 19:08 22384 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-17 16:36 . 2010-04-17 16:36 -------- d-----w- c:\documents and settings\William Cuddy\Application Data\Avira

2010-04-17 16:32 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-04-17 16:32 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-04-17 16:32 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-04-17 16:32 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-04-17 16:32 . 2010-04-17 16:32 -------- d-----w- c:\program files\Avira

2010-04-17 16:32 . 2010-04-17 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-04-16 19:08 . 2010-04-16 19:08 -------- d-----w- c:\documents and settings\William Cuddy\Local Settings\Application Data\Runscanner.net

2010-04-15 16:54 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-15 16:54 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-15 10:42 . 2010-04-15 10:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-04-14 17:16 . 2010-04-17 18:54 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-14 04:31 . 2010-04-14 04:31 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-04-14 04:30 . 2010-04-14 04:30 152576 ----a-w- c:\documents and settings\William Cuddy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2010-04-14 04:29 . 2010-04-14 04:29 79488 ----a-w- c:\documents and settings\William Cuddy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-04-14 02:02 . 2010-04-14 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-04-13 17:49 . 2010-04-13 17:49 -------- d-----w- C:\spoolerlogs

2010-03-24 16:15 . 2007-07-23 22:18 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS

2010-03-24 16:15 . 2007-07-23 22:18 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll

2010-03-24 16:15 . 2007-07-23 22:18 139264 ----a-w- c:\windows\system32\preflib.dll

2010-03-24 16:15 . 2007-10-18 13:17 822400 ----a-w- c:\windows\system32\drivers\WMP300Nv1.sys

2010-03-24 16:15 . 2007-07-23 22:18 753664 ----a-w- c:\windows\system32\bcm1xsup.dll

2010-03-24 16:15 . 2007-07-23 22:18 2670592 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL

2010-03-24 16:15 . 2007-07-23 22:18 24064 ----a-w- c:\windows\system32\WLTRYSVC.EXE

2010-03-24 16:15 . 2007-07-23 22:18 1265664 ----a-w- c:\windows\system32\BCMWLTRY.EXE

2010-03-24 16:14 . 2010-03-24 16:14 -------- d-----w- c:\program files\Linksys

2010-03-24 16:14 . 2010-03-24 16:14 -------- d-----w- c:\documents and settings\William Cuddy\Application Data\InstallShield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-16 02:52 . 2006-09-02 13:29 40840 ----a-w- c:\windows\system32\drivers\termdd.sys

2010-04-15 16:57 . 2009-10-07 06:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-15 03:04 . 2009-10-07 04:50 -------- d-----w- c:\program files\Common Files\PC Tools

2010-04-15 03:02 . 2006-10-10 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-15 01:37 . 2009-09-11 19:06 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-15 01:29 . 2009-09-11 17:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-14 05:31 . 2009-09-11 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2010-04-14 04:52 . 2010-04-14 04:06 33264 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-04-14 04:31 . 2006-01-07 21:24 -------- d-----w- c:\program files\Java

2010-04-14 04:09 . 2008-03-24 03:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-04-14 04:05 . 2009-09-01 18:43 -------- d-----w- c:\program files\Steam

2010-03-24 16:14 . 2005-09-30 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-22 20:44 . 2008-05-07 05:58 -------- d-----w- c:\program files\Common Files\AOL

2010-03-14 06:14 . 2005-10-01 02:12 -------- d-----w- c:\program files\Games

2010-03-10 06:15 . 2006-09-02 13:21 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-28 22:08 . 2010-01-31 21:58 37979 ----a-w- c:\windows\scunin.dat

2010-02-28 22:08 . 2010-01-31 21:58 967 ----a-w- c:\windows\ScUnin.pif

2010-02-28 22:08 . 2010-01-31 21:58 70656 ----a-w- c:\windows\ScUnin.exe

2010-02-28 18:25 . 2010-02-28 18:25 -------- d-----w- c:\program files\Microsoft Silverlight

2010-02-25 06:24 . 2006-09-02 13:21 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 17:16 . 2009-12-05 15:14 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 13:11 . 2006-09-02 13:21 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-17 16:10 . 2006-09-02 13:21 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2006-09-02 13:21 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-09-02 13:21 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2010-01-22 15:34 . 2010-01-22 16:14 38784 ----a-w- c:\documents and settings\William Cuddy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-04-17_19.26.04 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-04-17 20:25 . 2010-04-17 20:25 16384 c:\windows\temp\Perflib_Perfdata_88.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2004-12-01 77824]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-14 149280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Games\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Steam\\steamapps\\jcudd\\half-life\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\jcudd\\opposing force\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\jcudd\\half-life blue shift\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\jcudd\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Games\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"48475:TCP"= 48475:TCP:Limewire TCP

"48475:UDP"= 48475:UDP:Limewire UDP

"3724:UDP"= 3724:UDP:bliz

"6881:TCP"= 6881:TCP:bliz

"6112:TCP"= 6112:TCP:bliz

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/17/2010 9:32 AM 135336]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/15/2010 9:54 AM 303952]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/6/2008 10:59 PM 24652]

R2 WMP300NSvc;WMP300NSvc;c:\program files\Linksys\WMP300N\WLService.exe [3/24/2010 9:14 AM 53307]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/15/2010 9:54 AM 20824]

R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [3/24/2010 9:15 AM 822400]

S3 AJ;AJ;c:\docume~1\ADMINI~1\LOCALS~1\Temp\AJ.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\AJ.exe [?]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S3 UD;UD;c:\docume~1\ADMINI~1\LOCALS~1\Temp\UD.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\UD.exe [?]

.

Contents of the 'Scheduled Tasks' folder

2010-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = localhost;*.local

uSearchAssistant = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-17 13:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-676704559-2313130421-1357480422-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:07,fe,e1,79,f2,ec,08,e6,69,36,d7,6c,9a,07,d0,44,3c,6f,48,2b,54,3f,91,

64,73,2e,f3,91,b7,70,a5,4d,83,85,40,e2,ed,27,8d,07,f1,e7,75,ab,38,c9,66,54,\

"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-676704559-2313130421-1357480422-1006\Software\SecuROM\License information*]

"datasecu"=hex:7e,65,a2,2d,dd,8f,31,b0,2e,68,40,1f,c9,07,33,f0,2a,f0,cd,20,35,

74,41,9e,f4,68,4d,b9,a1,08,3f,d3,be,f8,82,2b,41,e2,c8,67,b6,46,d8,3d,80,b8,\

"rkeysecu"=hex:a2,47,2f,1e,cc,00,95,77,61,a2,d2,96,bd,a3,d2,cb

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)

c:\windows\System32\BCMLogon.dll

c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL

.

Completion time: 2010-04-17 13:35:53

ComboFix-quarantined-files.txt 2010-04-17 20:35

ComboFix2.txt 2010-04-17 19:29

ComboFix3.txt 2010-04-17 18:52

Pre-Run: 21,973,798,912 bytes free

Post-Run: 21,936,160,768 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 38B9C981F826754151B7E440D2BB00E6

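The service and "Reg Loading Points" part of the ComboFix log above is what a helper reads first: three stopped services (AJ, UD, diskchk) whose image files ComboFix marks with [?] because they are no longer on disk, two of them registered from the Administrator profile's Temp directory, the XP firewall switched off for the standard profile, and both Security Center overrides set so that the missing protection raises no alert. The script below is an added example, not ComboFix's code and not anything posted in the thread: it parses lines in that format and turns them into findings. SAMPLE_LOG is a constructed excerpt shaped like the posted log, and SUSPECT_DIRS and the severity labels are the example's own choices.

```python
"""Triage the service and firewall-policy lines of a ComboFix log.

Added example, not code from the thread or from ComboFix.  SAMPLE_LOG is a
constructed excerpt in ComboFix's format; SUSPECT_DIRS and the severity
labels are choices made for this example.
"""
import re

# Constructed excerpt shaped like the posted log's Security Center, firewall
# and service lines ('R'/'S' = running/stopped, digit = start type, then
# 'Name;Display;image [date size]' or 'registered --> resolved [?]').
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/15/2010 9:54 AM 303952]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [3/24/2010 9:15 AM 822400]
S3 AJ;AJ;c:\docume~1\ADMINI~1\LOCALS~1\Temp\AJ.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\AJ.exe [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 UD;UD;c:\docume~1\ADMINI~1\LOCALS~1\Temp\UD.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\UD.exe [?]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
POLICY_KEYS = ("AntiVirusOverride", "FirewallOverride", "EnableFirewall", "DisableNotifications")
# Lower-cased directory fragments where a legitimate service image does not live.
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")


def parse_services(text):
    """Return one dict per service line: name, start type, state, image path, missing flag."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").rstrip()
        missing = rest.endswith("[?]")              # ComboFix: file not present on disk
        path = rest.split(" --> ")[-1]              # keep the resolved path when both are printed
        path = re.sub(r"\s+\[[^\]]*\]$", "", path)  # drop trailing '[date size]' / '[?]'
        path = path.replace("\\??\\", "")           # NT object-manager prefix on driver paths
        services.append({"name": m.group("name"), "start": int(m.group("start")),
                         "running": m.group("state") == "R", "path": path, "missing": missing})
    return services


def parse_policy(text):
    """Security Center overrides (dword:hex) and XP firewall values (decimal) as ints."""
    values = {}
    for key in POLICY_KEYS:
        m = re.search(r'"%s"\s*=\s*(dword:)?([0-9A-Fa-f]+)' % key, text)
        if m:
            values[key] = int(m.group(2), 16 if m.group(1) else 10)
    return values


def triage(text):
    """Findings as (severity, message) pairs, in the order a helper would act on them."""
    findings = []
    for svc in parse_services(text):
        low = svc["path"].lower()
        if any(d in low for d in SUSPECT_DIRS):
            findings.append(("high", "service %s registered from a temp directory: %s"
                             % (svc["name"], svc["path"])))
        elif svc["missing"]:
            findings.append(("medium", "service %s points at a file that is no longer on disk: %s"
                             % (svc["name"], svc["path"])))
    pol = parse_policy(text)
    if pol.get("EnableFirewall") == 0:
        findings.append(("high", "Windows Firewall disabled for the standard profile"))
    if pol.get("AntiVirusOverride") == 1 or pol.get("FirewallOverride") == 1:
        findings.append(("medium", "Security Center alerting overridden (AV=%s, firewall=%s)"
                         % (pol.get("AntiVirusOverride"), pol.get("FirewallOverride"))))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print("[%s] %s" % (severity.upper(), message))
```

Run against the constructed excerpt it reports AJ and UD as high (temp-directory image), diskchk as medium (stale entry), the disabled firewall as high and the overrides as medium. A stale S3 entry with no file behind it cannot run, so on its own it is a clean-up item rather than an active threat; the combination of Temp-directory services with the firewall and Security Center silenced is what makes the log worth a second look.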

15:53:04:375 0244 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

15:53:04:375 0244 ================================================================================

15:53:04:375 0244 SystemInfo:

15:53:04:375 0244 OS Version: 5.1.2600 ServicePack: 3.0

15:53:04:375 0244 Product type: Workstation

15:53:04:390 0244 ComputerName: WILLIAM

15:53:04:390 0244 UserName: William Cuddy

15:53:04:390 0244 Windows directory: C:\WINDOWS

15:53:04:390 0244 Processor architecture: Intel x86

15:53:04:390 0244 Number of processors: 1

15:53:04:390 0244 Page size: 0x1000

15:53:04:390 0244 Boot type: Normal boot

15:53:04:390 0244 ================================================================================

15:53:04:390 0244 UnloadDriverW: NtUnloadDriver error 2

15:53:04:390 0244 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

15:53:04:421 0244 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

15:53:04:421 0244 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:53:04:421 0244 wfopen_ex: Trying to KLMD file open

15:53:04:421 0244 wfopen_ex: File opened ok (Flags 2)

15:53:04:421 0244 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

15:53:04:421 0244 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:53:04:421 0244 wfopen_ex: Trying to KLMD file open

15:53:04:421 0244 wfopen_ex: File opened ok (Flags 2)

15:53:04:421 0244 Initialize success

15:53:04:421 0244

15:53:04:421 0244 Scanning Services ...

15:53:04:765 0244 Raw services enum returned 334 services

15:53:04:765 0244

15:53:04:765 0244 Scanning Kernel memory ...

15:53:04:765 0244 Devices to scan: 10

15:53:04:765 0244

15:53:04:765 0244 Driver Name: Disk

15:53:04:765 0244 IRP_MJ_CREATE : F7622BB0

15:53:04:765 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:765 0244 IRP_MJ_CLOSE : F7622BB0

15:53:04:765 0244 IRP_MJ_READ : F761CD1F

15:53:04:765 0244 IRP_MJ_WRITE : F761CD1F

15:53:04:765 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:765 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:765 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:765 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:765 0244 IRP_MJ_FLUSH_BUFFERS : F761D2E2

15:53:04:765 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:765 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:765 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:765 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:765 0244 IRP_MJ_DEVICE_CONTROL : F761D3BB

15:53:04:765 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7620F28

15:53:04:765 0244 IRP_MJ_SHUTDOWN : F761D2E2

15:53:04:765 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:765 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:765 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:765 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:765 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:765 0244 IRP_MJ_POWER : F761EC82

15:53:04:765 0244 IRP_MJ_SYSTEM_CONTROL : F762399E

15:53:04:765 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:765 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:765 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:796 0244 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:53:04:796 0244

15:53:04:796 0244 Driver Name: Disk

15:53:04:796 0244 IRP_MJ_CREATE : F7622BB0

15:53:04:796 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:796 0244 IRP_MJ_CLOSE : F7622BB0

15:53:04:796 0244 IRP_MJ_READ : F761CD1F

15:53:04:796 0244 IRP_MJ_WRITE : F761CD1F

15:53:04:796 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:796 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:796 0244 IRP_MJ_FLUSH_BUFFERS : F761D2E2

15:53:04:796 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_DEVICE_CONTROL : F761D3BB

15:53:04:796 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7620F28

15:53:04:796 0244 IRP_MJ_SHUTDOWN : F761D2E2

15:53:04:796 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:796 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:796 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:796 0244 IRP_MJ_POWER : F761EC82

15:53:04:796 0244 IRP_MJ_SYSTEM_CONTROL : F762399E

15:53:04:796 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:796 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:796 0244 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:53:04:796 0244

15:53:04:796 0244 Driver Name: Disk

15:53:04:796 0244 IRP_MJ_CREATE : F7622BB0

15:53:04:796 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:796 0244 IRP_MJ_CLOSE : F7622BB0

15:53:04:796 0244 IRP_MJ_READ : F761CD1F

15:53:04:796 0244 IRP_MJ_WRITE : F761CD1F

15:53:04:796 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:796 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:796 0244 IRP_MJ_FLUSH_BUFFERS : F761D2E2

15:53:04:796 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_DEVICE_CONTROL : F761D3BB

15:53:04:796 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7620F28

15:53:04:796 0244 IRP_MJ_SHUTDOWN : F761D2E2

15:53:04:796 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:796 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:796 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:796 0244 IRP_MJ_POWER : F761EC82

15:53:04:796 0244 IRP_MJ_SYSTEM_CONTROL : F762399E

15:53:04:796 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:796 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:796 0244 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:53:04:796 0244

15:53:04:796 0244 Driver Name: Disk

15:53:04:796 0244 IRP_MJ_CREATE : F7622BB0

15:53:04:796 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:796 0244 IRP_MJ_CLOSE : F7622BB0

15:53:04:796 0244 IRP_MJ_READ : F761CD1F

15:53:04:796 0244 IRP_MJ_WRITE : F761CD1F

15:53:04:796 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:796 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:796 0244 IRP_MJ_FLUSH_BUFFERS : F761D2E2

15:53:04:796 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_DEVICE_CONTROL : F761D3BB

15:53:04:796 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7620F28

15:53:04:796 0244 IRP_MJ_SHUTDOWN : F761D2E2

15:53:04:796 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:796 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:796 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:796 0244 IRP_MJ_POWER : F761EC82

15:53:04:796 0244 IRP_MJ_SYSTEM_CONTROL : F762399E

15:53:04:796 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:796 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:796 0244 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:53:04:796 0244

15:53:04:796 0244 Driver Name: usbstor

15:53:04:796 0244 IRP_MJ_CREATE : F79D9218

15:53:04:796 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:796 0244 IRP_MJ_CLOSE : F79D9218

15:53:04:796 0244 IRP_MJ_READ : F79D923C

15:53:04:796 0244 IRP_MJ_WRITE : F79D923C

15:53:04:796 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:796 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:796 0244 IRP_MJ_FLUSH_BUFFERS : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:796 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_DEVICE_CONTROL : F79D9180

15:53:04:796 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F79D49E6

15:53:04:796 0244 IRP_MJ_SHUTDOWN : 804F355A

15:53:04:796 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:796 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:796 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:796 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:796 0244 IRP_MJ_POWER : F79D85F0

15:53:04:796 0244 IRP_MJ_SYSTEM_CONTROL : F79D6A6E

15:53:04:796 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:796 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:796 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:828 0244 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:53:04:828 0244

15:53:04:828 0244 Driver Name: usbstor

15:53:04:828 0244 IRP_MJ_CREATE : F79D9218

15:53:04:828 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:828 0244 IRP_MJ_CLOSE : F79D9218

15:53:04:828 0244 IRP_MJ_READ : F79D923C

15:53:04:828 0244 IRP_MJ_WRITE : F79D923C

15:53:04:828 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:828 0244 IRP_MJ_FLUSH_BUFFERS : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_DEVICE_CONTROL : F79D9180

15:53:04:828 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F79D49E6

15:53:04:828 0244 IRP_MJ_SHUTDOWN : 804F355A

15:53:04:828 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:828 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_POWER : F79D85F0

15:53:04:828 0244 IRP_MJ_SYSTEM_CONTROL : F79D6A6E

15:53:04:828 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:828 0244 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:53:04:828 0244

15:53:04:828 0244 Driver Name: usbstor

15:53:04:828 0244 IRP_MJ_CREATE : F79D9218

15:53:04:828 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:828 0244 IRP_MJ_CLOSE : F79D9218

15:53:04:828 0244 IRP_MJ_READ : F79D923C

15:53:04:828 0244 IRP_MJ_WRITE : F79D923C

15:53:04:828 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:828 0244 IRP_MJ_FLUSH_BUFFERS : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_DEVICE_CONTROL : F79D9180

15:53:04:828 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F79D49E6

15:53:04:828 0244 IRP_MJ_SHUTDOWN : 804F355A

15:53:04:828 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:828 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_POWER : F79D85F0

15:53:04:828 0244 IRP_MJ_SYSTEM_CONTROL : F79D6A6E

15:53:04:828 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:828 0244 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:53:04:828 0244

15:53:04:828 0244 Driver Name: usbstor

15:53:04:828 0244 IRP_MJ_CREATE : F79D9218

15:53:04:828 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:828 0244 IRP_MJ_CLOSE : F79D9218

15:53:04:828 0244 IRP_MJ_READ : F79D923C

15:53:04:828 0244 IRP_MJ_WRITE : F79D923C

15:53:04:828 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:828 0244 IRP_MJ_FLUSH_BUFFERS : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_DEVICE_CONTROL : F79D9180

15:53:04:828 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F79D49E6

15:53:04:828 0244 IRP_MJ_SHUTDOWN : 804F355A

15:53:04:828 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:828 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_POWER : F79D85F0

15:53:04:828 0244 IRP_MJ_SYSTEM_CONTROL : F79D6A6E

15:53:04:828 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:828 0244 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:53:04:828 0244

15:53:04:828 0244 Driver Name: Disk

15:53:04:828 0244 IRP_MJ_CREATE : F7622BB0

15:53:04:828 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:828 0244 IRP_MJ_CLOSE : F7622BB0

15:53:04:828 0244 IRP_MJ_READ : F761CD1F

15:53:04:828 0244 IRP_MJ_WRITE : F761CD1F

15:53:04:828 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:828 0244 IRP_MJ_FLUSH_BUFFERS : F761D2E2

15:53:04:828 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_DEVICE_CONTROL : F761D3BB

15:53:04:828 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7620F28

15:53:04:828 0244 IRP_MJ_SHUTDOWN : F761D2E2

15:53:04:828 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:828 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_POWER : F761EC82

15:53:04:828 0244 IRP_MJ_SYSTEM_CONTROL : F762399E

15:53:04:828 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:828 0244 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:53:04:828 0244

15:53:04:828 0244 Driver Name: atapi

15:53:04:828 0244 IRP_MJ_CREATE : F746F6F2

15:53:04:828 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

15:53:04:828 0244 IRP_MJ_CLOSE : F746F6F2

15:53:04:828 0244 IRP_MJ_READ : 804F355A

15:53:04:828 0244 IRP_MJ_WRITE : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_EA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_EA : 804F355A

15:53:04:828 0244 IRP_MJ_FLUSH_BUFFERS : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

15:53:04:828 0244 IRP_MJ_DIRECTORY_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_DEVICE_CONTROL : F746F712

15:53:04:828 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F746B852

15:53:04:828 0244 IRP_MJ_SHUTDOWN : 804F355A

15:53:04:828 0244 IRP_MJ_LOCK_CONTROL : 804F355A

15:53:04:828 0244 IRP_MJ_CLEANUP : 804F355A

15:53:04:828 0244 IRP_MJ_CREATE_MAILSLOT : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_SET_SECURITY : 804F355A

15:53:04:828 0244 IRP_MJ_POWER : F746F73C

15:53:04:828 0244 IRP_MJ_SYSTEM_CONTROL : F7476336

15:53:04:828 0244 IRP_MJ_DEVICE_CHANGE : 804F355A

15:53:04:828 0244 IRP_MJ_QUERY_QUOTA : 804F355A

15:53:04:828 0244 IRP_MJ_SET_QUOTA : 804F355A

15:53:04:875 0244 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1

15:53:04:875 0244

15:53:04:875 0244 Completed

15:53:04:875 0244

15:53:04:875 0244 Results:

15:53:04:875 0244 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

15:53:04:875 0244 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

15:53:04:875 0244 File objects infected / cured / cured on reboot: 0 / 0 / 0

15:53:04:875 0244

15:53:04:875 0244 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

15:53:04:875 0244 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

15:53:04:875 0244 KLMD(ARK) unloaded successfully

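The "Scanning Kernel memory" part of the TDSSKiller log above prints, for each storage device object it walks, the address of every IRP_MJ_* dispatch routine of the owning driver (Disk, usbstor, atapi), followed by a per-driver verdict. That table matters because a storage-stack rootkit of the TDSS/TDL family the tool is named after redirects those entries to its own code so that disk reads and writes pass through it. The test is therefore whether each handler sits inside the driver's own image or inside the kernel, where the default handler for request types a driver does not implement lives (it shows up as 804F355A in every table above). The script below is an added example, not part of the thread and not TDSSKiller's code: it parses a dump in that format and reports any handler outside both ranges. MODULE_RANGES, KERNEL_RANGE and the third, hooked atapi block in SAMPLE_LOG are constructed for the example; on a real system the ranges come from the loaded-module list, and nothing here is a finding about the poster's machine.

```python
"""Check a TDSSKiller "Scanning Kernel memory" dump for hooked IRP handlers.

Added example, not code from the thread or from TDSSKiller.  The module
ranges and the hooked sample block are constructed for illustration.
"""
import re

# CONSTRUCTED image ranges (base, size).  On a live system take these from the
# loaded-module list; the values are only chosen to bracket the handler
# addresses in the sample below and are not measurements from any machine.
MODULE_RANGES = {
    "disk": (0xF761A000, 0x0C000),
    "atapi": (0xF7468000, 0x12000),
}
KERNEL_RANGE = (0x804D7000, 0x1F8000)  # constructed range standing in for ntoskrnl

# Constructed sample in TDSSKiller's format: a Disk table and a clean atapi
# table shaped like the posted ones, then an atapi table whose I/O-control
# handlers have been redirected to an address that is inside no image at all.
SAMPLE_LOG = r"""
15:53:04:765 0244 Driver Name: Disk
15:53:04:765 0244 IRP_MJ_CREATE : F7622BB0
15:53:04:765 0244 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
15:53:04:765 0244 IRP_MJ_READ : F761CD1F
15:53:04:765 0244 IRP_MJ_DEVICE_CONTROL : F761D3BB
15:53:04:765 0244 IRP_MJ_SYSTEM_CONTROL : F762399E
15:53:04:796 0244 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:53:04:796 0244
15:53:04:828 0244 Driver Name: atapi
15:53:04:828 0244 IRP_MJ_CREATE : F746F6F2
15:53:04:828 0244 IRP_MJ_READ : 804F355A
15:53:04:828 0244 IRP_MJ_DEVICE_CONTROL : F746F712
15:53:04:828 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F746B852
15:53:04:828 0244 IRP_MJ_SYSTEM_CONTROL : F7476336
15:53:04:875 0244 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
15:53:04:875 0244
15:53:04:875 0244 Driver Name: atapi
15:53:04:875 0244 IRP_MJ_CREATE : F746F6F2
15:53:04:875 0244 IRP_MJ_READ : 804F355A
15:53:04:875 0244 IRP_MJ_DEVICE_CONTROL : 8A2C1B20
15:53:04:875 0244 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A2C1B20
15:53:04:875 0244 IRP_MJ_SYSTEM_CONTROL : F7476336
"""

LINE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d{3}\s+\d+\s+(?P<body>.*)$")   # 'hh:mm:ss:ms pid body'
HANDLER_RE = re.compile(r"^(?P<irp>IRP_MJ_\w+)\s*:\s*(?P<addr>[0-9A-Fa-f]{8})$")
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - Verdict: (?P<verdict>\S+)$")


def parse_dispatch_tables(text):
    """One record per 'Driver Name:' block: driver, {IRP_MJ_*: address}, path, verdict."""
    tables, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        if body.startswith("Driver Name:"):
            cur = {"driver": body.split(":", 1)[1].strip(),
                   "handlers": {}, "path": None, "verdict": None}
            tables.append(cur)
            continue
        if cur is None:
            continue
        h = HANDLER_RE.match(body)
        if h:
            cur["handlers"][h.group("irp")] = int(h.group("addr"), 16)
            continue
        p = PATH_RE.match(body)
        if p:                       # verdict is kept as-is; its meaning is the tool's own
            cur["path"], cur["verdict"] = p.group("path"), p.group("verdict")
    return tables


def in_range(addr, base_size):
    base, size = base_size
    return base <= addr < base + size


def check_table(table):
    """Entries pointing neither into the driver's own image nor into the kernel."""
    rng = MODULE_RANGES.get(table["driver"].lower())
    if rng is None:
        raise KeyError("no module range known for driver %r" % table["driver"])
    return sorted((irp, addr) for irp, addr in table["handlers"].items()
                  if not in_range(addr, rng) and not in_range(addr, KERNEL_RANGE))


def report(text):
    """(driver, suspicious entries) for each table in the dump, in log order."""
    return [(t["driver"], check_table(t)) for t in parse_dispatch_tables(text)]


if __name__ == "__main__":
    for driver, hooked in report(SAMPLE_LOG):
        print(driver, "clean" if not hooked else ["%s -> %08X" % e for e in hooked])
```

The first two tables come back clean and the third reports IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL at 8A2C1B20. This check only sees a dispatch entry redirected out of the image; a driver patched in place, or whose file on disk was replaced, keeps an in-range table, and catching that needs the loaded image compared against the file, which this parser does not attempt.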

There are some older versions of Java on your computer. These can be a source of infection.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 20 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_20 from Sun Microsystems Inc.

Next

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, April 17, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, April 17, 2010 23:11:39

Records in database: 3949259

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

F:\

G:\

H:\

I:\

Scan statistics:

Objects scanned: 76185

Threats found: 1

Infected objects found: 2

Suspicious objects found: 0

Scan duration: 02:01:24

File name / Threat / Threats count

C:\Documents and Settings\William Cuddy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-526002f4-5f8568ff.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1

C:\Documents and Settings\William Cuddy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-1f442ed4-735f0832.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1

Selected area has been scanned.


Please remove these two Folders in My Documents:

C:\Documents and Settings\William Cuddy\Application Data\Sun\Java

C:\Documents and Settings\William Cuddy\Application Data\Sun\Java\

How are things now William?

Update and Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Hi Kenny. Things are great! No pop ups so far and no websites attempting to intrude on my computer. Here is the MWBAM log to support that:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4005

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/18/2010 10:48:48 AM

mbam-log-2010-04-18 (10-48-48).txt

Scan type: Quick scan

Objects scanned: 114371

Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Your Computer is Clean

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA. Both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialize and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you William.

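Added example (not part of Kenny's post or any Malwarebytes tool): a PowerShell script that audits the six Internet zone settings listed in the post above against the values it recommends, by reading the zone's standard action identifiers from the current user's registry hive, and rewrites any weaker setting when run with -Fix. It assumes the settings live under HKCU and are not overridden by an HKLM policy, which the script does not check.

```powershell
# Added example (not from the thread): audit the Internet zone (zone 3)
# settings the post walks through, and optionally set them.
# Assumption: HKCU holds the user's zone settings; an HKLM policy can
# override these and is not checked here.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Standard IE zone action identifiers for the six settings in the post.
# Data: 0 = Enable, 1 = Prompt, 3 = Disable (lower number = more permissive).
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeInternetZone {
    # With -Fix, weaker-than-recommended values are rewritten; otherwise only reported.
    param([switch]$Fix)
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    $weak = 0
    foreach ($id in $Recommended.Keys) {
        $entry = $Recommended[$id]
        $have  = $props.PSObject.Properties[$id].Value
        $haveText = if ($null -eq $have) { 'not set' }
                    elseif ($Label.ContainsKey([int]$have)) { $Label[[int]$have] }
                    else { "raw $have" }
        # A missing value falls back to the zone template, so flag it for review as well.
        if ($null -eq $have -or [int]$have -lt $entry.Want) {
            $weak++
            Write-Host ("WEAK  {0,-62} is {1}, want {2}" -f $entry.Name, $haveText, $Label[$entry.Want])
            if ($Fix) {
                Set-ItemProperty -Path $ZonePath -Name $id -Value $entry.Want -Type DWord
                Write-Host ("      set {0} -> {1}" -f $id, $Label[$entry.Want])
            }
        } else {
            Write-Host ("OK    {0,-62} is {1}" -f $entry.Name, $haveText)
        }
    }
    return $weak   # number of settings that were weaker than recommended
}

# Usage: audit first, then harden once the report has been reviewed.
$count = Test-IeInternetZone
if ($count -gt 0) { Write-Host "$count setting(s) need attention; rerun with -Fix to apply." }
```

Run it in the same user context whose Internet Explorer settings you want to check, since the values are per-user.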