Solved AXWIN Frame Window: svchost.exe - Application Error

Discussion in 'Malware and Virus Removal Archive' started by sallnjackn, 2010/01/30.

  1. 2010/02/01
    broni (Moderator, Malware Analyst)
    Yes, reopen HJT, checkmark indicated entries, click "Fix checked" and post fresh log.
     
  2. 2010/02/01
    sallnjackn (Well-Known Member, Thread Starter)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:56:40 PM, on 2/1/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead2\InCD\InCDsrv.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
    C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    H:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Fomine Net Send GUI\NetSendGUI.exe
    C:\Program Files\MSWorks\Calendar\Wkcalrem.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    E:\downloaded program files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ElnkPub.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ProtctIE.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\uninsttb.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\Toolbar.dll
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [WinPatrol] H:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe /hide
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Secunia PSI.lnk = D:\program files\Secunia\PSI\psi.exe
    O4 - Global Startup: Net Send GUI.lnk = C:\Program Files\Fomine Net Send GUI\NetSendGUI.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: EarthLink Google Search - res://C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\SearchUI.dll/search.html
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\sallie\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
    O8 - Extra context menu item: ShaPlus Google Translator - res://E:\Program Files\ShaPlus Google Translator\GoogleTranslator.dll/ie.htm
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://a248.e.akamai.net
    O15 - Trusted Zone: http://www.bitdefender.com
    O15 - Trusted Zone: start.earthlink.net
    O15 - Trusted Zone: scgi.ebay.com
    O15 - Trusted Zone: messenger.hotmail.com
    O15 - Trusted Zone: www.matchmaker.com
    O15 - Trusted Zone: www.msphometour.com
    O15 - Trusted Zone: http://ssl-hints.netflame.cc
    O15 - Trusted Zone: www.nwa.com
    O15 - Trusted Zone: *.officemax.com
    O15 - Trusted Zone: loginnet.passport.com
    O15 - Trusted Zone: login.passport.net
    O15 - Trusted Zone: memberservicesnet.passport.net
    O15 - Trusted Zone: http://www.vanishingpointgame.com
    O15 - Trusted Zone: *.verisign
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/OneClickFix/tgctlsr.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {14578416-1111-1111-1111-111111411123} -
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123999976890
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {66C643AB-AF09-438E-B1BB-F0B79955CCBA} - http://www.wsel.net/imcupdatefiles/whistlesilent615.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123999962031
    O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwba.ops.placeware.com/etc/place/6000-zr/pws-pw01/lib/quicksilver.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - D:\Program Files\LizardTech\Express View\expressview.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - D:\Program Files\LizardTech\Express View\expressview.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
    O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    O23 - Service: Google Update Service (gupdate1c8ea92b33f0c3c) (gupdate1c8ea92b33f0c3c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead2\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\rthlpsvc.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

    --
    End of file - 18570 bytes
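Added example (not HijackThis, WindowsBBS or the poster's code): a small Python triage helper that parses a HijackThis v2 log into its section codes and applies a few of the checks an analyst makes by eye on a log like the one above: the byte-order mark in the O1 Hosts line, Run-key entries that name a bare executable, wildcard Trusted Zone entries, O16 entries with no name or source URL, and services with no publisher. The embedded sample log is constructed from a handful of the lines above.

```python
"""HijackThis v2 log triage (added example; not HijackThis or forum code).

Parses the 'Rn - ...' / 'On - ...' entries into sections and applies a few of
the checks a malware analyst makes by eye when reading such a log.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: a handful of lines modelled on the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: *.verisign
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {14578416-1111-1111-1111-111111411123} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 1234 bytes
"""

# Every log entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")              # "HKLM\..\Run: [name] command"
ORPHAN_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} -\s*$")  # GUID with no name and no URL
UTF16_BOM = "\u00ff\u00fe"  # the FF FE byte-order mark as it prints in an ANSI log


def parse_hjt(text):
    """Group entries by section code; header, process list and footer are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def run_target(command):
    """The file a Run-key command really launches: its first token, or, for
    rundll32, the DLL it is told to load (quotes stripped, Windows paths kept)."""
    try:
        tokens = shlex.split(command, posix=False)  # non-POSIX: backslashes stay literal
    except ValueError:                              # unbalanced quote in the command
        tokens = command.split()
    if not tokens:
        return ""
    first = tokens[0].strip('"')
    if first.lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",", 1)[0].strip('"')
    return first


def triage(sections):
    """Return (section, reason, entry) for each entry worth a second look."""
    findings = []
    for entry in sections.get("O1", []):
        body = entry[len("Hosts: "):] if entry.startswith("Hosts: ") else entry
        if body.startswith(UTF16_BOM):
            findings.append(("O1", "hosts file written with a UTF-16 byte-order mark", entry))
    for entry in sections.get("O4", []):
        m = RUN_RE.match(entry)
        target = run_target(m.group(3)) if m else ""
        if target and "\\" not in target:  # no directory: resolved via the search path
            findings.append(("O4", "bare executable name, resolved via the search path", entry))
    for entry in sections.get("O15", []):
        if entry.split(": ", 1)[-1].startswith("*"):
            findings.append(("O15", "wildcard Trusted Zone entry", entry))
    for entry in sections.get("O16", []):
        if ORPHAN_DPF_RE.match(entry):
            findings.append(("O16", "ActiveX download entry with no name and no source URL", entry))
    for entry in sections.get("O23", []):
        if " - Unknown owner - " in entry:
            findings.append(("O23", "service with no publisher information", entry))
    return findings


def triage_log(text):
    """Parse a whole log and return its findings."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for section, reason, entry in triage_log(SAMPLE_LOG):
        print(f"{section:>4}  {reason}\n      {entry}")
```

Each finding is a reason to look closer, not a verdict; the KHALMNPR.EXE entry above, for instance, is a Logitech component that simply lacks a path.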
     


  4. 2010/02/01
    sallnjackn (Well-Known Member, Thread Starter)
    Sorry it posted twice. I get an error saying I have to wait 15 seconds between posts and to try again when it has actually been at least 15 minutes.
     
  5. 2010/02/01
    broni (Moderator, Malware Analyst)
    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  6. 2010/02/02
    sallnjackn (Well-Known Member, Thread Starter)
    I will certainly do all of your recommendations right away. I'm so surprised that I was infected. I keep my computer up to date and have anti virus but I guess it doesn't catch everything. I got the "survey" page when I rebooted and opened Firefox. I copied the address. It might be of help to you. "http://server2.mediajmp.com/surveys/cpv-index.html?sub=earthlink.net" without quotes. The Axwin error still comes up also. AVG said it found tracking cookies but when I tried to have it heal or quarantine it didn't work. I found them and deleted them. This 75 year old lady is pretty tired about now but I really appreciate all you have done for me and the hours spent. I'm so proud that XP is clean and hope I can keep it that way. My husband has a 2000 professional computer and I'm running Kaspersky on that right now. We use Avast on his machine. I have a 2 year old laptop that came with Vista and I upgraded it to 7 in October. I ran Kaspersky and found 1 infected object and 1 suspicious object. I have AVG on it but have a free year of Kaspersky that I haven't used yet. I should probably install it. I will keep on top of the computers and take all of your advice. Tried to check for Windows updates but there was a problem. The tracking cookies were in IE. My computer is faster and not dragging its heels like it was. Thanks again Broni and when you and I have time I will probably be looking for help again. Sallie
     
  7. 2010/02/02
    broni (Moderator, Malware Analyst)
    I don't like the survey popup and the other error. Something is wrong here.

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2010/02/02
    sallnjackn (Well-Known Member, Thread Starter)
    Tomorrow I will tackle Combofix again and get back to you. Thanks!
     
  9. 2010/02/02
    broni (Moderator, Malware Analyst)
    No problem :)
     
  10. 2010/02/02
    sallnjackn (Well-Known Member, Thread Starter)
    When I started Combofix a window popped up saying Root kit detected. Combofix will reboot the machine. When the computer restarts it asks me if I want to use Windows Recovery System or XP. Here is the Combofix log.
    ComboFix 10-02-01.05 - sallie 02/02/2010 14:46:27.3.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.575 [GMT -6:00]
    Running from: e:\downloaded program files\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
    .

    2010-02-02 02:48 . 2010-02-02 02:48 -------- d-----w- c:\program files\Sun
    2010-02-02 02:13 . 2010-02-02 02:13 -------- d-----w- c:\program files\CAM Development
    2010-01-31 20:00 . 2010-01-31 20:00 -------- d-----w- c:\documents and settings\sallie\Application Data\AVG9
    2010-01-31 03:51 . 2010-01-31 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-01-31 03:51 . 2010-01-31 03:51 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-31 03:51 . 2010-01-31 03:51 -------- d-----w- c:\documents and settings\sallie\Application Data\SUPERAntiSpyware.com
    2010-01-31 03:49 . 2010-01-31 03:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-31 00:45 . 2010-01-31 00:45 -------- d-----w- C:\FOUND.002
    2010-01-30 20:32 . 2010-01-30 20:32 -------- d-----w- C:\FOUND.001
    2010-01-30 17:46 . 2010-01-30 17:46 -------- d-----w- C:\FOUND.000
    2010-01-27 05:00 . 2010-01-27 05:00 -------- d-----w- c:\documents and settings\sallie\Application Data\JGoodies
    2010-01-27 04:59 . 2010-01-27 04:59 -------- d-----w- c:\program files\JGoodies
    2010-01-26 01:07 . 2010-01-26 01:07 -------- d-----w- c:\documents and settings\sallie\Local Settings\Application Data\IsolatedStorage
    2010-01-24 03:59 . 2010-01-24 03:59 -------- d-----w- c:\program files\NOS
    2010-01-23 17:47 . 2008-04-13 19:46 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
    2010-01-23 17:47 . 2008-04-13 19:36 14208 ----a-w- c:\windows\system32\dllcache\battc.sys
    2010-01-23 17:47 . 2008-04-13 19:46 13696 ----a-w- c:\windows\system32\dllcache\avcstrm.sys
    2010-01-23 17:46 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
    2010-01-20 23:28 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
    2010-01-20 23:28 . 2008-04-13 19:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
    2010-01-20 17:01 . 2010-01-20 17:01 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-01-20 17:01 . 2010-01-20 17:01 -------- d-----w- c:\program files\Microsoft Plus! Dancer LE
    2010-01-20 17:01 . 2010-01-20 17:01 -------- d-----w- c:\program files\Microsoft Plus! Digital Media Edition
    2010-01-13 17:56 . 2010-01-13 17:56 -------- d-----w- c:\documents and settings\sallie\Application Data\Notepad++
    2010-01-07 02:09 . 2010-01-07 02:09 -------- d-----w- c:\documents and settings\sallie\Application Data\Malwarebytes
    2010-01-07 02:09 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 02:09 . 2010-01-07 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-07 02:09 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-04 16:29 . 2010-01-04 16:29 -------- d-----w- c:\documents and settings\sallie\Application Data\OverDrive

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-02 21:02 . 2008-09-20 15:01 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-02-02 21:02 . 2008-09-20 15:01 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-02-02 02:47 . 2008-11-29 16:28 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-31 03:52 . 2010-01-31 03:52 52224 ----a-w- c:\documents and settings\sallie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-31 03:52 . 2010-01-31 03:52 117760 ----a-w- c:\documents and settings\sallie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-27 04:41 . 2010-01-27 04:41 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-20 21:15 . 2010-01-27 07:12 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-01-20 21:15 . 2010-01-27 07:12 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-20 16:47 . 2009-06-23 20:53 7588 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-01-14 17:12 . 2009-10-03 02:02 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-01 05:54 . 2004-04-24 23:00 26 ----a-w- c:\windows\popcinfo.dat
    2009-12-28 16:33 . 2009-12-28 16:33 73728 ----a-w- c:\windows\system32\w30Xnol32.dll
    2009-12-21 19:14 . 2005-06-18 05:49 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-04 23:32 . 2009-12-04 23:14 69 ----a-w- c:\documents and settings\sallie\jagex_runescape_preferences2.dat
    2009-12-04 23:14 . 2009-12-04 23:12 39 ----a-w- c:\documents and settings\sallie\jagex_runescape_preferences.dat
    2009-11-21 15:51 . 2005-08-14 01:28 471552 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2009-11-20 14:56 . 2009-11-20 14:56 10134 ----a-r- c:\documents and settings\sallie\Application Data\Microsoft\Installer\{3101CB58-3482-4D21-AF1A-7057FC935355}\ARPPRODUCTICON.exe
    2009-11-09 16:46 . 2008-05-01 15:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-06 03:03 . 2008-05-01 15:46 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-06 03:03 . 2008-05-01 15:46 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-06 03:03 . 2008-05-01 15:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2002-01-15 00:30 . 2002-01-15 00:30 21823560 ----a-w- c:\program files\dotnetfx.exe
    2001-10-05 18:52 . 2003-09-15 23:25 21866 ------w- c:\program files\Common Files\tppupd98.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @= "{7D688A77-C613-11D0-999B-00C04FD655E1} "
    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2008-06-17 19:02 8461312 ----a-w- c:\windows\SYSTEM32\shell32.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "E6TaskPanel "= "c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 942080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client "= "c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "LVCOMSX "= "c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
    "LogitechCommunicationsManager "= "c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [2009-06-17 55824]
    "LogitechQuickCamRibbon "= "c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2009-06-17 55824]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\sallie\Start Menu\Programs\Startup\
    Secunia PSI.lnk - d:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Net Send GUI.lnk - c:\program files\Fomine Net Send GUI\NetSendGUI.exe [2008-2-25 258048]
    Microsoft Works Calendar Reminders.lnk - c:\program files\MSWorks\Calendar\Wkcalrem.exe [1998-7-21 68368]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-1-8 67128]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-11 813584]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-11-06 03:03 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer "=DrvTrNTm.dll
    "wave "=DrvTrNTm.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "IM "=c:\program files\EARTHLINKIM\aim.exe -cnetwait.odl
    "NVIEW "=rundll32.exe nview.dll,nViewLoadHook
    "<NO NAME> "=
    "SlickRun "= "c:\program files\SLICKRUN\SR.EXE "
    "E6TaskPanel "= "c:\program files\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
    "msnmsgr "= "c:\program files\MSN MESSENGER\MSNMSGR.EXE" /background
    "XSC SIP Client "= "e:\program files\EarthLink Free Online Calling Lite\EarthLinkLite.exe "
    "AIM "=c:\program files\AIM\aim.exe -cnetwait.odl
    "PhotoShow Deluxe Media Manager "=c:\progra~1\AHEAD\NEROPH~1\DATA\XTRAS\MSSYSMGR.EXE
    "SpybotSD TeaTimer "=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QD FastAndSafe "=
    "hpidschd.exe -log -- -log "= "c:\program files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe "
    "agrsmMSG "=agrsmMSG.exe
    "TPP Auto Loader "=c:\windows\TPPALDR.EXE
    "wcmdmgr "=c:\windows\wt\updater\wcmdmgrl.exe -launch
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "DisplayTrayIcon "=c:\windows\SYSTEM32\TrayIcon.exe
    "WinPoET "=c:\program files\iVasion\WinPoET\WinPPPoverEthernet.exe
    "AVG_CC "=c:\progra~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    "MMTray "=c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    "QuickTime Task "= "c:\windows\SYSTEM32\qttask.exe" -atboottime
    "Share-to-Web Namespace Daemon "=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    "POINTER "=point32.exe
    "LoadPowerProfile "=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "PivotSoftware "=c:\program files\WinPortrait\wpctrl.exe
    "zzzHPSETUP "=E:\Setup.exe
    "ELNKProxy "=c:\windows\surfmonkey\smproxy.exe
    "zBrowser Launcher "=c:\program files\Logitech\iTouch\iTouch.exe
    "MBM 5 "= "c:\program files\MOTHERBOARD MONITOR 5\MBM5.EXE "
    "bpcpost.exe "=c:\windows\SYSTEM\bpcpost.exe
    "WildTangent CDA "=RUNDLL32.exe c:\progra~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
    "Ad-aware "= "c:\program files\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
    "Gene USB Monitor "=c:\windows\SYSTEM32\usbmonit.exe
    "LoadQM "=loadqm.exe
    "GhostStartTrayApp "=c:\program files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    "CriticalUpdate "=c:\windows\SYSTEM32\WUCRTUPD.EXE -startup
    "Necutray "=NECUTRAY.EXE
    "KodakCCS "=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr "
    "RemoteControl "= "c:\program files\CyberLink\PowerDVD\PDVDServ.exe "
    "WinampAgent "=c:\program files\Winamp\winampa.exe
    "NvCplDaemon "=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    "TotalRecorderScheduler "= "e:\program files\HighCriteria\TotalRecorder\TotRecSched.exe "
    "ViewMgr "=c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    "StillImageMonitor "=c:\windows\SYSTEM32\STIMON.EXE
    "Tweak UI "=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    "msnappau "= "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "Zone Labs Client "=c:\progra~1\ZONELA~1\ZONEAL~1\zlclient.exe
    "TotalRecorderScheduler "= "e:\program files\HighCriteria\TotalRecorder\TotRecSched.exe "
    "nwiz "=nwiz.exe /install
    "Logitech Utility "=LOGI_MWX.EXE
    "Tweak UI "=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
    "SchedulingAgent "=mstask.exe
    "Tweak UI "=RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
    "LoadPowerProfile "=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "TVWakeup "=c:\progra~1\TVView~1\tvwakeup.exe
    "Announcements "=c:\program files\TV Viewer\annclist.exe
    "CSINJECT.EXE "=c:\program files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    "GhostStartService "=c:\program files\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    "KB891711 "=c:\windows\SYSTEM\KB891711\KB891711.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "e:\\Program Files\\MusicIP\\MusicIP Mixer\\mDNSResponder.exe "=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpse.exe "=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqsudi.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpsapp.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\DNA\\btdna.exe "=
    "c:\\Program Files\\Fomine Net Send GUI\\NetSendGUI.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe "=
    "d:\\Program Files\\deepinvent\\MailStore Home\\MailStoreLocal.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP "= 8097:TCP:EarthLink UHP Modem Support
    "3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009
    "67:UDP "= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/1/2008 9:46 AM 333192]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/1/2008 9:46 AM 360584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/5/2009 9:00 PM 285392]
    R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
    R2 PDIHWCTL;PDIHWCTL;c:\windows\SYSTEM32\DRIVERS\pdihwctl.sys [1/29/2003 3:08 PM 14416]
    R3 BW2NDIS5;BW2NDIS5;c:\windows\SYSTEM32\DRIVERS\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
    R3 TotRec7;Total Recorder WDM audio driver;c:\windows\SYSTEM32\DRIVERS\TotRec7.sys [2/3/2009 8:09 PM 126984]
    S2 gupdate1c8ea92b33f0c3c;Google Update Service (gupdate1c8ea92b33f0c3c);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2008 1:03 PM 133104]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DCamUSBAlaris;ALARIS QuickVideo weeCam USB;c:\windows\system32\DRIVERS\DVC2USB.sys --> c:\windows\system32\DRIVERS\DVC2USB.sys [?]
    S3 PSI;PSI;c:\windows\SYSTEM32\DRIVERS\psi_mf.sys [6/17/2009 6:20 AM 12648]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    2008-04-14 01:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    2008-04-14 01:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    2008-04-14 01:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    2008-04-14 01:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    2008-04-14 01:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    2008-04-14 01:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    2001-03-23 22:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-31 c:\windows\Tasks\MimarSinan Rubber Ducky Updates.job
    - c:\windows\Installer\MimarSinan Rubber Ducky Updates for All Users.lnk [2008-02-07 00:29]

    2008-04-08 c:\windows\Tasks\Sound Recorder 1.job
    - c:\windows\SYSTEM32\sndrec32.exe [2005-08-14 01:12]

    2010-02-02 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-24 01:01]

    2010-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2010-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-07-21 03:31]

    2010-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-07-21 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://start.earthlink.net/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &AIM Search - c:\program files\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: EarthLink Google Search - c:\program files\EARTHLINK TOTALACCESS\TOOLBAR\SearchUI.dll/search.html
    IE: Send Image to Photo Library - file://c:\documents and settings\sallie\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
    IE: ShaPlus Google Translator - e:\program files\ShaPlus Google Translator\GoogleTranslator.dll/ie.htm
    Trusted Zone: akamai.net\a248.e
    Trusted Zone: bitdefender.com\www
    Trusted Zone: earthlink.net\start
    Trusted Zone: ebay.com\scgi
    Trusted Zone: hotmail.com\messenger
    Trusted Zone: matchmaker.com\www
    Trusted Zone: microsoft.com\*.update
    Trusted Zone: microsoft.com\download
    Trusted Zone: microsoft.com\ntservicepack
    Trusted Zone: microsoft.com\V4.Windowsupdate
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: msphometour.com\www
    Trusted Zone: netflame.cc\ssl-hints
    Trusted Zone: nwa.com\www
    Trusted Zone: officemax.com
    Trusted Zone: passport.com\loginnet
    Trusted Zone: passport.net\login
    Trusted Zone: passport.net\memberservicesnet
    Trusted Zone: vanishingpointgame.com\www
    Trusted Zone: verisign
    Trusted Zone: windowsupdate.com\download
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
    DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {14578416-1111-1111-1111-111111411123}
    DPF: {66C643AB-AF09-438E-B1BB-F0B79955CCBA} - hxxp://www.wsel.net/imcupdatefiles/whistlesilent615.cab
    DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} - hxxp://scpwba.ops.placeware.com/etc/place/6000-zr/pws-pw01/lib/quicksilver.cab
    FF - ProfilePath - c:\documents and settings\sallie\Application Data\Mozilla\Firefox\Profiles\default.95a\
    FF - prefs.js: browser.startup.homepage - hxxp://my.earthlink.net/|http://webmail.pas.earthlink.net/wam/index.jsp?x=-2084188008
    FF - component: c:\documents and settings\sallie\Application Data\Mozilla\Firefox\Profiles\default.95a\extensions\piclens@cooliris.com\components\cooliris.dll
    FF - plugin: c:\documents and settings\sallie\Application Data\Mozilla\Firefox\Profiles\default.95a\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\sallie\Application Data\Mozilla\Firefox\Profiles\default.95a\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\sallie\Application Data\Mozilla\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\sallie\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgooglevlc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
    FF - plugin: e:\program files\Google\Picasa3\npPicasa2.dll
    FF - plugin: e:\program files\Google\Picasa3\npPicasa3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-02 15:08
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(508)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(5332)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Ahead2\InCD\InCDsrv.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Portrait Displays\MagicTune\dtsrvc.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\windows\SYSTEM32\ZONELABS\vsmon.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-02 15:17:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-02 21:17
    ComboFix2.txt 2010-01-31 02:15

    Pre-Run: 8,144,289,792 bytes free
    Post-Run: 8,099,266,560 bytes free

    - - End Of File - - 875A993786B481FDC28E42D087A45AF1
     
  11. 2010/02/02
    sallnjackn

    sallnjackn Well-Known Member Thread Starter

    Joined:
    2005/02/04
    Messages:
    172
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:25:25 PM, on 2/2/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead2\InCD\InCDsrv.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
    C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\MSWorks\Calendar\Wkcalrem.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    E:\downloaded program files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ElnkPub.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ProtctIE.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\uninsttb.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\Toolbar.dll
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe "
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe "
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe /hide
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Secunia PSI.lnk = D:\program files\Secunia\PSI\psi.exe
    O4 - Global Startup: Net Send GUI.lnk = C:\Program Files\Fomine Net Send GUI\NetSendGUI.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: EarthLink Google Search - res://C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\SearchUI.dll/search.html
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\sallie\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
    O8 - Extra context menu item: ShaPlus Google Translator - res://E:\Program Files\ShaPlus Google Translator\GoogleTranslator.dll/ie.htm
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://a248.e.akamai.net
    O15 - Trusted Zone: http://www.bitdefender.com
    O15 - Trusted Zone: start.earthlink.net
    O15 - Trusted Zone: scgi.ebay.com
    O15 - Trusted Zone: messenger.hotmail.com
    O15 - Trusted Zone: www.matchmaker.com
    O15 - Trusted Zone: www.msphometour.com
    O15 - Trusted Zone: http://ssl-hints.netflame.cc
    O15 - Trusted Zone: www.nwa.com
    O15 - Trusted Zone: *.officemax.com
    O15 - Trusted Zone: loginnet.passport.com
    O15 - Trusted Zone: login.passport.net
    O15 - Trusted Zone: memberservicesnet.passport.net
    O15 - Trusted Zone: http://www.vanishingpointgame.com
    O15 - Trusted Zone: *.verisign
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/OneClickFix/tgctlsr.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {14578416-1111-1111-1111-111111411123} -
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123999976890
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {66C643AB-AF09-438E-B1BB-F0B79955CCBA} - http://www.wsel.net/imcupdatefiles/whistlesilent615.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123999962031
    O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwba.ops.placeware.com/etc/place/6000-zr/pws-pw01/lib/quicksilver.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - D:\Program Files\LizardTech\Express View\expressview.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - D:\Program Files\LizardTech\Express View\expressview.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
    O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    O23 - Service: Google Update Service (gupdate1c8ea92b33f0c3c) (gupdate1c8ea92b33f0c3c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead2\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\rthlpsvc.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

    --
    End of file - 18070 bytes
     
  12. 2010/02/02
    broni Moderator Malware Analyst
    This is normal. The Recovery Partition comes in really handy if some computer troubleshooting is needed. If you don't touch anything, it'll automatically boot to Windows.

    Is the survey pop-up still bothering you?

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quotation marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
     
  13. 2010/02/02
    sallnjackn Well-Known Member Thread Starter
    Everything is working now. The computer is faster and I haven't had the survey or the AXWIN error. Do you still want me to run TDSSKILLER?
     
  14. 2010/02/02
    broni Moderator Malware Analyst
    Yes please.
    I just want to make sure nothing is hiding there.
     
  15. 2010/02/02
    sallnjackn Well-Known Member Thread Starter
    18:35:25:906 0644 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
    18:35:25:906 0644 ================================================================================
    18:35:25:906 0644 SystemInfo:

    18:35:25:906 0644 OS Version: 5.1.2600 ServicePack: 3.0
    18:35:25:906 0644 Product type: Workstation
    18:35:25:921 0644 ComputerName: SALLIEDESKTOP
    18:35:25:921 0644 UserName: sallie
    18:35:25:921 0644 Windows directory: C:\WINDOWS
    18:35:25:921 0644 Processor architecture: Intel x86
    18:35:25:921 0644 Number of processors: 1
    18:35:25:921 0644 Page size: 0x1000
    18:35:25:921 0644 Boot type: Normal boot
    18:35:25:921 0644 ================================================================================
    18:35:25:921 0644 UnloadDriverW: NtUnloadDriver error 2
    18:35:25:921 0644 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    18:35:25:921 0644 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    18:35:26:000 0644 UtilityInit: KLMD drop and load success
    18:35:26:000 0644 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
    18:35:26:000 0644 UtilityInit: KLMD open success
    18:35:26:000 0644 UtilityInit: Initialize success
    18:35:26:000 0644
    18:35:26:015 0644 Scanning Services ...
    18:35:26:015 0644 CreateRegParser: Registry parser init started
    18:35:26:015 0644 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    18:35:26:015 0644 CreateRegParser: DisableWow64Redirection error
    18:35:26:015 0644 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    18:35:26:015 0644 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    18:35:26:015 0644 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:35:26:015 0644 wfopen_ex: Trying to KLMD file open
    18:35:26:015 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    18:35:26:015 0644 wfopen_ex: File opened ok (Flags 2)
    18:35:26:015 0644 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: B24B10
    18:35:26:015 0644 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    18:35:26:015 0644 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    18:35:26:015 0644 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:35:26:015 0644 wfopen_ex: Trying to KLMD file open
    18:35:26:015 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    18:35:26:015 0644 wfopen_ex: File opened ok (Flags 2)
    18:35:26:015 0644 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: B24A00
    18:35:26:015 0644 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    18:35:26:015 0644 CreateRegParser: EnableWow64Redirection error
    18:35:26:015 0644 CreateRegParser: RegParser init completed
    18:35:26:546 0644 GetAdvancedServicesInfo: Raw services enum returned 400 services
    18:35:26:562 0644 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    18:35:26:562 0644 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    18:35:26:562 0644
    18:35:26:562 0644 Scanning Kernel memory ...
    18:35:26:562 0644 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    18:35:26:562 0644 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 873A82C8
    18:35:26:562 0644 DetectCureTDL3: KLMD_GetDeviceObjectList returned 9 DevObjects
    18:35:26:562 0644
    18:35:26:562 0644 DetectCureTDL3: DEVICE_OBJECT: 87241A00
    18:35:26:562 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87241A00
    18:35:26:562 0644 KLMD_ReadMem: Trying to ReadMemory 0x87241A00[0x38]
    18:35:26:562 0644 DetectCureTDL3: DRIVER_OBJECT: 873A82C8
    18:35:26:562 0644 KLMD_ReadMem: Trying to ReadMemory 0x873A82C8[0xA8]
    18:35:26:562 0644 KLMD_ReadMem: Trying to ReadMemory 0xE184B008[0x18]
    18:35:26:562 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (0) addr: F78A9BB0
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (2) addr: F78A9BB0
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (3) addr: F78A3D1F
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (4) addr: F78A3D1F
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (9) addr: F78A42E2
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (14) addr: F78A43BB
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (15) addr: F78A7F28
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (16) addr: F78A42E2
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (22) addr: F78A5C82
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (23) addr: F78AA99E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:35:26:562 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:35:26:562 0644 TDL3_FileDetect: Processing driver: Disk
    18:35:26:562 0644 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:562 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:593 0644 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:35:26:593 0644
    18:35:26:593 0644 DetectCureTDL3: DEVICE_OBJECT: 871EB3F0
    18:35:26:593 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 871EB3F0
    18:35:26:593 0644 DetectCureTDL3: DEVICE_OBJECT: 870D5030
    18:35:26:593 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 870D5030
    18:35:26:593 0644 KLMD_ReadMem: Trying to ReadMemory 0x870D5030[0x38]
    18:35:26:593 0644 DetectCureTDL3: DRIVER_OBJECT: 872C6F38
    18:35:26:593 0644 KLMD_ReadMem: Trying to ReadMemory 0x872C6F38[0xA8]
    18:35:26:593 0644 KLMD_ReadMem: Trying to ReadMemory 0xE1BA5A70[0x1E]
    18:35:26:593 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (0) addr: F7BB8218
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (2) addr: F7BB8218
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (3) addr: F7BB823C
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (4) addr: F7BB823C
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (14) addr: F7BB8180
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (15) addr: F7BB39E6
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (22) addr: F7BB75F0
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (23) addr: F7BB5A6E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:35:26:593 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:35:26:593 0644 KLMD_ReadMem: Trying to ReadMemory 0xF7BB4F26[0x400]
    18:35:26:593 0644 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    18:35:26:593 0644 TDL3_FileDetect: Processing driver: USBSTOR
    18:35:26:609 0644 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    18:35:26:609 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    18:35:26:625 0644 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
    18:35:26:625 0644
    18:35:26:625 0644 DetectCureTDL3: DEVICE_OBJECT: 872D5338
    18:35:26:625 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 872D5338
    18:35:26:625 0644 KLMD_ReadMem: Trying to ReadMemory 0x872D5338[0x38]
    18:35:26:625 0644 DetectCureTDL3: DRIVER_OBJECT: 873A82C8
    18:35:26:625 0644 KLMD_ReadMem: Trying to ReadMemory 0x873A82C8[0xA8]
    18:35:26:625 0644 KLMD_ReadMem: Trying to ReadMemory 0xE184B008[0x18]
    18:35:26:625 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (0) addr: F78A9BB0
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (2) addr: F78A9BB0
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (3) addr: F78A3D1F
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (4) addr: F78A3D1F
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (9) addr: F78A42E2
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (14) addr: F78A43BB
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (15) addr: F78A7F28
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (16) addr: F78A42E2
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (22) addr: F78A5C82
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (23) addr: F78AA99E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:35:26:625 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:35:26:625 0644 TDL3_FileDetect: Processing driver: Disk
    18:35:26:625 0644 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:625 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:625 0644 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:35:26:640 0644
    18:35:26:640 0644 DetectCureTDL3: DEVICE_OBJECT: 86FE02B0
    18:35:26:640 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FE02B0
    18:35:26:640 0644 DetectCureTDL3: DEVICE_OBJECT: 870D7030
    18:35:26:640 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 870D7030
    18:35:26:640 0644 KLMD_ReadMem: Trying to ReadMemory 0x870D7030[0x38]
    18:35:26:640 0644 DetectCureTDL3: DRIVER_OBJECT: 872C6F38
    18:35:26:640 0644 KLMD_ReadMem: Trying to ReadMemory 0x872C6F38[0xA8]
    18:35:26:640 0644 KLMD_ReadMem: Trying to ReadMemory 0xE1BA5A70[0x1E]
    18:35:26:640 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (0) addr: F7BB8218
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (2) addr: F7BB8218
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (3) addr: F7BB823C
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (4) addr: F7BB823C
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (14) addr: F7BB8180
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (15) addr: F7BB39E6
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (22) addr: F7BB75F0
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (23) addr: F7BB5A6E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:35:26:640 0644 KLMD_ReadMem: Trying to ReadMemory 0xF7BB4F26[0x400]
    18:35:26:640 0644 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    18:35:26:640 0644 TDL3_FileDetect: Processing driver: USBSTOR
    18:35:26:640 0644 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    18:35:26:640 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    18:35:26:640 0644 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
    18:35:26:640 0644
    18:35:26:640 0644 DetectCureTDL3: DEVICE_OBJECT: 87391C68
    18:35:26:640 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87391C68
    18:35:26:640 0644 KLMD_ReadMem: Trying to ReadMemory 0x87391C68[0x38]
    18:35:26:640 0644 DetectCureTDL3: DRIVER_OBJECT: 873A82C8
    18:35:26:640 0644 KLMD_ReadMem: Trying to ReadMemory 0x873A82C8[0xA8]
    18:35:26:640 0644 KLMD_ReadMem: Trying to ReadMemory 0xE184B008[0x18]
    18:35:26:640 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (0) addr: F78A9BB0
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (2) addr: F78A9BB0
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (3) addr: F78A3D1F
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (4) addr: F78A3D1F
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (9) addr: F78A42E2
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (14) addr: F78A43BB
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (15) addr: F78A7F28
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (16) addr: F78A42E2
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (22) addr: F78A5C82
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (23) addr: F78AA99E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:35:26:640 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:35:26:640 0644 TDL3_FileDetect: Processing driver: Disk
    18:35:26:640 0644 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:640 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:656 0644 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:35:26:656 0644
    18:35:26:656 0644 DetectCureTDL3: DEVICE_OBJECT: 87356588
    18:35:26:656 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87356588
    18:35:26:656 0644 KLMD_ReadMem: Trying to ReadMemory 0x87356588[0x38]
    18:35:26:656 0644 DetectCureTDL3: DRIVER_OBJECT: 873A82C8
    18:35:26:656 0644 KLMD_ReadMem: Trying to ReadMemory 0x873A82C8[0xA8]
    18:35:26:656 0644 KLMD_ReadMem: Trying to ReadMemory 0xE184B008[0x18]
    18:35:26:656 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (0) addr: F78A9BB0
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (2) addr: F78A9BB0
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (3) addr: F78A3D1F
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (4) addr: F78A3D1F
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (9) addr: F78A42E2
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (14) addr: F78A43BB
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (15) addr: F78A7F28
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (16) addr: F78A42E2
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (22) addr: F78A5C82
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (23) addr: F78AA99E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:35:26:656 0644 TDL3_FileDetect: Processing driver: Disk
    18:35:26:656 0644 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:656 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:656 0644 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:35:26:656 0644
    18:35:26:656 0644 DetectCureTDL3: DEVICE_OBJECT: 87355C68
    18:35:26:656 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87355C68
    18:35:26:656 0644 KLMD_ReadMem: Trying to ReadMemory 0x87355C68[0x38]
    18:35:26:656 0644 DetectCureTDL3: DRIVER_OBJECT: 873A82C8
    18:35:26:656 0644 KLMD_ReadMem: Trying to ReadMemory 0x873A82C8[0xA8]
    18:35:26:656 0644 KLMD_ReadMem: Trying to ReadMemory 0xE184B008[0x18]
    18:35:26:656 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (0) addr: F78A9BB0
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (2) addr: F78A9BB0
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (3) addr: F78A3D1F
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (4) addr: F78A3D1F
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (9) addr: F78A42E2
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (14) addr: F78A43BB
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (15) addr: F78A7F28
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (16) addr: F78A42E2
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:35:26:656 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (22) addr: F78A5C82
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (23) addr: F78AA99E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:35:26:671 0644 TDL3_FileDetect: Processing driver: Disk
    18:35:26:671 0644 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:671 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:35:26:671 0644 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:35:26:671 0644
    18:35:26:671 0644 DetectCureTDL3: DEVICE_OBJECT: 87354AB8
    18:35:26:671 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87354AB8
    18:35:26:671 0644 DetectCureTDL3: DEVICE_OBJECT: 8735E9E8
    18:35:26:671 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8735E9E8
    18:35:26:671 0644 DetectCureTDL3: DEVICE_OBJECT: 8738ED98
    18:35:26:671 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8738ED98
    18:35:26:671 0644 KLMD_ReadMem: Trying to ReadMemory 0x8738ED98[0x38]
    18:35:26:671 0644 DetectCureTDL3: DRIVER_OBJECT: 873A7A58
    18:35:26:671 0644 KLMD_ReadMem: Trying to ReadMemory 0x873A7A58[0xA8]
    18:35:26:671 0644 KLMD_ReadMem: Trying to ReadMemory 0xE1019E20[0x1A]
    18:35:26:671 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (0) addr: F77D66F2
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (2) addr: F77D66F2
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (14) addr: F77D6712
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (15) addr: F77D2852
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (22) addr: F77D673C
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (23) addr: F77DD336
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:35:26:671 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:35:26:671 0644 KLMD_ReadMem: Trying to ReadMemory 0xF77D3864[0x400]
    18:35:26:671 0644 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    18:35:26:671 0644 TDL3_FileDetect: Processing driver: atapi
    18:35:26:671 0644 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    18:35:26:671 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
    18:35:26:718 0644 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
    18:35:26:718 0644
    18:35:26:718 0644 DetectCureTDL3: DEVICE_OBJECT: 87390AB8
    18:35:26:718 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87390AB8
    18:35:26:718 0644 DetectCureTDL3: DEVICE_OBJECT: 8734AF18
    18:35:26:718 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8734AF18
    18:35:26:718 0644 DetectCureTDL3: DEVICE_OBJECT: 8735ED98
    18:35:26:718 0644 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8735ED98
    18:35:26:718 0644 KLMD_ReadMem: Trying to ReadMemory 0x8735ED98[0x38]
    18:35:26:718 0644 DetectCureTDL3: DRIVER_OBJECT: 873A7A58
    18:35:26:718 0644 KLMD_ReadMem: Trying to ReadMemory 0x873A7A58[0xA8]
    18:35:26:718 0644 KLMD_ReadMem: Trying to ReadMemory 0xE1019E20[0x1A]
    18:35:26:718 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (0) addr: F77D66F2
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (2) addr: F77D66F2
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (14) addr: F77D6712
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (15) addr: F77D2852
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (22) addr: F77D673C
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (23) addr: F77DD336
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:35:26:718 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:35:26:718 0644 KLMD_ReadMem: Trying to ReadMemory 0xF77D3864[0x400]
    18:35:26:718 0644 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    18:35:26:718 0644 TDL3_FileDetect: Processing driver: atapi
    18:35:26:718 0644 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    18:35:26:718 0644 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
    18:35:26:718 0644 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
    18:35:26:718 0644
    18:35:26:718 0644 Completed
    18:35:26:734 0644
    18:35:26:734 0644 Results:
    18:35:26:734 0644 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    18:35:26:734 0644 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    18:35:26:734 0644 File objects infected / cured / cured on reboot: 0 / 0 / 0
    18:35:26:734 0644
    18:35:26:734 0644 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    18:35:26:734 0644 UtilityDeinit: KLMD(ARK) unloaded successfully
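
What the DetectCureTDL3 dump above records, for readers who land on this thread from a search: TDSSKiller walks the disk device stack downward (DEVICE_OBJECT to its lower device object, down to the atapi miniport), reads each DRIVER_OBJECT, prints its 27 MajorFunction dispatch entries, checks the StartIo routine, and finally compares the driver against its on-disk file. The address that fills most slots in both tables, 804FA87E, is the kernel's default handler for majors the driver does not implement (nt!IopInvalidDeviceRequest on 32-bit XP); the real disk.sys and atapi.sys routines cluster in the F78Axxxx and F77Dxxxx ranges. A TDL3-style infection shows up as atapi entries redirected somewhere else. The Python below is an added example written for this page, not code from the thread or from TDSSKiller: it parses this log format and applies a clustering heuristic of its own (the `window` threshold is an assumption, since a log carries no module bounds). SAMPLE_LOG is the atapi block copied from the log above; HOOKED_LOG is a constructed variant with two entries pointed at a made-up pool address, so the check has something to flag.

```python
import re
import statistics
from collections import Counter

# IRP major function codes (WDK ntddk.h); "IrpHandler (n)" is MajorFunction[n].
IRP_MJ_NAMES = {0: "CREATE", 2: "CLOSE", 3: "READ", 4: "WRITE", 9: "FLUSH_BUFFERS",
                14: "DEVICE_CONTROL", 15: "INTERNAL_DEVICE_CONTROL",
                16: "SHUTDOWN", 22: "POWER", 23: "SYSTEM_CONTROL"}
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]{8})")

def parse_dispatch_tables(log_text):
    """{driver: {major: address}}. The log dumps one DRIVER_OBJECT once per
    device object it walks through; two dumps of one driver that disagree
    would themselves be suspicious, so the parser refuses them."""
    dumps = []
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            dumps.append((m.group(2), {}))
            continue
        m = HANDLER_RE.search(line)
        if m and dumps:
            dumps[-1][1][int(m.group(1))] = int(m.group(2), 16)
    tables = {}
    for name, table in dumps:
        if tables.get(name, table) != table:
            raise ValueError(f"dispatch table of {name} differs between dumps")
        tables[name] = table
    return tables

def find_default_handler(tables):
    """Address shared by the most drivers in the most slots: unimplemented
    majors point at the kernel's catch-all routine (nt!IopInvalidDeviceRequest
    on 32-bit XP, which is what 804FA87E is in the dump above)."""
    per_driver = Counter(a for t in tables.values() for a in set(t.values()))
    slots = Counter(a for t in tables.values() for a in t.values())
    return max(slots, key=lambda a: (per_driver[a], slots[a]))

def find_hooked_entries(table, default_handler, window=0x40000):
    """Entries whose target does not cluster with the driver's own routines.
    Heuristic assumed by this example, not TDSSKiller's logic: genuine handlers
    all live in one driver image and sit within a few hundred KiB of each other
    (F77D2852..F77DD336 for atapi above); an entry redirected into pool memory
    a rootkit allocated lands far from that cluster."""
    own = {mj: a for mj, a in table.items() if a != default_handler}
    if len(own) < 2:
        return {}
    median = statistics.median(own.values())
    return {mj: a for mj, a in own.items() if abs(a - median) > window}

def report(log_text):
    """{driver: {IRP major name: suspect address}} for a whole log."""
    tables = parse_dispatch_tables(log_text)
    default = find_default_handler(tables)
    findings = {}
    for name, table in tables.items():
        hooked = find_hooked_entries(table, default)
        if hooked:
            findings[name] = {IRP_MJ_NAMES.get(mj, f"MJ_{mj}"): a for mj, a in hooked.items()}
    return findings

# Copied from the TDSSKiller log in this thread (atapi block).
SAMPLE_LOG = r"""
18:35:26:671 0644 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
18:35:26:671 0644 DetectCureTDL3: IrpHandler (0) addr: F77D66F2
18:35:26:671 0644 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (2) addr: F77D66F2
18:35:26:671 0644 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (14) addr: F77D6712
18:35:26:671 0644 DetectCureTDL3: IrpHandler (15) addr: F77D2852
18:35:26:671 0644 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (22) addr: F77D673C
18:35:26:671 0644 DetectCureTDL3: IrpHandler (23) addr: F77DD336
18:35:26:671 0644 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
18:35:26:671 0644 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
18:35:26:671 0644 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
"""

# Constructed variant (not from the post): DEVICE_CONTROL and
# INTERNAL_DEVICE_CONTROL redirected to a made-up pool address.
HOOKED_LOG = (SAMPLE_LOG.replace("(14) addr: F77D6712", "(14) addr: 8A1F3C10")
              .replace("(15) addr: F77D2852", "(15) addr: 8A1F3C10"))

if __name__ == "__main__":
    print(report(SAMPLE_LOG), report(HOOKED_LOG))
```

Run against the real block it reports nothing, matching the "Verdict: Clean" lines; against the constructed block it names atapi's DEVICE_CONTROL and INTERNAL_DEVICE_CONTROL entries. Treat a hit from this heuristic as a reason to look further, not as a verdict: TDSSKiller additionally checks the StartIo routine and the driver image on disk, which a log reader cannot do.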
     
  16. 2010/02/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)
    Nothing found.
    Since you said all problems are gone, I'll mark this thread as resolved.
    Happy surfing :)
    Stay safe :)
     
  17. 2010/02/02
    sallnjackn

    sallnjackn Well-Known Member Thread Starter

    Joined:
    2005/02/04
    Messages:
    172
    Likes Received:
    0
    I think it's looking good!
     
  18. 2010/02/02
    sallnjackn

    sallnjackn Well-Known Member Thread Starter

    Joined:
    2005/02/04
    Messages:
    172
    Likes Received:
    0
    Thanks to you Broni and Windows BBS for providing such excellent help. My hat is off to you! You are a GEM. Sallie
     
  19. 2010/02/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
     
