
Topic: computer randomly freezing

  1. #11
    Beginner
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    Yes, my friend built this machine from parts he had lying around.



    18:22:54:218 3484 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
    18:22:54:218 3484 ================================================================================
    18:22:54:218 3484 SystemInfo:

    18:22:54:218 3484 OS Version: 5.1.2600 ServicePack: 3.0
    18:22:54:218 3484 Product type: Workstation
    18:22:54:218 3484 ComputerName: DEN
    18:22:54:218 3484 UserName: Jason
    18:22:54:218 3484 Windows directory: C:\WINDOWS
    18:22:54:218 3484 Processor architecture: Intel x86
    18:22:54:218 3484 Number of processors: 2
    18:22:54:218 3484 Page size: 0x1000
    18:22:54:218 3484 Boot type: Normal boot
    18:22:54:218 3484 ================================================================================
    18:22:54:218 3484 UnloadDriverW: NtUnloadDriver error 2
    18:22:54:218 3484 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    18:22:54:218 3484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    18:22:54:234 3484 UtilityInit: KLMD drop and load success
    18:22:54:234 3484 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
    18:22:54:234 3484 UtilityInit: KLMD open success
    18:22:54:234 3484 UtilityInit: Initialize success
    18:22:54:234 3484
    18:22:54:234 3484 Scanning Services ...
    18:22:54:234 3484 CreateRegParser: Registry parser init started
    18:22:54:234 3484 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    18:22:54:234 3484 CreateRegParser: DisableWow64Redirection error
    18:22:54:234 3484 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    18:22:54:234 3484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    18:22:54:234 3484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:22:54:234 3484 wfopen_ex: Trying to KLMD file open
    18:22:54:234 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    18:22:54:234 3484 wfopen_ex: File opened ok (Flags 2)
    18:22:54:234 3484 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384868
    18:22:54:234 3484 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    18:22:54:234 3484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    18:22:54:234 3484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:22:54:234 3484 wfopen_ex: Trying to KLMD file open
    18:22:54:234 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    18:22:54:234 3484 wfopen_ex: File opened ok (Flags 2)
    18:22:54:234 3484 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384910
    18:22:54:234 3484 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    18:22:54:234 3484 CreateRegParser: EnableWow64Redirection error
    18:22:54:234 3484 CreateRegParser: RegParser init completed
    18:22:54:281 3484 GetAdvancedServicesInfo: Raw services enum returned 310 services
    18:22:54:296 3484 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    18:22:54:296 3484 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    18:22:54:296 3484
    18:22:54:296 3484 Scanning Kernel memory ...
    18:22:54:296 3484 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    18:22:54:296 3484 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 89D82A48
    18:22:54:296 3484 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
    18:22:54:296 3484
    18:22:54:296 3484 DetectCureTDL3: DEVICE_OBJECT: 89D3C8A0
    18:22:54:296 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89D3C8A0
    18:22:54:296 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D3C8A0[0x38]
    18:22:54:296 3484 DetectCureTDL3: DRIVER_OBJECT: 89D82A48
    18:22:54:296 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D82A48[0xA8]
    18:22:54:296 3484 KLMD_ReadMem: Trying to ReadMemory 0xE1019210[0x18]
    18:22:54:296 3484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (0) addr: B80EEBB0
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (2) addr: B80EEBB0
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (3) addr: B80E8D1F
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (4) addr: B80E8D1F
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (9) addr: B80E92E2
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (14) addr: B80E93BB
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (15) addr: B80ECF28
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (16) addr: B80E92E2
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (22) addr: B80EAC82
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (23) addr: B80EF99E
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    18:22:54:296 3484 TDL3_FileDetect: Processing driver: Disk
    18:22:54:296 3484 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:22:54:296 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:22:54:312 3484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:22:54:312 3484
    18:22:54:312 3484 DetectCureTDL3: DEVICE_OBJECT: 89D3CC68
    18:22:54:312 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89D3CC68
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D3CC68[0x38]
    18:22:54:312 3484 DetectCureTDL3: DRIVER_OBJECT: 89D82A48
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D82A48[0xA8]
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0xE1019210[0x18]
    18:22:54:312 3484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (0) addr: B80EEBB0
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (2) addr: B80EEBB0
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (3) addr: B80E8D1F
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (4) addr: B80E8D1F
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (9) addr: B80E92E2
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (14) addr: B80E93BB
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (15) addr: B80ECF28
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (16) addr: B80E92E2
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (22) addr: B80EAC82
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (23) addr: B80EF99E
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    18:22:54:312 3484 TDL3_FileDetect: Processing driver: Disk
    18:22:54:312 3484 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:22:54:312 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:22:54:312 3484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:22:54:312 3484
    18:22:54:312 3484 DetectCureTDL3: DEVICE_OBJECT: 89CFCAB8
    18:22:54:312 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89CFCAB8
    18:22:54:312 3484 DetectCureTDL3: DEVICE_OBJECT: 89D3DF18
    18:22:54:312 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89D3DF18
    18:22:54:312 3484 DetectCureTDL3: DEVICE_OBJECT: 89D82030
    18:22:54:312 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89D82030
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D82030[0x38]
    18:22:54:312 3484 DetectCureTDL3: DRIVER_OBJECT: 89CB4208
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0x89CB4208[0xA8]
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0xE15E71E8[0x1A]
    18:22:54:312 3484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (0) addr: B7F17894
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (1) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (2) addr: B7F17894
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (3) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (4) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (5) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (6) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (7) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (8) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (9) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (10) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (11) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (12) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (13) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (14) addr: B7F178AE
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (15) addr: B7F17D6E
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (16) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (17) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (18) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (19) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (20) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (21) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (22) addr: B7F17D0E
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (23) addr: B7F17A9C
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (24) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (25) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (26) addr: B7F17874
    18:22:54:312 3484 TDL3_FileDetect: Processing driver: nvata
    18:22:54:312 3484 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\nvata.sys
    18:22:54:312 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\nvata.sys
    18:22:54:312 3484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: Clean
    18:22:54:312 3484
    18:22:54:312 3484 Completed
    18:22:54:312 3484
    18:22:54:312 3484 Results:
    18:22:54:312 3484 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    18:22:54:312 3484 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    18:22:54:312 3484 File objects infected / cured / cured on reboot: 0 / 0 / 0
    18:22:54:312 3484
    18:22:54:312 3484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    18:22:54:312 3484 UtilityDeinit: KLMD(ARK) unloaded successfully

  2. #12
    Beginner
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    ComboFix 10-02-07.06 - Jason 02/07/2010 18:28:38.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1597 [GMT -7:00]
    Running from: c:\documents and settings\Jason\Desktop\456out.com
    .

    ((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))
    .

    2010-02-07 16:06 . 2010-02-07 16:06 -------- d-----w- c:\program files\Alwil Software
    2010-02-07 16:06 . 2010-02-07 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-02-06 21:42 . 2010-02-08 00:52 -------- d-----w- c:\documents and settings\Jason\Application Data\vlc
    2010-02-06 21:11 . 2010-02-06 21:23 -------- d-----w- c:\documents and settings\Jason\Application Data\Winamp
    2010-02-06 21:11 . 2010-02-06 21:12 -------- d-----w- c:\program files\Winamp
    2010-02-06 17:58 . 2003-01-10 21:13 33588 ----a-r- c:\windows\system32\drivers\wanatw4.sys
    2010-02-06 17:58 . 2010-02-06 21:04 -------- d-----w- c:\program files\AOL 9.5
    2010-02-06 17:58 . 2010-02-06 17:59 -------- d-----w- c:\program files\Common Files\aol
    2010-02-06 17:58 . 2010-02-06 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2010-02-06 17:58 . 2010-02-06 17:59 -------- d-----w- c:\program files\Common Files\aolshare
    2010-02-06 16:38 . 2010-02-06 16:38 -------- d-----w- c:\program files\VideoLAN
    2010-02-06 16:25 . 2010-02-06 17:59 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\AOL
    2010-02-06 15:52 . 2007-10-22 10:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
    2010-02-06 15:51 . 2010-02-06 15:51 -------- d-----w- c:\windows\Logs
    2010-02-06 01:58 . 2010-02-06 01:58 -------- d-----w- c:\program files\Common Files\Java
    2010-02-06 01:58 . 2010-02-06 01:58 61440 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-643513c5-n\decora-sse.dll
    2010-02-06 01:58 . 2010-02-06 01:58 503808 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4486da3e-n\msvcp71.dll
    2010-02-06 01:58 . 2010-02-06 01:58 499712 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4486da3e-n\jmc.dll
    2010-02-06 01:58 . 2010-02-06 01:58 348160 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4486da3e-n\msvcr71.dll
    2010-02-06 01:58 . 2010-02-06 01:58 12800 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-643513c5-n\decora-d3d.dll
    2010-02-06 01:05 . 2010-02-06 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-02-05 02:11 . 2010-02-05 02:11 -------- d-----w- C:\rsit
    2010-02-03 04:05 . 2010-02-03 04:05 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
    2010-02-03 00:23 . 2010-02-03 00:23 -------- d-----w- c:\program files\Trend Micro
    2010-02-02 04:09 . 2006-11-07 06:58 356352 ----a-w- c:\windows\system32\nvunrm.exe
    2010-02-02 04:09 . 2006-10-24 05:13 1732 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2010-02-02 03:42 . 2010-02-02 03:45 -------- d-----w- c:\documents and settings\Jason\Application Data\Uniblue
    2010-02-02 03:42 . 2010-02-02 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
    2010-01-31 23:27 . 2010-02-07 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-01-31 23:27 . 2010-01-31 23:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-31 23:26 . 2010-01-31 23:26 -------- d-----w- c:\documents and settings\HelpAssistant\log
    2010-01-31 23:18 . 2010-01-31 23:18 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-01-31 23:18 . 2010-01-31 23:18 -------- d-----w- c:\documents and settings\Jason\log
    2010-01-31 23:13 . 2010-01-31 23:13 -------- d-----w- c:\program files\CleanUp!
    2010-01-31 20:03 . 2010-01-05 10:00 78336 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
    2010-01-31 20:03 . 2010-01-05 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-31 03:17 . 2007-07-30 00:51 7680 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-01-31 03:17 . 2007-04-25 00:30 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
    2010-01-31 03:17 . 2010-02-06 21:14 -------- d-----w- c:\program files\ffdshow
    2010-01-31 00:27 . 2010-01-31 00:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-01-31 00:22 . 2006-11-27 08:33 19968 ----a-w- c:\windows\system32\drivers\nvnetbus.sys
    2010-01-31 00:22 . 2006-11-27 08:33 58368 ----a-w- c:\windows\system32\drivers\NVENETFD.sys
    2010-01-31 00:22 . 2006-11-27 08:33 110592 ----a-w- c:\windows\system32\drivers\nvtcp.sys
    2010-01-31 00:22 . 2006-11-27 08:33 895744 ----a-w- c:\windows\system32\drivers\nvnrm.sys
    2010-01-31 00:22 . 2006-11-27 08:33 261632 ----a-w- c:\windows\system32\drivers\nvsnpu.sys
    2010-01-31 00:22 . 2006-11-27 08:31 192512 ----a-w- c:\windows\system32\fdco1.dll
    2010-01-31 00:22 . 2006-11-27 08:31 9216 ----a-w- c:\windows\system32\bdco1.dll
    2010-01-31 00:22 . 2006-11-07 06:58 35840 ----a-w- c:\windows\system32\nvconrm.dll
    2010-01-30 23:57 . 2010-01-30 23:57 -------- d-----w- c:\documents and settings\Jason\Application Data\Windows Search
    2010-01-30 22:53 . 2010-01-30 22:53 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Identities
    2010-01-30 22:53 . 2010-01-30 22:53 -------- d-----w- c:\windows\system32\GroupPolicy
    2010-01-30 21:56 . 2010-01-30 21:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AOL
    2010-01-30 21:01 . 2010-01-30 21:01 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
    2010-01-30 21:01 . 2010-01-30 21:01 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
    2010-01-30 19:54 . 2010-01-30 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
    2010-01-30 19:54 . 2010-01-30 19:55 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-01-30 19:54 . 2010-01-12 04:03 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-01-30 19:54 . 2010-01-12 04:03 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-01-30 19:54 . 2010-01-12 04:03 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-01-30 19:54 . 2010-01-12 04:03 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-01-30 19:54 . 2010-01-12 04:03 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2010-01-30 01:24 . 2010-01-30 01:24 -------- d-----w- c:\program files\AVG
    2010-01-12 05:17 . 2010-01-12 05:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
    2010-01-12 05:17 . 2010-01-12 05:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-01-12 05:17 . 2010-01-12 05:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-01-12 05:17 . 2010-01-12 05:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
    2010-01-12 05:17 . 2010-01-12 05:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-01-12 05:17 . 2010-01-12 05:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2010-01-10 04:30 . 2010-02-07 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-07 21:16 . 2009-02-14 19:36 139152 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-02-07 21:16 . 2009-02-14 19:36 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-02-06 17:59 . 2009-02-08 21:02 -------- d-----w- c:\documents and settings\Jason\Application Data\AOL
    2010-02-06 16:29 . 2009-02-07 23:08 -------- d-----w- c:\program files\Windows Media Connect 2
    2010-02-06 15:33 . 2009-02-22 05:40 -------- d-----w- c:\program files\SpeedFan
    2010-02-06 03:57 . 2009-02-08 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-02-06 01:58 . 2009-02-08 20:45 -------- d-----w- c:\program files\Java
    2010-02-05 05:59 . 2009-02-09 00:24 -------- d-----w- c:\documents and settings\Jason\Application Data\uTorrent
    2010-02-04 17:01 . 2010-02-06 15:53 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-02-04 17:01 . 2010-02-06 15:53 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-02-04 17:01 . 2010-02-06 15:53 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-02-04 17:01 . 2010-02-06 15:53 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-01-30 23:57 . 2009-02-08 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
    2010-01-30 23:45 . 2009-10-30 22:49 -------- d-----w- c:\documents and settings\Jason\Application Data\GetRightToGo
    2010-01-30 19:55 . 2009-02-07 22:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-30 19:55 . 2009-02-07 22:35 -------- d-----w- c:\program files\AGEIA Technologies
    2010-01-24 15:30 . 2009-02-08 22:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-24 15:30 . 2009-02-12 03:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-12 04:03 . 2009-02-07 04:51 592488 ----a-w- c:\windows\system32\nvudisp.exe
    2010-01-12 04:03 . 2009-01-15 15:19 4104192 ----a-w- c:\windows\system32\nvcuda.dll
    2010-01-12 04:03 . 2006-10-31 06:35 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-01-12 04:03 . 2006-10-31 06:35 182888 ----a-w- c:\windows\system32\nvcodins.dll
    2010-01-12 04:03 . 2006-10-31 06:35 182888 ----a-w- c:\windows\system32\nvcod.dll
    2010-01-12 04:03 . 2006-10-31 06:35 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-01-12 04:03 . 2006-10-31 06:35 1081344 ----a-w- c:\windows\system32\nvapi.dll
    2010-01-12 04:03 . 2006-10-31 06:35 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2010-01-07 23:07 . 2009-02-08 22:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 23:07 . 2009-02-08 22:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-05 10:00 . 2008-04-14 12:00 832512 ------w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-12-31 00:35 . 2009-12-31 00:35 -------- d-----w- c:\documents and settings\Jason\Application Data\VirtualStore
    2009-12-18 00:14 . 2009-02-08 20:45 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-20 04:42 . 2009-02-07 04:38 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-11-11 01:49 . 2009-02-07 04:44 20336 ----a-w- c:\documents and settings\Jason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-02-07_21.45.02 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-02-08 01:16 . 2010-02-08 01:16 16384 c:\windows\Temp\Perflib_Perfdata_c0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AOL Fast Start"="c:\program files\AOL 9.5\AOL.EXE" [2009-10-28 50536]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
    "SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "HostManager"="c:\program files\Common Files\AOL\1265479102\ee\AOLSoftware.exe" [2009-07-20 41264]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\G:\0autocheck autochk *

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\AOL 9.5\\waol.exe"=
    "c:\\Program Files\\Common Files\\aol\\1265479102\\ee\\aolsoftware.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "2426:TCP"= 2426:TCP:Services
    "8144:TCP"= 8144:TCP:Services
    "9004:TCP"= 9004:TCP:Services
    "5832:TCP"= 5832:TCP:Services
    "6425:TCP"= 6425:TCP:Services
    "5613:TCP"= 5613:TCP:Services
    "5941:TCP"= 5941:TCP:Services
    "9316:TCP"= 9316:TCP:Services
    "7879:TCP"= 7879:TCP:Services
    "2020:TCP"= 2020:TCP:Services
    "3458:TCP"= 3458:TCP:Services
    "5004:TCP"= 5004:TCP:Services
    "2847:TCP"= 2847:TCP:Services
    "6753:TCP"= 6753:TCP:Services
    "5191:TCP"= 5191:TCP:Services
    "6050:TCP"= 6050:TCP:Services
    "5550:TCP"= 5550:TCP:Services
    "1691:TCP"= 1691:TCP:Services
    "5113:TCP"= 5113:TCP:Services
    "8019:TCP"= 8019:TCP:Services
    "5082:TCP"= 5082:TCP:Services
    "5441:TCP"= 5441:TCP:Services
    "4910:TCP"= 4910:TCP:Services
    "9629:TCP"= 9629:TCP:Services
    "4722:TCP"= 4722:TCP:Services


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMD21
    *Deregistered* - klmd21
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\149bzoj5.default\
    FF - prefs.js: browser.startup.homepage -
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-07 18:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x890DE6E8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
    \Driver\ACPI -> 0x890de6e8
    \Driver\atapi -> atapi.sys @ 0xb7f37852
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> 0x888ef330
    PacketIndicateHandler -> NDIS.sys @ 0xb7e36a21
    SendHandler -> NDIS.sys @ 0xb7e1487b
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x012A14C00
    malicious code @ sector 0x012A14C03 !
    PE file found in sector at 0x012A14C19 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3676)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-02-07 18:32:38
    ComboFix-quarantined-files.txt 2010-02-08 01:32
    ComboFix2.txt 2010-02-07 21:46
    ComboFix3.txt 2010-02-07 02:07

    Pre-Run: 42,751,475,712 bytes free
    Post-Run: 42,872,389,632 bytes free

    - - End Of File - - 7EC82F81F5DA0A33F3B9B1BF744BDB40

  3. #13
    Moderator, Team Member
    Registered since
    25.11.2006
    Posts
    4,628

    Re: Re: computer randomly freezing

    That does not appear to be the entire TDSSKiller log - please check logit.txt again and see if you left out the last portion.
    Live the day!

    Jintan - The brand where everything is right!

  4. #14
    Beginner
    Registered since
    04.02.2010
    Posts
    25

    Re: Re: Re: computer randomly freezing

    Yes, that is everything from logit.txt.



    18:22:54:218 3484 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
    18:22:54:218 3484 ================================================================================
    18:22:54:218 3484 SystemInfo:

    18:22:54:218 3484 OS Version: 5.1.2600 ServicePack: 3.0
    18:22:54:218 3484 Product type: Workstation
    18:22:54:218 3484 ComputerName: DEN
    18:22:54:218 3484 UserName: Jason
    18:22:54:218 3484 Windows directory: C:\WINDOWS
    18:22:54:218 3484 Processor architecture: Intel x86
    18:22:54:218 3484 Number of processors: 2
    18:22:54:218 3484 Page size: 0x1000
    18:22:54:218 3484 Boot type: Normal boot
    18:22:54:218 3484 ============================================================ ====================
    18:22:54:218 3484 UnloadDriverW: NtUnloadDriver error 2
    18:22:54:218 3484 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    18:22:54:218 3484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    18:22:54:234 3484 UtilityInit: KLMD drop and load success
    18:22:54:234 3484 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
    18:22:54:234 3484 UtilityInit: KLMD open success
    18:22:54:234 3484 UtilityInit: Initialize success
    18:22:54:234 3484
    18:22:54:234 3484 Scanning Services ...
    18:22:54:234 3484 CreateRegParser: Registry parser init started
    18:22:54:234 3484 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    18:22:54:234 3484 CreateRegParser: DisableWow64Redirection error
    18:22:54:234 3484 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    18:22:54:234 3484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    18:22:54:234 3484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:22:54:234 3484 wfopen_ex: Trying to KLMD file open
    18:22:54:234 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    18:22:54:234 3484 wfopen_ex: File opened ok (Flags 2)
    18:22:54:234 3484 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384868
    18:22:54:234 3484 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    18:22:54:234 3484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    18:22:54:234 3484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:22:54:234 3484 wfopen_ex: Trying to KLMD file open
    18:22:54:234 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    18:22:54:234 3484 wfopen_ex: File opened ok (Flags 2)
    18:22:54:234 3484 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384910
    18:22:54:234 3484 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    18:22:54:234 3484 CreateRegParser: EnableWow64Redirection error
    18:22:54:234 3484 CreateRegParser: RegParser init completed
    18:22:54:281 3484 GetAdvancedServicesInfo: Raw services enum returned 310 services
    18:22:54:296 3484 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    18:22:54:296 3484 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    18:22:54:296 3484
    18:22:54:296 3484 Scanning Kernel memory ...
    18:22:54:296 3484 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    18:22:54:296 3484 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 89D82A48
    18:22:54:296 3484 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
    18:22:54:296 3484
    18:22:54:296 3484 DetectCureTDL3: DEVICE_OBJECT: 89D3C8A0
    18:22:54:296 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89D3C8A0
    18:22:54:296 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D3C8A0[0x38]
    18:22:54:296 3484 DetectCureTDL3: DRIVER_OBJECT: 89D82A48
    18:22:54:296 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D82A48[0xA8]
    18:22:54:296 3484 KLMD_ReadMem: Trying to ReadMemory 0xE1019210[0x18]
    18:22:54:296 3484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (0) addr: B80EEBB0
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (2) addr: B80EEBB0
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (3) addr: B80E8D1F
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (4) addr: B80E8D1F
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (9) addr: B80E92E2
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (14) addr: B80E93BB
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (15) addr: B80ECF28
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (16) addr: B80E92E2
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (22) addr: B80EAC82
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (23) addr: B80EF99E
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    18:22:54:296 3484 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    18:22:54:296 3484 TDL3_FileDetect: Processing driver: Disk
    18:22:54:296 3484 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:22:54:296 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:22:54:312 3484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:22:54:312 3484
    18:22:54:312 3484 DetectCureTDL3: DEVICE_OBJECT: 89D3CC68
    18:22:54:312 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89D3CC68
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D3CC68[0x38]
    18:22:54:312 3484 DetectCureTDL3: DRIVER_OBJECT: 89D82A48
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D82A48[0xA8]
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0xE1019210[0x18]
    18:22:54:312 3484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (0) addr: B80EEBB0
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (2) addr: B80EEBB0
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (3) addr: B80E8D1F
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (4) addr: B80E8D1F
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (9) addr: B80E92E2
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (14) addr: B80E93BB
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (15) addr: B80ECF28
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (16) addr: B80E92E2
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (22) addr: B80EAC82
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (23) addr: B80EF99E
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    18:22:54:312 3484 TDL3_FileDetect: Processing driver: Disk
    18:22:54:312 3484 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:22:54:312 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:22:54:312 3484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:22:54:312 3484
    18:22:54:312 3484 DetectCureTDL3: DEVICE_OBJECT: 89CFCAB8
    18:22:54:312 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89CFCAB8
    18:22:54:312 3484 DetectCureTDL3: DEVICE_OBJECT: 89D3DF18
    18:22:54:312 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89D3DF18
    18:22:54:312 3484 DetectCureTDL3: DEVICE_OBJECT: 89D82030
    18:22:54:312 3484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89D82030
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0x89D82030[0x38]
    18:22:54:312 3484 DetectCureTDL3: DRIVER_OBJECT: 89CB4208
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0x89CB4208[0xA8]
    18:22:54:312 3484 KLMD_ReadMem: Trying to ReadMemory 0xE15E71E8[0x1A]
    18:22:54:312 3484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (0) addr: B7F17894
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (1) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (2) addr: B7F17894
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (3) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (4) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (5) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (6) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (7) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (8) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (9) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (10) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (11) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (12) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (13) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (14) addr: B7F178AE
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (15) addr: B7F17D6E
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (16) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (17) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (18) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (19) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (20) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (21) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (22) addr: B7F17D0E
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (23) addr: B7F17A9C
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (24) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (25) addr: B7F17874
    18:22:54:312 3484 DetectCureTDL3: IrpHandler (26) addr: B7F17874
    18:22:54:312 3484 TDL3_FileDetect: Processing driver: nvata
    18:22:54:312 3484 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\nvata.sys
    18:22:54:312 3484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\nvata.sys
    18:22:54:312 3484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: Clean
    18:22:54:312 3484
    18:22:54:312 3484 Completed
    18:22:54:312 3484
    18:22:54:312 3484 Results:
    18:22:54:312 3484 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    18:22:54:312 3484 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    18:22:54:312 3484 File objects infected / cured / cured on reboot: 0 / 0 / 0
    18:22:54:312 3484
    18:22:54:312 3484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    18:22:54:312 3484 UtilityDeinit: KLMD(ARK) unloaded successfully
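    The TDSSKiller log above is worth reading mechanically rather than by eye: each DRIVER_OBJECT line is followed by the driver's 27 IRP_MJ dispatch entries, the TDL3 family hooked exactly those entries on the disk/ATAPI stack, and the KLMD unload line at the end is what marks a complete log. The following Python is an added example written for this thread; it is not Kaspersky's code and not part of the original post. It parses the log format seen here into dispatch tables, verdicts and the Results block, then flags any dispatch entry that points neither into the kernel image (assumed here to be 0x80400000-0x80800000, consistent with the ntkrnlpa.exe addresses in the mbr.exe output earlier in the thread) nor near the driver's own routines. The Disk table reproduces the 27 addresses from the log; the atapi table, the outlier address 8A3C1000 and the 1 MiB clustering window are constructed assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the TDSSKiller 2.2.2 log format quoted in this
# thread. The Disk dispatch table reproduces the 27 addresses from the thread;
# the atapi table is constructed, with one handler (index 15) pointing far
# outside the driver image to stand in for a hooked entry.
DISK_HANDLERS = (["B80EEBB0", "804F4562", "B80EEBB0", "B80E8D1F", "B80E8D1F"]
                 + ["804F4562"] * 4 + ["B80E92E2"] + ["804F4562"] * 4
                 + ["B80E93BB", "B80ECF28", "B80E92E2"] + ["804F4562"] * 5
                 + ["B80EAC82", "B80EF99E"] + ["804F4562"] * 3)
ATAPI_HANDLERS = ["B7F17894"] * 15 + ["8A3C1000"] + ["B7F17874"] * 11


def build_sample_log():
    """Return a constructed log excerpt in the TDSSKiller line format."""
    ts = "18:22:54:312 3484 "
    lines = [ts + "Scanning Kernel memory ..."]
    for name, path, handlers in [
        ("Disk", r"C:\WINDOWS\system32\DRIVERS\disk.sys", DISK_HANDLERS),
        ("atapi", r"C:\WINDOWS\system32\DRIVERS\atapi.sys", ATAPI_HANDLERS),
    ]:
        lines.append(ts + f"DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\{name}, Driver Name: {name}")
        lines += [ts + f"DetectCureTDL3: IrpHandler ({i}) addr: {h}" for i, h in enumerate(handlers)]
        lines.append(ts + f"TDL3_FileDetect: {path} - Verdict: Clean")
    lines += [ts + "Results:",
              ts + "Memory objects infected / cured / cured on reboot: 0 / 0 / 0",
              ts + "Registry objects infected / cured / cured on reboot: 0 / 0 / 0",
              ts + "File objects infected / cured / cured on reboot: 0 / 0 / 0",
              ts + "UtilityDeinit: KLMD(ARK) unloaded successfully"]
    return "\n".join(lines) + "\n"


DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\S+)")
RESULTS_RE = re.compile(r"(Memory|Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")
END_MARK = "UtilityDeinit:"  # the KLMD unload line that closes a complete log


@dataclass
class DriverEntry:
    name: str
    handlers: list = field(default_factory=list)  # IRP_MJ index -> address
    file: str = ""
    verdict: str = ""


def parse_tdsskiller(text):
    """Parse driver dispatch tables, file verdicts and the Results block."""
    drivers, results, current, complete = [], {}, None, False
    for line in text.splitlines():
        if m := DRIVER_RE.search(line):
            current = DriverEntry(name=m.group(2))
            drivers.append(current)
        elif (m := IRP_RE.search(line)) and current is not None:
            current.handlers.append(int(m.group(2), 16))
        elif (m := VERDICT_RE.search(line)) and current is not None:
            current.file, current.verdict = m.group(1), m.group(2)
        elif m := RESULTS_RE.search(line):
            results[m.group(1).lower()] = tuple(int(x) for x in m.groups()[1:])
        elif END_MARK in line:
            complete = True
    return {"drivers": drivers, "results": results, "complete": complete}


# Assumption: on this XP SP3 x86 box the kernel image lives in this range (the
# thread's mbr.exe output shows ntkrnlpa.exe routines at 0x805xxxxx). Handlers
# there are the kernel's default "invalid request" routine, not driver code.
KERNEL_RANGE = (0x80400000, 0x80800000)


def handler_outliers(handlers, kernel_range=KERNEL_RANGE, window=0x100000):
    """Flag dispatch entries that point neither into the kernel nor near the
    driver's own routines. Heuristic (an assumption of this example): a clean
    driver's handlers cluster inside one image, so anything more than `window`
    bytes from the median of the non-kernel handlers deserves a closer look."""
    def in_kernel(h):
        return kernel_range[0] <= h < kernel_range[1]
    own = sorted(h for h in handlers if not in_kernel(h))
    if not own:
        return []
    median = own[len(own) // 2]
    return [(i, h) for i, h in enumerate(handlers)
            if not in_kernel(h) and abs(h - median) > window]


def triage(text):
    """Return (report, per-driver findings, clean?) for one log."""
    report = parse_tdsskiller(text)
    findings = {d.name: handler_outliers(d.handlers) for d in report["drivers"]}
    clean = (report["complete"]
             and all(v == (0, 0, 0) for v in report["results"].values())
             and not any(findings.values()))
    return report, findings, clean


if __name__ == "__main__":
    report, findings, clean = triage(build_sample_log())
    for name, hits in findings.items():
        print(name, ["IRP_MJ %d -> %08X" % (i, h) for i, h in hits] or "no outliers")
    print("complete log:", report["complete"], "| clean:", clean)
```

    Run against the real logit.txt the Disk and nvata tables come out with no outliers, which matches the tool's own "Verdict: Clean" lines; the constructed atapi table shows what a hooked IRP_MJ_INTERNAL_DEVICE_CONTROL entry would look like in this output. A missing KLMD unload line makes `complete` false, which is the same check the moderator applies by eye when deciding whether the whole log was pasted.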

  5. #15
    Newcomer
    Registered since
    04.02.2010
    Posts
    25

    Re: Re: Re: computer randomly freezing

    I have noticed that I am getting redirected after some Google searches. This has probably been happening since the 29th when this started and I just never noticed.

  6. #16
    Moderator team member
    Registered since
    25.11.2006
    Posts
    4,628

    Re: Re: Re: Re: computer randomly freezing

    Sorry, my mistake. I see now the Kaspersky "unload" command indicating the log end. And right to "hmmm", as far as what method this malware is using there. What we don't want to do is act on data, like the MBR log info, that so far is not being validated with other scans.


    Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display.

    Then without making any changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

    !!!Caution - the Radix scanner has many settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

    That will be a very large log file, so just zip a copy of it, then send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files -warmsummer/hjt/rdx" as the email Subject.
    Live the day!

    Jintan - the brand where everything is right!

  7. #17
    Newcomer
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    Email sent to you with the log file.

    Thank you.

  8. #18
    Moderator team member
    Registered since
    25.11.2006
    Posts
    4,628

    Re: Re: computer randomly freezing

    I received the Radix log, thanks. The System and Services.exe processes have unseen "ethreading" activities, and other processes show the Winsock dll as being altered. Before we try to act on that ethreading issue (which is not without at least a risk of an immediate reboot), let's see if you can copy that other hook file.


    Open Radix again.

    Click the Tools tab, then click the Memory Dumper button. Next to "Dump memory of process" use the dropdown box to bring the following into that window:

    jqs.exe

    Then next to "Module", again use the dropdown box to bring the following into that window:

    WS2_32.dll

    Then next to "Dump memory region", type in this information:

    012B0000

    In the area to the right of that, type in this information:

    012CD000

    Make no other changes in that display. Then click the Dump button (and agree to any warnings).

    Then under "Save As" click the small folder icon, click the Desktop icon in the display that opens, and name the dumped information as bobby.txt, and save that to your desktop.


    Then just go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select those two files on your computer.

    You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
    Live the day!

    Jintan - the brand where everything is right!

  9. #19
    Newcomer
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    When I hit "dump" I received the error message "System cannot find the path specified", then "Not all pages could be dumped correctly".

    I did it twice and received that message both times. Should I continue?

    Edit: tried to continue but am unable to save anything to my desktop.
    Last edited by warmsummer (09.02.2010 at 04:31)

  10. #20
    Newcomer
    Registered since
    04.02.2010
    Posts
    25

    Re: Re: Re: computer randomly freezing

    I have TDSSKILLER.exe on my desktop still from a prior exercise. Should I remove it and install again?
