Trojans found

  1. #1
    norman, Senior Member

    Trojans found

    Hello everyone. This computer is used by the kids and they like to visit web sites like MySpace, Facebook, etc. I ran Malwarebytes, SUPERAntiSpyware and Dr.Web; everything was removed after many runs of each program. However, now on their login you get this message: "C:/windows/blashost.dll can not be found". I don't know if this is something important or not? Here is a HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 8:48:06 PM, on 3/24/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [fcvr32] rundll32 "C:\WINDOWS\blasHost.dll",DllEntryPoint
    O4 - HKUS\S-1-5-21-3815776962-2705230258-4120942893-1007\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'HP_Administrator')
    O4 - HKUS\S-1-5-21-3815776962-2705230258-4120942893-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1256249654593
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 10591 bytes
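    The login error the poster quotes names the same DLL as the Run entry `O4 - HKCU\..\Run: [fcvr32] rundll32 "C:\WINDOWS\blasHost.dll",DllEntryPoint` in the log above. As an added example (not part of the thread or of HijackThis itself), a small Python triage pass over HijackThis O4 lines that flags Run-key entries whose target no longer exists on disk (an autorun left behind after a scanner removed the file) or that load a DLL via rundll32 from outside system32/Program Files; the disk check takes a constructed set of "present" paths so it runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Registry-based autostart line, e.g.
# O4 - HKCU\..\Run: [fcvr32] rundll32 "C:\WINDOWS\blasHost.dll",DllEntryPoint
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# rundll32 [path]dll,EntryPoint  (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\w+)', re.IGNORECASE
)
# First executable token of an ordinary command line (quoted or bare)
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|bat|scr)))(?:\s|$)', re.IGNORECASE
)

# Heuristic: a DLL loaded by rundll32 at logon is normally installed here.
EXPECTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


@dataclass
class Finding:
    value_name: str
    target: str
    reasons: list = field(default_factory=list)


def parse_o4(line: str) -> Optional[dict]:
    """Parse a registry Run-key O4 line; Startup-folder O4 lines return None."""
    m = O4_RUN_RE.match(line.strip())
    return m.groupdict() if m else None


def launched_target(cmd: str) -> tuple:
    """Return (path, via_rundll32). For rundll32 commands the path is the DLL."""
    r = RUNDLL_RE.match(cmd)
    if r:
        return r.group("dll").strip(), True
    e = EXE_RE.match(cmd)
    if e:
        return (e.group("q") or e.group("u")).strip(), False
    return cmd.strip(), False


def triage(lines: Iterable[str], present: set) -> list:
    """Flag Run entries whose target is missing or is a DLL loaded by rundll32
    from an unexpected directory. `present` holds lower-cased paths that exist
    on disk (injected so the check can run without the machine)."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if not entry or entry["key"].lower() != "run":
            continue
        target, via_rundll = launched_target(entry["cmd"])
        low = target.lower()
        reasons = []
        if via_rundll and not low.startswith(EXPECTED_DLL_DIRS):
            reasons.append("rundll32 loads a DLL from outside system32/Program Files")
        # Bare names (e.g. RTHDCPL.EXE) resolve via PATH, so only check full paths.
        if "\\" in low and low not in present:
            reasons.append("target file missing from disk (orphaned autorun)")
        if reasons:
            findings.append(Finding(entry["name"], target, reasons))
    return findings


# Lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [fcvr32] rundll32 "C:\WINDOWS\blasHost.dll",DllEntryPoint
O4 - HKUS\S-1-5-21-3815776962-2705230258-4120942893-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
""".strip().splitlines()

# Constructed: files we pretend exist on disk. blasHost.dll is deliberately
# absent, matching the "can not be found" message reported at logon.
PRESENT = {
    r"c:\windows\system32\nvmctray.dll",
    r"c:\program files\avira\antivir desktop\avgnt.exe",
    r"c:\program files\windows live\messenger\msnmsgr.exe",
    r"c:\program files\messenger\msmsgs.exe",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, PRESENT):
        print(f"[{f.value_name}] {f.target}")
        for reason in f.reasons:
            print("   -", reason)
```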

  2. #2
    broni, Senior Member
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  3. #3
    norman, Senior Member
    I have tried running Combofix twice, and when it starts I get this message: "are you trying to type CFScript if you are the spelling is incorrect." Then it closes. Now what?

  4. #4
    broni, Senior Member
    Delete your Combofix file.
    Download fresh one, but rename combofix.exe to broni.com BEFORE saving it to your desktop.
    Then, try again.

  5. #5
    norman, Senior Member
    Same thing still happens.

  6. #6
    broni, Senior Member
    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.

  7. #7
    norman, Senior Member
    Here is the log file from that program. But I forgot I had this account set as "limited", so I had to go and log into my account and give it admin rights. Do you want me to retry Combofix now?


    20:27:16:421 2836 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    20:27:16:421 2836 ================================================================================
    20:27:16:421 2836 SystemInfo:

    20:27:16:421 2836 OS Version: 5.1.2600 ServicePack: 3.0
    20:27:16:421 2836 Product type: Workstation
    20:27:16:421 2836 ComputerName: FAMILY
    20:27:16:421 2836 UserName: Morons
    20:27:16:421 2836 Windows directory: C:\WINDOWS
    20:27:16:421 2836 Processor architecture: Intel x86
    20:27:16:421 2836 Number of processors: 2
    20:27:16:421 2836 Page size: 0x1000
    20:27:16:421 2836 Boot type: Normal boot
    20:27:16:421 2836 ================================================================================
    20:27:16:437 2836 UnloadDriverW: NtUnloadDriver error 2
    20:27:16:437 2836 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    20:27:16:531 2836 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    20:27:16:531 2836 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    20:27:16:531 2836 wfopen_ex: Trying to KLMD file open
    20:27:16:531 2836 wfopen_ex: File opened ok (Flags 2)
    20:27:16:531 2836 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    20:27:16:531 2836 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    20:27:16:531 2836 wfopen_ex: Trying to KLMD file open
    20:27:16:531 2836 wfopen_ex: File opened ok (Flags 2)
    20:27:16:531 2836 Initialize success
    20:27:16:531 2836
    20:27:16:531 2836 Scanning Services ...
    20:27:16:578 2836 Raw services enum returned 367 services
    20:27:16:593 2836
    20:27:16:593 2836 Scanning Kernel memory ...
    20:27:16:593 2836 Devices to scan: 11
    20:27:16:593 2836
    20:27:16:593 2836 Driver Name: Disk
    20:27:16:593 2836 IRP_MJ_CREATE : BA10EBB0
    20:27:16:593 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:593 2836 IRP_MJ_CLOSE : BA10EBB0
    20:27:16:593 2836 IRP_MJ_READ : BA108D1F
    20:27:16:593 2836 IRP_MJ_WRITE : BA108D1F
    20:27:16:593 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:593 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:593 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:593 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:593 2836 IRP_MJ_FLUSH_BUFFERS : BA1092E2
    20:27:16:593 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:593 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:593 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:593 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:593 2836 IRP_MJ_DEVICE_CONTROL : BA1093BB
    20:27:16:593 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
    20:27:16:593 2836 IRP_MJ_SHUTDOWN : BA1092E2
    20:27:16:593 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:593 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:593 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:593 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:593 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:593 2836 IRP_MJ_POWER : BA10AC82
    20:27:16:593 2836 IRP_MJ_SYSTEM_CONTROL : BA10F99E
    20:27:16:593 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:593 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:593 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:625 2836 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    20:27:16:625 2836
    20:27:16:625 2836 Driver Name: Disk
    20:27:16:625 2836 IRP_MJ_CREATE : BA10EBB0
    20:27:16:625 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:625 2836 IRP_MJ_CLOSE : BA10EBB0
    20:27:16:625 2836 IRP_MJ_READ : BA108D1F
    20:27:16:625 2836 IRP_MJ_WRITE : BA108D1F
    20:27:16:625 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:625 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:625 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:625 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:625 2836 IRP_MJ_FLUSH_BUFFERS : BA1092E2
    20:27:16:625 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:625 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:625 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:625 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:625 2836 IRP_MJ_DEVICE_CONTROL : BA1093BB
    20:27:16:625 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
    20:27:16:625 2836 IRP_MJ_SHUTDOWN : BA1092E2
    20:27:16:625 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:625 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:625 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:625 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:625 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:625 2836 IRP_MJ_POWER : BA10AC82
    20:27:16:625 2836 IRP_MJ_SYSTEM_CONTROL : BA10F99E
    20:27:16:625 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:625 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:625 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:640 2836 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    20:27:16:640 2836
    20:27:16:640 2836 Driver Name: Disk
    20:27:16:640 2836 IRP_MJ_CREATE : BA10EBB0
    20:27:16:640 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:640 2836 IRP_MJ_CLOSE : BA10EBB0
    20:27:16:640 2836 IRP_MJ_READ : BA108D1F
    20:27:16:640 2836 IRP_MJ_WRITE : BA108D1F
    20:27:16:640 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:640 2836 IRP_MJ_FLUSH_BUFFERS : BA1092E2
    20:27:16:640 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:640 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:640 2836 IRP_MJ_DEVICE_CONTROL : BA1093BB
    20:27:16:640 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
    20:27:16:640 2836 IRP_MJ_SHUTDOWN : BA1092E2
    20:27:16:640 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:640 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:640 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:640 2836 IRP_MJ_POWER : BA10AC82
    20:27:16:640 2836 IRP_MJ_SYSTEM_CONTROL : BA10F99E
    20:27:16:640 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:640 2836 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    20:27:16:640 2836
    20:27:16:640 2836 Driver Name: Disk
    20:27:16:640 2836 IRP_MJ_CREATE : BA10EBB0
    20:27:16:640 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:640 2836 IRP_MJ_CLOSE : BA10EBB0
    20:27:16:640 2836 IRP_MJ_READ : BA108D1F
    20:27:16:640 2836 IRP_MJ_WRITE : BA108D1F
    20:27:16:640 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:640 2836 IRP_MJ_FLUSH_BUFFERS : BA1092E2
    20:27:16:640 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:640 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:640 2836 IRP_MJ_DEVICE_CONTROL : BA1093BB
    20:27:16:640 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
    20:27:16:640 2836 IRP_MJ_SHUTDOWN : BA1092E2
    20:27:16:640 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:640 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:640 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:640 2836 IRP_MJ_POWER : BA10AC82
    20:27:16:640 2836 IRP_MJ_SYSTEM_CONTROL : BA10F99E
    20:27:16:640 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:640 2836 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    20:27:16:640 2836
    20:27:16:640 2836 Driver Name: usbstor
    20:27:16:640 2836 IRP_MJ_CREATE : ADD54218
    20:27:16:640 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:640 2836 IRP_MJ_CLOSE : ADD54218
    20:27:16:640 2836 IRP_MJ_READ : ADD5423C
    20:27:16:640 2836 IRP_MJ_WRITE : ADD5423C
    20:27:16:640 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:640 2836 IRP_MJ_FLUSH_BUFFERS : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:640 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:640 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:640 2836 IRP_MJ_DEVICE_CONTROL : ADD54180
    20:27:16:640 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : ADD4F9E6
    20:27:16:640 2836 IRP_MJ_SHUTDOWN : 804F4562
    20:27:16:640 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:640 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:640 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:640 2836 IRP_MJ_POWER : ADD535F0
    20:27:16:640 2836 IRP_MJ_SYSTEM_CONTROL : ADD51A6E
    20:27:16:640 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:640 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:640 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:656 2836 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    20:27:16:656 2836
    20:27:16:656 2836 Driver Name: usbstor
    20:27:16:656 2836 IRP_MJ_CREATE : ADD54218
    20:27:16:656 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:656 2836 IRP_MJ_CLOSE : ADD54218
    20:27:16:656 2836 IRP_MJ_READ : ADD5423C
    20:27:16:656 2836 IRP_MJ_WRITE : ADD5423C
    20:27:16:656 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:656 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:656 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:656 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:656 2836 IRP_MJ_FLUSH_BUFFERS : 804F4562
    20:27:16:656 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:656 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:656 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:656 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:656 2836 IRP_MJ_DEVICE_CONTROL : ADD54180
    20:27:16:656 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : ADD4F9E6
    20:27:16:656 2836 IRP_MJ_SHUTDOWN : 804F4562
    20:27:16:656 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:656 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:656 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:656 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:656 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:656 2836 IRP_MJ_POWER : ADD535F0
    20:27:16:656 2836 IRP_MJ_SYSTEM_CONTROL : ADD51A6E
    20:27:16:656 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:656 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:656 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:656 2836 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    20:27:16:656 2836
    20:27:16:656 2836 Driver Name: usbstor
    20:27:16:656 2836 IRP_MJ_CREATE : ADD54218
    20:27:16:656 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:656 2836 IRP_MJ_CLOSE : ADD54218
    20:27:16:656 2836 IRP_MJ_READ : ADD5423C
    20:27:16:656 2836 IRP_MJ_WRITE : ADD5423C
    20:27:16:656 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:656 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:656 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:656 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:656 2836 IRP_MJ_FLUSH_BUFFERS : 804F4562
    20:27:16:656 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:656 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:656 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:656 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:656 2836 IRP_MJ_DEVICE_CONTROL : ADD54180
    20:27:16:656 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : ADD4F9E6
    20:27:16:656 2836 IRP_MJ_SHUTDOWN : 804F4562
    20:27:16:656 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:656 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:656 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:656 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:656 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:656 2836 IRP_MJ_POWER : ADD535F0
    20:27:16:671 2836 IRP_MJ_SYSTEM_CONTROL : ADD51A6E
    20:27:16:671 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:671 2836 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    20:27:16:671 2836
    20:27:16:671 2836 Driver Name: usbstor
    20:27:16:671 2836 IRP_MJ_CREATE : ADD54218
    20:27:16:671 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:671 2836 IRP_MJ_CLOSE : ADD54218
    20:27:16:671 2836 IRP_MJ_READ : ADD5423C
    20:27:16:671 2836 IRP_MJ_WRITE : ADD5423C
    20:27:16:671 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:671 2836 IRP_MJ_FLUSH_BUFFERS : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_DEVICE_CONTROL : ADD54180
    20:27:16:671 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : ADD4F9E6
    20:27:16:671 2836 IRP_MJ_SHUTDOWN : 804F4562
    20:27:16:671 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:671 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:671 2836 IRP_MJ_POWER : ADD535F0
    20:27:16:671 2836 IRP_MJ_SYSTEM_CONTROL : ADD51A6E
    20:27:16:671 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:671 2836 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    20:27:16:671 2836
    20:27:16:671 2836 Driver Name: Disk
    20:27:16:671 2836 IRP_MJ_CREATE : BA10EBB0
    20:27:16:671 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:671 2836 IRP_MJ_CLOSE : BA10EBB0
    20:27:16:671 2836 IRP_MJ_READ : BA108D1F
    20:27:16:671 2836 IRP_MJ_WRITE : BA108D1F
    20:27:16:671 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:671 2836 IRP_MJ_FLUSH_BUFFERS : BA1092E2
    20:27:16:671 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_DEVICE_CONTROL : BA1093BB
    20:27:16:671 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
    20:27:16:671 2836 IRP_MJ_SHUTDOWN : BA1092E2
    20:27:16:671 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:671 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:671 2836 IRP_MJ_POWER : BA10AC82
    20:27:16:671 2836 IRP_MJ_SYSTEM_CONTROL : BA10F99E
    20:27:16:671 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:671 2836 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    20:27:16:671 2836
    20:27:16:671 2836 Driver Name: Disk
    20:27:16:671 2836 IRP_MJ_CREATE : BA10EBB0
    20:27:16:671 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:671 2836 IRP_MJ_CLOSE : BA10EBB0
    20:27:16:671 2836 IRP_MJ_READ : BA108D1F
    20:27:16:671 2836 IRP_MJ_WRITE : BA108D1F
    20:27:16:671 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:671 2836 IRP_MJ_FLUSH_BUFFERS : BA1092E2
    20:27:16:671 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_DEVICE_CONTROL : BA1093BB
    20:27:16:671 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
    20:27:16:671 2836 IRP_MJ_SHUTDOWN : BA1092E2
    20:27:16:671 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:671 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:671 2836 IRP_MJ_POWER : BA10AC82
    20:27:16:671 2836 IRP_MJ_SYSTEM_CONTROL : BA10F99E
    20:27:16:671 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:671 2836 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    20:27:16:671 2836
    20:27:16:671 2836 Driver Name: iaStor
    20:27:16:671 2836 IRP_MJ_CREATE : B9E70FC2
    20:27:16:671 2836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    20:27:16:671 2836 IRP_MJ_CLOSE : B9E70FC2
    20:27:16:671 2836 IRP_MJ_READ : 804F4562
    20:27:16:671 2836 IRP_MJ_WRITE : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_EA : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_EA : 804F4562
    20:27:16:671 2836 IRP_MJ_FLUSH_BUFFERS : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    20:27:16:671 2836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_DEVICE_CONTROL : B9E74CBE
    20:27:16:671 2836 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9E74F80
    20:27:16:671 2836 IRP_MJ_SHUTDOWN : 804F4562
    20:27:16:671 2836 IRP_MJ_LOCK_CONTROL : 804F4562
    20:27:16:671 2836 IRP_MJ_CLEANUP : 804F4562
    20:27:16:671 2836 IRP_MJ_CREATE_MAILSLOT : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_SECURITY : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_SECURITY : 804F4562
    20:27:16:671 2836 IRP_MJ_POWER : B9E79884
    20:27:16:671 2836 IRP_MJ_SYSTEM_CONTROL : B9E799E4
    20:27:16:671 2836 IRP_MJ_DEVICE_CHANGE : 804F4562
    20:27:16:671 2836 IRP_MJ_QUERY_QUOTA : 804F4562
    20:27:16:671 2836 IRP_MJ_SET_QUOTA : 804F4562
    20:27:16:671 2836 C:\WINDOWS\system32\DRIVERS\iastor.sys - Verdict: 1
    20:27:16:671 2836
    20:27:16:671 2836 Completed
    20:27:16:671 2836
    20:27:16:671 2836 Results:
    20:27:16:671 2836 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    20:27:16:671 2836 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    20:27:16:671 2836 File objects infected / cured / cured on reboot: 0 / 0 / 0
    20:27:16:671 2836
    20:27:16:671 2836 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    20:27:16:671 2836 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    20:27:16:671 2836 KLMD(ARK) unloaded successfully

  8. #8
    broni is offline Senior Member
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, then try to immediately run broni.com.

  9. #9
    norman is offline Senior Member
    Okay, combofix did run and here is the log:

    ComboFix 10-03-25.04 - Morons 03/25/2010 21:17:35.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1546 [GMT -4:00]
    Running from: c:\documents and settings\Morons\Desktop\broni.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Tasks\zevijevk.job

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
    .

    2010-03-25 23:58 . 2010-03-25 23:58 -------- d-----w- C:\broni
    2010-03-25 00:47 . 2010-03-25 00:47 388096 ----a-r- c:\documents and settings\Morons\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-25 00:47 . 2010-03-25 00:47 -------- d-----w- c:\program files\TrendMicro
    2010-03-24 23:54 . 2010-03-25 00:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-03-24 23:54 . 2010-03-24 23:54 -------- d-----w- c:\documents and settings\Morons\Application Data\Windows Desktop Search
    2010-03-24 23:54 . 2010-03-24 23:54 -------- d-----w- c:\program files\Windows Desktop Search
    2010-03-24 23:53 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
    2010-03-24 23:53 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
    2010-03-24 23:53 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
    2010-03-24 01:46 . 2010-03-24 01:46 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-24 01:45 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Morons\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
    2010-03-24 01:45 . 2010-03-24 01:45 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-03-24 01:44 . 2010-03-24 01:44 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-03-24 01:44 . 2010-03-24 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-03-24 01:43 . 2010-03-24 01:43 -------- d-----w- c:\documents and settings\Morons\Application Data\AdobeUM
    2010-03-24 00:11 . 2008-11-10 15:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
    2010-03-24 00:11 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2010-03-24 00:08 . 2010-03-24 00:08 -------- d-----w- c:\program files\Microsoft.NET
    2010-03-24 00:06 . 2010-03-24 00:06 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-03-24 00:05 . 2010-03-24 00:05 -------- d-----w- c:\documents and settings\Morons\Local Settings\Application Data\Microsoft Help
    2010-03-24 00:05 . 2010-03-25 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-03-24 00:05 . 2010-03-24 00:05 -------- d-----r- C:\MSOCache
    2010-03-12 22:11 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-07 23:48 . 2010-03-07 23:48 152576 ----a-w- c:\documents and settings\Morons\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-03-07 23:47 . 2010-03-07 23:47 79488 ----a-w- c:\documents and settings\Morons\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-03-07 17:26 . 2010-03-07 23:38 664 ----a-w- c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-25 00:58 . 2006-08-20 04:45 -------- d-----w- c:\program files\Microsoft Works
    2010-03-24 00:09 . 2009-09-05 17:11 -------- d-----w- c:\program files\MSBuild
    2010-03-21 19:05 . 2009-08-10 16:32 -------- d-----w- c:\program files\LimeWire
    2010-03-14 20:15 . 2010-01-23 18:23 117760 ----a-w- c:\documents and settings\Morons\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-07 23:49 . 2006-08-20 04:13 -------- d-----w- c:\program files\Java
    2010-01-23 18:29 . 2010-01-22 22:57 54560 ----a-w- c:\documents and settings\Morons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-01-23 18:23 . 2010-01-23 18:23 52224 ----a-w- c:\documents and settings\Morons\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-09 17:37 . 2009-04-12 21:54 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-07 21:07 . 2009-02-09 21:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2009-02-09 21:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-31 16:50 . 2004-08-10 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys
    2006-12-04 16:51 . 2008-12-22 05:03 32 --sha-w- c:\windows\SMINST\HPCD.SYS
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-20 180269]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-20 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-20 27136]

    c:\documents and settings\Morons\Start Menu\Programs\Startup\
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-20 27136]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\DISC\\myFTP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "c:\\Program Files\\EA SPORTS\\Madden NFL 08\\mainapp.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/18/2009 12:53 AM 108289]
    S0 eyejp;eyejp;c:\windows\system32\drivers\yfdgypq.sys --> c:\windows\system32\drivers\yfdgypq.sys [?]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [7/7/2009 10:07 AM 100992]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMD21
    *Deregistered* - klmd21
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-14 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B82304 18585.job
    - c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://msn.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    Trusted Zone: trymedia.com
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-fcvr32 - c:\windows\blasHost.dll



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    Completion time: 2010-03-25 21:24:40
    ComboFix-quarantined-files.txt 2010-03-26 01:24

    Pre-Run: 204,656,721,920 bytes free
    Post-Run: 206,903,676,928 bytes free

    - - End Of File - - 1405DA6F29D795C733FD3E8C20D5BEDD

  10. #10
    broni is offline Senior Member
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\yfdgypq.sys
    
    
    Folder::
    
    Driver::
    eyejp
    
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    
    
    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
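
    A triage pass over the ComboFix log in post #9, written here as an added Python example (not code from the thread, from broni, or from ComboFix): it picks out the three entries the CFScript in post #10 then acts on, namely a boot-start driver whose file ComboFix could not find, a globally open firewall port, and the orphaned Run value behind the "blashost.dll can not be found" message at login. The log excerpt is constructed from post #9; the vowel-less-name heuristic is this example's assumption, not a ComboFix rule.

```python
import re

# Constructed excerpt of the ComboFix log in post #9, cut down to the lines the
# CFScript in post #10 acts on. Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
S0 eyejp;eyejp;c:\windows\system32\drivers\yfdgypq.sys --> c:\windows\system32\drivers\yfdgypq.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [7/7/2009 10:07 AM 100992]

- - - - ORPHANS REMOVED - - - -

HKCU-Run-fcvr32 - c:\windows\blasHost.dll
"""

# Service lines read "R1 name;display;path [date size]": R/S = running/stopped,
# the digit is the start type (0 = boot start), and "[?]" means the file was not found.
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
ORPHAN_RE = re.compile(r"^(HK(?:LM|CU))-(\w+)-(\S+) - (.+)$")


def looks_random(stem):
    """Heuristic only (an assumption of this example): six or more letters, no a/e/i/o/u."""
    return len(stem) >= 6 and not set(stem.lower()) & set("aeiou")


def triage(log_text):
    """Return the entries a helper would question: missing or oddly named drivers,
    globally open ports, and orphaned Run values whose target no longer exists."""
    findings, section = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("["):                      # registry key header
            section = line
        elif "ORPHANS REMOVED" in line:
            section = "orphans"
        elif m := SERVICE_RE.match(line):
            _state, start, name, _display, path, info = m.groups()
            path = path.split(" --> ")[-1]            # keep the resolved driver path
            stem = path.rsplit("\\", 1)[-1].split(".")[0]
            if info == "?" or looks_random(stem):
                findings.append({"kind": "driver", "name": name, "path": path,
                                 "boot_start": start == "0", "file_missing": info == "?"})
        elif (m := PORT_RE.match(line)) and section and "GloballyOpenPorts" in section:
            findings.append({"kind": "open_port", "port": int(m.group(1)),
                             "proto": m.group(2), "key": section})
        elif (m := ORPHAN_RE.match(line)) and section == "orphans":
            hive, subkey, value, path = m.groups()
            findings.append({"kind": "orphan", "key": f"{hive}\\...\\{subkey}",
                             "value": value, "path": path})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Legitimate drivers such as SASDIFSV and ewusbnet pass both checks, so only the eyejp driver, the open 3389/TCP port and the orphaned fcvr32 Run value are reported.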
