04-Feb-2010, 11:24 AM
#1
I have had a redirect virus for a while. It initially began when I was infected with a win.32.netsky worm. I have since run Malwarebytes, Adaware and Norton. All seems well now except this stupid redirect. I can use a Norton safe search via Ask.com with no problem, but if I try Google (my fave) I get redirected all over the place. I am running Windows XP and prefer to browse with Firefox (IE and Safari also have the redirect). *sigh* HELP PLEASE!! Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:48 AM, on 2/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mozillafirefox.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Makeover Madness by pogo - http://game3.pogo.com/v/8.1.7.44/app...hoes-en_US.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/v/8.1.7.44/app...chle-en_US.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/Pog...rInstaller.CAB
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120128955593
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/C...CamControl.ocx
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d...APANEL_USA.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
O24 - Desktop Component 0: My Current Home Page - http://www.nationalgeographic.com/de...DM012359_c.jpg
O24 - Desktop Component 1: (no name) - http://seabed.nationalgeographic.com...20020101.2.jpg

--
End of file - 9152 bytes
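An added triage helper for the HijackThis log format posted above (example code written for this page, not from the thread or from HijackThis; the sample entries are copied from the log except the final O4 line, which is constructed). It parses the R/O entries, groups them by CLSID so a component registered in several sections (O2 and O9 here) is seen as one item, and flags what a helper reads first on a redirect case: entries whose backing file is missing, Trusted Zone additions, and autoruns launched from user-writable folders.

```python
"""Triage helper for HijackThis (HJT) v2 log entries (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the posted log. All lines except the
# final O4 entry are copied from the thread; that one is constructed so the
# user-writable-path check has something to fire on.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mozillafirefox.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
"""

# Entry shape "O2 - BHO: ..." / "R1 - HKCU\..."; header and process-list lines do not match.
ENTRY = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*\S)\s*$")
CLSID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Markers HJT prints when the registered file is no longer on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Sections that change where the browser trusts or resolves names; worth a look on any redirect case.
REVIEW_SECTIONS = {"O1": "hosts-file-entry", "O15": "trusted-zone", "O17": "dns-or-domain-setting"}
# Legitimate autoruns live under Program Files or Windows; user-writable folders are unusual.
USER_WRITABLE = re.compile(r"\\(?:Local Settings\\Temp|Temp|Application Data|Desktop)\\", re.I)


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for header and process-list lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("sec"), m.group("body"))
    clsid = CLSID.search(entry.body)
    if clsid:
        entry.clsid = clsid.group(0).upper()
    low = entry.body.lower()
    if any(marker in low for marker in ORPHAN_MARKERS):
        entry.flags.append("orphaned-entry")
    if entry.section in REVIEW_SECTIONS:
        entry.flags.append(REVIEW_SECTIONS[entry.section])
    if entry.section == "O4" and USER_WRITABLE.search(entry.body):
        entry.flags.append("autorun-from-user-writable-path")
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def browser_settings(entries: List[Entry]) -> Dict[str, str]:
    """R0/R1 entries as 'HIVE key' -> value, so start and search pages are seen at a glance."""
    out: Dict[str, str] = {}
    for e in entries:
        if e.section in ("R0", "R1"):
            key, _, value = e.body.partition("=")
            key = key.strip()
            hive = key.split("\\", 1)[0]
            leaf = key.rsplit("\\", 1)[-1]
            out[f"{hive} {leaf}"] = value.strip()
    return out


def group_by_clsid(entries: List[Entry]) -> Dict[str, List[str]]:
    """CLSID -> sections it appears in; one component is often both a BHO (O2) and a button (O9)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.clsid:
            groups[e.clsid].append(e.section)
    return dict(groups)


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for k, v in browser_settings(entries).items():
        print(f"{k:32} = {v!r}")
    for e in flagged(entries):
        print(f"{e.section:4} {','.join(e.flags):34} {e.body}")
    for clsid, secs in group_by_clsid(entries).items():
        if len(secs) > 1:
            print(f"{clsid} registered in {secs}")
```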
08-Feb-2010, 08:40 AM
#8
First clear your Java cache as shown at http://www.java.com/en/download/help/5000020300.xml. Then follow the advice here and post the logs those programs make in your next reply to this topic.
08-Feb-2010, 12:38 PM
#11
I can only give you the DDS logs... every time I try to run GMER my PC freezes up. I have tried three times already.

DDS (Ver_09-12-01.01) - NTFSx86
Run by AC at 9:28:11.43 on Mon 02/08/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.270 [GMT -6:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Documents and Settings\Amanda Conley\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://mozillafirefox.com/
mSearch Page = hxxp://yahoo.sbc.com/dsl
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {E92BEFBA-E79D-4F41-9733-68DA49C4492B} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
StartupFolder: c:\docume~1\amanda~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\logitech webcam software\eReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java
DPF: Pinochle by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/pinochle/pinochle-en_US.cab
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/LSSupCtl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120128955593
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - hxxp://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetMeter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C}
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amanda~1\applic~1\mozilla\firefox\profiles\h6bu7f3a.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100204.001\IDSXpx86.sys [2010-2-5 329592]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-17 214664]
R1 nmconpid;nmconpid;c:\windows\system32\drivers\nmconpid.sys [2005-10-7 11525]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-23 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100207.021\NAVENG.SYS [2010-2-7 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100207.021\NAVEX15.SYS [2010-2-7 1324720]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-17 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-17 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-17 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-17 40552]

=============== Created Last 30 ================

==================== Find3M ====================

2010-01-23 20:37:40 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-23 20:37:26 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-01-19 17:34:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-18 18:01:13 61224 ----a-w- c:\documents and settings\amanda conley\GoToAssistDownloadHelper.exe
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2008-10-16 12:13:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat

============= FINISH: 9:29:17.42 ===============
08-Feb-2010, 02:57 PM
#12
Run TDSSKiller from http://support.kaspersky.com/viruses...?qid=208280684, post back with its log and we can go from there.
09-Feb-2010, 04:49 AM
#14
The log will be at C:\TDSSKiller.<lots of letters & numbers>_log.txt. See if it did make one there please, then delete any existing version of ComboFix you have sitting on your desktop.

Please read and follow all these instructions very carefully.

Download ComboFix from Here to your Desktop.
**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer.**

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
2. Close any open browsers and any other programs you might have running.

Double click on combofix.exe & follow the prompts. If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall or freeze.****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read HERE why we disable autoruns.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If ComboFix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

__________________
Derek, Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction: Hedgehog Rescue
09-Feb-2010, 08:04 AM
#15
15:10:18:728 3872 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
15:10:18:728 3872 ================================================================================
15:10:18:728 3872 SystemInfo:
15:10:18:728 3872 OS Version: 5.1.2600 ServicePack: 3.0
15:10:18:728 3872 Product type: Workstation
15:10:18:728 3872 ComputerName: MANDYPC
15:10:18:728 3872 UserName: Amanda Conley
15:10:18:728 3872 Windows directory: C:\WINDOWS
15:10:18:728 3872 Processor architecture: Intel x86
15:10:18:728 3872 Number of processors: 1
15:10:18:728 3872 Page size: 0x1000
15:10:18:728 3872 Boot type: Normal boot
15:10:18:728 3872 ================================================================================
15:10:18:994 3872 UnloadDriverW: NtUnloadDriver error 2
15:10:19:025 3872 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:10:19:088 3872 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
15:10:21:025 3872 UtilityInit: KLMD drop and load success
15:10:21:025 3872 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
15:10:21:025 3872 UtilityInit: KLMD open success
15:10:21:025 3872 UtilityInit: Initialize success
15:10:21:025 3872
15:10:21:025 3872 Scanning Services ...
IrpHandler (18) addr: F855EB3A 15:10:21:759 3872 DetectCureTDL3: IrpHandler (19) addr: F855EB3A 15:10:21:759 3872 DetectCureTDL3: IrpHandler (20) addr: F855EB3A 15:10:21:759 3872 DetectCureTDL3: IrpHandler (21) addr: F855EB3A 15:10:21:759 3872 DetectCureTDL3: IrpHandler (22) addr: F855EB3A 15:10:21:759 3872 DetectCureTDL3: IrpHandler (23) addr: F855EB3A 15:10:21:759 3872 DetectCureTDL3: IrpHandler (24) addr: F855EB3A 15:10:21:759 3872 DetectCureTDL3: IrpHandler (25) addr: F855EB3A 15:10:21:759 3872 DetectCureTDL3: IrpHandler (26) addr: F855EB3A 15:10:21:759 3872 DetectCureTDL3: All IRP handlers pointed to one addr: F855EB3A 15:10:21:759 3872 KLMD_ReadMem: Trying to ReadMemory 0xF855EB3A[0x400] 15:10:21:759 3872 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr 15:10:21:759 3872 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4] 15:10:21:759 3872 KLMD_ReadMem: Trying to ReadMemory 0x82F8B504[0x4] 15:10:21:759 3872 TDL3_IrpHookDetect: New IrpHandler addr: 82F738C8 15:10:21:759 3872 KLMD_ReadMem: Trying to ReadMemory 0x82F738C8[0x400] 15:10:21:759 3872 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120 15:10:21:759 3872 Driver "atapi" Irp handler infected by TDSS rootkit ... 15:10:21:759 3872 KLMD_WriteMem: Trying to WriteMemory 0x82F7394E[0xD] 15:10:21:759 3872 cured 15:10:21:759 3872 KLMD_ReadMem: Trying to ReadMemory 0xF855C864[0x400] 15:10:21:759 3872 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0 15:10:21:759 3872 TDL3_FileDetect: Processing driver: atapi 15:10:21:759 3872 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys 15:10:21:759 3872 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys 15:10:21:775 3872 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected 15:10:21:775 3872 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 
15:10:21:775 3872 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys 15:10:21:775 3872 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3 15:10:21:806 3872 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\I386\sp3.cab 15:10:21:869 3872 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting.. 15:10:21:916 3872 CabinetCallback: File extracted successfully: C:\DOCUME~1\AMANDA~1\LOCALS~1\Temp\bck1C.tmp 15:10:21:916 3872 ValidateDriverFile: Stage 1 passed 15:10:21:916 3872 ValidateDriverFile: Stage 2 passed 15:10:22:025 3872 DigitalSignVerifyByHandle: Embedded DS result: 800B0100 15:10:22:197 3872 DigitalSignVerifyByHandle: Cat DS result: 00000000 15:10:22:197 3872 ValidateDriverFile: Stage 3 passed 15:10:22:213 3872 CabinetCallback: File validated successfully, restore information prepared 15:10:22:213 3872 FindDriverFileBackup: Backup copy found in cab-file 15:10:22:213 3872 TDL3_FileCure: Backup copy found, using it.. 15:10:22:213 3872 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk1D.tmp 15:10:22:291 3872 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk1D.tmp, system32\drivers\atapi.sys) 15:10:22:306 3872 TDL3_FileCure: KLMD jobs schedule success 15:10:22:306 3872 will be cured on next reboot 15:10:22:306 3872 UtilityBootReinit: Reboot required for cure complete.. 
15:10:22:322 3872 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000 15:10:22:384 3872 UtilityBootReinit: KLMD drop success 15:10:22:400 3872 KLMD_ApplyPendList: Pending buffer(3445_2CAD, 608) dropped successfully 15:10:22:400 3872 UtilityBootReinit: Cure on reboot scheduled successfully 15:10:22:400 3872 15:10:22:400 3872 Completed 15:10:22:400 3872 15:10:22:400 3872 Results: 15:10:22:400 3872 Memory objects infected / cured / cured on reboot: 1 / 1 / 0 15:10:22:400 3872 Registry objects infected / cured / cured on reboot: 0 / 0 / 0 15:10:22:400 3872 File objects infected / cured / cured on reboot: 1 / 0 / 1 15:10:22:400 3872 15:10:22:400 3872 UnloadDriverW: NtUnloadDriver error 1 15:10:22:400 3872 KLMD_Unload: UnloadDriverW(klmd21) error 1 15:10:22:400 3872 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000 15:10:22:400 3872 UtilityDeinit: KLMD(ARK) unloaded successfully |
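As an added example (not part of this thread and not TDSSKiller's own code), a small Python parser for the log format quoted above: it groups the IrpHandler entries by DRIVER_OBJECT and applies the same heuristic the tool logged for atapi, every IRP dispatch entry resolving to one address, alongside the on-disk Verdict line. The sample log lines and their addresses are constructed for the example.

```python
import re

# Constructed lines in the TDSSKiller log format quoted above; addresses are illustrative.
SAMPLE_LOG = r"""
15:10:21:744 3872 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:10:21:744 3872 DetectCureTDL3: IrpHandler (0) addr: F86CABB0
15:10:21:744 3872 DetectCureTDL3: IrpHandler (1) addr: 804F9739
15:10:21:744 3872 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:10:21:759 3872 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
15:10:21:759 3872 DetectCureTDL3: IrpHandler (0) addr: F855EB3A
15:10:21:759 3872 DetectCureTDL3: IrpHandler (1) addr: F855EB3A
15:10:21:759 3872 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

# Entry layout: "HH:MM:SS:mmm <thread id> <component>: <message>"
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d\d\d \d+ (\w+): (.*)$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: .*, Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]{8})")
VERDICT_RE = re.compile(r"(\S+) - Verdict: (\w+)")

def parse_tdsskiller_log(text):
    """Group IRP dispatch addresses and the on-disk verdict by driver name."""
    drivers, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines or text outside the log format
        component, msg = m.groups()
        if component == "DetectCureTDL3":
            d, h = DRIVER_RE.search(msg), IRP_RE.search(msg)
            if d:  # a new DRIVER_OBJECT starts a new dispatch table
                current = d.group(1)
                drivers[current] = {"handlers": [], "verdict": None}
            elif h and current:
                drivers[current]["handlers"].append(h.group(2))
        elif component == "TDL3_FileDetect" and current:
            v = VERDICT_RE.search(msg)
            if v:
                drivers[current]["verdict"] = v.group(2)
    return drivers

def uniform_dispatch(handlers):
    """Single address shared by every IRP_MJ_* entry, or None if they differ."""
    unique = set(handlers)
    return unique.pop() if len(unique) == 1 else None

def suspicious_drivers(drivers):
    """Uniform dispatch table (TDL3 hooks the whole table with one stub) or an
    Infected verdict. A uniform table is only a lead; TDSSKiller confirms it with
    the stub-signature and on-disk file checks seen in the log."""
    return sorted(n for n, i in drivers.items()
                  if uniform_dispatch(i["handlers"]) or i["verdict"] == "Infected")
```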
Advertisements do not imply our endorsement of that product or service. All times are GMT -4. The time now is 10:26 PM. Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

