browser hijack -


This topic is locked
101 replies to this topic

#1 fiery

fiery

  • Members
  • 75 posts
  • OFFLINE
  • Local time:05:27 AM

Posted 05 December 2009 - 02:36 PM

Hi,
Thank you all for offering this service. I'm asking for help on a machine our kids use. Each has their own login. A few weeks ago, my daughter opened IE and it started spawning new windows - some of which were porn sites. A friend came over, ran Spybot, Malwarebytes, AVG, locked down her user settings and said we were good to go. The files he thought he removed were some type of Virtumonde. The machine still ran very slowly; I switched the kids to Firefox and we had no more hijacked browsers. I had doubts, as some of the programs he ran showed nothing - not even adware - but it was working, so I let it be. Two days ago the other daughter logged in, did a Google search in Firefox and it started spawning new windows. She also got an error message saying that the file wenumivu.dll couldn't be run. A search of this didn't turn up much information about this file. Some sites - which I don't know anything about - said the file needed to be deleted. I've moved it to the recycle bin, but it's still on the machine.

Malwarebytes, AVG, show nothing. I went to http://www.bleepingcomputer.com/virus-remo...undo-virtumonde and followed the instructions and found nothing. But I know we still have an issue.

I'm pasting a DDS log and attaching a file. I tried to run RootRepeal, but it's giving me an error message (Could not load driver (oxc0000035)!) I appreciate any help - I'm just computer literate enough to be dangerous, but I really don't know what I'm doing and I'm very grateful for your assistance.

Here's the log:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Sina at 12:02:13.68 on Sat 12/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.310 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Sina\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\sina\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet 7100 series\bin\hpogrp07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\norton~1.lnk - c:\program files\norton goback\GBTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{00cd55d6-ee5a-4570-9875-8a306628c032}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: <NO NAME> =
IE: &Viewpoint Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179253685187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D441AB53-A39C-42AE-AB79-3C05B7298F34} - hxxp://aolsvc.aol.com/onlinegames/free-trial-astro-avenger-ii/AstroAvenger2Loader.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://iwon.oberon-media.com/online/online2/zuma/popcaploader_v5.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sina\applic~1\mozilla\firefox\profiles\gcq7qe5d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\sina\application data\mozilla\firefox\profiles\gcq7qe5d.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2005-3-3 23040]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-8 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-8 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-8 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSXpx86.sys [2009-11-12 329592]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2003-2-10 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [2002-12-18 36064]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-8 117640]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2004-11-10 1251720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-1 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091204.051\NAVENG.SYS [2009-12-5 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091204.051\NAVEX15.SYS [2009-12-5 1323568]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-12-04 17:41:12 0 d-----w- C:\VundoFix Backups
2009-12-04 15:01:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 16:40:03 0 d-----w- c:\docume~1\alluse~1\applic~1\kovunuta
2009-11-28 16:40:03 0 d-----w- c:\docume~1\alluse~1\applic~1\kehatibi
2009-11-28 16:39:29 0 d-----w- c:\docume~1\alluse~1\applic~1\wojukoro
2009-11-28 16:39:29 0 d-----w- c:\docume~1\alluse~1\applic~1\pohepalo
2009-11-28 16:39:29 0 d-----w- c:\docume~1\alluse~1\applic~1\kadohaya
2009-11-28 16:39:29 0 d-----w- c:\docume~1\alluse~1\applic~1\hotutosa
2009-11-27 23:15:48 0 d-----w- c:\docume~1\alluse~1\applic~1\panipubu
2009-11-27 23:15:48 0 d-----w- c:\docume~1\alluse~1\applic~1\nakuviza
2009-11-27 23:15:47 0 d-----w- c:\docume~1\alluse~1\applic~1\wefivaya
2009-11-27 23:15:47 0 d-----w- c:\docume~1\alluse~1\applic~1\figakezo
2009-11-26 01:49:41 0 d-----w- c:\docume~1\alluse~1\applic~1\tilerove
2009-11-26 01:49:40 0 d-----w- c:\docume~1\alluse~1\applic~1\nusayuta
2009-11-26 01:49:40 0 d-----w- c:\docume~1\alluse~1\applic~1\najejifo
2009-11-26 01:44:37 0 d-----w- c:\docume~1\alluse~1\applic~1\wosarako
2009-11-26 01:44:37 0 d-----w- c:\docume~1\alluse~1\applic~1\loyuwisa
2009-11-26 01:44:37 0 d-----w- c:\docume~1\alluse~1\applic~1\dufizige
2009-11-10 11:44:52 0 d-----w- c:\program files\PTC
2009-11-07 01:00:42 52012 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-07 00:54:46 0 d-----w- c:\program files\iPod
2009-11-07 00:54:40 0 d-----w- c:\program files\iTunes
2009-11-07 00:54:40 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-09 00:25:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2004-01-07 03:21:28 38996098 ----a-w- c:\program files\NISP2004.exe
2002-08-29 11:00:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 12:03:06.84 ===============
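
One way to triage a DDS log like the one in this post for the artefacts it contains (the burst of random-named folders under Application Data, the HOSTS redirect of a security site, the orphaned "No File" toolbar entries), as an added example that is not part of the thread or of the DDS tool; the consonant-vowel naming heuristic and the trimmed sample excerpt are the editor's own constructions:

```python
"""Triage a DDS log excerpt for the artefacts discussed in this thread."""
import re
from collections import defaultdict

# Constructed excerpt in DDS log format, modelled on the log posted above;
# the names are the ones that appear in the thread, other lines are trimmed.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
Hosts: 127.0.0.1 www.spywareinfo.com

=============== Created Last 30 ================

2009-12-04 15:01:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 16:40:03 0 d-----w- c:\docume~1\alluse~1\applic~1\kovunuta
2009-11-28 16:40:03 0 d-----w- c:\docume~1\alluse~1\applic~1\kehatibi
2009-11-28 16:39:29 0 d-----w- c:\docume~1\alluse~1\applic~1\wojukoro
2009-11-07 00:54:40 0 d-----w- c:\program files\iTunes

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# timestamp to the minute, seconds, size, 8-char attribute field, path
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})(:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
VOWELS = set("aeiou")


def parse_sections(text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def looks_generated(name):
    """Editor's heuristic: 8 lowercase letters alternating consonant/vowel,
    the pattern every dropped folder (and wenumivu.dll) in the thread shares.
    Some legitimate names match too, so treat it as a triage flag, not a verdict."""
    if len(name) != 8 or not name.isalpha() or not name.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(name))


def find_random_dirs(created_lines):
    """Generated-looking directories under Application Data, plus clusters of
    them created in the same minute (Vundo drops several at once, as the
    'Created Last 30' section above shows)."""
    by_minute, hits = defaultdict(list), []
    for line in created_lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        minute, _, _, attrs, path = m.groups()
        in_appdata = "applic~1" in path.lower() or "application data" in path.lower()
        name = re.split(r"[\\/]", path)[-1]
        if attrs.startswith("d") and in_appdata and looks_generated(name):
            hits.append(name)
            by_minute[minute].append(name)
    clusters = [names for names in by_minute.values() if len(names) > 1]
    return hits, clusters


def find_hosts_redirects(hjt_lines):
    """HOSTS entries pointing a remote name at 127.0.0.1: a common way malware
    blocks security sites (compare the spywareinfo.com entry in the log)."""
    return [p[2] for p in (l.split() for l in hjt_lines if l.startswith("Hosts:"))
            if len(p) == 3 and p[1] == "127.0.0.1" and p[2] != "localhost"]


def find_orphaned_entries(hjt_lines):
    """BHO/toolbar/explorer-bar registrations whose DLL is gone ("No File");
    often leftovers of a partial clean-up and worth checking one by one."""
    return [line.split(":", 1)[1].strip().rsplit(" - ", 1)[0]
            for line in hjt_lines
            if line.split(":", 1)[0] in ("BHO", "TB", "EB") and line.endswith("- No File")]


def triage(text):
    sections = parse_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    dirs, clusters = find_random_dirs(sections.get("Created Last 30", []))
    return {"random_dirs": dirs, "clusters": clusters,
            "hosts_redirects": find_hosts_redirects(hjt),
            "orphaned": find_orphaned_entries(hjt)}


if __name__ == "__main__":
    for check, found in triage(SAMPLE_DDS).items():
        print(f"{check}: {found}")
```

Run against the full log in the post, the same checks flag all sixteen folders in the "Created Last 30" section, grouped into the bursts in which they were dropped.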

#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:27 AM

Posted 07 December 2009 - 07:51 PM

Hello fiery :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.




Since you could not get RootRepeal to run try the following:


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please do not post any logs as an attachment unless asked to do so.

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:27 AM

Posted 14 December 2009 - 12:28 PM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:27 AM

Posted 14 December 2009 - 09:30 PM

Reopened at user's request.

If you are going to be longer than 5 days replying let me know and I won't close the topic. If I ask you to do something and it won't work just go ahead and inform me. We understand when we post instructions that users will often encounter problems, this is normal, so if you have tried something a reasonable amount of times and it doesn't work advise me of it and we'll try for a workaround.

Try running the following and then give GMER another try.


RKill by Grinler

Link #1
Link #2
Link #3

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.


#5 fiery

fiery
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Local time:05:27 AM

Posted 15 December 2009 - 09:48 AM

Still not working - I tried all the links and got the black screen on each, it stayed up for a while, then when it disappeared the image of the desktop on the machine flashed (icons disappeared then came back). When I tried GMER, the machine just restarts.

I'm starting to think that whatever I've got is buried so deeply that I may just be better off wiping the hard drive and starting fresh. My concern would be if whatever's in the machine has infected the files that I'd reload. I have the disks that came with the machine when we first so they should be fine. But how do I know what documents, cookies, etc... are safe? Any thoughts on this?

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:27 AM

Posted 15 December 2009 - 11:19 AM

Reinstallation is always an option in these cases and some people choose to go that route. I am of the opinion you have a rootkit which is blocking our attempts to run the ARKs, this is fairly common as they are programmed to block attempts to locate and remove them. If I can identify and remove it you stand a good chance of being cleaned up.

Without knowing exactly what you have it is kind of hard to say what is safe to reload and what is not. If you happened to have a file infector such as Virut then that limits what you can safely save and reinstall. I don't see anything that leads me to believe you are infected with that, but again, since our diagnostic tools are not working yet we are kind of shooting in the blind.


Here's another ARK we can give a try:

Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop
  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes at the "Write to log" section. Also tick the "Hidden Objects Only" options
  • Hit the Create Log button
  • When it asks for the scanning option, choose Scanning all drives >> Hit the Start button (Do NOT hit the "Ok" button)
  • Let it scan until finish
  • Find the log.txt inside the SysProt folder and attach the log here.


#7 fiery

fiery
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Local time:05:27 AM

Posted 15 December 2009 - 12:25 PM

It looks like it ran! I've attached the log.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:27 AM

Posted 15 December 2009 - 12:45 PM

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


#9 fiery

fiery
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Local time:05:27 AM

Posted 15 December 2009 - 02:05 PM

It did not mention anything about hidden services. Here is the file:

Host Name: KED-0001
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Richard E Kniseley Jr
Registered Organization:
Product ID: 55274-OEM-0011903-00102
Original Install Date: 1/6/2004, 4:03:04 PM
System Up Time: 0 Days, 4 Hours, 19 Minutes, 21 Seconds
System Manufacturer: Dell Computer Corporation
System Model: OptiPlex GX270
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 2 Stepping 9 GenuineIntel ~3192 Mhz
BIOS Version: DELL - 8
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory: 1,023 MB
Available Physical Memory: 491 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: HOME
Logon Server: \\KED-0001
Hotfix(s): 200 Hotfix(s) Installed.
NetWork Card(s): 2 NIC(s) Installed.
[01]: Intel® PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.107
[02]: Cisco Systems VPN Adapter
Connection Name: Local Area Connection 2
14:3:11:437 6116 ForceUnloadDriver: NtUnloadDriver error 2
14:3:11:453 6116 ForceUnloadDriver: NtUnloadDriver error 2
14:3:11:453 6116 ForceUnloadDriver: NtUnloadDriver error 2
14:3:11:531 6116 main: Driver KLMD successfully dropped
14:3:12:109 6116 main: Driver KLMD successfully loaded
14:3:12:109 6116
Scanning Registry ...
14:3:12:156 6116 ScanServices: Searching service UACd.sys
14:3:12:156 6116 ScanServices: Open/Create key error 2
14:3:12:156 6116 ScanServices: Searching service TDSSserv.sys
14:3:12:156 6116 ScanServices: Open/Create key error 2
14:3:12:156 6116 ScanServices: Searching service gaopdxserv.sys
14:3:12:156 6116 ScanServices: Open/Create key error 2
14:3:12:156 6116 ScanServices: Searching service gxvxcserv.sys
14:3:12:156 6116 ScanServices: Open/Create key error 2
14:3:12:156 6116 ScanServices: Searching service MSIVXserv.sys
14:3:12:156 6116 ScanServices: Open/Create key error 2
14:3:12:156 6116 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
14:3:12:156 6116 UnhookRegistry: Kernel local addr: A40000
14:3:12:171 6116 UnhookRegistry: KeServiceDescriptorTable addr: ACB520
14:3:12:515 6116 UnhookRegistry: KiServiceTable addr: A4D8B0
14:3:12:515 6116 UnhookRegistry: NtEnumerateKey service number (local): 47
14:3:12:515 6116 UnhookRegistry: NtEnumerateKey local addr: AE1E14
14:3:12:546 6116 KLMD_OpenDevice: Trying to open KLMD device
14:3:12:546 6116 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
14:3:12:546 6116 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
14:3:12:546 6116 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]
14:3:12:546 6116 UnhookRegistry: NtEnumerateKey service number (kernel): 47
14:3:12:546 6116 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]
14:3:12:546 6116 UnhookRegistry: NtEnumerateKey real addr: 80578E14
14:3:12:546 6116 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
14:3:12:546 6116 UnhookRegistry: No SDT hooks found on NtEnumerateKey
14:3:12:546 6116 KLMD_ReadMem: Trying to ReadMemory 0x80578E14[0xA]
14:3:12:546 6116 UnhookRegistry: No splicing found on NtEnumerateKey
14:3:12:546 6116
Scanning Kernel memory ...
14:3:12:546 6116 KLMD_OpenDevice: Trying to open KLMD device
14:3:12:546 6116 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
14:3:12:546 6116 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
14:3:12:546 6116 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 87753A08
14:3:12:546 6116 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
14:3:12:546 6116 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 87744C68
14:3:12:546 6116 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87744C68
14:3:12:546 6116 KLMD_ReadMem: Trying to ReadMemory 0x87744C68[0x38]
14:3:12:546 6116 DetectCureTDL3: DRIVER_OBJECT addr: 87753A08
14:3:12:546 6116 KLMD_ReadMem: Trying to ReadMemory 0x87753A08[0xA8]
14:3:12:546 6116 KLMD_ReadMem: Trying to ReadMemory 0xE1D2D9A0[0x208]
14:3:12:546 6116 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:3:12:546 6116 DetectCureTDL3: IrpHandler (0) addr: F77E7BB0
14:3:12:546 6116 DetectCureTDL3: IrpHandler (1) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (2) addr: F77E7BB0
14:3:12:546 6116 DetectCureTDL3: IrpHandler (3) addr: F7639F80
14:3:12:546 6116 DetectCureTDL3: IrpHandler (4) addr: F763A1A0
14:3:12:546 6116 DetectCureTDL3: IrpHandler (5) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (6) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (7) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (8) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (9) addr: F763A290
14:3:12:546 6116 DetectCureTDL3: IrpHandler (10) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (11) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (12) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (13) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (14) addr: F763A380
14:3:12:546 6116 DetectCureTDL3: IrpHandler (15) addr: F77E5F28
14:3:12:546 6116 DetectCureTDL3: IrpHandler (16) addr: F77E22E2
14:3:12:546 6116 DetectCureTDL3: IrpHandler (17) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (18) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (19) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (20) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (21) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (22) addr: F77E3C82
14:3:12:546 6116 DetectCureTDL3: IrpHandler (23) addr: F77E899E
14:3:12:546 6116 DetectCureTDL3: IrpHandler (24) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (25) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (26) addr: 804F9739
14:3:12:546 6116 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
14:3:12:546 6116 KLMD_ReadMem: DeviceIoControl error 1
14:3:12:546 6116 TDL3_StartIoHookDetect: Unable to get StartIo handler code
14:3:12:562 6116 TDL3_FileDetect: Processing driver: Disk
14:3:12:562 6116 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
14:3:12:562 6116 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
14:3:12:562 6116 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
14:3:12:562 6116 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 877969F0
14:3:12:562 6116 KLMD_GetLowerDeviceObject: Trying to get lower device object for 877969F0
14:3:12:562 6116 KLMD_ReadMem: Trying to ReadMemory 0x877969F0[0x38]
14:3:12:562 6116 DetectCureTDL3: DRIVER_OBJECT addr: 87753A08
14:3:12:562 6116 KLMD_ReadMem: Trying to ReadMemory 0x87753A08[0xA8]
14:3:12:562 6116 KLMD_ReadMem: Trying to ReadMemory 0xE1D2D9A0[0x208]
14:3:12:562 6116 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:3:12:562 6116 DetectCureTDL3: IrpHandler (0) addr: F77E7BB0
14:3:12:562 6116 DetectCureTDL3: IrpHandler (1) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (2) addr: F77E7BB0
14:3:12:578 6116 DetectCureTDL3: IrpHandler (3) addr: F7639F80
14:3:12:578 6116 DetectCureTDL3: IrpHandler (4) addr: F763A1A0
14:3:12:578 6116 DetectCureTDL3: IrpHandler (5) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (6) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (7) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (8) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (9) addr: F763A290
14:3:12:578 6116 DetectCureTDL3: IrpHandler (10) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (11) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (12) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (13) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (14) addr: F763A380
14:3:12:578 6116 DetectCureTDL3: IrpHandler (15) addr: F77E5F28
14:3:12:578 6116 DetectCureTDL3: IrpHandler (16) addr: F77E22E2
14:3:12:578 6116 DetectCureTDL3: IrpHandler (17) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (18) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (19) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (20) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (21) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (22) addr: F77E3C82
14:3:12:578 6116 DetectCureTDL3: IrpHandler (23) addr: F77E899E
14:3:12:578 6116 DetectCureTDL3: IrpHandler (24) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (25) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (26) addr: 804F9739
14:3:12:578 6116 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
14:3:12:578 6116 KLMD_ReadMem: DeviceIoControl error 1
14:3:12:578 6116 TDL3_StartIoHookDetect: Unable to get StartIo handler code
14:3:12:578 6116 TDL3_FileDetect: Processing driver: Disk
14:3:12:578 6116 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
14:3:12:578 6116 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
14:3:12:578 6116 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
14:3:12:578 6116 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 87798AB8
14:3:12:578 6116 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87798AB8
14:3:12:578 6116 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 87752B00
14:3:12:578 6116 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87752B00
14:3:12:578 6116 KLMD_ReadMem: Trying to ReadMemory 0x87752B00[0x38]
14:3:12:578 6116 DetectCureTDL3: DRIVER_OBJECT addr: 8774B308
14:3:12:578 6116 KLMD_ReadMem: Trying to ReadMemory 0x8774B308[0xA8]
14:3:12:578 6116 KLMD_ReadMem: Trying to ReadMemory 0xE1D33CB0[0x208]
14:3:12:578 6116 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
14:3:12:578 6116 DetectCureTDL3: IrpHandler (0) addr: F76EE6F2
14:3:12:578 6116 DetectCureTDL3: IrpHandler (1) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (2) addr: F76EE6F2
14:3:12:578 6116 DetectCureTDL3: IrpHandler (3) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (4) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (5) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (6) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (7) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (8) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (9) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (10) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (11) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (12) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (13) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (14) addr: F76EE712
14:3:12:578 6116 DetectCureTDL3: IrpHandler (15) addr: F76EA852
14:3:12:578 6116 DetectCureTDL3: IrpHandler (16) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (17) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (18) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (19) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (20) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (21) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (22) addr: F76EE73C
14:3:12:578 6116 DetectCureTDL3: IrpHandler (23) addr: F76F5336
14:3:12:578 6116 DetectCureTDL3: IrpHandler (24) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (25) addr: 804F9739
14:3:12:578 6116 DetectCureTDL3: IrpHandler (26) addr: 804F9739
14:3:12:578 6116 KLMD_ReadMem: Trying to ReadMemory 0xF76EB864[0x400]
14:3:12:578 6116 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
14:3:12:578 6116 TDL3_FileDetect: Processing driver: atapi
14:3:12:578 6116 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
14:3:12:578 6116 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
14:3:12:578 6116 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
14:3:12:593 6116
Completed

Results:
14:3:12:593 6116 Infected objects in memory: 0
14:3:12:593 6116 Cured objects in memory: 0
14:3:12:593 6116 Infected objects on disk: 0
14:3:12:593 6116 Objects on disk cured on reboot: 0
14:3:12:593 6116 Objects on disk deleted on reboot: 0
14:3:12:593 6116 Registry nodes deleted on reboot: 0
14:3:12:593 6116

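The TDSSKiller log above is dense, and the two things worth reading out of it are the SDT check (the "real addr" read from the live service table must equal the "calc addr" derived from the kernel image, otherwise an entry has been hooked) and the per-driver IRP dispatch tables, where one address (804F9739) fills every unused slot of both Disk and atapi and sits above the reported ntoskrnl base. The parser below is an added example, not part of the original post or of TDSSKiller; it runs over a constructed excerpt in the same line layout, flags any real/calc mismatch, separates the shared default handler from each driver's own handlers, and reads the final counters.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the TDSSKiller log posted above; not the full log.
SAMPLE_LOG = """\
14:3:12:156 6116 UnhookRegistry: Kernel module file name: C:\\windows\\system32\\ntoskrnl.exe, base addr: 804D7000
14:3:12:546 6116 UnhookRegistry: NtEnumerateKey real addr: 80578E14
14:3:12:546 6116 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
14:3:12:546 6116 UnhookRegistry: No SDT hooks found on NtEnumerateKey
14:3:12:546 6116 UnhookRegistry: No splicing found on NtEnumerateKey
14:3:12:546 6116 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
14:3:12:546 6116 DetectCureTDL3: IrpHandler (0) addr: F77E7BB0
14:3:12:546 6116 DetectCureTDL3: IrpHandler (1) addr: 804F9739
14:3:12:546 6116 DetectCureTDL3: IrpHandler (2) addr: F77E7BB0
14:3:12:578 6116 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
14:3:12:578 6116 DetectCureTDL3: IrpHandler (0) addr: F76EE6F2
14:3:12:578 6116 DetectCureTDL3: IrpHandler (1) addr: 804F9739
14:3:12:593 6116 Infected objects in memory: 0
14:3:12:593 6116 Cured objects in memory: 0
14:3:12:593 6116 Infected objects on disk: 0
14:3:12:593 6116 Objects on disk cured on reboot: 0
"""

# Every line starts with "h:m:s:ms pid "; the patterns below key on the message that follows.
PREFIX = r"^\d+:\d+:\d+:\d+ \d+ "
RE_KERNEL = re.compile(PREFIX + r"UnhookRegistry: Kernel module file name: .*base addr: ([0-9A-F]+)$")
RE_SDT = re.compile(PREFIX + r"UnhookRegistry: (\w+) (real|calc) addr: ([0-9A-F]+)$")
RE_DRIVER = re.compile(PREFIX + r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)$")
RE_IRP = re.compile(PREFIX + r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-F]+)$")
RE_RESULT = re.compile(PREFIX + r"((?:Infected|Cured|Objects|Registry) [^:]+): (\d+)$")


def parse_tdsskiller(text):
    """Collect the SDT hook check, each driver's IRP dispatch table and the final counters."""
    parsed = {"kernel_base": None, "sdt": {}, "irp": defaultdict(dict), "results": {}}
    driver = None
    for line in text.splitlines():
        if m := RE_KERNEL.match(line):
            parsed["kernel_base"] = int(m.group(1), 16)
        elif m := RE_SDT.match(line):
            # "real" is the entry read from the live service table, "calc" the address
            # derived from the kernel image; the two agree on a clean system.
            parsed["sdt"].setdefault(m.group(1), {})[m.group(2)] = int(m.group(3), 16)
        elif m := RE_DRIVER.match(line):
            driver = m.group(1)
        elif (m := RE_IRP.match(line)) and driver:
            parsed["irp"][driver][int(m.group(1))] = int(m.group(2), 16)
        elif m := RE_RESULT.match(line):
            parsed["results"][m.group(1)] = int(m.group(2))
    parsed["irp"] = dict(parsed["irp"])
    return parsed


def sdt_hook_findings(parsed):
    """Routines whose live SDT entry differs from the address computed from the kernel image."""
    return sorted(name for name, a in parsed["sdt"].items()
                  if "real" in a and "calc" in a and a["real"] != a["calc"])


def shared_irp_handlers(parsed):
    """Handler addresses used by more than one driver.

    In the posted log 804F9739 fills every unused IRP slot of both Disk and atapi
    and lies above the reported ntoskrnl base, which is what a kernel-provided
    default dispatch routine looks like; it is separated out before looking at
    each driver's own handlers."""
    owners = defaultdict(set)
    for drv, table in parsed["irp"].items():
        for addr in table.values():
            owners[addr].add(drv)
    return {addr: sorted(d) for addr, d in owners.items() if len(d) > 1}


def driver_handler_summary(parsed):
    """Per driver, the distinct handler addresses that are not the shared default.

    These are the entries a rootkit would redirect; each should resolve into the
    driver's own image when compared against the loaded-module list."""
    shared = set(shared_irp_handlers(parsed))
    return {drv: sorted(set(t.values()) - shared) for drv, t in parsed["irp"].items()}


def verdict(parsed):
    """'clean' only if no SDT mismatch was seen and every 'Infected ...' counter is zero."""
    infected = [v for k, v in parsed["results"].items() if k.startswith("Infected")]
    if sdt_hook_findings(parsed) or any(infected) or not infected:
        return "review"
    return "clean"


if __name__ == "__main__":
    p = parse_tdsskiller(SAMPLE_LOG)
    print("SDT mismatches:", sdt_hook_findings(p))
    print("shared handlers:", {hex(a): d for a, d in shared_irp_handlers(p).items()})
    print("driver handlers:", {d: [hex(a) for a in v] for d, v in driver_handler_summary(p).items()})
    print("verdict:", verdict(p))
```

Point `parse_tdsskiller` at a full log file instead of `SAMPLE_LOG` to get the same summary for a real scan; the verdict is deliberately conservative and says "review" whenever the counters are missing, since a log that stops before "Results:" proves nothing.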
#10 fiery

fiery
  • Topic Starter
  • Members
  • 75 posts
  • Local time:05:27 AM

Posted 15 December 2009 - 02:08 PM

Forgot to add, SysProt won't close with the red x in the upper right corner - can I click "OK" to shut it or should I just leave it up?

#11 thewall

thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:27 AM

Posted 15 December 2009 - 02:26 PM

You can go ahead and click OK. Our #1 tool that I want to use is off-line right now and I'm not sure exactly when it will be back up, so I am having to approach this in a different manner. I will be back with you a little later after I decide which way we need to proceed next.

Edited by thewall, 15 December 2009 - 02:26 PM.

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#12 fiery

fiery
  • Topic Starter
  • Members
  • 75 posts
  • Local time:05:27 AM

Posted 15 December 2009 - 02:28 PM

ok, thanks

#13 fiery

fiery
  • Topic Starter
  • Members
  • 75 posts
  • Local time:05:27 AM

Posted 15 December 2009 - 02:30 PM

Does it mean anything that even clicking OK won't get SysProt to close? It's just sitting there with the log tab up; nothing I click on in that program's window responds. I can't even switch to a different tab.

#14 thewall

thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:27 AM

Posted 15 December 2009 - 02:34 PM

It shouldn't be doing that. Can you stop it by using the Task Manager?

#15 thewall

thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:27 AM

Posted 15 December 2009 - 10:29 PM

Let me know when you are back with me and whether you got SysProt to close.