
Google Redirect


This topic is locked
16 replies to this topic

#1 GipBrown


Posted 13 December 2009 - 08:33 PM

Howdy Folks - Have run various scans with WinDefender-AVG-HouseCall-Ad-Aware-ComboFix and cannot seem to find the cause - Have searched for a solution and found such a wide variety of suggestions that I figured this would be the best place to come for assistance to combat this Google Redirect.

Here is the HijackThis Log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:02, on 12/13/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Comodo\Firewall\CPF.exe
E:\Documents and Settings\Biff\Desktop\HijackThis.exe
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = E:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EC47B9F-EDB5-4398-A2A0-C4D817C310Fa} - (no file)
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - E:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] E:\Documents and Settings\Biff\Desktop\HijackThis.exe /startupscan
O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] E:\Program Files\KeyScrambler\getting_started.html (User 'Default user')
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - E:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - E:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2122A47-76EC-4F5D-9C75-74962057A1C3}: NameServer = 208.67.222.222,208.67.222.220
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - E:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 4511 bytes

Here is the DDS.txt log


DDS (Ver_09-12-01.01) - NTFSx86
Run by Biff at 20:37:19.68 on Sun 12/13/2009
Internet Explorer: 5.00.3700.1000 BrowserJavaVersion: 1.6.0_13
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.22 [GMT -5:00]


============== Running Processes ===============

E:\WINNT\system32\spoolsv.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Comodo\Firewall\CPF.exe
E:\Documents and Settings\Biff\Desktop\HijackThis.exe
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINNT\system32\NOTEPAD.EXE
E:\Documents and Settings\Biff\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = e:\windows\system32\blank.htm
mLocal Page = e:\windows\system32\blank.htm
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1EC47B9F-EDB5-4398-A2A0-C4D817C310Fa} - No File
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - e:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [HijackThis startup scan] e:\documents and settings\biff\desktop\HijackThis.exe /startupscan
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [Malwarebytes Anti-Malware (reboot)] "e:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Windows Defender] "e:\program files\windows defender\MSASCui.exe" -hide
mRun: [COMODO Firewall Pro] "e:\program files\comodo\firewall\CPF.exe" /background
dRunOnce: [KeyScrambler] e:\program files\keyscrambler\getting_started.html
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - e:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - e:\program files\keyscrambler\KeyScramblerIE.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - e:\winnt\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\program files\spybot - search & destroy\SDHelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {F2122A47-76EC-4F5D-9C75-74962057A1C3} = 208.67.222.222,208.67.222.220
Notify: avgrsstarter - avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - e:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\biff\applic~1\mozilla\firefox\profiles\jdsgkojw.default\
FF - prefs.js: browser.startup.homepage - hxxp://slashdot.org/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: e:\documents and settings\biff\application data\mozilla\firefox\profiles\jdsgkojw.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: e:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;e:\winnt\system32\drivers\Lbd.sys [2009-6-28 64160]
R0 pavboot;pavboot;e:\winnt\system32\drivers\pavboot.sys [2009-10-18 28544]
R2 CmdAgent;Comodo Application Agent;e:\program files\comodo\firewall\cmdagent.exe [2009-11-19 361040]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;e:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 WinDefend;Windows Defender;e:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 KeyScrambler;KeyScrambler;e:\winnt\system32\drivers\keyscrambler.sys [2009-6-29 115312]

=============== Created Last 30 ================

2009-12-14 01:37:21 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_2d8.dat
2009-12-14 01:07:47 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_494.dat
2009-12-13 13:54:43 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_3d8.dat
2009-12-11 18:44:55 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_4b4.dat
2009-12-11 17:16:53 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_580.dat
2009-12-03 07:04:27 0 d-----w- E:\ComboFix
2009-11-28 20:03:48 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_220.dat
2009-11-27 23:04:12 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_3d0.dat
2009-11-25 19:38:30 1491 ----a-w- e:\documents and settings\biff\.recently-used.xbel
2009-11-25 19:35:09 0 d-----w- e:\documents and settings\biff\.thumbnails
2009-11-25 19:32:42 0 d-----w- e:\documents and settings\biff\.gimp-2.6
2009-11-25 00:21:09 0 d-----w- e:\program files\GIMP-2.0
2009-11-25 00:00:17 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_668.dat
2009-11-23 05:23:56 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_49c.dat
2009-11-21 18:59:29 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_344.dat
2009-11-20 00:55:55 0 d-----w- e:\docume~1\biff\applic~1\Comodo
2009-11-20 00:55:52 0 d-----w- e:\docume~1\alluse~1\applic~1\Comodo
2009-11-20 00:47:49 0 d-----w- e:\program files\Comodo
2009-11-20 00:38:16 0 d-----w- e:\program files\Zone Labs
2009-11-19 23:27:27 0 d---a-w- e:\winnt\Internet Logs
2009-11-19 21:58:48 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_4e4.dat
2009-11-15 20:06:56 77312 ----a-w- e:\winnt\MBR.exe

==================== Find3M ====================

2009-11-14 06:47:57 260608 ----a-w- e:\winnt\PEV.exe
2009-11-03 01:42:06 195456 ------w- e:\winnt\system32\MpSigStub.exe
2009-10-27 19:02:12 451856 ----a-w- e:\winnt\system32\WININET.DLL
2009-10-27 15:44:58 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_544.dat
2009-10-25 17:46:28 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_5a0.dat
2009-10-24 14:17:33 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_4a0.dat
2009-10-23 21:33:47 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_3f8.dat
2009-10-23 01:30:48 16384 ----atw- e:\winnt\system32\Perflib_Perfdata_538.dat
2009-10-18 18:10:12 160272 ----a-w- e:\winnt\system32\drivers\tmcomm.sys
2009-10-16 21:45:58 796944 ----a-w- e:\winnt\system32\quartz.dll
2009-10-16 20:29:51 792064 ----a-w- e:\winnt\system32\comres.dll
2009-10-16 17:48:48 33824 ----a-w- e:\winnt\system32\drivers\oreans32.sys.gip
2009-10-16 15:55:30 15688 ----a-w- e:\winnt\system32\lsdelete.exe
2009-10-13 11:17:16 64784 ----a-w- e:\winnt\system32\mswsock.dll
2009-10-09 06:21:10 61200 ----a-w- e:\winnt\system32\RASCHAP.DLL
2009-10-09 06:21:10 101136 ----a-w- e:\winnt\system32\rastls.dll
2009-10-08 13:54:56 417552 ----a-w- e:\winnt\system32\oakley.dll
2009-06-28 21:54:47 271 ---h--w- e:\program files\desktop.ini
2009-06-28 21:54:47 21952 ---h--w- e:\program files\folder.htt
2003-07-14 12:00:00 32528 ----a-w- e:\winnt\inf\wbfirdma.sys

============= FINISH: 20:37:45.54 ===============

I have attached the Attach.txt

When I ran the RootRepeal I got an error -

DeviceIoControl Error! Error Code = 0x0

Thanks One and All,

Gip Brown

Edited by GipBrown, 13 December 2009 - 09:01 PM.
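The HijackThis and DDS logs above are what the helper will triage by hand. As an added example (not code from the thread, from HijackThis or from DDS), the script below parses the O2/O17/O20 HijackThis lines and the matching DDS "BHO:"/"TCP:" lines and flags two things a reviewer looks for in a redirect complaint: registrations whose backing file is gone, and DNS servers outside the set the owner expects. The sample lines are constructed from the log formats shown above; treating the two addresses in the log as the owner's intended resolvers is an assumption.

```python
"""Triage HijackThis (HJT) and DDS pseudo-HJT log lines for a redirect complaint.

Added example; not code from the thread, HijackThis or DDS. Flags:
  * O2 / "BHO:" entries whose backing file is gone       -> orphaned registration
  * O20 Winlogon Notify entries marked "(file missing)"  -> orphaned registration
  * O17 / "TCP:" NameServer entries outside the expected resolver set
"""
import re
from dataclasses import dataclass

# Constructed sample: lines in the two formats shown in the thread (HJT, then DDS).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EC47B9F-EDB5-4398-A2A0-C4D817C310Fa} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2122A47-76EC-4F5D-9C75-74962057A1C3}: NameServer = 208.67.222.222,208.67.222.220
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
BHO: {1EC47B9F-EDB5-4398-A2A0-C4D817C310Fa} - No File
TCP: {F2122A47-76EC-4F5D-9C75-74962057A1C3} = 208.67.222.222,208.67.222.220
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"
PATTERNS = {
    # HijackThis format
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O17": re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<dll>.*?)(?P<missing> \(file missing\))?$"),
    # DDS pseudo-HJT format (name is optional, as in "BHO: {clsid} - No File")
    "BHO": re.compile(r"^BHO: (?:(?P<name>.*?): )?(?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "TCP": re.compile(r"^TCP: (?P<key>" + CLSID + r") = (?P<servers>.*)$"),
}

# How each tool marks a registration whose file no longer exists.
MISSING_MARKERS = {"(no file)", "no file"}


@dataclass(frozen=True)
class Finding:
    section: str   # log section that produced the finding: O2, O17, O20, BHO or TCP
    detail: str    # the CLSID, DLL name or server address concerned
    reason: str


def parse_line(line):
    """Return (section, match) for a recognised line, or None for anything else."""
    for section, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            return section, m
    return None


def triage(log_text, expected_resolvers):
    """Walk the log and return the entries a reviewer should confirm or remove."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        section, m = parsed
        if section in ("O2", "BHO") and m["path"].strip().lower() in MISSING_MARKERS:
            findings.append(Finding(section, m["clsid"],
                "BHO registered but its file is gone (orphaned registration, "
                "usually an uninstall leftover; confirm and remove)"))
        elif section in ("O17", "TCP"):
            servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
            for server in servers:
                if server not in expected_resolvers:
                    findings.append(Finding(section, server,
                        "DNS server not in the expected resolver set; a changed "
                        "resolver is one way search results get redirected"))
        elif section == "O20" and m["missing"]:
            findings.append(Finding(section, m["dll"],
                "Winlogon Notify DLL registered but missing on disk (orphaned registration)"))
    return findings


if __name__ == "__main__":
    # Assumption: the owner deliberately configured these two resolvers.
    for f in triage(SAMPLE_LOG, {"208.67.222.222", "208.67.222.220"}):
        print(f"[{f.section}] {f.detail}: {f.reason}")
```

Run against a full log, the same three orphaned entries appear in both the HijackThis and the DDS output; shrinking the expected-resolver set to a single address makes the O17 and TCP lines report the other one.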



#2 Buckeye_Sam

    Malware Expert


Posted 14 December 2009 - 08:56 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


#3 GipBrown (Topic Starter)

Posted 14 December 2009 - 07:30 PM

Hi Sam - Thanks for your interest.

Ran OTL and the program terminated and displayed an error -
System Restore Interface Not Present - Clicked OK after several minutes and that was that.

*Running Win2k - No Restore

Ran GMER - and here is the log-

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-14 19:20:09
Windows 5.0.2195 Service Pack 4
Running: 713dwdfr.exe; Driver: E:\DOCUME~1\Biff\LOCALS~1\Temp\kxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwConnectPort [0xBDB2F102]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateFile [0xBDB313EE]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xED03087E]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreatePort [0xBDB2F05C]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateSection [0xBDB2FAE0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateThread [0xBDB2ED36]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteFile [0xBDB30DAA]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteKey [0xBDB2FF5C]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteValueKey [0xBDB2FE76]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwOpenProcess [0xBDB2FC30]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwOpenSection [0xBDB2FA10]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwOpenThread [0xBDB2FD4C]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetContextThread [0xBDB2EBD8]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetInformationFile [0xBDB30EDA]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetValueKey [0xBDB2F29A]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwShutdownSystem [0xBDB3003C]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwTerminateProcess [0xBDB2EF96]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwWriteFile [0xBDB3123E]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwWriteFileGather [0xBDB310B0]

---- User code sections - GMER 1.0.15 ----

.text E:\Program Files\Comodo\Firewall\CPF.exe[880] ntdll.dll!LdrLoadDll 77F85B2C 6 Bytes JMP 5F05001E
.text E:\Program Files\Comodo\Firewall\CPF.exe[880] kernel32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F08001E

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [ED0436D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [ED043730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [ED043950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [ED043910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [ED043910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [ED043950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [ED043730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [ED0436D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [ED043910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [ED043730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [ED0436D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [ED043950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [ED043910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [ED0436D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [ED043730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)

---- User IAT/EAT - GMER 1.0.15 ----

IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [4AD84C9A] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\MSVCRT.dll [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\MSVCRT.dll [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\MSVCRT.dll [KERNEL32.dll!CreateProcessA] [4AD84AE3] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\MSVCRT.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WININET.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHELL32.DLL [USER32.dll!GetSysColor] [63601FC4] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHELL32.DLL [USER32.dll!DefWindowProcW] [63602065] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHELL32.DLL [USER32.dll!TrackPopupMenu] [636015C8] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHELL32.DLL [USER32.dll!TrackPopupMenuEx] [636015EF] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHELL32.DLL [KERNEL32.dll!LoadLibraryExW] [63602B3E] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHELL32.DLL [KERNEL32.dll!LoadLibraryA] [63602A5B] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\SHELL32.DLL [KERNEL32.dll!LoadLibraryW] [63602AA2] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service E:\WINNT\system32\MSTask.exe? (*** hidden *** ) [DISABLED] Schedule <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

The program ended and indicated there is evidence of a rootkit.

Thanks and I'll await your response.
Gip

#4 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 15 December 2009 - 07:54 AM

Try running OTL again, but this time remove the last line, "CREATERESTOREPOINT" from the custom scan.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 GipBrown (Topic Starter)

Posted 15 December 2009 - 10:27 AM

Hi Sam - The OTL app will not launch -

When I double-click it -
System Restore Interface Not Present.

The only option available is - OK

Click OK and the app is done

#6 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 15 December 2009 - 05:10 PM

Ok.
We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


#7 GipBrown (Topic Starter)

Posted 15 December 2009 - 09:19 PM

Alrighty Sam - Here is the log file from TDSSKiller -

"Old windows version"
20:23:2:109 1736 ForceUnloadDriver: NtUnloadDriver error 2
20:23:2:671 1736 ForceUnloadDriver: NtUnloadDriver error 2
20:23:2:671 1736 ForceUnloadDriver: NtUnloadDriver error 2
20:23:2:812 1736 main: Driver KLMD successfully dropped
20:23:2:937 1736 main: Driver KLMD successfully loaded
20:23:2:937 1736
Scanning Registry ...
20:23:2:953 1736 ScanServices: Searching service UACd.sys
20:23:2:953 1736 ScanServices: Open/Create key error 2
20:23:2:953 1736 ScanServices: Searching service TDSSserv.sys
20:23:2:953 1736 ScanServices: Open/Create key error 2
20:23:2:953 1736 ScanServices: Searching service gaopdxserv.sys
20:23:2:953 1736 ScanServices: Open/Create key error 2
20:23:2:953 1736 ScanServices: Searching service gxvxcserv.sys
20:23:2:953 1736 ScanServices: Open/Create key error 2
20:23:2:953 1736 ScanServices: Searching service MSIVXserv.sys
20:23:2:953 1736 ScanServices: Open/Create key error 2
20:23:2:984 1736 UnhookRegistry: Kernel module file name: E:\winnt\system32\ntoskrnl.exe, base addr: 80400000
20:23:3:15 1736 UnhookRegistry: Kernel local addr: 900000
20:23:3:31 1736 UnhookRegistry: KeServiceDescriptorTable addr: 9808E0
20:23:3:156 1736 UnhookRegistry: KiServiceTable addr: 9721E8
20:23:3:156 1736 UnhookRegistry: NtEnumerateKey service number (local): 3C
20:23:3:156 1736 UnhookRegistry: NtEnumerateKey local addr: A1263E
20:23:3:187 1736 KLMD_OpenDevice: Trying to open KLMD device
20:23:3:187 1736 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
20:23:3:187 1736 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
20:23:3:187 1736 KLMD_ReadMem: Trying to ReadMemory 0x8042FC31[0x4]
20:23:3:187 1736 UnhookRegistry: NtEnumerateKey service number (kernel): 3C
20:23:3:187 1736 KLMD_ReadMem: Trying to ReadMemory 0x804722D8[0x4]
20:23:3:187 1736 UnhookRegistry: NtEnumerateKey real addr: 8051263E
20:23:3:187 1736 UnhookRegistry: NtEnumerateKey calc addr: 8051263E
20:23:3:187 1736 UnhookRegistry: No SDT hooks found on NtEnumerateKey
20:23:3:187 1736 KLMD_ReadMem: Trying to ReadMemory 0x8051263E[0xA]
20:23:3:187 1736 UnhookRegistry: No splicing found on NtEnumerateKey
20:23:3:203 1736
Scanning Kernel memory ...
20:23:3:203 1736 KLMD_OpenDevice: Trying to open KLMD device
20:23:3:203 1736 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
20:23:3:203 1736 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:23:3:203 1736 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 81810730
20:23:3:203 1736 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
20:23:3:203 1736 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 81884D90
20:23:3:203 1736 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81884D90
20:23:3:203 1736 KLMD_ReadMem: Trying to ReadMemory 0x81884D90[0x38]
20:23:3:203 1736 DetectCureTDL3: DRIVER_OBJECT addr: 81810730
20:23:3:203 1736 KLMD_ReadMem: Trying to ReadMemory 0x81810730[0xA8]
20:23:3:203 1736 KLMD_ReadMem: Trying to ReadMemory 0xE132F208[0x208]
20:23:3:203 1736 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:23:3:203 1736 DetectCureTDL3: IrpHandler (0) addr: ED02692C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (2) addr: ED02692C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (3) addr: ED020A7F
20:23:3:203 1736 DetectCureTDL3: IrpHandler (4) addr: ED020A7F
20:23:3:203 1736 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (9) addr: ED022A2F
20:23:3:203 1736 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
20:23:3:203 1736 DetectCureTDL3: IrpHandler (14) addr: ED022127
20:23:3:218 1736 DetectCureTDL3: IrpHandler (15) addr: ED022AC3
20:23:3:218 1736 DetectCureTDL3: IrpHandler (16) addr: ED022A2F
20:23:3:218 1736 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
20:23:3:218 1736 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
20:23:3:218 1736 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
20:23:3:218 1736 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
20:23:3:218 1736 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
20:23:3:218 1736 DetectCureTDL3: IrpHandler (22) addr: ED02345F
20:23:3:218 1736 DetectCureTDL3: IrpHandler (23) addr: ED0264FE
20:23:3:218 1736 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
20:23:3:218 1736 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
20:23:3:218 1736 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
20:23:3:218 1736 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
20:23:3:218 1736 KLMD_ReadMem: DeviceIoControl error 1
20:23:3:218 1736 TDL3_StartIoHookDetect: Unable to get StartIo handler code
20:23:3:218 1736 TDL3_FileDetect: Processing driver: Disk
20:23:3:218 1736 TDL3_FileDetect: Parameters: E:\WINNT\system32\drivers\disk.sys, E:\WINNT\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
20:23:3:218 1736 TDL3_FileDetect: Processing driver file: E:\WINNT\system32\drivers\disk.sys
20:23:3:218 1736 KLMD_CreateFileW: Trying to open file E:\WINNT\system32\drivers\disk.sys
20:23:3:359 1736 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8181C550
20:23:3:359 1736 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8181C550
20:23:3:359 1736 KLMD_ReadMem: Trying to ReadMemory 0x8181C550[0x38]
20:23:3:359 1736 DetectCureTDL3: DRIVER_OBJECT addr: 81810730
20:23:3:359 1736 KLMD_ReadMem: Trying to ReadMemory 0x81810730[0xA8]
20:23:3:359 1736 KLMD_ReadMem: Trying to ReadMemory 0xE132F208[0x208]
20:23:3:359 1736 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:23:3:359 1736 DetectCureTDL3: IrpHandler (0) addr: ED02692C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (2) addr: ED02692C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (3) addr: ED020A7F
20:23:3:359 1736 DetectCureTDL3: IrpHandler (4) addr: ED020A7F
20:23:3:359 1736 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (9) addr: ED022A2F
20:23:3:359 1736 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (14) addr: ED022127
20:23:3:359 1736 DetectCureTDL3: IrpHandler (15) addr: ED022AC3
20:23:3:359 1736 DetectCureTDL3: IrpHandler (16) addr: ED022A2F
20:23:3:359 1736 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (22) addr: ED02345F
20:23:3:359 1736 DetectCureTDL3: IrpHandler (23) addr: ED0264FE
20:23:3:359 1736 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
20:23:3:359 1736 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
20:23:3:359 1736 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
20:23:3:375 1736 KLMD_ReadMem: DeviceIoControl error 1
20:23:3:375 1736 TDL3_StartIoHookDetect: Unable to get StartIo handler code
20:23:3:375 1736 TDL3_FileDetect: Processing driver: Disk
20:23:3:375 1736 TDL3_FileDetect: Parameters: E:\WINNT\system32\drivers\disk.sys, E:\WINNT\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
20:23:3:375 1736 TDL3_FileDetect: Processing driver file: E:\WINNT\system32\drivers\disk.sys
20:23:3:375 1736 KLMD_CreateFileW: Trying to open file E:\WINNT\system32\drivers\disk.sys
20:23:3:375 1736 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8181C030
20:23:3:375 1736 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8181C030
20:23:3:375 1736 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 81810AF0
20:23:3:375 1736 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81810AF0
20:23:3:375 1736 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 81810030
20:23:3:375 1736 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81810030
20:23:3:375 1736 KLMD_ReadMem: Trying to ReadMemory 0x81810030[0x38]
20:23:3:375 1736 DetectCureTDL3: DRIVER_OBJECT addr: 8187C730
20:23:3:375 1736 KLMD_ReadMem: Trying to ReadMemory 0x8187C730[0xA8]
20:23:3:375 1736 KLMD_ReadMem: Trying to ReadMemory 0xE1371928[0x208]
20:23:3:375 1736 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
20:23:3:375 1736 DetectCureTDL3: IrpHandler (0) addr: BFF8D132
20:23:3:375 1736 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
20:23:3:375 1736 DetectCureTDL3: IrpHandler (2) addr: BFF8D132
20:23:3:375 1736 DetectCureTDL3: IrpHandler (3) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (4) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (9) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (14) addr: BFF8D148
20:23:3:390 1736 DetectCureTDL3: IrpHandler (15) addr: BFF88B5C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (16) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (22) addr: BFF8D168
20:23:3:390 1736 DetectCureTDL3: IrpHandler (23) addr: BFF92FD0
20:23:3:390 1736 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
20:23:3:390 1736 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
20:23:3:390 1736 KLMD_ReadMem: Trying to ReadMemory 0xBFF890DA[0x400]
20:23:3:390 1736 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 343, 0
20:23:3:390 1736 TDL3_FileDetect: Processing driver: atapi
20:23:3:390 1736 TDL3_FileDetect: Parameters: E:\WINNT\system32\drivers\atapi.sys, E:\WINNT\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
20:23:3:390 1736 TDL3_FileDetect: Processing driver file: E:\WINNT\system32\drivers\atapi.sys
20:23:3:390 1736 KLMD_CreateFileW: Trying to open file E:\WINNT\system32\drivers\atapi.sys
20:23:4:46 1736
Completed

Results:
20:23:4:46 1736 Infected objects in memory: 0
20:23:4:62 1736 Cured objects in memory: 0
20:23:4:62 1736 Infected objects on disk: 0
20:23:4:62 1736 Objects on disk cured on reboot: 0
20:23:4:62 1736 Objects on disk deleted on reboot: 0
20:23:4:62 1736 Registry nodes deleted on reboot: 0
20:23:4:62 1736


Your attention is greatly appreciated.

If I may ask - I know you are busy but I am very interested -
Can you explain what these apps we are running do?
Just wondering how to interpret these logs -
Gip
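For anyone reading along who wants to see how a helper skims logs like the GMER and TDSSKiller output above, here is an added Python example. It is not code from this thread, from GMER or from Kaspersky's TDSSKiller; it is a small parser that pulls the three things a reviewer looks at first: which modules are patching import tables (the GMER "IAT" lines), any service GMER marks as "*** hidden ***", and the numeric "Results:" counters at the end of a TDSSKiller log. The sample lines are copied from the logs above, except the fourth IAT line, which is constructed with a placeholder module that carries no version information so the unknown-vendor path gets exercised. The vendor allowlist and the review ordering are my assumptions, not anything GMER or TDSSKiller does.

```python
import re
from collections import Counter

# Constructed sample in the shape of the GMER output posted above. Lines 1-3 are copied
# from the thread; line 4 is a constructed entry whose target file has no version info
# (GMER then prints nothing in parentheses); line 5 is the hidden-service line.
SAMPLE_GMER = r"""IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\MSVCRT.dll [KERNEL32.dll!GetProcAddress] [732E771E] E:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\MSVCRT.dll [KERNEL32.dll!CreateProcessA] [4AD84AE3] E:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1516] @ E:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] E:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT E:\WINNT\Explorer.EXE[984] @ E:\WINNT\system32\WININET.DLL [WS2_32.dll!send] [00000000] E:\WINNT\system32\CONSTRUCTED_no_version_info.dll
Service E:\WINNT\system32\MSTask.exe? (*** hidden *** ) [DISABLED] Schedule <-- ROOTKIT !!!
"""

# Constructed sample of the "Results:" block at the end of the TDSSKiller log above.
SAMPLE_TDSS = """20:23:4:46 1736 Infected objects in memory: 0
20:23:4:62 1736 Cured objects in memory: 0
20:23:4:62 1736 Infected objects on disk: 0
20:23:4:62 1736 Objects on disk cured on reboot: 0
"""

# IAT <process>[pid] @ <module> [<import dll>!<function>] [<addr>] <target> (<desc>/<vendor>)
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<import_dll>[^!\]]+)!(?P<function>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] "
    r"(?P<target>.+?)(?: \((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?$"
)
HIDDEN_SERVICE_RE = re.compile(r"^Service (?P<image>.+?) \(\*\*\* hidden \*\*\*\s*\)")
TDSS_RESULT_RE = re.compile(r"^\d+:\d+:\d+:\d+ \d+ (?P<key>[A-Za-z ]+?): (?P<value>\d+)\s*$")


def parse_iat_hooks(text):
    """One dict per GMER 'IAT' line; vendor is None when GMER printed no version info."""
    hooks = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def hooks_by_target(hooks):
    """Count hooks per target module: a quick view of who is patching import tables."""
    return Counter(h["target"] for h in hooks)


def hooks_to_review(hooks, trusted_vendors=frozenset({"Microsoft Corporation"})):
    """Hooks whose target has no version info or an untrusted vendor string.
    Version info is trivially forgeable, so this orders the review; it is not a verdict."""
    return [h for h in hooks if h["vendor"] is None or h["vendor"] not in trusted_vendors]


def find_hidden_services(text):
    """Services GMER found in the kernel but not through the normal registry view."""
    return [m.group("image") for m in map(HIDDEN_SERVICE_RE.match, text.splitlines()) if m]


def parse_tdsskiller_results(text):
    """Map each 'Results:' counter in a TDSSKiller log to its integer value."""
    results = {}
    for line in text.splitlines():
        m = TDSS_RESULT_RE.match(line.strip())
        if m:
            results[m.group("key")] = int(m.group("value"))
    return results


def triage(gmer_text, tdss_text):
    """Summarise both logs: anything hidden or non-zero is looked at first."""
    hooks = parse_iat_hooks(gmer_text)
    tdss = parse_tdsskiller_results(tdss_text)
    return {
        "iat_hooks": len(hooks),
        "hooks_by_target": hooks_by_target(hooks),
        "review": [f'{h["target"]} hooks {h["import_dll"]}!{h["function"]} in {h["process"]}'
                   for h in hooks_to_review(hooks)],
        "hidden_services": find_hidden_services(gmer_text),
        "tdsskiller_nonzero": {k: v for k, v in tdss.items() if v},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GMER, SAMPLE_TDSS).items():
        print(f"{key}: {value}")
```

Run against the real logs, the IAT section above resolves almost entirely to shim.dll and AcLayers.DLL, which GMER itself labels as the Microsoft shim engine, plus Yahoo's skinning DLL in Yahoo Messenger; that is consistent with Sam's reading that nothing there looks like an active infection. The two items the script surfaces for a closer look are exactly the ones a helper would check first: the service GMER flagged as hidden, and whether any TDSSKiller counter is non-zero (here they are all 0).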

#8 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 16 December 2009 - 08:05 AM

The logs that you have posted don't show any sign of an active infection. That's not uncommon in the case of a rootkit infection, but we do need to be able to identify what's causing your redirection. So the tools that we're running are being used to try to do that.

Does this redirection happen if you use IE?
Or does it appear to be just a Firefox issue?

#9 GipBrown (Topic Starter)

Posted 16 December 2009 - 01:01 PM

Firefox -
Did a search for popeye and went to -
http://www.searchfindsite.com/6924/search....353&cid=BPO

Was supposed to go to -
www.imdb.com/title/tt0081353/

another goes to -
http://www.allgive.com/alt/results.php?sea...a14&cid=BPO

Was supposed to go to -
www.toonopedia.com/popeye.htm

If I go to the cached site it works as it should

IE seems to work fine although I don't like to use IE.

A point to note maybe -
Comodo firewall comes up with Win32 Services Internet requests (Application svchost.exe Parent SERVICES.EXE)
I ignore them (just drag the Alert to the bottom of the screen) as I'm sure it is part of the problem and the alert will go away for a while and reappear.
The one staring at me now is for 65.55.27.220 Port : http(80) TCP
It goes away and another for 65.55.200.155 Port : http(80) TCP comes up

Thanks,
Gip

#10 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 16 December 2009 - 06:09 PM

Open Firefox and click Tools -> Add-ons.
Select the Extensions tab.
Let me know what extensions you have installed.

#11 GipBrown (Topic Starter)

Posted 16 December 2009 - 07:23 PM

BitDefender Quick Scanner 0.9.8.2

Flashblock 1.5.11.2

Java Quick Starter 1.0

Kaspersky URL Advisor 9.0.0.463

KeyScrambler 2.6.0.0

URL Cache 1.0

#12 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 17 December 2009 - 08:46 AM

Disable this extension.

URL Cache 1.0

Try a few searches and let me know if you are still being redirected.

#13 GipBrown (Topic Starter)

Posted 17 December 2009 - 09:42 AM

Hi Sam - Seems to be working with URL Cache disabled -

#14 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 17 December 2009 - 07:39 PM

I had a feeling it would. :(

Now we'll remove OTL and some of the other tools we've used.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :)

#15 GipBrown (Topic Starter)

Posted 17 December 2009 - 09:38 PM

Hi Sam - What is the problem with URL Cache 1.0?
Should it be uninstalled?

You feel the machine is clean now?
The PC is running horribly slow and the CPU usage is off the chart -
I am still seeing way too many svchost.exe processes running and keep seeing them trying to access the Internet.



