
redirecting links, MBAM won't run, can't use safe mode


17 replies to this topic

#1 JaredS

  • Members
  • 22 posts

Posted 13 December 2009 - 10:38 PM

OK, this all started 2 days ago when I got some rogue anti-spyware and links were being redirected, and my desktop was replaced with some critical warning thing that disabled changing my desktop, and that big red circle with the white X inside, which blocked the use of the Task Manager. Anyway, I updated and ran MBAM; I thought I got rid of it, but the red circle came back after a few hours, only this time it disabled MBAM and the Task Manager, so I used CA Antivirus, which hasn't been updated for months because of a virus a while ago that disabled it. CA got rid of the task list virus, so I terminated a bunch of .exe's that had been created just today and the red circle disappeared. So now the rogue anti-spyware and red circle are gone, but I have Active Desktop Recovery, which I can't change, and random anti-spyware pop-ups and redirecting are still happening, all while I can't run MBAM in normal mode or in safe mode (because I get some blue screen that says an error message). CAN ANYONE HELP WITH THIS PROBLEM?!


#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,946 posts
  • Location:Bloomington, IN

Posted 13 December 2009 - 10:53 PM

I am moving this from the XP forum to the Am I Infected forum. ~ OB

#3 JaredS

  • Topic Starter
  • Members
  • 22 posts

Posted 14 December 2009 - 04:46 PM

OK, I'm making some progress. I downloaded and ran rkill, then downloaded SUPERAntiSpyware and it deleted like a ton of things, but I still can't get MBAM to work (I tried changing the name of everything, but it always says unable to locate mbam.exe afterwards, and I can't figure out how to change that name before I install), and all links are being hijacked to uniquesearch8 stuff, and I still have Active Desktop Recovery from that critical warning screensaver that got downloaded (it disabled my ability to change it back or delete it).

#4 JaredS

  • Topic Starter
  • Members
  • 22 posts

Posted 14 December 2009 - 07:01 PM

Got MBAM to work. Here's the log:

Malwarebytes' Anti-Malware 1.42
Database version: 3361
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/14/2009 5:59:46 PM
mbam-log-2009-12-14 (17-59-46).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 151865
Time elapsed: 35 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 15
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fastnetsrv (Backdoor.Refpron) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BtwSrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fefayuruy (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7e8dfc8-4451-4452-bb14-3a473f9c153b}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,192.168.254.254 192.168.254.254 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zahenese.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guesswhat\Local Settings\Temporary Internet Files\Content.IE5\8RRSXH3U\SetupIS2010[1].exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guesswhat\Local Settings\Temporary Internet Files\Content.IE5\MZOAUZU5\SetupIS2010[1].exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guesswhat\Local Settings\Temporary Internet Files\Content.IE5\YSFU6DUQ\SetupIS2010[1].exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR10.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jyjrjnrtm.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\n7ivmr0.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guesswhat\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guesswhat\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guesswhat\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guesswhat\Local Settings\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


I'll reboot and see how my computer is doing.
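The log in post #4 carries the three things a responder would pull out of any MBAM report of this vintage: a NameServer value pointing at a resolver the user never configured (a DNS hijack, which is what turns every link into a redirect), Explorer and Active Desktop policy values forced to 1 (the lockout of Folder Options and the wallpaper), and Security Center update notifications switched off. The Python below is an added example, not part of the thread and not Malwarebytes' own tooling. It parses "Registry Data Items" lines in the format posted above (four of them copied from the log as constructed sample input), groups them into those three buckets, and for the NameServer entry separates the rogue resolver from the ones the machine would be expected to use. The TRUSTED_RESOLVERS set is an assumption for illustration; in a real triage it would come from the site's DHCP or documented resolver list.

```python
"""Triage helper for a Malwarebytes' Anti-Malware (MBAM) log.

Added example, not MBAM's own code. It classifies the "Registry Data Items"
lines of an MBAM log into DNS hijack, UI lockout and Security Center
tampering, and lists the rogue resolvers from a hijacked NameServer value.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: four lines copied from the MBAM log in post #4.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7e8dfc8-4451-4452-bb14-3a473f9c153b}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,192.168.254.254 192.168.254.254 -> Quarantined and deleted successfully.
"""

# Assumption for the example: the resolvers this machine is expected to use
# (the ISP/public one and the home router). Anything else public is rogue.
TRUSTED_RESOLVERS = {"4.2.2.1", "192.168.254.254"}

# "<key> (<detection family>) -> <rest>"; the key may contain spaces.
LINE_RE = re.compile(r"^(?P<key>HK.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> ")


@dataclass
class Finding:
    key: str
    family: str
    category: str                    # dns_hijack | ui_lockout | security_center | other
    rogue_resolvers: list = field(default_factory=list)


def rogue_resolvers(data: str) -> list:
    """Resolver addresses that are neither trusted nor RFC 1918, deduplicated, in order."""
    seen, rogue = set(), []
    for token in re.split(r"[,\s]+", data.strip()):   # MBAM prints both ',' and ' ' separators
        if not token or token in seen:
            continue
        seen.add(token)
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            rogue.append(token)      # not an IP address at all: treat as suspicious
            continue
        if token not in TRUSTED_RESOLVERS and not addr.is_private:
            rogue.append(token)
    return rogue


def classify(key: str) -> str:
    """Bucket a registry path by what the attacker was trying to achieve with it."""
    k = key.lower()
    if k.endswith("\\nameserver"):
        return "dns_hijack"
    if "\\policies\\" in k:
        return "ui_lockout"
    if "\\security center\\" in k:
        return "security_center"
    return "other"


def triage(log_text: str) -> list:
    """Parse every registry-data line in the log into a Finding."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, family, rest = m.group("key", "family", "rest")
        finding = Finding(key=key, family=family, category=classify(key))
        if finding.category == "dns_hijack":
            d = DATA_RE.match(rest)
            finding.rogue_resolvers = rogue_resolvers(d.group("data")) if d else []
        findings.append(finding)
    return findings


def summarize(findings) -> dict:
    """Count findings per category, e.g. {'dns_hijack': 1, 'ui_lockout': 2, ...}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        extra = f" rogue={f.rogue_resolvers}" if f.rogue_resolvers else ""
        print(f"{f.category:16} {f.family:28} {f.key}{extra}")
```

Run against the sample, the NameServer line yields a single rogue resolver, 193.104.110.38, while 4.2.2.1 and the router address pass; the two Policies entries and the Security Center entry land in their own buckets. The point of separating them is that each bucket has a different verification step after cleanup: re-read the interface's NameServer value (and the DHCP lease) for the first, open Folder Options and Display Properties for the second, and check that Security Center alerts are back for the third.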

#5 JaredS

  • Topic Starter
  • Members
  • 22 posts

Posted 14 December 2009 - 07:22 PM

OK, everything I had a problem with I managed to fix myself now, except the links being redirected to random pages. I need help to get rid of it.

#6 Computer Pro

  • Members
  • 2,448 posts

Posted 14 December 2009 - 07:27 PM

Hello and welcome to Bleeping Computer

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Finally, press submit.


Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to download the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Computer Pro

#7 JaredS

  • Topic Starter
  • Members
  • 22 posts

Posted 18 December 2009 - 05:57 PM

OK, I ran Dr. Web in fast mode and it found and deleted 1 item. Then I ran a full scan and about halfway through, processes started encountering problems and closed, like svchost and some system32 thing, and my PC forced a restart, but now the redirecting and random pop-ups seem to have stopped, so I don't know if Dr. Web got it or it's just hiding, or where I go from here.

#8 Computer Pro

  • Members
  • 2,448 posts

Posted 18 December 2009 - 06:44 PM

Please try to run Dr. Web again.
Computer Pro

#9 JaredS

  • Topic Starter
  • Members
  • 22 posts

Posted 19 December 2009 - 12:38 PM

The pop-ups came back. Hopefully these things were what caused it; only time will tell.

Process in memory: C:\WINDOWS\system32\svchost.exe:212;;BackDoor.Tdss.565;Eradicated.;
02069015.FIL;C:\$VAULT$.AVG;Probably Trojan.Packed.375;Incurable.Deleted.;

#10 JaredS

  • Topic Starter
  • Members
  • 22 posts

Posted 19 December 2009 - 12:40 PM

Nope, didn't work.

#11 Computer Pro

  • Members
  • 2,448 posts

Posted 19 December 2009 - 10:32 PM

Then let's update Malwarebytes by going to the "Update" tab, and then rerun a Quick scan and post back the log.
Computer Pro

#12 AustrAlien

    Inquisitor

  • Members
  • 6,772 posts
  • Location:Cowra NSW Australia

Posted 20 December 2009 - 01:29 AM

Process in memory: C:\WINDOWS\system32\svchost.exe:212;;BackDoor.Tdss.565;Eradicated.;

You may need to run Kaspersky's TDSSKiller to deal with the above-mentioned infection, and that will hopefully take care of most of the issues that remain with your system.

* Download TDSSKiller and save it to your Desktop.
* Extract (right-click > "Extract all") its contents to your Desktop.
* Ensure that TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
* Go to Start > Run and then copy and paste the following into the text field.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

* Then click "OK".
* Note: You may see "Hidden service detected". DO NOT type anything in: Press <ENTER> on your keyboard to continue.
* When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". (C:\TDSSKiller.txt)
* Please copy and paste the entire contents of that file in your next post.

Please let us know how your system is running now, and whether any issues remain to be resolved.
AustrAlien
Google is my friend. Make Google your friend too.


#13 JaredS

  • Topic Starter
  • Members
  • 22 posts

Posted 25 December 2009 - 11:15 AM

10:03:21:500 3308 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
10:03:21:500 3308 ================================================================================
10:03:21:500 3308 SystemInfo:

10:03:21:500 3308 OS Version: 5.1.2600 ServicePack: 3.0
10:03:21:500 3308 Product type: Workstation
10:03:21:500 3308 ComputerName: GUESSWHA-1KS995
10:03:21:500 3308 UserName: Guesswhat
10:03:21:500 3308 Windows directory: C:\WINDOWS
10:03:21:500 3308 Processor architecture: Intel x86
10:03:21:500 3308 Number of processors: 1
10:03:21:500 3308 Page size: 0x1000
10:03:21:515 3308 Boot type: Normal boot
10:03:21:515 3308 ================================================================================
10:03:21:609 3308 ForceUnloadDriver: NtUnloadDriver error 2
10:03:21:609 3308 ForceUnloadDriver: NtUnloadDriver error 2
10:03:21:609 3308 ForceUnloadDriver: NtUnloadDriver error 2
10:03:21:609 3308 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
10:03:21:609 3308 main: Driver KLMD successfully dropped
10:03:21:828 3308 main: Driver KLMD successfully loaded
10:03:21:828 3308
Scanning Registry ...
10:03:21:843 3308 ScanServices: Searching service UACd.sys
10:03:21:843 3308 ScanServices: Open/Create key error 2
10:03:21:843 3308 ScanServices: Searching service TDSSserv.sys
10:03:21:843 3308 ScanServices: Open/Create key error 2
10:03:21:843 3308 ScanServices: Searching service gaopdxserv.sys
10:03:21:843 3308 ScanServices: Open/Create key error 2
10:03:21:843 3308 ScanServices: Searching service gxvxcserv.sys
10:03:21:843 3308 ScanServices: Open/Create key error 2
10:03:21:843 3308 ScanServices: Searching service MSIVXserv.sys
10:03:21:843 3308 ScanServices: Open/Create key error 2
10:03:21:875 3308 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
10:03:21:875 3308 UnhookRegistry: Kernel local addr: E40000
10:03:21:890 3308 UnhookRegistry: KeServiceDescriptorTable addr: EC3220
10:03:22:015 3308 UnhookRegistry: KiServiceTable addr: E4B6A8
10:03:22:031 3308 UnhookRegistry: NtEnumerateKey service number (local): 47
10:03:22:031 3308 UnhookRegistry: NtEnumerateKey local addr: EDC5A4
10:03:22:046 3308 KLMD_OpenDevice: Trying to open KLMD device
10:03:22:046 3308 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
10:03:22:046 3308 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
10:03:22:046 3308 KLMD_ReadMem: Trying to ReadMemory 0x804DCC49[0x4]
10:03:22:046 3308 UnhookRegistry: NtEnumerateKey service number (kernel): 47
10:03:22:046 3308 KLMD_ReadMem: Trying to ReadMemory 0x804E27C4[0x4]
10:03:22:046 3308 UnhookRegistry: NtEnumerateKey real addr: 805735A4
10:03:22:046 3308 UnhookRegistry: NtEnumerateKey calc addr: 805735A4
10:03:22:046 3308 UnhookRegistry: No SDT hooks found on NtEnumerateKey
10:03:22:046 3308 KLMD_ReadMem: Trying to ReadMemory 0x805735A4[0xA]
10:03:22:046 3308 UnhookRegistry: No splicing found on NtEnumerateKey
10:03:22:046 3308
Scanning Kernel memory ...
10:03:22:046 3308 KLMD_OpenDevice: Trying to open KLMD device
10:03:22:046 3308 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
10:03:22:046 3308 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
10:03:22:046 3308 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82F96CC0
10:03:22:046 3308 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
10:03:22:046 3308 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 82F71030
10:03:22:046 3308 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F71030
10:03:22:046 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F71030[0x38]
10:03:22:046 3308 DetectCureTDL3: DRIVER_OBJECT addr: 82F96CC0
10:03:22:046 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F96CC0[0xA8]
10:03:22:046 3308 KLMD_ReadMem: Trying to ReadMemory 0xE18EE308[0x208]
10:03:22:046 3308 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:03:22:046 3308 DetectCureTDL3: IrpHandler (0) addr: F8508BB0
10:03:22:046 3308 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (2) addr: F8508BB0
10:03:22:046 3308 DetectCureTDL3: IrpHandler (3) addr: F8502D1F
10:03:22:046 3308 DetectCureTDL3: IrpHandler (4) addr: F8502D1F
10:03:22:046 3308 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (9) addr: F85032E2
10:03:22:046 3308 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (14) addr: F85033BB
10:03:22:046 3308 DetectCureTDL3: IrpHandler (15) addr: F8506F28
10:03:22:046 3308 DetectCureTDL3: IrpHandler (16) addr: F85032E2
10:03:22:046 3308 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (22) addr: F8504C82
10:03:22:046 3308 DetectCureTDL3: IrpHandler (23) addr: F850999E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
10:03:22:046 3308 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
10:03:22:046 3308 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
10:03:22:046 3308 KLMD_ReadMem: DeviceIoControl error 1
10:03:22:046 3308 TDL3_StartIoHookDetect: Unable to get StartIo handler code
10:03:22:046 3308 TDL3_FileDetect: Processing driver: Disk
10:03:22:046 3308 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
10:03:22:046 3308 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
10:03:22:046 3308 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
10:03:22:093 3308 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 82F728A0
10:03:22:093 3308 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F728A0
10:03:22:093 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F728A0[0x38]
10:03:22:093 3308 DetectCureTDL3: DRIVER_OBJECT addr: 82F96CC0
10:03:22:093 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F96CC0[0xA8]
10:03:22:093 3308 KLMD_ReadMem: Trying to ReadMemory 0xE18EE308[0x208]
10:03:22:093 3308 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:03:22:093 3308 DetectCureTDL3: IrpHandler (0) addr: F8508BB0
10:03:22:093 3308 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
10:03:22:093 3308 DetectCureTDL3: IrpHandler (2) addr: F8508BB0
10:03:22:093 3308 DetectCureTDL3: IrpHandler (3) addr: F8502D1F
10:03:22:093 3308 DetectCureTDL3: IrpHandler (4) addr: F8502D1F
10:03:22:093 3308 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
10:03:22:093 3308 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
10:03:22:093 3308 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
10:03:22:093 3308 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
10:03:22:093 3308 DetectCureTDL3: IrpHandler (9) addr: F85032E2
10:03:22:093 3308 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
10:03:22:093 3308 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
10:03:22:093 3308 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
10:03:22:093 3308 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
10:03:22:093 3308 DetectCureTDL3: IrpHandler (14) addr: F85033BB
10:03:22:093 3308 DetectCureTDL3: IrpHandler (15) addr: F8506F28
10:03:22:093 3308 DetectCureTDL3: IrpHandler (16) addr: F85032E2
10:03:22:093 3308 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
10:03:22:125 3308 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
10:03:22:125 3308 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
10:03:22:125 3308 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
10:03:22:125 3308 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
10:03:22:125 3308 DetectCureTDL3: IrpHandler (22) addr: F8504C82
10:03:22:125 3308 DetectCureTDL3: IrpHandler (23) addr: F850999E
10:03:22:125 3308 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
10:03:22:125 3308 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
10:03:22:125 3308 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
10:03:22:125 3308 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
10:03:22:125 3308 KLMD_ReadMem: DeviceIoControl error 1
10:03:22:125 3308 TDL3_StartIoHookDetect: Unable to get StartIo handler code
10:03:22:125 3308 TDL3_FileDetect: Processing driver: Disk
10:03:22:125 3308 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
10:03:22:125 3308 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
10:03:22:125 3308 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
10:03:22:140 3308 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 82F72C68
10:03:22:140 3308 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F72C68
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F72C68[0x38]
10:03:22:140 3308 DetectCureTDL3: DRIVER_OBJECT addr: 82F96CC0
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F96CC0[0xA8]
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0xE18EE308[0x208]
10:03:22:140 3308 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:03:22:140 3308 DetectCureTDL3: IrpHandler (0) addr: F8508BB0
10:03:22:140 3308 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (2) addr: F8508BB0
10:03:22:140 3308 DetectCureTDL3: IrpHandler (3) addr: F8502D1F
10:03:22:140 3308 DetectCureTDL3: IrpHandler (4) addr: F8502D1F
10:03:22:140 3308 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (9) addr: F85032E2
10:03:22:140 3308 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (14) addr: F85033BB
10:03:22:140 3308 DetectCureTDL3: IrpHandler (15) addr: F8506F28
10:03:22:140 3308 DetectCureTDL3: IrpHandler (16) addr: F85032E2
10:03:22:140 3308 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (22) addr: F8504C82
10:03:22:140 3308 DetectCureTDL3: IrpHandler (23) addr: F850999E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
10:03:22:140 3308 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
10:03:22:140 3308 KLMD_ReadMem: DeviceIoControl error 1
10:03:22:140 3308 TDL3_StartIoHookDetect: Unable to get StartIo handler code
10:03:22:140 3308 TDL3_FileDetect: Processing driver: Disk
10:03:22:140 3308 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
10:03:22:140 3308 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
10:03:22:140 3308 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
10:03:22:140 3308 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 82FA4030
10:03:22:140 3308 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82FA4030
10:03:22:140 3308 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 82FAF030
10:03:22:140 3308 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82FAF030
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0x82FAF030[0x38]
10:03:22:140 3308 DetectCureTDL3: DRIVER_OBJECT addr: 82FCEE78
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0x82FCEE78[0xA8]
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F8A030[0x38]
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F8B868[0xA8]
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0xE18F1F88[0x208]
10:03:22:140 3308 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:03:22:140 3308 DetectCureTDL3: IrpHandler (0) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (1) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (2) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (3) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (4) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (5) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (6) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (7) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (8) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (9) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (10) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (11) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (12) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (13) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (14) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (15) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (16) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (17) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (18) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (19) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (20) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (21) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (22) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (23) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (24) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (25) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: IrpHandler (26) addr: 82F4F618
10:03:22:140 3308 DetectCureTDL3: All IRP handlers pointed to one addr: 82F4F618
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F4F618[0x400]
10:03:22:140 3308 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
10:03:22:140 3308 Driver "atapi" Irp handler infected by TDSS rootkit ... 10:03:22:140 3308 KLMD_WriteMem: Trying to WriteMemory 0x82F4F67D[0xD]
10:03:22:140 3308 cured
10:03:22:140 3308 KLMD_ReadMem: Trying to ReadMemory 0x82F4F4BF[0x400]
10:03:22:140 3308 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1
10:03:22:140 3308 Driver "atapi" StartIo handler infected by TDSS rootkit ... 10:03:22:140 3308 TDL3_StartIoHookCure: Number of patches 1
10:03:22:140 3308 KLMD_WriteMem: Trying to WriteMemory 0x82F4F5B6[0x6]
10:03:22:140 3308 cured
10:03:22:140 3308 TDL3_FileDetect: Processing driver: atapi
10:03:22:140 3308 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\atapi.tsk, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\atapi.tsk
10:03:22:140 3308 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
10:03:22:140 3308 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
10:03:22:171 3308 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 10:03:22:171 3308 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
10:03:22:171 3308 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
10:03:22:171 3308 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\atapi.tsk
10:03:22:250 3308 TDL3_FileCure: Image path (system32\Drivers\atapi.tsk) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
10:03:22:250 3308 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\atapi.tsk, C:\WINDOWS\system32\drivers\atapi.sys) success
10:03:22:250 3308 will be cured on next reboot
10:03:22:265 3308
Completed

Results:
10:03:22:265 3308 Infected objects in memory: 2
10:03:22:265 3308 Cured objects in memory: 2
10:03:22:265 3308 Infected objects on disk: 1
10:03:22:265 3308 Objects on disk cured on reboot: 1
10:03:22:265 3308 Objects on disk deleted on reboot: 0
10:03:22:265 3308 Registry nodes deleted on reboot: 0
10:03:22:265 3308


I've been browsing for a few minutes and so far so good.
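The TDSSKiller log in post #13 shows how the TDL3 hook was found. The tool walks the disk stack, dumps each driver object's MajorFunction table (IrpHandler (0) through (26), one slot per IRP major code) and notices that every atapi slot points to one address, 82F4F618, which is nowhere near atapi's own image: by contrast disk.sys's real handlers sit at F85xxxxx and its unimplemented slots all share one kernel address, 804FA87E. The Python below is an added example, not Kaspersky's code and not part of the thread. It parses lines in that log format and applies the same two signals: a dispatch table collapsed to a single address, and handler addresses that fall outside the image ranges it has been told about. The sample lines are rebuilt from the Disk and atapi tables above; the IMAGE_RANGES are assumptions (the log gives only the kernel base 804D7000, so the end addresses and the driver bases are made up for illustration).

```python
"""Spot a collapsed IRP dispatch table in a TDSSKiller-style log.

Added example, not TDSSKiller's own code. Parses "DetectCureTDL3: DRIVER_OBJECT
name" and "IrpHandler (n) addr" lines and flags drivers whose MajorFunction table
is hooked in the way TDL3 hooked atapi in the thread above.
"""
import re

# Assumed image ranges for this boot. Only the kernel base (804D7000) appears
# in the log; the end addresses and the driver bases are invented here.
IMAGE_RANGES = {
    "ntoskrnl.exe": (0x804D7000, 0x80700000),
    "disk.sys": (0xF8500000, 0xF850C000),
    "atapi.sys": (0xF8300000, 0xF8320000),
}

# Disk's 27 handlers exactly as printed in the log (entries 0..26).
DISK_TABLE = ["F8508BB0", "804FA87E", "F8508BB0", "F8502D1F", "F8502D1F", "804FA87E",
              "804FA87E", "804FA87E", "804FA87E", "F85032E2", "804FA87E", "804FA87E",
              "804FA87E", "804FA87E", "F85033BB", "F8506F28", "F85032E2", "804FA87E",
              "804FA87E", "804FA87E", "804FA87E", "804FA87E", "F8504C82", "F850999E",
              "804FA87E", "804FA87E", "804FA87E"]


def _table_lines(name, addrs):
    """Reproduce the log's line format (timestamp, pid, message) for one driver."""
    stamp = "10:03:22:140 3308 "
    lines = [f"{stamp}DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\{name}, Driver Name: {name}"]
    lines += [f"{stamp}DetectCureTDL3: IrpHandler ({i}) addr: {a}" for i, a in enumerate(addrs)]
    return lines


# Constructed sample: the clean Disk table followed by the hooked atapi table.
SAMPLE_LOG = "\n".join(_table_lines("Disk", DISK_TABLE) + _table_lines("atapi", ["82F4F618"] * 27))

NAME_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\[^,]+, Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")


def parse_tables(log_text):
    """Return [{'driver': name, 'handlers': {irp_index: address}}, ...] in log order.

    TDSSKiller prints the Disk table once per device object on the stack, so the
    same driver may appear several times; every occurrence is kept.
    """
    tables, current = [], None
    for line in log_text.splitlines():
        m = NAME_RE.search(line)
        if m:
            current = {"driver": m.group("name"), "handlers": {}}
            tables.append(current)
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            current["handlers"][int(m.group("idx"))] = int(m.group("addr"), 16)
    return tables


def in_known_image(addr, ranges=IMAGE_RANGES):
    """True if addr lies inside any of the declared [base, end) image ranges."""
    return any(lo <= addr < hi for lo, hi in ranges.values())


def analyze(tables, ranges=IMAGE_RANGES):
    """Apply the two TDL3 signals to each parsed table."""
    findings = []
    for t in tables:
        addrs = set(t["handlers"].values())
        collapsed = len(t["handlers"]) >= 2 and len(addrs) == 1
        findings.append({
            "driver": t["driver"],
            "entries": len(t["handlers"]),
            # signal 1: every IRP_MJ_* slot routed to the same address
            "collapsed_to": next(iter(addrs)) if collapsed else None,
            # signal 2: handler code living outside any loaded image (pool memory)
            "handlers_outside_images": sorted(a for a in addrs if not in_known_image(a, ranges)),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(parse_tables(SAMPLE_LOG)):
        verdict = "HOOKED" if f["collapsed_to"] or f["handlers_outside_images"] else "clean"
        print(f"{f['driver']:8} {f['entries']:2} entries  {verdict}  "
              f"collapsed_to={f['collapsed_to'] and hex(f['collapsed_to'])}  "
              f"outside={[hex(a) for a in f['handlers_outside_images']]}")
```

On the sample, Disk comes back clean (eight distinct handlers, all inside disk.sys or the kernel) and atapi is flagged by both signals. The collapse heuristic on its own is not proof: some filter drivers legitimately route every IRP through one dispatch routine, which is why the second signal matters, and why the log shows TDSSKiller going one step further and reading 0x400 bytes of code at the handler (the CheckParameters lines) before declaring the driver hooked and patching it in memory.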

#14 AustrAlien

    Inquisitor

  • Members
  • 6,772 posts
  • Location:Cowra NSW Australia

Posted 25 December 2009 - 11:44 AM

JaredS

The TDSSKiller log looks promising.

Let's see what else we can find to clean up:
Please follow the instructions provided by boopme in post #2 at the following link ...
http://www.bleepingcomputer.com/forums/ind...t&p=1550799

I would like you to run ATF Cleaner, MBAM (make sure the "Perform Quick Scan" option is selected) and SAS.
Remember to update the definition files of both MBAM and SAS before running.
Remember to remove all malware found.

Please post the logs of both MBAM and SAS.
AustrAlien

#15 JaredS

  • Topic Starter
  • Members
  • 22 posts

Posted 25 December 2009 - 07:45 PM

I updated SAS and MBAM. MBAM didn't find anything, but SAS found some things. Here's the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/25/2009 at 06:27 PM

Application Version : 4.32.1000

Core Rules Database Version : 4410
Trace Rules Database Version: 2243

Scan type : Quick Scan
Total Scan Time : 00:08:41

Memory items scanned : 489
Memory threats detected : 0
Registry items scanned : 411
Registry threats detected : 1
File items scanned : 4320
File threats detected : 4

Rogue.InternetSecurity2010
HKU\S-1-5-21-606747145-1425521274-725345543-1004\Software\IS2010

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@overture[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@2o7[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@imrworldwide[2].txt



