Persistent Infection - InternetSecurity2010 and Browser Re-directs


65 replies to this topic

#1 David-In-Chicago


Posted 19 December 2009 - 08:25 PM

My problems began Tuesday morning with a hydra-headed infection seeming to be from InternetSecurity2010 rogue program. I DID NOT click on it and have no idea how it got on my machine. It initially presented with a multiple array of popups warning of infections. I was on McAfee at the time of the infection and up to date. I've since DLd and scanned with SUPER-AntiSpyware, Ad-Aware, RKill.com, MalwareBytes Anti Malware, PCTools Spyware Dr, and Avira.

The scans find issues, quarantine, and remove them but problems are still there after reboots. The issues have been the popups of scareware, hijacked Task Manager, hijacked Administrator account, inability to run System Restore, redirects of browser links, inability to boot in Safe Mode, ad nauseam.

Some of the consistent elements are the InternetSecurity2010, redirects to Local-News-Online.com, thewebsitesurvey.com, findstuff.com, directdr.com, theclickcheck.com, 206.161.121.90, thewebantivirus.com, mdlinx.com, clickseekonline.com, etc etc etc

Suggestions?

Hijack This Report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:50 AM, on 12/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Sfopikazubijaxes] rundll32.exe "C:\WINDOWS\ojafowas.dll",Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RUNFBI] c:\windows\regedit.exe -s c:\appl.zip\wxpe\tool\fpp_xp.reg
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AutoLogon] regedit.exe /s appl.zip\WXPe\tool\logon.reg
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games Matchmaking) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games Game Chat) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1220024871875
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\curslib.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Update Service (gupdate1c90e972ce72f2e) (gupdate1c90e972ce72f2e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 13641 bytes

Edited by boopme, 23 December 2009 - 04:20 PM.
Merged 2 posts to 1 ~~boopme
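A small triage script, added here as an illustration and not part of the thread or of HijackThis, that applies two low-noise checks to O4/O20 lines of the kind in the log above: an autostart whose target sits directly in the Windows directory rather than a subfolder (or is a DLL launched through rundll32.exe), and any populated AppInit_DLLs value. The sample lines are constructed in the shape of the posted log with backslashes restored, and the allowlist of Windows-root binaries is an assumption made for this example.

```python
"""Triage heuristics for HijackThis O4/O20 entries (added example, not code from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis log posted above (backslashes restored).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Sfopikazubijaxes] rundll32.exe "C:\WINDOWS\ojafowas.dll",Startup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RUNFBI] c:\windows\regedit.exe -s c:\appl.zip\wxpe\tool\fpp_xp.reg
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\curslib.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<value>.*)$")
# A file living directly under <drive>:\WINDOWS\ with no further path component.
WINROOT_FILE_RE = re.compile(
    r'(?P<path>[A-Za-z]:\\WINDOWS\\(?P<file>[^\\"\s]+\.(?:exe|dll)))', re.IGNORECASE
)
# Binaries Windows XP legitimately keeps in the Windows root (assumed allowlist for this example).
WINROOT_ALLOWLIST = {"explorer.exe", "regedit.exe", "notepad.exe"}


@dataclass
class Finding:
    line: str
    reason: str


def check_o4(line: str) -> "Finding | None":
    """Flag an autostart whose target is an unexpected file in the Windows root."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m["cmd"]
    hit = WINROOT_FILE_RE.search(cmd)
    if not hit or hit["file"].lower() in WINROOT_ALLOWLIST:
        return None
    how = "loaded via rundll32.exe" if cmd.lower().startswith("rundll32") else "started"
    return Finding(line, f"autostart [{m['name']}] runs {hit['path']}, {how} from the Windows root")


def check_o20(line: str) -> "Finding | None":
    """Flag any populated AppInit_DLLs value: that DLL is injected into every process loading user32.dll."""
    m = O20_RE.match(line)
    if not m or m["kind"] != "AppInit_DLLs" or not m["value"].strip():
        return None
    return Finding(line, f"AppInit_DLLs is populated ({m['value'].strip()}); injected into every GUI process")


def triage(log_text: str) -> list:
    """Run every check over each non-empty log line and collect the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in (check_o4, check_o20):
            finding = check(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```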



#2 thewall

Malware Response Team

Posted 23 December 2009 - 10:40 PM

Hello David-In-Chicago :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I need for you to perform the following:


Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.



If you have any CD emulation software, such as DAEMON Tools or Alcohol, run Defogger before you run GMER below. If you don't, then skip over this and go directly to GMER.




Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.







Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries








Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 David-In-Chicago

Topic Starter

Posted 24 December 2009 - 12:56 AM

DDS-SCR process did not work. I DLd and it started to run but an error message popped up after a few seconds - "An unknown error occurred. The program will be terminated." I tried to use the second link and it totally locked me up. Had to do power button shut down. Attempted to run the DDS during the ramp up of the reboot with the same error message. Tried to Run the DDS from the DL link rather than saving to desktop and still got same error message.

Will attempt to go on down the list. Is that a good thing or should the steps be sequential and not skipped if unable to execute?

#4 David-In-Chicago

Topic Starter

Posted 24 December 2009 - 03:49 AM

OK, Gmer ran for 2 hours, 45 minutes. I'll paste the report. I tried the DDS.SCR as soon as Gmer was done with the hope that it might kick in. It didn't. Same unknown error - termination window.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-24 02:44:18
Windows 5.1.2600 Service Pack 3
Running: ve34cuw3.exe; Driver: C:\DOCUME~1\owner\LOCALS~1\Temp\kfporaog.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF71C7E52]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF71A8CDE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF71A8ED0]
SSDT B12B4484 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF71C8640]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF71C88F4]
SSDT B12B44A2 ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF71C6B44]
SSDT B12B4470 ZwOpenProcess
SSDT B12B4475 ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF71C8D60]
SSDT B12B44AC ZwReplaceKey
SSDT B12B44A7 ZwRestoreKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF71C8112]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0x9F0BA0B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9EFFC796]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0x9EFFC8DF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0x9EFFC8C9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x9EFFC7D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x9EFFC90B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x9EFFC7AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0x9EFFC951]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0x9EFFC8B3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0x9EFFC89D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x9EFFC782]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x9EFFC76E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0x9EFFC8F5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x9EFFC7EC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x9EFFC7C0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- EOF - GMER 1.0.15 ----
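As an added illustration that is not part of the thread or of GMER itself, a small parser that groups the SSDT and inline ("Code") hooks in a GMER report by the driver that owns them and pulls out the hooks that list only a raw address. Hooks owned by known security drivers are expected; a handler with no backing module is the entry a responder reads first. The sample is an excerpt of the report posted above; the module-name handling is this example's own.

```python
"""Attribute GMER SSDT/inline hooks to their owning driver (added example, not code from the thread)."""
from __future__ import annotations

import re

# Excerpt of the GMER report posted above (constructed subset of its lines).
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF71C7E52]
SSDT B12B4484 ZwCreateThread
SSDT B12B44A2 ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF71C6B44]
SSDT B12B4470 ZwOpenProcess
SSDT B12B4475 ZwOpenThread
SSDT B12B44AC ZwReplaceKey
SSDT B12B44A7 ZwRestoreKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0x9F0BA0B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9EFFC796]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
"""

# "<kind> <owner> <ZwFunc|NtFunc> [0xADDR]" where <owner> is either a module with its
# description in parentheses, or a bare 8-hex-digit address when GMER found no module.
HOOK_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<owner>.+?)\s+(?P<func>(?:Zw|Nt)\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?$"
)
RAW_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
NO_MODULE = "<no module>"


def owner_module(owner: str) -> str:
    """Reduce 'path\\driver.sys (description)' to 'driver.sys'; a bare address maps to NO_MODULE."""
    if RAW_ADDR_RE.match(owner):
        return NO_MODULE
    path = owner.split(" (", 1)[0]
    return path.rsplit("\\", 1)[-1]


def attribute_hooks(gmer_text: str) -> dict[str, list[str]]:
    """Map each owning module to the system services it hooks, in report order."""
    hooks: dict[str, list[str]] = {}
    for raw in gmer_text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, Devices/Registry entries
        hooks.setdefault(owner_module(m["owner"]), []).append(m["func"])
    return hooks


def unattributed_hooks(gmer_text: str) -> list[str]:
    """The hooks whose handler is not inside any loaded driver image."""
    return attribute_hooks(gmer_text).get(NO_MODULE, [])


if __name__ == "__main__":
    for module, funcs in attribute_hooks(SAMPLE_GMER).items():
        print(f"{module}: {', '.join(funcs)}")
```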

#5 thewall

Malware Response Team

Posted 24 December 2009 - 08:40 AM

You can hold up on DDS if you are still trying to run it. Let's see if we can get ComboFix running:


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#6 David-In-Chicago

Topic Starter

Posted 24 December 2009 - 11:33 AM

OUCH! This appears to have been the wrong move. I'm not sure if the combofix ran. There was a small red horizontal meter bar for a minute which seemed to be processing but there were no install or scan screens. I looked on the C drive for the ComboFix text file in the hopes that it had been working in the background. MEANWHILE, the machine went ballistic with popping open browser windows, a few scareware popups, and then the off-green desktop of death with black scareware verbiage in the center. I shut it all down since the virus protection was all turned off.

Upon reboot as the desktop was coming up (before Icons loaded) I got the following 6" x 2" window grey background:
Spyware Alert!
Security Warning!
Worm.Win32.NetSky detected on your machine.
This virus is distributed via the Internet through e-mail and Active=X objects.
The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself.
In worst case this worm can allow attachers to access your computer, stealing passwords and personal data.
Viruses can damage your onfidential data an work on your computer.
Continue working in unprotected mode is very dangerous.

Type: Virus
System Affected: Windows 2000, NT, ME, XP, Vista, 7
Security Risk (0-5): 5
Recomendations: It is necessary to perform a full system scan.

I closed it via red X rather than the "ok" button.

Immediately following, McAfee alert window showed briefly with the alert that it had removed trojans.

Avira popped up with warning on TR/Dropper.Gen trojan - I selected the move to quarantine option.

A 1" x 3" Windows grey background RUNDLL alert popped up. Error loading C:\Windows\system32\msaouahn.dll - The specified module could not be found. OK box.

Desktop is black background with the icons on top.

I'm attempting to run the ComboFix with the various virus/spyware programs running in the hopes that they "may not" interfere. The little red ComboFix meter ran and then disappeared. I tried to open Task Manager to see if the ComboFix process was running and I got this Windows WARNING Application cannot be executed. The file is infected. Please activate your antivirus software. OK button. (I close this out with the upper right hand X rather than clicking the OK)

The Internet Security 2010 (IS2010 henceforth) window popped up an began a scan. I closed the window and then another IS2010 window popped up with the scareware Critical vulnerables found! sales pitch. So I'm back to where the whole mess all started last Tuesday.

Avira is now popping up with an alert on C:\nbhfy.exe is the TR/Ertfor.A.1 Trojan. I selected MTQ.

What now?

Avira alerted to the TR Dropper Gen virus and I selected move to quarantine (MTQ henceforth).

#7 David-In-Chicago

Topic Starter

Posted 24 December 2009 - 11:40 AM

Merry Christmas eve by the way!

Are you "working" through the holidays? I have the second machine so I can shut this down for a couple days if need be. Let me know what you want to do. I'm home now through the weekend so I can work on it or put it to bed until you're available.

Thanks for your help!

David

#8 thewall

Malware Response Team

Posted 24 December 2009 - 01:54 PM

I will be working logs off and on in between the things I will be doing with my family.

Merry Christmas to you and your family.


Most of what is happening is the infection trying to block us from cleaning it off. These things do a good job of self-protection and it is very seldom that any two machines will act just alike. Some are easier than others and we'll just have to keep trying to slip around it.




Try running the following tool followed by another run of ComboFix. If the machine acts really squirrelly don't try to force the issue.




RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.


#9 David-In-Chicago

Topic Starter

Posted 24 December 2009 - 02:21 PM

Tried all four links with the same results each time... DOS window opens and cursor blinks about 5-6 seconds before it kicks out the "Error! An Unknown error occurred - The program will be terminated" window.

If memory serves me correctly from last Tuesday, I was able to run MalwareBytes immediately following one of the rkill attempts and got it to find/shutdown the ISO2010. Should I try that or do you have another process?

Thanks!

#10 David-In-Chicago

Topic Starter

Posted 24 December 2009 - 02:25 PM

PS on the Rkill attempts... I still have McAfee, Avira, Ad-Aware, SUPER Anti-Spyware, running. Do you want me to trim down the list to just one or two or shut them all down completely? I hesitate to totally "go commando" with an infection present but I could scale back to your recommendations.

#11 thewall (Malware Response Team)

Posted 24 December 2009 - 02:58 PM

Are you running both Avira and McAfee antivirus? If you are then you'll need to remove one of them from your machine since they can cause conflicts as they both try to access the same files.

Also, did you disable them prior to trying to run ComboFix? McAfee can cause serious issues itself when we try to run CF without it being disabled. The others should be OK, and unless you have Windows Defender or Spybot TeaTimer they shouldn't be an issue.

#12 David-In-Chicago (Topic Starter)

Posted 24 December 2009 - 03:27 PM

Yes, I have both Avira and McAfee in the System Tray (along with Spyware Doctor, Ad-Aware and the SUPER Anti-Spyware there in the tray). MalwareBytes is on the desktop. I will shut down McAfee for the duration seeing as how ( A ) it was the program originally running when the malware got in, and ( B ) it has the conflicts with ComboFix.

Do you want me to uninstall the others? Here's the sequence of how they all came to be together. McAfee was running because its Security Suite is gratis with our ISP so I put it on to replace my expiring Norton 4-5 weeks ago. I put on the SUPER Anti-Spyware at the recommendation of Comcast tech after an issue on my boss's computer two weeks ago. I've always liked Lavasoft's Ad-Aware so it was on from way back. I put on the Spyware Doctor last week after spending hours trying to clean up with the other programs. (SD cleaned me up from a trojan about 3 years ago but I dropped the subscription when we got the Norton through work. It helped then so I was hoping it would do the trick this time.) I put Avira on a couple days ago, again, hoping to find the magic bullet.

I will turn off the McAfee completely, disable the Avira and try the CF again.

David


For what it's worth, here are screen captures of most of the various popups from earlier this morning.


#13 David-In-Chicago (Topic Starter)

Posted 24 December 2009 - 03:46 PM

Removed McAfee, inactivated the AntiVir Guard for Avira, and tried the CF. Meter runs through, I hear a Windows beep and then nothing. I presume there should be screens for the scanning process...

next?

Should I maybe run MBam and Avira scans to clean off what they can and then try the rkill and CF processes?

#14 thewall (Malware Response Team)

Posted 24 December 2009 - 04:38 PM

The way this is acting I believe we are dealing with a rootkit. I was really hoping the GMER scan would show more than it did. I want you to try the following just in case this is a new form of TDL3 OR Max++ which is not being picked up.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

#15 David-In-Chicago (Topic Starter)

Posted 24 December 2009 - 06:05 PM

OK, here's the results.

As I was running the TDSS it got to this screen:
[screenshot]

I selected the Y option and it rebooted.

Upon the reboot, these two alerts came up:

[screenshot]

[screenshot]

Notice that the screen shot of the TDSS showed some issues but the text shows none. I presume this is because the applet cleaned up between the screen shot and writing of the text file?

Here is the TDSS Kaspersky report text:

16:46:01:125 3884 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
16:46:01:125 3884 ================================================================================
16:46:01:125 3884 SystemInfo:

16:46:01:125 3884 OS Version: 5.1.2600 ServicePack: 3.0
16:46:01:125 3884 Product type: Workstation
16:46:01:125 3884 ComputerName: YOUR-E1C77F8D14
16:46:01:125 3884 UserName: owner
16:46:01:125 3884 Windows directory: C:\WINDOWS
16:46:01:125 3884 Processor architecture: Intel x86
16:46:01:125 3884 Number of processors: 2
16:46:01:125 3884 Page size: 0x1000
16:46:01:140 3884 Boot type: Normal boot
16:46:01:140 3884 ================================================================================
16:46:01:171 3884 ForceUnloadDriver: NtUnloadDriver error 2
16:46:01:187 3884 ForceUnloadDriver: NtUnloadDriver error 2
16:46:01:187 3884 ForceUnloadDriver: NtUnloadDriver error 2
16:46:01:187 3884 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
16:46:01:187 3884 main: Driver KLMD successfully dropped
16:46:01:218 3884 main: Driver KLMD successfully loaded
16:46:01:218 3884
Scanning Registry ...
16:46:01:234 3884 ScanServices: Searching service UACd.sys
16:46:01:234 3884 ScanServices: Open/Create key error 2
16:46:01:234 3884 ScanServices: Searching service TDSSserv.sys
16:46:01:234 3884 ScanServices: Open/Create key error 2
16:46:01:234 3884 ScanServices: Searching service gaopdxserv.sys
16:46:01:234 3884 ScanServices: Open/Create key error 2
16:46:01:234 3884 ScanServices: Searching service gxvxcserv.sys
16:46:01:234 3884 ScanServices: Open/Create key error 2
16:46:01:234 3884 ScanServices: Searching service MSIVXserv.sys
16:46:01:234 3884 ScanServices: Open/Create key error 2
16:46:01:265 3884 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
16:46:01:281 3884 UnhookRegistry: Kernel local addr: A40000
16:46:01:312 3884 UnhookRegistry: KeServiceDescriptorTable addr: AC5700
16:46:01:437 3884 UnhookRegistry: KiServiceTable addr: A6D460
16:46:01:453 3884 UnhookRegistry: NtEnumerateKey service number (local): 47
16:46:01:453 3884 UnhookRegistry: NtEnumerateKey local addr: B8CFF2
16:46:01:468 3884 KLMD_OpenDevice: Trying to open KLMD device
16:46:01:468 3884 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
16:46:01:468 3884 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
16:46:01:468 3884 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
16:46:01:468 3884 UnhookRegistry: NtEnumerateKey service number (kernel): 47
16:46:01:468 3884 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
16:46:01:468 3884 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
16:46:01:468 3884 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
16:46:01:468 3884 UnhookRegistry: No SDT hooks found on NtEnumerateKey
16:46:01:468 3884 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
16:46:01:468 3884 UnhookRegistry: No splicing found on NtEnumerateKey
16:46:01:468 3884
Scanning Kernel memory ...
16:46:01:468 3884 KLMD_OpenDevice: Trying to open KLMD device
16:46:01:468 3884 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
16:46:01:468 3884 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:46:01:468 3884 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A894AE0
16:46:01:468 3884 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
16:46:01:468 3884 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 89FA38A0
16:46:01:468 3884 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89FA38A0
16:46:01:468 3884 KLMD_ReadMem: Trying to ReadMemory 0x89FA38A0[0x38]
16:46:01:468 3884 DetectCureTDL3: DRIVER_OBJECT addr: 8A894AE0
16:46:01:468 3884 KLMD_ReadMem: Trying to ReadMemory 0x8A894AE0[0xA8]
16:46:01:468 3884 KLMD_ReadMem: Trying to ReadMemory 0xE1CD95A8[0x208]
16:46:01:468 3884 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:46:01:468 3884 DetectCureTDL3: IrpHandler (0) addr: F74EDBB0
16:46:01:468 3884 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (2) addr: F74EDBB0
16:46:01:468 3884 DetectCureTDL3: IrpHandler (3) addr: F74E7D1F
16:46:01:468 3884 DetectCureTDL3: IrpHandler (4) addr: F74E7D1F
16:46:01:468 3884 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (9) addr: F74E82E2
16:46:01:468 3884 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (14) addr: F74E83BB
16:46:01:468 3884 DetectCureTDL3: IrpHandler (15) addr: F74EBF28
16:46:01:468 3884 DetectCureTDL3: IrpHandler (16) addr: F74E82E2
16:46:01:468 3884 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (22) addr: F74E9C82
16:46:01:468 3884 DetectCureTDL3: IrpHandler (23) addr: F74EE99E
16:46:01:468 3884 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:46:01:484 3884 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:46:01:484 3884 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
16:46:01:484 3884 KLMD_ReadMem: DeviceIoControl error 1
16:46:01:484 3884 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:46:01:484 3884 TDL3_FileDetect: Processing driver: Disk
16:46:01:484 3884 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
16:46:01:484 3884 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
16:46:01:484 3884 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
16:46:01:531 3884 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 89FA3C68
16:46:01:531 3884 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89FA3C68
16:46:01:531 3884 KLMD_ReadMem: Trying to ReadMemory 0x89FA3C68[0x38]
16:46:01:531 3884 DetectCureTDL3: DRIVER_OBJECT addr: 8A894AE0
16:46:01:531 3884 KLMD_ReadMem: Trying to ReadMemory 0x8A894AE0[0xA8]
16:46:01:531 3884 KLMD_ReadMem: Trying to ReadMemory 0xE1CD95A8[0x208]
16:46:01:531 3884 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:46:01:531 3884 DetectCureTDL3: IrpHandler (0) addr: F74EDBB0
16:46:01:531 3884 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (2) addr: F74EDBB0
16:46:01:531 3884 DetectCureTDL3: IrpHandler (3) addr: F74E7D1F
16:46:01:531 3884 DetectCureTDL3: IrpHandler (4) addr: F74E7D1F
16:46:01:531 3884 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (9) addr: F74E82E2
16:46:01:531 3884 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (14) addr: F74E83BB
16:46:01:531 3884 DetectCureTDL3: IrpHandler (15) addr: F74EBF28
16:46:01:531 3884 DetectCureTDL3: IrpHandler (16) addr: F74E82E2
16:46:01:531 3884 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (22) addr: F74E9C82
16:46:01:531 3884 DetectCureTDL3: IrpHandler (23) addr: F74EE99E
16:46:01:531 3884 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:46:01:531 3884 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:46:01:531 3884 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
16:46:01:531 3884 KLMD_ReadMem: DeviceIoControl error 1
16:46:01:531 3884 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:46:01:531 3884 TDL3_FileDetect: Processing driver: Disk
16:46:01:531 3884 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
16:46:01:531 3884 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
16:46:01:531 3884 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
16:46:01:546 3884 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 89FA4AB8
16:46:01:546 3884 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89FA4AB8
16:46:01:546 3884 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A894808
16:46:01:546 3884 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A894808
16:46:01:546 3884 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A897158
16:46:01:546 3884 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A897158
16:46:01:546 3884 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A903030
16:46:01:546 3884 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A903030
16:46:01:546 3884 KLMD_ReadMem: Trying to ReadMemory 0x8A903030[0x38]
16:46:01:546 3884 DetectCureTDL3: DRIVER_OBJECT addr: 8A897270
16:46:01:546 3884 KLMD_ReadMem: Trying to ReadMemory 0x8A897270[0xA8]
16:46:01:546 3884 KLMD_ReadMem: Trying to ReadMemory 0xE1CBCFE0[0x208]
16:46:01:546 3884 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
16:46:01:546 3884 DetectCureTDL3: IrpHandler (0) addr: F71E5186
16:46:01:546 3884 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (2) addr: F71E5186
16:46:01:546 3884 DetectCureTDL3: IrpHandler (3) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (4) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (9) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (14) addr: F71E8896
16:46:01:546 3884 DetectCureTDL3: IrpHandler (15) addr: F71E8B58
16:46:01:546 3884 DetectCureTDL3: IrpHandler (16) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (22) addr: F71EDE66
16:46:01:546 3884 DetectCureTDL3: IrpHandler (23) addr: F71EDFC6
16:46:01:546 3884 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:46:01:546 3884 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
16:46:01:546 3884 KLMD_ReadMem: DeviceIoControl error 1
16:46:01:546 3884 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:46:01:546 3884 TDL3_FileDetect: Processing driver: iaStor
16:46:01:546 3884 TDL3_FileDetect: Similar paths for origin and cured (C:\WINDOWS\system32\drivers\iastor.tsk)! Generate new path
16:46:01:546 3884 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\iastor.tsk, C:\WINDOWS\system32\Drivers\iastor.ts0, SYSTEM\CurrentControlSet\Services\iaStor, system32\Drivers\iastor.ts0
16:46:01:546 3884 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\iastor.tsk
16:46:01:546 3884 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\iastor.tsk
16:46:01:609 3884
Completed

Results:
16:46:01:609 3884 Infected objects in memory: 0
16:46:01:609 3884 Cured objects in memory: 0
16:46:01:609 3884 Infected objects on disk: 0
16:46:01:609 3884 Objects on disk cured on reboot: 0
16:46:01:609 3884 Objects on disk deleted on reboot: 0
16:46:01:609 3884 Registry nodes deleted on reboot: 0
16:46:01:609 3884


********************************************
And here is the WINDIAG report:
Running from: C:\Documents and Settings\owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

********************************************

Let me know next moves. Still have the ISO2010 popups popping.

Thanks! David
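A triage script for the TDSSKiller log format pasted above, added here as an example (not code from the thread, from BleepingComputer or from Kaspersky's tool). It assumes a constructed log excerpt with sample addresses; the 1 MiB clustering heuristic in outlier_handlers is my own assumption about where a driver's dispatch routines should point, while the SSDT real-vs-calc check and the StartIo caveat come straight from the log lines the tool writes.

```python
import re
from collections import Counter, defaultdict
# Constructed excerpt in the TDSSKiller 2.1.1 log format quoted above (sample addresses).
SAMPLE_LOG = """\
16:46:01:468 3884 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
16:46:01:468 3884 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
16:46:01:468 3884 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
16:46:01:468 3884 DetectCureTDL3: IrpHandler (0) addr: F74EDBB0
16:46:01:468 3884 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:46:01:468 3884 DetectCureTDL3: IrpHandler (14) addr: F74E83BB
16:46:01:484 3884 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:46:01:546 3884 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\iaStor, Driver Name: iaStor
16:46:01:546 3884 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:46:01:546 3884 DetectCureTDL3: IrpHandler (14) addr: F71E8896
16:46:01:546 3884 DetectCureTDL3: IrpHandler (15) addr: 8A9FF000
16:46:01:546 3884 DetectCureTDL3: IrpHandler (22) addr: F71EDE66
16:46:01:609 3884 Infected objects in memory: 0
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: .*?, Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]+)")
SDT_RE = re.compile(r"NtEnumerateKey (real|calc) addr: ([0-9A-F]+)")
RESULT_RE = re.compile(r"(Infected objects (?:in memory|on disk)): (\d+)")

def parse_log(text):
    """Structure the log: SSDT addresses, IRP handlers per driver, counters, flags."""
    report = {"sdt": {}, "drivers": defaultdict(dict), "startio_unverified": False, "results": {}}
    current = None
    for line in text.splitlines():
        if m := DRIVER_RE.search(line):
            current = m.group(1)
        elif (m := IRP_RE.search(line)) and current:
            report["drivers"][current][int(m.group(1))] = int(m.group(2), 16)
        elif m := SDT_RE.search(line):
            report["sdt"][m.group(1)] = int(m.group(2), 16)
        elif m := RESULT_RE.search(line):
            report["results"][m.group(1)] = int(m.group(2))
        elif "Unable to get StartIo handler code" in line:
            # The StartIo hook check did not complete: zero results do not cover it.
            report["startio_unverified"] = True
    return report

def sdt_hooked(report):
    """The tool's own SSDT check as logged: the live service-table entry ('real')
    should equal the address computed from the on-disk kernel image ('calc')."""
    s = report["sdt"]
    return "real" in s and "calc" in s and s["real"] != s["calc"]

def outlier_handlers(report, window_bits=20):
    """Heuristic of my own, not TDSSKiller's logic: a driver's dispatch routines live in
    one image, so they cluster within one 1 MiB (2**20) window. The address every driver
    shares is the kernel default handler and is ignored; others outside the window are reported."""
    drivers = report["drivers"]
    shared = set.intersection(*(set(h.values()) for h in drivers.values())) if len(drivers) > 1 else set()
    flagged = {}
    for name, handlers in drivers.items():
        own = {i: a for i, a in handlers.items() if a not in shared}
        if not own:
            continue
        majority = Counter(a >> window_bits for a in own.values()).most_common(1)[0][0]
        odd = {i: f"{a:08X}" for i, a in own.items() if a >> window_bits != majority}
        if odd:
            flagged[name] = odd
    return flagged
```

The point for this thread: "Infected objects: 0" next to "Unable to get StartIo handler code" means one of the checks never ran, so the log is inconclusive rather than clean.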



