
Kryptik/Olmarik Trojan or Virus


9 replies to this topic

#1 Hank_the_Tank

Posted 02 January 2010 - 12:49 AM

Just starting today, out of the blue I was getting all these pop-ups for malware and antivirus protection. They looked real, like the Windows program, but I assumed they were not. My friend luckily installed an antivirus program on this new computer and I haven't had any problems for the first couple of months of this new computer. When this happened just today we couldn't figure out what to do; the antivirus, as it said, found 4 infections and cleaned 3 of them. The last "one" that is supposedly there is still causing these pop-ups and I can't figure out what to do. My friend, who is very smart with computers, suggested I go here and make a post. If anyone could help me or steer me in the right direction I would greatly appreciate it.



#2 boopme (Global Moderator)

Posted 02 January 2010 - 10:43 AM

Hello and welcome. I am moving this out of the HJT forum as there is no log and the HJT team will not review it. You will be in Security / Am I Infected now.

Please run these and post back the scan log.

RKill....

Please download Rkill by Grinler and save it to your desktop. (Link 2, Link 3, Link 4)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Hank_the_Tank (Topic Starter)

Posted 02 January 2010 - 03:31 PM

First off I would like to say thank you for taking the time to help me; I greatly appreciate it. I followed all of your steps without any problems. The only thing that is somewhat troubling to me is that one particular pop-up keeps coming up all throughout the installation. It was for Adobe Flash, and I'm guessing it's just another fake pop-up. As requested, here is the entire log from the Malwarebytes program.

Malwarebytes' Anti-Malware 1.43
Database version: 3481
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/2/2010 12:21:30 PM
mbam-log-2010-01-02 (12-21-30).txt

Scan type: Quick Scan
Objects scanned: 100822
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTylyputawhk.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
C:\Documents and Settings\McCABE\Start Menu\Programs\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTylyputawhk.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\malware Defense\help.ico (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
C:\Program Files\malware Defense\md.db (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
C:\Documents and Settings\McCABE\Start Menu\Programs\malware Defense\Malware Defense Support.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
C:\Documents and Settings\McCABE\Start Menu\Programs\malware Defense\Malware Defense.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
C:\Documents and Settings\McCABE\Start Menu\Programs\malware Defense\Uninstall Malware Defense.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\McCABE\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Defense.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

#4 boopme (Global Moderator)

Posted 02 January 2010 - 05:22 PM

You're welcome. It's possible the Adobe Flash Player needs an update.
The latest is here: Adobe Flash Player version 10.0.42.34.
Uncheck the box in front of Free Google Toolbar (optional).

Since we have found TDSS on here we will run more tools. This will steal your passwords and financial info, so if you do online banking etc. you need to change those.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Next run ATF and SAS. If you cannot access Safe Mode, run in Normal Mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW scan with SUPER
  • Open from the desktop icon or the Program Files list.
  • On the left, make sure you check C:\Fixed Drive.
  • Perform a Complete scan. After the scan, verify they are all checked.
  • Click OK on the summary screen to quarantine all found items.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log.
  • A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#5 Hank_the_Tank (Topic Starter)

Posted 03 January 2010 - 05:59 PM

For some reason I could follow all of your steps up until booting into Safe Mode. I could not get it to register me mashing my F8 key; at first I thought it was my keyboard just not registering my pressing it, but after switching out and using two other keyboards I couldn't get it to work. So I am guessing you need to boot into Safe Mode for the cleaning of the virus to work, so I am at a loss. If you have anything in mind on how to get it into Safe Mode then I could probably follow and finish the rest of the steps. :thumbsup:

#6 boopme (Global Moderator)

Posted 03 January 2010 - 07:08 PM

Hi, try this and if still no Safe mode then run in Normal but let me know.

SUPERAntiSpyware has a built-in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection. To use this feature, launch SUPERAntiSpyware.
  • Click the Repairs tab.
  • Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
  • You may be asked to reboot your computer for the changes to take effect.


#7 Hank_the_Tank (Topic Starter)

Posted 03 January 2010 - 08:37 PM

Just to let you know, I still could not get the computer into Safe Mode. I ran it in Normal Mode as you said, as a backup plan, followed all the steps and was pleased that the spyware program only found one threat/problem, so needless to say I am happy :thumbsup: . Here is the first log, from TDSSKiller, as requested.

14:10:32:359 3544 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
14:10:32:359 3544 ================================================================================
14:10:32:359 3544 SystemInfo:

14:10:32:359 3544 OS Version: 5.1.2600 ServicePack: 3.0
14:10:32:359 3544 Product type: Workstation
14:10:32:359 3544 ComputerName: PETER-EA7DBFF1E
14:10:32:359 3544 UserName: McCABE
14:10:32:359 3544 Windows directory: C:\WINDOWS
14:10:32:359 3544 Processor architecture: Intel x86
14:10:32:359 3544 Number of processors: 2
14:10:32:359 3544 Page size: 0x1000
14:10:32:359 3544 Boot type: Normal boot
14:10:32:359 3544 ================================================================================
14:10:32:359 3544 ForceUnloadDriver: NtUnloadDriver error 2
14:10:32:359 3544 ForceUnloadDriver: NtUnloadDriver error 2
14:10:32:359 3544 ForceUnloadDriver: NtUnloadDriver error 2
14:10:32:359 3544 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
14:10:32:390 3544 main: Driver KLMD successfully dropped
14:10:32:390 3544 main: Driver KLMD successfully loaded
14:10:32:390 3544
Scanning Registry ...
14:10:32:390 3544 ScanServices: Searching service UACd.sys
14:10:32:390 3544 ScanServices: Open/Create key error 2
14:10:32:390 3544 ScanServices: Searching service TDSSserv.sys
14:10:32:390 3544 ScanServices: Open/Create key error 2
14:10:32:390 3544 ScanServices: Searching service gaopdxserv.sys
14:10:32:390 3544 ScanServices: Open/Create key error 2
14:10:32:390 3544 ScanServices: Searching service gxvxcserv.sys
14:10:32:390 3544 ScanServices: Open/Create key error 2
14:10:32:390 3544 ScanServices: Searching service MSIVXserv.sys
14:10:32:390 3544 ScanServices: Open/Create key error 2
14:10:32:390 3544 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
14:10:32:390 3544 UnhookRegistry: Kernel local addr: A40000
14:10:32:390 3544 UnhookRegistry: KeServiceDescriptorTable addr: ACB520
14:10:32:390 3544 UnhookRegistry: KiServiceTable addr: A4D8B0
14:10:32:390 3544 UnhookRegistry: NtEnumerateKey service number (local): 47
14:10:32:390 3544 UnhookRegistry: NtEnumerateKey local addr: AE1E14
14:10:32:390 3544 KLMD_OpenDevice: Trying to open KLMD device
14:10:32:390 3544 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
14:10:32:390 3544 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
14:10:32:390 3544 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]
14:10:32:390 3544 UnhookRegistry: NtEnumerateKey service number (kernel): 47
14:10:32:390 3544 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]
14:10:32:390 3544 UnhookRegistry: NtEnumerateKey real addr: 80578E14
14:10:32:390 3544 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
14:10:32:390 3544 UnhookRegistry: No SDT hooks found on NtEnumerateKey
14:10:32:390 3544 KLMD_ReadMem: Trying to ReadMemory 0x80578E14[0xA]
14:10:32:390 3544 UnhookRegistry: No splicing found on NtEnumerateKey
14:10:32:390 3544
Scanning Kernel memory ...
14:10:32:390 3544 KLMD_OpenDevice: Trying to open KLMD device
14:10:32:390 3544 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
14:10:32:390 3544 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
14:10:32:390 3544 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A142A08
14:10:32:390 3544 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
14:10:32:406 3544 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8A1499F0
14:10:32:406 3544 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A1499F0
14:10:32:406 3544 KLMD_ReadMem: Trying to ReadMemory 0x8A1499F0[0x38]
14:10:32:406 3544 DetectCureTDL3: DRIVER_OBJECT addr: 8A142A08
14:10:32:406 3544 KLMD_ReadMem: Trying to ReadMemory 0x8A142A08[0xA8]
14:10:32:406 3544 KLMD_ReadMem: Trying to ReadMemory 0xE152B588[0x208]
14:10:32:406 3544 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:10:32:406 3544 DetectCureTDL3: IrpHandler (0) addr: F763DBB0
14:10:32:406 3544 DetectCureTDL3: IrpHandler (1) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (2) addr: F763DBB0
14:10:32:406 3544 DetectCureTDL3: IrpHandler (3) addr: F7637D1F
14:10:32:406 3544 DetectCureTDL3: IrpHandler (4) addr: F7637D1F
14:10:32:406 3544 DetectCureTDL3: IrpHandler (5) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (6) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (7) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (8) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (9) addr: F76382E2
14:10:32:406 3544 DetectCureTDL3: IrpHandler (10) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (11) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (12) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (13) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (14) addr: F76383BB
14:10:32:406 3544 DetectCureTDL3: IrpHandler (15) addr: F763BF28
14:10:32:406 3544 DetectCureTDL3: IrpHandler (16) addr: F76382E2
14:10:32:406 3544 DetectCureTDL3: IrpHandler (17) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (18) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (19) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (20) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (21) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (22) addr: F7639C82
14:10:32:406 3544 DetectCureTDL3: IrpHandler (23) addr: F763E99E
14:10:32:406 3544 DetectCureTDL3: IrpHandler (24) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (25) addr: 804F9739
14:10:32:406 3544 DetectCureTDL3: IrpHandler (26) addr: 804F9739
14:10:32:406 3544 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
14:10:32:406 3544 KLMD_ReadMem: DeviceIoControl error 1
14:10:32:406 3544 TDL3_StartIoHookDetect: Unable to get StartIo handler code
14:10:32:406 3544 TDL3_FileDetect: Processing driver: Disk
14:10:32:406 3544 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
14:10:32:406 3544 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
14:10:32:406 3544 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
14:10:32:421 3544 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A14CAB8
14:10:32:421 3544 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A14CAB8
14:10:32:421 3544 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A1D7658
14:10:32:421 3544 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A1D7658
14:10:32:421 3544 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A14ED98
14:10:32:421 3544 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A14ED98
14:10:32:421 3544 KLMD_ReadMem: Trying to ReadMemory 0x8A14ED98[0x38]
14:10:32:421 3544 DetectCureTDL3: DRIVER_OBJECT addr: 8A207030
14:10:32:421 3544 KLMD_ReadMem: Trying to ReadMemory 0x8A207030[0xA8]
14:10:32:421 3544 KLMD_ReadMem: Trying to ReadMemory 0xE151DA40[0x208]
14:10:32:421 3544 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
14:10:32:421 3544 DetectCureTDL3: IrpHandler (0) addr: F7849B40
14:10:32:421 3544 DetectCureTDL3: IrpHandler (1) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (2) addr: F7849B40
14:10:32:421 3544 DetectCureTDL3: IrpHandler (3) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (4) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (5) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (6) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (7) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (8) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (9) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (10) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (11) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (12) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (13) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (14) addr: F7849B40
14:10:32:421 3544 DetectCureTDL3: IrpHandler (15) addr: F7849B40
14:10:32:421 3544 DetectCureTDL3: IrpHandler (16) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (17) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (18) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (19) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (20) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (21) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (22) addr: F7849B40
14:10:32:421 3544 DetectCureTDL3: IrpHandler (23) addr: F7849B40
14:10:32:421 3544 DetectCureTDL3: IrpHandler (24) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (25) addr: 804F9739
14:10:32:421 3544 DetectCureTDL3: IrpHandler (26) addr: 804F9739
14:10:32:421 3544 KLMD_ReadMem: Trying to ReadMemory 0xF7847864[0x400]
14:10:32:421 3544 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
14:10:32:421 3544 TDL3_FileDetect: Processing driver: atapi
14:10:32:421 3544 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\atapi.tsk, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\atapi.tsk
14:10:32:421 3544 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
14:10:32:421 3544 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
14:10:32:421 3544
Completed

Results:
14:10:32:437 3544 Infected objects in memory: 0
14:10:32:437 3544 Cured objects in memory: 0
14:10:32:437 3544 Infected objects on disk: 0
14:10:32:437 3544 Objects on disk cured on reboot: 0
14:10:32:437 3544 Objects on disk deleted on reboot: 0
14:10:32:437 3544 Registry nodes deleted on reboot: 0
14:10:32:437 3544


Here is the second log, from SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/03/2010 at 05:23 PM

Application Version : 4.32.1000

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 00:27:18

Memory items scanned : 405
Memory threats detected : 0
Registry items scanned : 3680
Registry threats detected : 0
File items scanned : 48390
File threats detected : 1

Rogue.SmartProtector
C:\WINDOWS\system32\srcr.dat


All of this means nothing to me and I hope you can figure out if my computer is finally clean! :flowers: Looking forward to your next post, and thank you for all your help thus far.
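The UnhookRegistry lines in the TDSSKiller log above show how the tool arrives at "No SDT hooks found": it maps ntoskrnl.exe from disk at a local address (A40000), finds NtEnumerateKey in that copy (AE1E14), rebases the offset onto the running kernel's base (804D7000 + (AE1E14 - A40000) = 80578E14, the "calc addr"), and compares the result with the entry actually sitting in the live service table (the "real addr"). A match means nothing has redirected that system call; a mismatch is the classic kernel-mode hook a TDSS-style rootkit uses to hide its files and registry keys from enumeration. The Python below is an added example written for this page, not TDSSKiller's or Kaspersky's code, and not from the thread: it re-implements that comparison over the posted lines and over a constructed copy in which the table entry has been redirected. The function names and the address F7A3C120 are made up for the example.

```python
import re

# Constructed excerpt of the TDSSKiller 2.1.1 output quoted in this thread
# (the UnhookRegistry lines and two Results counters); not a file pulled from
# the poster's machine, just the posted lines embedded here.
CLEAN_LOG = r"""14:10:32:390 3544 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
14:10:32:390 3544 UnhookRegistry: Kernel local addr: A40000
14:10:32:390 3544 UnhookRegistry: KeServiceDescriptorTable addr: ACB520
14:10:32:390 3544 UnhookRegistry: KiServiceTable addr: A4D8B0
14:10:32:390 3544 UnhookRegistry: NtEnumerateKey service number (local): 47
14:10:32:390 3544 UnhookRegistry: NtEnumerateKey local addr: AE1E14
14:10:32:390 3544 UnhookRegistry: NtEnumerateKey real addr: 80578E14
14:10:32:390 3544 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
14:10:32:390 3544 UnhookRegistry: No SDT hooks found on NtEnumerateKey
14:10:32:437 3544 Infected objects in memory: 0
14:10:32:437 3544 Infected objects on disk: 0
"""

# Constructed negative case: the same log, but the live service-table entry
# points somewhere other than the rebased on-disk address. F7A3C120 is a
# made-up value; the tool's own verdict line is dropped because it no longer applies.
HOOKED_LOG = (CLEAN_LOG
              .replace("real addr: 80578E14", "real addr: F7A3C120")
              .replace("14:10:32:390 3544 UnhookRegistry: No SDT hooks found on NtEnumerateKey\n", ""))

# Every TDSSKiller line starts with HH:MM:SS:mmm and the process id.
PREFIX = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"
KERNEL_BASE_RE = re.compile(PREFIX + r"UnhookRegistry: Kernel module file name: .*, base addr: ([0-9A-Fa-f]+)\s*$")
KERNEL_LOCAL_RE = re.compile(PREFIX + r"UnhookRegistry: Kernel local addr: ([0-9A-Fa-f]+)\s*$")
SERVICE_RE = re.compile(PREFIX + r"UnhookRegistry: (Nt\w+) (local|real|calc) addr: ([0-9A-Fa-f]+)\s*$")
RESULT_RE = re.compile(PREFIX + r"((?:Infected|Cured) objects (?:in memory|on disk)"
                       r"|Objects on disk \w+ on reboot|Registry nodes deleted on reboot): (\d+)\s*$")


def parse_unhook_log(text):
    """Pull the running kernel base, the locally mapped image base, the per-service
    addresses and the result counters out of a TDSSKiller log."""
    info = {"kernel_base": None, "kernel_local": None, "services": {}, "results": {}}
    for line in text.splitlines():
        m = KERNEL_BASE_RE.match(line)
        if m:
            info["kernel_base"] = int(m.group(1), 16)
            continue
        m = KERNEL_LOCAL_RE.match(line)
        if m:
            info["kernel_local"] = int(m.group(1), 16)
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, kind, addr = m.groups()
            info["services"].setdefault(name, {})[kind] = int(addr, 16)
            continue
        m = RESULT_RE.match(line)
        if m:
            info["results"][m.group(1)] = int(m.group(2))
    return info


def expected_address(kernel_base, kernel_local, local_addr):
    """Rebase an address found in the locally mapped, on-disk ntoskrnl.exe to where
    that routine lives in the running kernel. This is TDSSKiller's 'calc addr'."""
    return kernel_base + (local_addr - kernel_local)


def sdt_hooks(info):
    """Report every service whose live SDT entry ('real addr') differs from the
    rebased on-disk address: the signature of a service-table hook."""
    hooks = []
    for name, addrs in sorted(info["services"].items()):
        if "local" not in addrs or "real" not in addrs:
            continue  # incomplete record; nothing to compare
        expected = expected_address(info["kernel_base"], info["kernel_local"], addrs["local"])
        if addrs["real"] != expected:
            hooks.append({"service": name, "expected": expected, "actual": addrs["real"]})
    return hooks


if __name__ == "__main__":
    for label, text in (("posted log", CLEAN_LOG), ("constructed hooked log", HOOKED_LOG)):
        info = parse_unhook_log(text)
        hooks = sdt_hooks(info)
        print(f"{label}: {len(hooks)} SDT hook(s); results {info['results']}")
        for h in hooks:
            print(f"  {h['service']}: expected {h['expected']:08X}, table holds {h['actual']:08X}")
```

The check only covers the service-table comparison; TDSSKiller's log also records a splicing check (the first bytes of the routine) and the per-driver IrpHandler table for Disk and atapi, which need the driver image ranges to interpret and are not reproduced here.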

#8 boopme (Global Moderator)

Posted 03 January 2010 - 10:27 PM

OK, great, that's a lot of malware that was removed.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick Scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Try the Safe Mode "Repairs" fix again now.

#9 Hank_the_Tank (Topic Starter)

Posted 04 January 2010 - 02:03 PM

Here is the new scan log. Only three things were found, all of them rootkit things. Not sure what those are, but I'm guessing bad?

Malwarebytes' Anti-Malware 1.43
Database version: 3492
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/4/2010 10:58:35 AM
mbam-log-2010-01-04 (10-58-35).txt

Scan type: Quick Scan
Objects scanned: 98103
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\H8SRTqkfmuarual.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTbmniqaimpm.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
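Both MBAM logs in this thread (post #3 and this one) share the same line format, and reading them side by side is what tells a helper whether a removal held: the first scan left the TDSS memory module at "Delete on reboot" rather than "Quarantined and deleted successfully", and the rescan two days later finds the Rootkit.TDSS family again under new file names. The Python below is an added example, not Malwarebytes' code or anything posted in the thread. It parses MBAM detection lines as posted (constructed excerpts of the two logs are embedded), counts detections per family, lists actions MBAM could not finish in-session, and reports the families present in both scans. The function names are my own.

```python
import re
from collections import Counter

# Constructed excerpts of the two MBAM logs quoted in this thread (2 and 4
# January 2010), trimmed to the sections that carry detections. Not files taken
# from the poster's machine; the detection lines are as posted.
MBAM_LOG_DAY1 = r"""Malwarebytes' Anti-Malware 1.43
Database version: 3481
Windows 5.1.2600 Service Pack 3

Memory Modules Infected: 1
Registry Keys Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTylyputawhk.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTylyputawhk.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\malware Defense\help.ico (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

MBAM_LOG_DAY3 = r"""Malwarebytes' Anti-Malware 1.43
Database version: 3492

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\H8SRTqkfmuarual.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTbmniqaimpm.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# A bare "... Infected:" line opens a section; the summary lines near the top
# carry a count after the colon and therefore do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
# path (Family.Name) -> action.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?\s*$")
DBVER_RE = re.compile(r"^Database version:\s*(\d+)")
FINISHED = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return the database version and every detection line, tagged with its section."""
    log = {"database_version": None, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DBVER_RE.match(line)
        if m:
            log["database_version"] = int(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            log["detections"].append({"section": section, **m.groupdict()})
    return log


def families(log):
    """Count detections per MBAM family name (the text in parentheses)."""
    return Counter(d["family"] for d in log["detections"])


def pending_actions(log):
    """Detections MBAM could not complete in-session, e.g. 'Delete on reboot'.
    An in-memory rootkit module left in this state is the usual reason a later
    scan finds the same family again."""
    return [d for d in log["detections"] if not d["action"].startswith(FINISHED)]


def persisting_families(before, after):
    """Families present in both scans: the removal did not hold, or the machine was re-infected."""
    return sorted(set(families(before)) & set(families(after)))


if __name__ == "__main__":
    first, rescan = parse_mbam_log(MBAM_LOG_DAY1), parse_mbam_log(MBAM_LOG_DAY3)
    for name, log in (("first scan", first), ("rescan", rescan)):
        print(f"{name} (db {log['database_version']}): {dict(families(log))}")
        for d in pending_actions(log):
            print(f"  pending: {d['path']} [{d['family']}] -> {d['action']}")
    print("survived between scans:", persisting_families(first, rescan))
```

Run against the two excerpts, the script reports the single pending "Delete on reboot" item from the first scan and Rootkit.TDSS as the family that survived, which is the same conclusion the helper draws in the next post.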

#10 boopme (Global Moderator)

Posted 04 January 2010 - 02:31 PM

Hello, unfortunately TDSS has survived.
You will need to run HJT/DDS. The HJT Team will have to find what is protecting it.
Please follow this guide: go and do steps 6 through 8 of the Preparation Guide For Use Before Using Hijackthis. Then go to HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.



