Constantly infected with spyware/malware

21 replies to this topic

#1 TygerTyger

Posted 03 January 2010 - 07:06 AM

Hello. As of recently my laptop has constantly been infected with what I think is malware and spyware, and each time I "get rid" of it to the point where my computer is no longer telling me I am infected. I'm only 16 so I'm not quite sure what the problem is. Usually I get the false Internet Security 2010 problem, and I follow instructions to remove it every time, but it keeps coming back and I do not know what to do. I've followed these instructions http://www.bleepingcomputer.com/virus-remo...t-security-2010 and it doesn't work.

I was thinking of clearing the hard drive because I believe it would clear infections as well, but I do not know how to do so and I am unsure whether doing so will delete my OS too. If it does, I'm not sure how I would reinstall it. I'm not sure what information is needed, but I have an Acer Aspire One with Windows XP; AVG is installed on my computer, as is Malwarebytes and Ad-aware.


#2 AustrAlien

Posted 03 January 2010 - 07:31 AM

Welcome to BC, TygerTyger :thumbsup:

Let's see what we can do with your malware problem ....

:huh: Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. (TFC will close ALL open programs including your browser!)
  • Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
:trumpet: Please download Malwarebytes' Anti-Malware and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note 1: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2: MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


:flowers: Please download SUPERAntiSpyware
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your Desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and click View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
:inlove: Please scan with Dr.Web CureIt!
Download drweb-cureit.exe and save it to your desktop. DO NOT perform a scan yet.
Now, reboot your computer in "Safe Mode" using the F8 method. (To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows logo splashscreen appears) press the F8 key repeatedly. The "Windows Advanced Options Menu" will appear with several options. Use the Up/Down arrow keys to navigate and select the option to run Windows in "Safe Mode".)

Scan with Dr.Web CureIt! as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the "Virus check by DrWeb scanner" prompt and click Ok where asked to "Start scan now?" Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin. (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
  • If prompted to download the "Full version Free Trial", ignore it, and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply > Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo. (Please be patient as this scan could take a long time to complete.)
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web CureIt! when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
:huh: Now, please run a Full Scan this time with MBAM after again updating. Remove what it finds and then post the log from that too.

Edited by AustrAlien, 03 January 2010 - 07:35 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#3 TygerTyger

Posted 03 January 2010 - 08:58 AM

Hello, and thanks for the reply. So far I've done everything up to step 3 but it isn't letting me go into safe mode. Something similar to this pops up http://www.meltdowndigital.com/screenshots/agp440.gif, it restarts but brings me to this http://i15.photobucket.com/albums/a361/ger...22/IMG_2921.jpg. And no matter how many times I try safe mode it only repeats this.


Also, I'm not sure if you want it right this moment, but here is the log from the malwarebytes scan

Malwarebytes' Anti-Malware 1.43
Database version: 3486
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/3/2010 8:05:44 AM
mbam-log-2010-01-03 (08-05-44).txt

Scan type: Quick Scan
Objects scanned: 106736
Time elapsed: 11 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\coptnc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\trhh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fnl15c4.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\mshlps.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\rrhzpns.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
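
The MBAM log above is easier to act on once it is reduced to two questions: which families were found, and what is still waiting for a reboot. The following is an added example (not code from the thread or from Malwarebytes) that parses the log's "<Category> Infected:" sections and flags every object marked "Delete on reboot"; such objects were in use when the scan ran (here a kernel driver in system32\drivers and a DLL loaded into a process) and only go away after the normal restart the instructions insist on. The sample log is constructed from entries quoted in the post.

```python
"""Triage of a Malwarebytes' Anti-Malware 1.4x text log.

Added example, not code from the forum thread or from Malwarebytes.  It
parses the "<Category> Infected:" sections of the log, tallies detections
per malware family and lists every object still marked "Delete on reboot":
those were locked when the scan ran (a loaded kernel driver, a DLL injected
into a running process) and only disappear after a normal restart.
The sample log is constructed from entries quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample: an abridged copy of the MBAM log posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.43
Database version: 3486
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 106736

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\drivers\rrhzpns.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
"""

# "Files Infected:" opens a section; the summary lines ("Files Infected: 12") do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<object> (<family>) -> <action>"; the action may itself contain "->" (registry data items).
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection: section, path, family, action, pending_reboot."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("("):  # header lines, "(No malicious items detected)"
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        items.append({
            "section": section,
            "path": m.group("path"),
            "family": m.group("family"),
            "action": m.group("action"),
            "pending_reboot": "Delete on reboot" in m.group("action"),
        })
    return items


def family_counts(items):
    """Detections per family; an object listed in two sections counts twice."""
    return Counter(item["family"] for item in items)


def pending_reboot_paths(items):
    """Objects MBAM could not remove because they were in use."""
    return sorted({item["path"] for item in items if item["pending_reboot"]})


def pending_kernel_drivers(items):
    """Pending objects that are kernel drivers: a loaded rootkit driver stays until reboot."""
    return [p for p in pending_reboot_paths(items) if p.lower().endswith(".sys")]


def needs_normal_reboot(items):
    """True when a normal (not Safe Mode) restart is required to finish the removal."""
    return bool(pending_reboot_paths(items))


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(family_counts(found))
    print("pending reboot:", pending_reboot_paths(found))
```

Run against a real log, `pending_kernel_drivers` is the line to look at first: a `.sys` under `system32\drivers` that is classed as a rootkit and still "Delete on reboot" is the component most likely to keep reinstalling the rest.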

#4 AustrAlien

Posted 03 January 2010 - 05:10 PM

but it isn't letting me go into safe mode

I am sorry: I should have anticipated this, and included a note to run the scans in Windows "normal" mode if you could not load Windows in Safe Mode. Please go ahead, and run the remainder of the scans, and post the logs.

When you have done that, please try loading Windows in Safe Mode again. Let me know if it still does not work.
If you can start in Safe Mode, please run SAS and Dr.Web again, in Safe Mode, and post the logs.
AustrAlien
Google is my friend. Make Google your friend too.


#5 TygerTyger

Posted 03 January 2010 - 11:26 PM

I downloaded drweb cureit but when I try to install it I get this http://fr.tinypic.com/r/29fuzv9/6. I saved it to the desktop and I'm not sure what to do if it won't let me install it.

Here is the log from superantispyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/03/2010 at 07:31 PM

Application Version : 4.32.1000

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 00:45:15

Memory items scanned : 570
Memory threats detected : 0
Registry items scanned : 5902
Registry threats detected : 2
File items scanned : 15244
File threats detected : 16

Adware.Tracking Cookie
C:\Documents and Settings\TygerDiago\Cookies\tygerdiago@apmebf[1].txt
C:\Documents and Settings\TygerDiago\Cookies\tygerdiago@atdmt[1].txt
C:\Documents and Settings\TygerDiago\Cookies\tygerdiago@mediaplex[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clickpayz6.91462.blueseek[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@earthbanner272[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@bs.serving-sys[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@casalemedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@serving-sys[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@content.yieldmanager[1].txt

Trojan.Hugipon
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters#ServiceDll

Trojan.Agent/Gen
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk

#6 AustrAlien

Posted 04 January 2010 - 05:09 AM

I am not sure what the problem is with Dr.Web CureIt!, but you are not the only one to have this problem atm.

:flowers: Export SafeBoot key for diagnosis
Let's have a look at your SafeBoot registry key.
  • Click Start > Run
  • Copy and paste the following line of code in the open Run box (Do not copy the word "code".)
regedit /e C:\SafeBootK.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
  • Now click OK
  • Double-click/Open My Computer and then navigate to C:\ drive
  • In there, you should see a file called SafeBootK.txt
  • Double-click it to open the file with Notepad.
  • Copy and paste the whole contents of SafeBootK.txt in your next reply please.
If you have any problems let me know.


:thumbsup: Please perform a scan with Eset OnlineScanner (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab).
  • Answer Yes to install and download the ActiveX controls that allow the scan to run.
  • Click Start. (the OnlineScanner will now prepare itself for running on your PC)
  • To do a full-scan, check "Remove found threats" and "Scan potentially unwanted applications"
  • Click Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now go to Start > Run > and type C:\Program Files\EsetOnlineScanner\log.txt and then press the <ENTER> key.
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn it back on after you are finished.
AustrAlien
Google is my friend. Make Google your friend too.
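
The SafeBoot export requested above is asked for because a machine that cannot enter Safe Mode usually has that key damaged or deleted. Below is an added example (not from the thread, and not a BleepingComputer tool) that parses the `Windows Registry Editor Version 5.00` text written by `regedit /e` and compares the `SafeBoot\Minimal` subkeys against a baseline. The baseline is deliberately partial: it contains only a handful of entries from the export posted later in this thread, not the full Windows XP list, and both sample exports are constructed for the example.

```python
"""Checking a regedit export of the SafeBoot key.

Added example; not part of the forum thread or of any BleepingComputer
tool.  It parses the "Windows Registry Editor Version 5.00" text that
`regedit /e` writes and compares the SafeBoot\Minimal subkeys against a
baseline.  The baseline is deliberately partial (a few entries quoted in
the thread's post-repair export, not the full Windows XP list), and both
sample exports are constructed for the example.
"""
import re

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")      # [HKEY_...\path]
REG_DEFAULT_RE = re.compile(r'^@="(?P<value>[^"]*)"$')  # @="Service" / @="Driver Group"

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Partial baseline for SafeBoot\Minimal: name -> expected default value.
EXPECTED_MINIMAL = {
    "AppMgmt": "Service",
    "Base": "Driver Group",
    "Boot Bus Extender": "Driver Group",
    "CryptSvc": "Service",
    "DcomLaunch": "Service",
    "EventLog": "Service",
}

# Constructed sample of a healthy export (regedit writes the key path in the case it was given).
HEALTHY_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"
"""

# Constructed sample of an export whose whole Minimal subtree is gone.
GUTTED_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]
"""


def parse_reg_export(text):
    """Map each exported key path (case-folded) to its default value, or None."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys[current] = None
            continue
        m = REG_DEFAULT_RE.match(line)
        if m and current is not None:
            keys[current] = m.group("value")
    return keys


def check_safeboot(keys, profile="Minimal", expected=EXPECTED_MINIMAL):
    """Report whether the profile exists and which baseline entries are missing or altered."""
    base = (SAFEBOOT + "\\" + profile).lower()
    if base not in keys:
        return {"present": False, "missing": sorted(expected), "wrong": {}}
    missing, wrong = [], {}
    for name, value in expected.items():
        sub = base + "\\" + name.lower()
        if sub not in keys:
            missing.append(name)
        elif keys[sub] != value:
            wrong[name] = keys[sub]
    return {"present": True, "missing": sorted(missing), "wrong": wrong}


def drop_subkey(export, name):
    """Test helper: remove one [...\Minimal\<name>] block (and its @= line) from export text."""
    pattern = re.compile(r"^\[[^\]]*\\Minimal\\" + re.escape(name) + r"\]\r?\n(?:@=.*\r?\n)?", re.M)
    return pattern.sub("", export)


if __name__ == "__main__":
    print(check_safeboot(parse_reg_export(HEALTHY_EXPORT)))
    print(check_safeboot(parse_reg_export(GUTTED_EXPORT)))
```

To run it on a real `C:\SafeBootK.txt`, read the file with `open(path, encoding="utf-16")`: regedit writes its exports as UTF-16LE with a byte-order mark, which is also why the file looks odd in some editors. A result with `"present": False` is the textbook picture behind "it isn't letting me go into safe mode", and the right fix is restoring the key, which is what the later repair step in this thread does.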


#7 TygerTyger

Posted 04 January 2010 - 07:07 AM

There isn't a file named SafeBootK.txt, but there is one named aaw7boot.txt, so here is that one just in case

================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-11-05 09:47


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-11-07 14:42


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-10 08:29
[~] Preparing to execute queued commands
[~] Deleting file: C:\Program Files\NetBattle Supremacy\virtual.drv
[~] Finished processing queued commands


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-12 11:43


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-12 16:50
[~] Preparing to execute queued commands
[~] Deleting file: c:\program files\internetsecurity2010\is2010.exe
[~] Finished processing queued commands


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-16 21:09


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-20 15:37


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-24 12:52


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-24 15:43


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-27 20:56


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-30 03:24


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-30 18:30


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-31 03:08


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-31 11:37
[~] Preparing to execute queued commands
[~] Deleting file: c:\windows\system32\boyimeta.dll
[~] Deleting file: c:\windows\system32\winupdate86.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX02.906\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX10.125\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX12.234\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX33.515\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX42.671\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX46.687\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX47.968\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX48.796\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX57.718\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX61.000\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX83.296\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX88.609\Keygen.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX96.640\Keygen.exe
[~] Finished processing queued commands


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-31 16:29


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-01 17:57


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-01 19:38


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-02 21:40


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-02 22:49
[~] Preparing to execute queued commands
[~] Deleting file: c:\windows\system32\winupdate86.exe
[~] Deleting file: c:\program files\internetsecurity2010\is2010.exe
[~] Finished processing queued commands


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-03 01:14


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-03 12:12
[~] Preparing to execute queued commands
[~] Deleting file: c:\windows\system32\winupdate86.exe
[~] Finished processing queued commands


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-03 12:41


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-03 13:07


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-03 13:27


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-03 13:38


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-03 13:43


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-04 01:09


Here is the log from ESET

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6eb1754d28c57248997f804970734998
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-04 12:04:49
# local_time=2010-01-04 07:04:50 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 1053240 1053240 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=76625
# found=7
# cleaned=7
# scan_time=5700
C:\Documents and Settings\TygerDiago\My Documents\LimeWire\Incomplete\Preview-T-5131555-a is for action ima robot top billboard hits.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\TygerDiago\My Documents\LimeWire\Incomplete\Preview-T-5548334-golfinger my everything extended studio edition.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\TygerDiago\My Documents\LimeWire\Incomplete\Preview-T-5875908-ima robot a is for action.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\TygerDiago\My Documents\My Music\pennywise competition song.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\ban1c.vbs VBS/Disabler.NAB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\Dzm331ltJsg11.vbs VBS/Disabler.NAB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus (deleted - quarantined) 00000000000000000000000000000000 C
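
The Boot Cleaner log above is more informative than it looks: the same files (winupdate86.exe, is2010.exe) are deleted at boot on several different days, which means something the scanners never removed keeps putting them back. Here is an added example (not from the thread and not part of Ad-Aware) that parses the log's sessions and reports files that recur across sessions, along with the spread of time involved; the sample log is constructed from a subset of the sessions quoted in the post.

```python
"""Reinfection timeline from an Ad-Aware "Boot Cleaner" log (aaw7boot.txt).

Added example; not part of the forum thread or of Ad-Aware.  Each session
in the log starts with "[~] Cleaning started at <date> <time>" and lists
the files deleted at that boot.  A file that must be deleted again in a
later session was put back by something still on the machine (a dropper,
a service, a driver), so recurring deletions point at the cause rather
than the symptom.  The sample is constructed from sessions quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = r"""
================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-12 16:50
[~] Preparing to execute queued commands
[~] Deleting file: c:\program files\internetsecurity2010\is2010.exe
[~] Finished processing queued commands


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-12-31 11:37
[~] Preparing to execute queued commands
[~] Deleting file: c:\windows\system32\boyimeta.dll
[~] Deleting file: c:\windows\system32\winupdate86.exe
[~] Deleting file: C:\Documents and Settings\TygerDiago\Local Settings\Temp\Rar$EX02.906\Keygen.exe
[~] Finished processing queued commands


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-02 22:49
[~] Preparing to execute queued commands
[~] Deleting file: c:\windows\system32\winupdate86.exe
[~] Deleting file: c:\program files\internetsecurity2010\is2010.exe
[~] Finished processing queued commands


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-03 12:12
[~] Preparing to execute queued commands
[~] Deleting file: c:\windows\system32\winupdate86.exe
[~] Finished processing queued commands


================================================================================
Boot Cleaner
================================================================================
[~] Cleaning started at 2010-01-03 12:41
"""

SESSION_RE = re.compile(r"^\[~\] Cleaning started at (\d{4}-\d{2}-\d{2} \d{2}:\d{2})$")
DELETE_RE = re.compile(r"^\[~\] Deleting file: (.+)$")


def parse_sessions(text):
    """Return [{"started": datetime, "deleted": [path, ...]}, ...] in log order."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            started = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            sessions.append({"started": started, "deleted": []})
            continue
        m = DELETE_RE.match(line)
        if m and sessions:
            sessions[-1]["deleted"].append(m.group(1))
    return sessions


def recurring_deletions(sessions):
    """Paths (case-folded) deleted in two or more sessions -> sorted session times."""
    seen = defaultdict(list)
    for s in sessions:
        for path in {p.lower() for p in s["deleted"]}:   # NTFS paths are case-insensitive
            seen[path].append(s["started"])
    return {p: sorted(t) for p, t in seen.items() if len(t) >= 2}


def gap_hours(timestamps):
    """Hours between the first and last time a file had to be deleted."""
    return (max(timestamps) - min(timestamps)).total_seconds() / 3600.0


def cracks_in_temp(sessions):
    """Keygen binaries unpacked into Temp (WinRAR's Rar$EX* folders): a common way in."""
    hits = {p for s in sessions for p in s["deleted"]
            if "\\temp\\" in p.lower() and "keygen" in p.lower()}
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    for path, times in recurring_deletions(parsed).items():
        print("%s: %d sessions over %.1f h" % (path, len(times), gap_hours(times)))
    print("cracks:", cracks_in_temp(parsed))
```

For the log as posted, the report shows winupdate86.exe being removed three times over roughly three days, with is2010.exe (the Internet Security 2010 rogue itself) returning as well; the keygens extracted from RAR archives in Temp are the kind of download that explains how the rogue arrived in the first place.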

#8 AustrAlien

Posted 04 January 2010 - 07:19 AM

there isn't a file named SafeBootK.txt

Please try Step 1 "Export SafeBoot key for diagnosis" again: I have just confirmed that it works OK on my machine, and that it results in a file "SafeBootK.txt" on C: drive.

Do this if necessary?
Show hidden and system files and folders by doing the following:
  • Launch Windows Explorer by opening "My Computer". On the menu bar, go to
  • Tools > Folder Options > and click on the "View" tab
  • Using the scroll bar at the side of the dialog box, find and check-mark "Show hidden files and folders", UNcheck "Hide protected operating system files (Recommended)", and also UNcheck "Hide extensions for known file types".
  • Click "Apply to All Folders", click "Apply" and click "OK".
If you are sure there is no file produced, then do the following ...
Download and run SafeBootKeyRepair
  • Please download SafeBootKeyRepair and save it to your desktop.
  • Close all programs/windows so that you have nothing open and are at your Desktop.
  • Run SafeBootKeyRepair by double-clicking on it, or right-click on it and click "Open". (If you are using Vista, please right-click and choose "Run as Administrator".)
  • A black command prompt window will appear with the message "Please wait..."
  • It will now begin to scan; please be patient while it scans. The scan should take no longer than 1 minute.
  • Once it's done, the log containing the results will be opened.
  • Copy and paste the whole contents in your next reply.
  • Note: The log can also be retrieved from your C:\ drive with the filename entitled "SAFEBOOT_REPAIR.TXT"
Are you now able to load Windows in Safe Mode?

Edited by AustrAlien, 04 January 2010 - 07:23 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#9 TygerTyger

Posted 04 January 2010 - 07:27 AM

I have to go to school. I'll try again and post the results when I come home.

#10 TygerTyger

Posted 04 January 2010 - 06:29 PM

Here is the SafeBoot thing. I will try seeing if it will let me go into Safe Mode now.

EDIT: I was able to go into safe mode. Should I do those scans now?

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

Edited by TygerTyger, 04 January 2010 - 06:51 PM.
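The export above is what a healthy SafeBoot key looks like after repair; what the rogue had done was remove the key, which is why Safe Mode would not boot. As an added example (my code, not part of the thread and not the SafeBootKeyRepair tool), the script below reads an export like the one above, lists which expected subkeys are missing per profile, and writes a .reg fragment that puts them back. The baseline of "expected" entries is a subset copied from the export above; treating that subset as the minimum an XP SP3 Safe Mode profile needs is an assumption, and SAMPLE_GUTTED is a constructed export used only to exercise the checker.

```python
"""SafeBoot export checker: added example, not code from the thread."""
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot"

# Baseline copied from the healthy export posted above (a subset).  Treating
# it as the minimum an XP SP3 Safe Mode profile needs is an assumption.
BASELINE = {
    "Minimal": {
        "Base": "Driver Group", "Boot Bus Extender": "Driver Group",
        "Boot file system": "Driver Group", "File system": "Driver Group",
        "Filter": "Driver Group", "PCI Configuration": "Driver Group",
        "Primary disk": "Driver Group", "SCSI Class": "Driver Group",
        "System Bus Extender": "Driver Group", "vga.sys": "Driver",
        "vgasave.sys": "Driver", "sr.sys": "FSFilter System Recovery",
        "{4D36E967-E325-11CE-BFC1-08002BE10318}": "DiskDrive",
        "{4D36E96B-E325-11CE-BFC1-08002BE10318}": "Keyboard",
        "{71A27CDD-812A-11D0-BEC7-08002BE2092F}": "Volume",
    },
    "Network": {
        "Base": "Driver Group", "Boot Bus Extender": "Driver Group",
        "Boot file system": "Driver Group", "File system": "Driver Group",
        "Filter": "Driver Group", "NDIS": "Driver Group",
        "NDIS Wrapper": "Driver Group", "Network": "Driver Group",
        "PCI Configuration": "Driver Group", "Primary disk": "Driver Group",
        "SCSI Class": "Driver Group", "System Bus Extender": "Driver Group",
        "AFD": "Service", "Dhcp": "Service", "DnsCache": "Service",
        "Tcpip": "Service",
        "{4D36E967-E325-11CE-BFC1-08002BE10318}": "DiskDrive",
        "{4D36E972-E325-11CE-BFC1-08002BE10318}": "Net",
    },
}

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"$')

def parse_reg_export(text):
    """Return {profile: {entry: default value}} for SafeBoot subkeys in a
    REGEDIT-5 text export; every key outside SafeBoot is ignored."""
    profiles, current = {}, None
    prefix = SAFEBOOT.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = None
            path = key.group("path")
            if not path.lower().startswith(prefix):
                continue
            parts = path.split("\\")[5:]      # [profile] or [profile, entry]
            profiles.setdefault(parts[0], {})
            if len(parts) >= 2:
                profiles[parts[0]][parts[1]] = None
                current = (parts[0], parts[1])
            continue
        val = DEFAULT_RE.match(line)
        if val and current:                   # '@="..."' belongs to last key
            profiles[current[0]][current[1]] = val.group("val")
    return profiles

def find_missing(profiles, baseline=BASELINE):
    """Baseline entries absent from the export, per profile (case-insensitive);
    a profile that is gone entirely reports every baseline entry."""
    missing = {}
    for profile, required in baseline.items():
        present = {name.lower() for name in profiles.get(profile, {})}
        gone = sorted(n for n in required if n.lower() not in present)
        if gone:
            missing[profile] = gone
    return missing

def render_repair(missing, baseline=BASELINE):
    """Emit a .reg fragment that recreates the missing keys with baseline data."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for profile, names in sorted(missing.items()):
        out += [f"[{SAFEBOOT}\\{profile}]", ""]
        for name in names:
            out += [f"[{SAFEBOOT}\\{profile}\\{name}]",
                    f'@="{baseline[profile][name]}"', ""]
    return "\n".join(out)

# Constructed sample (not a real export): Network profile gone, Minimal cut
# down to two keys, the kind of damage that stops Safe Mode from booting.
SAMPLE_GUTTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"
"""

if __name__ == "__main__":
    print(render_repair(find_missing(parse_reg_export(SAMPLE_GUTTED))))
```

Run it against C:\SafeBootK.txt instead of SAMPLE_GUTTED to get the list of missing entries; the rendered fragment can be imported with regedit, but only after the malware that deleted the key has been removed, or it will simply be deleted again.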


#11 AustrAlien

Posted 04 January 2010 - 11:56 PM

I was able to go into safe mode. Should I do those scans now?

Excellent! Apparently your entire SafeBoot key had been removed from the registry.

Yes please: Run the SAS and Dr.Web scans in Safe Mode now according to the instructions, and post the logs.
Then follow up with a Full Scan by MBAM and post the log.
Don't forget to update the definitions of MBAM & SAS before scanning.

Please delete any existing versions of Dr.Web that you have on your computer and download a fresh version of Dr.Web .... it seems to be working today!

Please scan with Dr.Web CureIt!

Download Dr.Web CureIt! and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (something like this ... 5mkuvc4z.exe).
(Or download drweb-cureit.exe from here )

Print these instructions (or copy them to a Notepad file) so they will be accessible: Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Now, reboot your computer in "Safe Mode" using the F8 method. (To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows logo splashscreen appears) press the F8 key repeatedly. The "Windows Advanced Options Menu" will appear with several options. Use the Up/Down arrow keys to navigate and select the option to run Windows in "Safe Mode".)

Scan with Dr.Web CureIt! as follows:
  • Double-click on <the randomly named file that you downloaded> to open the program and click Start.
  • If you see a message, warning that Dr.Web CureIt! is available free only for personal use, click Cancel to continue.
  • Click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the "Dr.Web scanner anti-virus check" prompt and click Ok where asked to "Start scan now?"
    Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
  • If prompted to download the "Full version / FREE trial", ignore it, and click the X to close the window.
  • If you see a message, warning that your HOSTS file has been modified and asking if you would like to restore it, click Yes.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply > Ok.
  • Back at the main window, click the green arrow ("Start Scanning") button on the right, under the Dr.Web logo.
    (Please be patient as this scan could take a long time to complete.)
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web CureIt! when done.
Important! Reboot your computer normally (not to Safe Mode) because it could be possible that files in use will be moved/deleted during reboot.

After rebooting, post the contents of the log from Dr.Web.
  • On your Desktop, right-click on DrWeb.csv and choose Open with > Notepad
  • Copy and paste the entire file contents in your next reply.

Edited by AustrAlien, 05 January 2010 - 12:16 AM.

AustrAlien
Google is my friend. Make Google your friend too.

#12 TygerTyger

Posted 05 January 2010 - 05:16 AM

The first scan took quite some time, so I'll have to do the next one when I return home later.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2010 at 04:56 AM

Application Version : 4.32.1000

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 03:38:36

Memory items scanned : 265
Memory threats detected : 0
Registry items scanned : 5922
Registry threats detected : 0
File items scanned : 76614
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\TygerDiago\Cookies\tygerdiago@atdmt[1].txt

#13 TygerTyger

Posted 08 January 2010 - 12:45 AM

I finally managed to run Dr.Web CureIt! This is the only thing that was in that file though. Is that good?


Process in memory: C:\WINDOWS\system32\svchost.exe:452;;BackDoor.Tdss.565;Eradicated.;
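The single report line above is the important one in this thread: a detection inside a running system process, not in a file on disk. As an added example (my code, not part of the thread and not from Dr.Web), the script below parses DrWeb.csv lines of that shape and ranks them, escalating an in-memory hit inside a Windows system process with a backdoor/rootkit family name above ordinary file detections. The column layout object;;threat;action; is inferred from that one line, so it is an assumption rather than Dr.Web's documented format; the keyword list and the second, made-up sample line are also mine.

```python
"""Triage for a Dr.Web CureIt! DrWeb.csv report: added example, not from the thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Column layout  object;;threat;action;  is inferred from the single line
# posted above, so it is an assumption, not Dr.Web documentation.
MEM_RE = re.compile(r"^Process in memory:\s*(?P<path>.+?):(?P<pid>\d+)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Family-name fragments taken to mean "kernel-resident, a file-level cure is
# not enough" (my choice of keywords, an assumption).
ROOTKIT_HINTS = ("tdss", "tdl", "rootkit", "backdoor")


@dataclass
class Detection:
    kind: str            # "process" (found in memory) or "file"
    path: str
    pid: Optional[int]
    threat: str
    action: str


def parse_drweb_csv(text):
    """Parse report lines; blank or malformed lines are skipped."""
    found = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.strip().split(";")]
        if len(fields) < 4 or not fields[0]:
            continue
        obj, threat, action = fields[0], fields[2], fields[3]
        mem = MEM_RE.match(obj)
        if mem:
            found.append(Detection("process", mem.group("path"),
                                   int(mem.group("pid")), threat, action))
        else:
            found.append(Detection("file", obj, None, threat, action))
    return found


def severity(d):
    """A hit inside a running Windows system process whose family name says
    backdoor/rootkit means the loader survived the file-level cures already
    run; that is the case the thread escalates to a dedicated rootkit tool."""
    in_system = d.path.lower().startswith(SYSTEM_DIRS)
    family_hit = any(h in d.threat.lower() for h in ROOTKIT_HINTS)
    if d.kind == "process" and in_system and family_hit:
        return "critical"
    if d.kind == "process" or family_hit:
        return "high"
    return "medium"


def triage(detections):
    """(severity, detection) pairs, most serious first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(((severity(d), d) for d in detections),
                  key=lambda pair: rank[pair[0]])


def needs_rootkit_scan(detections):
    return any(level == "critical" for level, _ in triage(detections))


# Constructed sample: the real line from the thread plus one made-up file hit
# (the path and threat name on the second line are placeholders).
SAMPLE_CSV = r"""Process in memory: C:\WINDOWS\system32\svchost.exe:452;;BackDoor.Tdss.565;Eradicated.;
C:\Documents and Settings\user\Local Settings\Temp\abc.tmp;;Trojan.Example.1;Deleted.;
"""

if __name__ == "__main__":
    for level, d in triage(parse_drweb_csv(SAMPLE_CSV)):
        print(f"{level:8} {d.kind:7} {d.threat:20} {d.path} pid={d.pid} {d.action}")
```

"Eradicated." only says the in-memory code was killed; nothing in that line says where it came from, which is why the next step in the thread is a rootkit-specific scan rather than another file scan.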

#14 AustrAlien

Posted 08 January 2010 - 01:42 AM

I finally managed to run Dr.Web CureIt! This is the only thing that was in that file though. Is that good?
Process in memory: C:\WINDOWS\system32\svchost.exe:452;;BackDoor.Tdss.565;Eradicated.;

That is excellent: But no, that is definitely NOT good! It is expressly why I was so keen for you to run Dr.Web, to see if that showed up; and it did!

Please download Kaspersky's TDSSKiller and save it to your Desktop.
  • Extract (right-click > "Extract all") its contents to your Desktop.
  • Ensure that TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. <<< Important!
  • Go to Start > Run and then copy and paste the following line into the text field.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • Then click OK.
  • Note: You may see "Hidden service detected". DO NOT type anything in: Press <ENTER> on your keyboard to continue.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". (C:\TDSSKiller.txt)
  • Please copy and paste the entire contents of that file in your next post.
    *****************************************************
Things should now be looking a whole lot better. Give your system a thorough work out, and let me know how it is running.

Please update MBAM and run a Full Scan with it, remove what it finds and post the log also.

AustrAlien
Google is my friend. Make Google your friend too.
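TDSSKiller's -l switch writes a timestamped text log of what it checked: whether the known TDSS service keys exist, whether the SDT entry for NtEnumerateKey has been hooked or spliced, and each storage driver object's IRP dispatch table. As an added example (my code, not part of the thread and not from Kaspersky), the script below pulls those three things out of such a log so the first read is a short summary rather than a few hundred lines. The "absent" verdict rests on Win32 error 2 being ERROR_FILE_NOT_FOUND; the IRP-table heuristic (a clean table should point into at most two address regions, the driver's own image and the ntoskrnl address shared by every unimplemented major function) is my assumption, and SAMPLE_LOG is a constructed excerpt whose last line is made up to show that heuristic firing.

```python
"""Triage of a TDSSKiller text log: added example, not from the thread or Kaspersky."""
import re

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d:\d{3})\s+(?P<pid>\d+)\s*(?P<msg>.*)$")
SERVICE_RE = re.compile(r"ScanServices: Searching service (?P<name>\S+)")
KEYERR_RE = re.compile(r"ScanServices: Open/Create key error (?P<code>\d+)")
HOOK_RE = re.compile(r"UnhookRegistry: (?P<text>.*(?:hooks?|splicing).*?) on (?P<fn>\w+)$")
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (?P<obj>\S+), Driver Name:")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")


def parse_tdsskiller_log(text):
    """Collect: known rootkit service keys and whether they exist, the
    SDT/splicing verdicts per kernel function, and each scanned driver
    object's IRP dispatch table (major function index -> handler address)."""
    report = {"services": {}, "hooks": {}, "drivers": {}}
    service = driver = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # banner, blank or wrapped lines
        msg = m.group("msg")
        if (s := SERVICE_RE.search(msg)):
            service = s.group("name")
            report["services"][service] = "present"   # unless an open error follows (assumption)
        elif service and (e := KEYERR_RE.search(msg)):
            # Win32 error 2 is ERROR_FILE_NOT_FOUND: the service key does not exist.
            code = e.group("code")
            report["services"][service] = "absent" if code == "2" else "error " + code
            service = None
        elif (h := HOOK_RE.search(msg)):
            # Only the negative wording is known from the log; anything else counts as a hit.
            report["hooks"].setdefault(h.group("fn"), []).append(h.group("text").startswith("No "))
        elif (d := DRIVER_RE.search(msg)):
            driver = d.group("obj")
            report["drivers"].setdefault(driver, {})
        elif driver and (i := IRP_RE.search(msg)):
            report["drivers"][driver][int(i.group("idx"))] = int(i.group("addr"), 16)
    return report


def irp_anomalies(report):
    """Heuristic (assumption): a clean dispatch table points into at most two
    address regions, the driver's own image and the ntoskrnl address shared by
    every unimplemented major function (804F9739 in the log above).  A hooked
    entry that jumps into pool memory adds a third region.  Region = top 16 bits."""
    flagged = {}
    for drv, table in report["drivers"].items():
        regions = {addr >> 16 for addr in table.values()}
        if len(regions) > 2:
            flagged[drv] = sorted(f"{r:04X}xxxx" for r in regions)
    return flagged


def summarize(report):
    services = report["services"]
    return {
        "rootkit_services_present": sorted(n for n, s in services.items() if s == "present"),
        "rootkit_services_absent": sorted(n for n, s in services.items() if s == "absent"),
        "sdt_clean": all(all(v) for v in report["hooks"].values()),
        "irp_anomalies": irp_anomalies(report),
    }


# Constructed excerpt in the log's format.  The last line is made up to show
# the heuristic firing; the real log posted in this thread has nothing like it.
SAMPLE_LOG = """\
05:14:48:007 2056 ScanServices: Searching service UACd.sys
05:14:48:007 2056 ScanServices: Open/Create key error 2
05:14:48:007 2056 ScanServices: Searching service TDSSserv.sys
05:14:48:007 2056 ScanServices: Open/Create key error 2
05:14:48:148 2056 UnhookRegistry: No SDT hooks found on NtEnumerateKey
05:14:48:148 2056 UnhookRegistry: No splicing found on NtEnumerateKey
05:14:48:148 2056 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
05:14:48:148 2056 DetectCureTDL3: IrpHandler (0) addr: F76ADBB0
05:14:48:148 2056 DetectCureTDL3: IrpHandler (1) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (14) addr: 8A2B1C00
"""

if __name__ == "__main__":
    print(summarize(parse_tdsskiller_log(SAMPLE_LOG)))
```

Point it at C:\TDSSKiller.txt to get the same summary for a real run. A third address region in a driver's table is only a prompt to look closer (a legitimate filter driver can also put handlers elsewhere); the service-key and SDT verdicts are read straight from what TDSSKiller itself logged.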

#15 TygerTyger

Posted 08 January 2010 - 05:20 AM

05:14:47:929 2056 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
05:14:47:929 2056 ================================================================================
05:14:47:929 2056 SystemInfo:

05:14:47:929 2056 OS Version: 5.1.2600 ServicePack: 3.0
05:14:47:929 2056 Product type: Workstation
05:14:47:929 2056 ComputerName: TYGER
05:14:47:929 2056 UserName: TygerDiago
05:14:47:929 2056 Windows directory: C:\WINDOWS
05:14:47:929 2056 Processor architecture: Intel x86
05:14:47:929 2056 Number of processors: 2
05:14:47:929 2056 Page size: 0x1000
05:14:47:929 2056 Boot type: Normal boot
05:14:47:929 2056 ================================================================================
05:14:47:929 2056 ForceUnloadDriver: NtUnloadDriver error 2
05:14:47:929 2056 ForceUnloadDriver: NtUnloadDriver error 2
05:14:47:929 2056 ForceUnloadDriver: NtUnloadDriver error 2
05:14:47:945 2056 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
05:14:47:945 2056 main: Driver KLMD successfully dropped
05:14:48:007 2056 main: Driver KLMD successfully loaded
05:14:48:007 2056
Scanning Registry ...
05:14:48:007 2056 ScanServices: Searching service UACd.sys
05:14:48:007 2056 ScanServices: Open/Create key error 2
05:14:48:007 2056 ScanServices: Searching service TDSSserv.sys
05:14:48:007 2056 ScanServices: Open/Create key error 2
05:14:48:007 2056 ScanServices: Searching service gaopdxserv.sys
05:14:48:007 2056 ScanServices: Open/Create key error 2
05:14:48:007 2056 ScanServices: Searching service gxvxcserv.sys
05:14:48:007 2056 ScanServices: Open/Create key error 2
05:14:48:007 2056 ScanServices: Searching service MSIVXserv.sys
05:14:48:007 2056 ScanServices: Open/Create key error 2
05:14:48:007 2056 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
05:14:48:054 2056 UnhookRegistry: Kernel local addr: E40000
05:14:48:054 2056 UnhookRegistry: KeServiceDescriptorTable addr: ECB520
05:14:48:132 2056 UnhookRegistry: KiServiceTable addr: E4D8B0
05:14:48:132 2056 UnhookRegistry: NtEnumerateKey service number (local): 47
05:14:48:132 2056 UnhookRegistry: NtEnumerateKey local addr: EE1E14
05:14:48:148 2056 KLMD_OpenDevice: Trying to open KLMD device
05:14:48:148 2056 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
05:14:48:148 2056 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
05:14:48:148 2056 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]
05:14:48:148 2056 UnhookRegistry: NtEnumerateKey service number (kernel): 47
05:14:48:148 2056 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]
05:14:48:148 2056 UnhookRegistry: NtEnumerateKey real addr: 80578E14
05:14:48:148 2056 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
05:14:48:148 2056 UnhookRegistry: No SDT hooks found on NtEnumerateKey
05:14:48:148 2056 KLMD_ReadMem: Trying to ReadMemory 0x80578E14[0xA]
05:14:48:148 2056 UnhookRegistry: No splicing found on NtEnumerateKey
05:14:48:148 2056
Scanning Kernel memory ...
05:14:48:148 2056 KLMD_OpenDevice: Trying to open KLMD device
05:14:48:148 2056 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
05:14:48:148 2056 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
05:14:48:148 2056 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86F73C08
05:14:48:148 2056 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
05:14:48:148 2056 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86D42260
05:14:48:148 2056 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86D42260
05:14:48:148 2056 KLMD_ReadMem: Trying to ReadMemory 0x86D42260[0x38]
05:14:48:148 2056 DetectCureTDL3: DRIVER_OBJECT addr: 86F73C08
05:14:48:148 2056 KLMD_ReadMem: Trying to ReadMemory 0x86F73C08[0xA8]
05:14:48:148 2056 KLMD_ReadMem: Trying to ReadMemory 0xE18E1540[0x208]
05:14:48:148 2056 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
05:14:48:148 2056 DetectCureTDL3: IrpHandler (0) addr: F76ADBB0
05:14:48:148 2056 DetectCureTDL3: IrpHandler (1) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (2) addr: F76ADBB0
05:14:48:148 2056 DetectCureTDL3: IrpHandler (3) addr: F76A7D1F
05:14:48:148 2056 DetectCureTDL3: IrpHandler (4) addr: F76A7D1F
05:14:48:148 2056 DetectCureTDL3: IrpHandler (5) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (6) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (7) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (8) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (9) addr: F76A82E2
05:14:48:148 2056 DetectCureTDL3: IrpHandler (10) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (11) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (12) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (13) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (14) addr: F76A83BB
05:14:48:148 2056 DetectCureTDL3: IrpHandler (15) addr: F76ABF28
05:14:48:148 2056 DetectCureTDL3: IrpHandler (16) addr: F76A82E2
05:14:48:148 2056 DetectCureTDL3: IrpHandler (17) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (18) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (19) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (20) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (21) addr: 804F9739
05:14:48:148 2056 DetectCureTDL3: IrpHandler (22) addr: F76A9C82
05:14:48:148 2056 DetectCureTDL3: IrpHandler (23) addr: F76AE99E
05:14:48:148 2056 DetectCureTDL3: IrpHandler (24) addr: 804F9739
05:14:48:163 2056 DetectCureTDL3: IrpHandler (25) addr: 804F9739
05:14:48:163 2056 DetectCureTDL3: IrpHandler (26) addr: 804F9739
05:14:48:163 2056 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
05:14:48:163 2056 KLMD_ReadMem: DeviceIoControl error 1
05:14:48:163 2056 TDL3_StartIoHookDetect: Unable to get StartIo handler code
05:14:48:163 2056 TDL3_FileDetect: Processing driver: Disk
05:14:48:163 2056 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
05:14:48:163 2056 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
05:14:48:163 2056 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
05:14:48:179 2056 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86BE84F8
05:14:48:179 2056 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86BE84F8
05:14:48:179 2056 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86833798
05:14:48:179 2056 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86833798
05:14:48:179 2056 KLMD_ReadMem: Trying to ReadMemory 0x86833798[0x38]
05:14:48:179 2056 DetectCureTDL3: DRIVER_OBJECT addr: 86831200
05:14:48:179 2056 KLMD_ReadMem: Trying to ReadMemory 0x86831200[0xA8]
05:14:48:179 2056 KLMD_ReadMem: Trying to ReadMemory 0xE1E10110[0x208]
05:14:48:179 2056 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
05:14:48:179 2056 DetectCureTDL3: IrpHandler (0) addr: A03DF218
05:14:48:179 2056 DetectCureTDL3: IrpHandler (1) addr: 804F9739
05:14:48:179 2056 DetectCureTDL3: IrpHandler (2) addr: A03DF218
05:14:48:179 2056 DetectCureTDL3: IrpHandler (3) addr: A03DF23C
05:14:48:179 2056 DetectCureTDL3: IrpHandler (4) addr: A03DF23C
05:14:48:179 2056 DetectCureTDL3: IrpHandler (5) addr: 804F9739
05:14:48:179 2056 DetectCureTDL3: IrpHandler (6) addr: 804F9739
05:14:48:179 2056 DetectCureTDL3: IrpHandler (7) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (8) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (9) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (10) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (11) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (12) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (13) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (14) addr: A03DF180
05:14:48:195 2056 DetectCureTDL3: IrpHandler (15) addr: A03DA9E6
05:14:48:195 2056 DetectCureTDL3: IrpHandler (16) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (17) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (18) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (19) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (20) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (21) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (22) addr: A03DE5F0
05:14:48:195 2056 DetectCureTDL3: IrpHandler (23) addr: A03DCA6E
05:14:48:195 2056 DetectCureTDL3: IrpHandler (24) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (25) addr: 804F9739
05:14:48:195 2056 DetectCureTDL3: IrpHandler (26) addr: 804F9739
05:14:48:195 2056 KLMD_ReadMem: Trying to ReadMemory 0xA03DBF26[0x400]
05:14:48:195 2056 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
05:14:48:195 2056 TDL3_FileDetect: Processing driver: USBSTOR
05:14:48:195 2056 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\usbstor.tsk, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\usbstor.tsk
05:14:48:195 2056 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
05:14:48:195 2056 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
05:14:48:226 2056 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86F5E250
05:14:48:226 2056 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F5E250
05:14:48:226 2056 KLMD_ReadMem: Trying to ReadMemory 0x86F5E250[0x38]
05:14:48:226 2056 DetectCureTDL3: DRIVER_OBJECT addr: 86F73C08
05:14:48:226 2056 KLMD_ReadMem: Trying to ReadMemory 0x86F73C08[0xA8]
05:14:48:226 2056 KLMD_ReadMem: Trying to ReadMemory 0xE18E1540[0x208]
05:14:48:226 2056 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
05:14:48:226 2056 DetectCureTDL3: IrpHandler (0) addr: F76ADBB0
05:14:48:226 2056 DetectCureTDL3: IrpHandler (1) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (2) addr: F76ADBB0
05:14:48:226 2056 DetectCureTDL3: IrpHandler (3) addr: F76A7D1F
05:14:48:226 2056 DetectCureTDL3: IrpHandler (4) addr: F76A7D1F
05:14:48:226 2056 DetectCureTDL3: IrpHandler (5) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (6) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (7) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (8) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (9) addr: F76A82E2
05:14:48:226 2056 DetectCureTDL3: IrpHandler (10) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (11) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (12) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (13) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (14) addr: F76A83BB
05:14:48:226 2056 DetectCureTDL3: IrpHandler (15) addr: F76ABF28
05:14:48:226 2056 DetectCureTDL3: IrpHandler (16) addr: F76A82E2
05:14:48:226 2056 DetectCureTDL3: IrpHandler (17) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (18) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (19) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (20) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (21) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (22) addr: F76A9C82
05:14:48:226 2056 DetectCureTDL3: IrpHandler (23) addr: F76AE99E
05:14:48:226 2056 DetectCureTDL3: IrpHandler (24) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (25) addr: 804F9739
05:14:48:226 2056 DetectCureTDL3: IrpHandler (26) addr: 804F9739
05:14:48:241 2056 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
05:14:48:241 2056 KLMD_ReadMem: DeviceIoControl error 1
05:14:48:241 2056 TDL3_StartIoHookDetect: Unable to get StartIo handler code
05:14:48:241 2056 TDL3_FileDetect: Processing driver: Disk
05:14:48:241 2056 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
05:14:48:241 2056 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
05:14:48:241 2056 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
05:14:48:241 2056 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86FA1A38
05:14:48:241 2056 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FA1A38
05:14:48:241 2056 KLMD_ReadMem: Trying to ReadMemory 0x86FA1A38[0x38]
05:14:48:241 2056 DetectCureTDL3: DRIVER_OBJECT addr: 86F73C08
05:14:48:241 2056 KLMD_ReadMem: Trying to ReadMemory 0x86F73C08[0xA8]
05:14:48:241 2056 KLMD_ReadMem: Trying to ReadMemory 0xE18E1540[0x208]
05:14:48:241 2056 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
05:14:48:241 2056 DetectCureTDL3: IrpHandler (0) addr: F76ADBB0
05:14:48:241 2056 DetectCureTDL3: IrpHandler (1) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (2) addr: F76ADBB0
05:14:48:241 2056 DetectCureTDL3: IrpHandler (3) addr: F76A7D1F
05:14:48:241 2056 DetectCureTDL3: IrpHandler (4) addr: F76A7D1F
05:14:48:241 2056 DetectCureTDL3: IrpHandler (5) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (6) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (7) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (8) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (9) addr: F76A82E2
05:14:48:241 2056 DetectCureTDL3: IrpHandler (10) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (11) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (12) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (13) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (14) addr: F76A83BB
05:14:48:241 2056 DetectCureTDL3: IrpHandler (15) addr: F76ABF28
05:14:48:241 2056 DetectCureTDL3: IrpHandler (16) addr: F76A82E2
05:14:48:241 2056 DetectCureTDL3: IrpHandler (17) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (18) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (19) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (20) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (21) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (22) addr: F76A9C82
05:14:48:241 2056 DetectCureTDL3: IrpHandler (23) addr: F76AE99E
05:14:48:241 2056 DetectCureTDL3: IrpHandler (24) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (25) addr: 804F9739
05:14:48:241 2056 DetectCureTDL3: IrpHandler (26) addr: 804F9739
05:14:48:241 2056 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
05:14:48:241 2056 KLMD_ReadMem: DeviceIoControl error 1
05:14:48:241 2056 TDL3_StartIoHookDetect: Unable to get StartIo handler code
05:14:48:241 2056 TDL3_FileDetect: Processing driver: Disk
05:14:48:241 2056 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
05:14:48:241 2056 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
05:14:48:241 2056 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
05:14:48:241 2056 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 86F73478
05:14:48:241 2056 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F73478
05:14:48:241 2056 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 86F63EB0
05:14:48:241 2056 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F63EB0
05:14:48:241 2056 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 86FDDD98
05:14:48:241 2056 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FDDD98
05:14:48:257 2056 KLMD_ReadMem: Trying to ReadMemory 0x86FDDD98[0x38]
05:14:48:257 2056 DetectCureTDL3: DRIVER_OBJECT addr: 86EE75A8
05:14:48:257 2056 KLMD_ReadMem: Trying to ReadMemory 0x86EE75A8[0xA8]
05:14:48:257 2056 KLMD_ReadMem: Trying to ReadMemory 0x86F79030[0x38]
05:14:48:257 2056 KLMD_ReadMem: Trying to ReadMemory 0x86F89A38[0xA8]
05:14:48:257 2056 KLMD_ReadMem: Trying to ReadMemory 0xE101C9A8[0x208]
05:14:48:257 2056 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
05:14:48:257 2056 DetectCureTDL3: IrpHandler (0) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (1) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (2) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (3) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (4) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (5) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (6) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (7) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (8) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (9) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (10) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (11) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (12) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (13) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (14) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (15) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (16) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (17) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (18) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (19) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (20) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (21) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (22) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (23) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (24) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (25) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: IrpHandler (26) addr: 86F25618
05:14:48:257 2056 DetectCureTDL3: All IRP handlers pointed to one addr: 86F25618
05:14:48:257 2056 KLMD_ReadMem: Trying to ReadMemory 0x86F25618[0x400]
05:14:48:257 2056 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
05:14:48:257 2056 Driver "atapi" Irp handler infected by TDSS rootkit ... 05:14:48:257 2056 KLMD_WriteMem: Trying to WriteMemory 0x86F2567D[0xD]
05:14:48:257 2056 cured
05:14:48:257 2056 KLMD_ReadMem: Trying to ReadMemory 0x86F254BF[0x400]
05:14:48:257 2056 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1
05:14:48:257 2056 Driver "atapi" StartIo handler infected by TDSS rootkit ... 05:14:48:257 2056 TDL3_StartIoHookCure: Number of patches 1
05:14:48:257 2056 KLMD_WriteMem: Trying to WriteMemory 0x86F255B6[0x6]
05:14:48:257 2056 cured
05:14:48:257 2056 TDL3_FileDetect: Processing driver: atapi
05:14:48:257 2056 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\atapi.tsk, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\atapi.tsk
05:14:48:257 2056 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
05:14:48:257 2056 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
05:14:48:273 2056 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 05:14:48:273 2056 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
05:14:48:273 2056 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
05:14:48:288 2056 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\atapi.tsk
05:14:48:366 2056 TDL3_FileCure: Image path (system32\Drivers\atapi.tsk) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
05:14:48:366 2056 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\atapi.tsk, C:\WINDOWS\system32\drivers\atapi.sys) success
05:14:48:366 2056 will be cured on next reboot
05:14:48:366 2056
Completed

Results:
05:14:48:366 2056 Infected objects in memory: 2
05:14:48:366 2056 Cured objects in memory: 2
05:14:48:366 2056 Infected objects on disk: 1
05:14:48:366 2056 Objects on disk cured on reboot: 1
05:14:48:366 2056 Objects on disk deleted on reboot: 0
05:14:48:366 2056 Registry nodes deleted on reboot: 0
05:14:48:366 2056
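The DetectCureTDL3 part of the log above walks each disk device stack, reads the DRIVER_OBJECT and dumps its 27 IRP major-function handlers. For disk.sys the entries are spread across several routines; for atapi every entry resolves to 86F25618, which is exactly what the tool flags ("All IRP handlers pointed to one addr") before it reads 0x400 bytes at that address and TDL3_IrpHookDetect confirms the TDSS hook. The Python below is an added example, not part of the original post and not TDSSKiller's own code: it parses that log format and applies the same single-target heuristic. The regexes, function names and the sample excerpt are assumptions of this example (the Disk table is copied from the log, the atapi table is the 27 identical entries the log shows), and the heuristic on its own is a triage signal, not proof of infection.

```python
import re
from collections import Counter

# Constructed sample input modelled on the TDSSKiller DetectCureTDL3 output.
# DISK_HANDLERS reproduces the Disk table from the log; ATAPI_HANDLERS is the
# 27-entry table in which every slot points at the same address.
DISK_HANDLERS = (
    ["F76ADBB0", "804F9739", "F76ADBB0", "F76A7D1F", "F76A7D1F"]
    + ["804F9739"] * 4 + ["F76A82E2"] + ["804F9739"] * 4
    + ["F76A83BB", "F76ABF28", "F76A82E2"] + ["804F9739"] * 5
    + ["F76A9C82", "F76AE99E"] + ["804F9739"] * 3
)
ATAPI_HANDLERS = ["86F25618"] * 27


def build_sample_log():
    """Emit log lines in the same shape TDSSKiller writes them (constructed)."""
    lines = []
    for name, table in (("Disk", DISK_HANDLERS), ("atapi", ATAPI_HANDLERS)):
        lines.append(f"05:14:48:257 2056 DetectCureTDL3: DRIVER_OBJECT name: "
                     f"\\Driver\\{name}, Driver Name: {name}")
        for i, addr in enumerate(table):
            lines.append(f"05:14:48:257 2056 DetectCureTDL3: IrpHandler ({i}) addr: {addr}")
    return "\n".join(lines)


# Line patterns are assumptions based on the log text on this page.
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
HANDLER_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")


def parse_irp_tables(text):
    """Return {driver_name: {irp_major_index: handler_address}}.

    A driver that appears several times (the log walks Disk more than once)
    simply has its table re-read; the entries are the same each time.
    """
    tables, current = {}, None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = HANDLER_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = int(m.group(2), 16)
    return tables


def assess(tables):
    """Apply the heuristic visible in the log: a dispatch table whose entries
    all resolve to one address is suspicious, because a genuine driver routes
    different IRP_MJ_* codes to different routines (or leaves unimplemented
    ones on a shared default handler, as the 804F9739 entries for Disk show).
    """
    report = {}
    for drv, table in tables.items():
        targets = Counter(table.values())
        addr, _ = targets.most_common(1)[0]
        single = len(targets) == 1
        report[drv] = {
            "entries": len(table),
            "distinct_targets": len(targets),
            "single_target": single,
            "hook_candidate": f"{addr:08X}" if single else None,
        }
    return report


if __name__ == "__main__":
    for drv, verdict in assess(parse_irp_tables(build_sample_log())).items():
        flag = "SUSPICIOUS" if verdict["single_target"] else "ok"
        print(f"{drv:6s} {verdict['entries']:2d} entries, "
              f"{verdict['distinct_targets']} distinct targets -> {flag} "
              f"{verdict['hook_candidate'] or ''}")
```

Running it over a real TDSSKiller log instead of the constructed excerpt is a matter of passing the file contents to parse_irp_tables. The single-target check is only the first gate TDSSKiller applies; in the log it is followed by reading the handler's code and the TDL3_IrpHookDetect / TDL3_StartIoHookDetect pattern checks, which this example does not reproduce.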



