Redirected Search Results and Random Pop-ups


  • This topic is locked
41 replies to this topic

#1 tempos


Posted 07 January 2010 - 10:05 AM

Hi, I have some problems with search results being redirected and random survey pop-ups. I have tried IE and Firefox and Google and Yahoo and I still have the problem. A friend of mine tried to fix it with some tools, but was unable to and told me to try here.

I tried to use RootRepeal, but it was giving me error messages.

*EDIT UPDATE: I'm also getting redirected to a new window for thewebsitesurvey.com very often. And something with my media player keeps failing even though I'm not doing anything with it. It started to happen at the same time the other problem occurred.


DDS (Ver_09-12-01.01) - NTFSx86
Run by mobil1 at 19:56:09.13 on Thu 12/10/2009
Internet Explorer: 7.0.6000.16945 BrowserJavaVersion: 1.6.0_05
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1048 [GMT -6:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Users\mobil1\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\mobil1\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\mobil1\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [NWEReboot]
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
Trusted Zone: belmont.edu
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\mobil1\appdata\roaming\mozilla\firefox\profiles\yrvptujs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\mobil1\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-12 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-23 1153368]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2009-12-11 01:36:07 0 d-----w- c:\program files\TrendMicro
2009-12-09 14:22:23 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-09 14:19:45 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 14:19:44 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 14:19:43 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 14:15:32 274432 ----a-w- c:\windows\system32\raschap.dll
2009-12-09 14:15:32 232960 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 14:15:28 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-12-09 14:13:59 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-12-09 14:13:58 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-12-09 14:13:58 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-12-09 14:13:58 1260032 ----a-w- c:\windows\system32\msxml3.dll
2009-12-09 14:09:29 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-12-09 14:09:04 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-12-09 14:09:04 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-12-09 14:09:04 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-12-09 14:09:04 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-12-09 14:09:01 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-08 00:11:31 0 d-----w- c:\users\mobil1\appdata\roaming\PC

==================== Find3M ====================

2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-27 15:05:11 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 15:01:43 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-10-27 15:01:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 14:59:14 72704 ----a-w- c:\windows\system32\admparse.dll
2009-10-27 12:27:14 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-27 10:56:00 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-02-03 04:41:32 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-02-03 04:41:32 51200 ----a-w- c:\windows\inf\infpub.dat
2009-02-03 04:41:29 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-19 19:10:15 174 --sha-w- c:\program files\desktop.ini
2008-12-19 19:06:44 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:58:00.86 ===============

Attached Files


Edited by tempos, 07 January 2010 - 11:36 AM.




#2 myrti

Malware Study Hall Admin

Posted 14 January 2010 - 09:58 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 tempos


Posted 14 January 2010 - 05:20 PM

I'm beginning to receive more random popups to new pages, but fewer redirects from search results now. It could just be in my head though.

I'm trying to run OTL, but it keeps hanging up and says (Not Responding) when it gets to the Internet Explorer Settings.

Also, in the settings it shows to scan 30/60/90/etc days. I think I've been having this problem for over 30 days now. Should I change that to 60?

#4 myrti


Posted 14 January 2010 - 05:26 PM

Hi,

yes please change the results to 60. If you are unable to finish a scan with OTL, please provide a DDS log instead.

Please also provide a log from gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti



#5 tempos


Posted 14 January 2010 - 07:59 PM

It completed with no problems. Here is the log...


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-14 18:42:45
Windows 6.0.6000
Running: dcsbfwij.exe; Driver: C:\Users\mobil1\AppData\Local\Temp\kxrdypod.sys


---- System - GMER 1.0.15 ----

SSDT A3A8C81C ZwCreateThread
SSDT A3A8C808 ZwOpenProcess
SSDT A3A8C80D ZwOpenThread
SSDT A3A8C817 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_alloca_probe + 164 81C55FB4 4 Bytes [1C, C8, A8, A3] {SBB AL, 0xc8; TEST AL, 0xa3}
.text ntoskrnl.exe!_alloca_probe + 334 81C56184 4 Bytes [08, C8, A8, A3] {OR AL, CL; TEST AL, 0xa3}
.text ntoskrnl.exe!_alloca_probe + 350 81C561A0 4 Bytes [0D, C8, A8, A3]
.text ntoskrnl.exe!_alloca_probe + 574 81C563C4 4 Bytes [17, C8, A8, A3]
.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8277C024]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[820] ole32.dll!CoCreateInstance 76D0DD8F 5 Bytes JMP 0092000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 84637618

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 myrti


Posted 14 January 2010 - 08:19 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#7 tempos


Posted 14 January 2010 - 09:06 PM

I'll do whatever you think is best for me to do. I went ahead and ran the ComboFix as you said and here is the log from it.

Attached Files



#8 myrti


Posted 14 January 2010 - 09:12 PM

Hi,

If you wish to proceed, we will clean the PC.

ComboFix did not catch the infection, please try TDSSKiller instead:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

regards myrti



#9 tempos


Posted 14 January 2010 - 09:26 PM

20:20:23:496 2252 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
20:20:23:496 2252 ================================================================================
20:20:23:496 2252 SystemInfo:

20:20:23:496 2252 OS Version: 6.0.6000 ServicePack: 0.0
20:20:23:496 2252 Product type: Workstation
20:20:23:496 2252 ComputerName: MOBIL
20:20:23:496 2252 UserName: mobil1
20:20:23:496 2252 Windows directory: C:\Windows
20:20:23:496 2252 Processor architecture: Intel x86
20:20:23:496 2252 Number of processors: 2
20:20:23:496 2252 Page size: 0x1000
20:20:23:496 2252 Boot type: Normal boot
20:20:23:496 2252 ================================================================================
20:20:23:496 2252 UnloadDriverW: NtUnloadDriver error 2
20:20:23:496 2252 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:20:23:512 2252 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
20:20:23:637 2252 UtilityInit: KLMD drop and load success
20:20:23:637 2252 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
20:20:23:637 2252 UtilityInit: KLMD open success
20:20:23:637 2252 UtilityInit: Initialize success
20:20:23:637 2252
20:20:23:637 2252 Scanning Services ...
20:20:23:637 2252 CreateRegParser: Registry parser init started
20:20:23:637 2252 CreateRegParser: DisableWow64Redirection error
20:20:23:637 2252 wfopen_ex: Trying to open file C:\Windows\system32\config\system
20:20:23:637 2252 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
20:20:23:637 2252 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:20:23:637 2252 wfopen_ex: Trying to KLMD file open
20:20:23:637 2252 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
20:20:23:637 2252 wfopen_ex: File opened ok (Flags 2)
20:20:23:652 2252 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 1271290
20:20:23:652 2252 wfopen_ex: Trying to open file C:\Windows\system32\config\software
20:20:23:652 2252 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
20:20:23:652 2252 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:20:23:652 2252 wfopen_ex: Trying to KLMD file open
20:20:23:652 2252 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
20:20:23:652 2252 wfopen_ex: File opened ok (Flags 2)
20:20:23:652 2252 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 12712B8
20:20:23:652 2252 CreateRegParser: EnableWow64Redirection error
20:20:23:652 2252 CreateRegParser: RegParser init completed
20:20:24:760 2252 GetAdvancedServicesInfo: Raw services enum returned 442 services
20:20:24:775 2252 fclose_ex: Trying to close file C:\Windows\system32\config\system
20:20:24:775 2252 fclose_ex: Trying to close file C:\Windows\system32\config\software
20:20:24:775 2252
20:20:24:775 2252 Scanning Kernel memory ...
20:20:24:775 2252 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:20:24:775 2252 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8461D8B8
20:20:24:775 2252 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
20:20:24:775 2252
20:20:24:775 2252 DetectCureTDL3: DEVICE_OBJECT: 84625030
20:20:24:775 2252 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84625030
20:20:24:775 2252 DetectCureTDL3: DEVICE_OBJECT: 838794A8
20:20:24:775 2252 KLMD_GetLowerDeviceObject: Trying to get lower device object for 838794A8
20:20:24:775 2252 DetectCureTDL3: DEVICE_OBJECT: 83879BB0
20:20:24:775 2252 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83879BB0
20:20:24:775 2252 KLMD_ReadMem: Trying to ReadMemory 0x83879BB0[0x38]
20:20:24:775 2252 DetectCureTDL3: DRIVER_OBJECT: 847C5810
20:20:24:775 2252 KLMD_ReadMem: Trying to ReadMemory 0x847C5810[0xA8]
20:20:24:775 2252 KLMD_ReadMem: Trying to ReadMemory 0x8461E028[0x38]
20:20:24:775 2252 KLMD_ReadMem: Trying to ReadMemory 0x83C429F8[0xA8]
20:20:24:775 2252 KLMD_ReadMem: Trying to ReadMemory 0x83C417E0[0x1A]
20:20:24:775 2252 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
20:20:24:775 2252 DetectCureTDL3: IrpHandler (0) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (1) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (2) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (3) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (4) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (5) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (6) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (7) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (8) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (9) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (10) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (11) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (12) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (13) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (14) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (15) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (16) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (17) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (18) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (19) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (20) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (21) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (22) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (23) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (24) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (25) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: IrpHandler (26) addr: 8462F618
20:20:24:775 2252 DetectCureTDL3: All IRP handlers pointed to one addr: 8462F618
20:20:24:775 2252 KLMD_ReadMem: Trying to ReadMemory 0x8462F618[0x400]
20:20:24:791 2252 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
20:20:24:791 2252 Driver "atapi" Irp handler infected by TDSS rootkit ... 20:20:24:791 2252 KLMD_WriteMem: Trying to WriteMemory 0x8462F67D[0xD]
20:20:24:791 2252 cured
20:20:24:791 2252 KLMD_ReadMem: Trying to ReadMemory 0x8462F4BF[0x400]
20:20:24:791 2252 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
20:20:24:791 2252 Driver "atapi" StartIo handler infected by TDSS rootkit ... 20:20:24:791 2252 TDL3_StartIoHookCure: Number of patches 1
20:20:24:791 2252 KLMD_WriteMem: Trying to WriteMemory 0x8462F5B6[0x6]
20:20:24:791 2252 cured
20:20:24:791 2252 TDL3_FileDetect: Processing driver: atapi
20:20:24:791 2252 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
20:20:24:791 2252 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
20:20:24:791 2252 TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Infected
20:20:24:791 2252 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 20:20:24:791 2252 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
20:20:26:195 2252 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys:21560, checking..
20:20:26:242 2252 ValidateDriverFile: Stage 1 passed
20:20:26:242 2252 ValidateDriverFile: Stage 2 passed
20:20:26:507 2252 DigitalSignVerifyByHandle: Embedded DS result: 00000000
20:20:26:507 2252 ValidateDriverFile: Stage 3 passed
20:20:26:507 2252 FileCallback: File validated successfully, restore information prepared
20:20:28:551 2252 FindDriverFileBackup: Backup copy found in DriverStore
20:20:28:551 2252 TDL3_FileCure: Backup copy found, using it..
20:20:28:566 2252 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tskA9C6.tmp
20:20:28:613 2252 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskA9C6.tmp, system32\drivers\atapi.sys)
20:20:28:613 2252 TDL3_FileCure: KLMD jobs schedule success
20:20:28:613 2252 will be cured on next reboot
20:20:28:613 2252 UtilityBootReinit: Reboot required for cure complete..
20:20:28:629 2252 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
20:20:28:644 2252 UtilityBootReinit: KLMD drop success
20:20:28:644 2252 KLMD_ApplyPendList: Pending buffer(6985_37C, 616) dropped successfully
20:20:28:644 2252 UtilityBootReinit: Cure on reboot scheduled successfully
20:20:28:644 2252
20:20:28:644 2252 Completed
20:20:28:644 2252
20:20:28:644 2252 Results:
20:20:28:644 2252 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
20:20:28:644 2252 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:20:28:644 2252 File objects infected / cured / cured on reboot: 1 / 0 / 1
20:20:28:644 2252
20:20:28:644 2252 UnloadDriverW: NtUnloadDriver error 1
20:20:28:644 2252 KLMD_Unload: UnloadDriverW(klmd21) error 1
20:20:28:644 2252 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
20:20:28:660 2252 UtilityDeinit: KLMD(ARK) unloaded successfully
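
The TDSSKiller log above shows the indicator the tool acted on: it walked all 27 IRP major-function entries of the atapi driver object, found every one pointing at the same address (8462F618), patched the hooks in memory, and scheduled the on-disk atapi.sys to be replaced from the DriverStore backup on the next reboot. As an added example, not part of this thread and not TDSSKiller's own code, the following Python reads that log format and does the defender-side bookkeeping: it groups IrpHandler addresses per driver, flags any driver whose dispatch table is uniform, and parses the Results block so you can see whether a cure is still pending a reboot. The log excerpt it runs on is constructed: the atapi lines mirror the post above, while the "disk" driver lines are invented as a clean control case with handlers spread over several routines.

```python
"""Parse TDSSKiller-style log output and flag a uniform IRP dispatch table.

Added example for the thread above; not code from TDSSKiller or BleepingComputer.
Assumes the 2.2-era line format "HH:MM:SS:mmm <pid> <Source>: <message>".
"""
import re
from collections import defaultdict

# Entries in a DRIVER_OBJECT major-function table (IRP_MJ_MAXIMUM_FUNCTION + 1);
# the posted log enumerates IrpHandler (0) .. (26).
IRP_MJ_COUNT = 27

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\\Driver\\\w+), Driver Name: (\w+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
RESULT_RE = re.compile(
    r"(Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(\d+) / (\d+) / (\d+)"
)

# Constructed sample: the atapi block mirrors the thread's log; the "disk"
# block is invented as a clean driver whose handlers are not all identical.
SAMPLE_LOG = "\n".join(
    ["20:20:24:775 2252 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi"]
    + [f"20:20:24:775 2252 DetectCureTDL3: IrpHandler ({i}) addr: 8462F618" for i in range(IRP_MJ_COUNT)]
    + ["20:20:24:775 2252 DetectCureTDL3: All IRP handlers pointed to one addr: 8462F618",
       "20:20:24:780 2252 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\disk, Driver Name: disk"]
    + [f"20:20:24:780 2252 DetectCureTDL3: IrpHandler ({i}) addr: {0x8A000000 + 0x40 * (i % 5):08X}"
       for i in range(IRP_MJ_COUNT)]
    + ["20:20:28:644 2252 Memory objects infected / cured / cured on reboot: 2 / 2 / 0",
       "20:20:28:644 2252 Registry objects infected / cured / cured on reboot: 0 / 0 / 0",
       "20:20:28:644 2252 File objects infected / cured / cured on reboot: 1 / 0 / 1",
       "20:20:28:613 2252 UtilityBootReinit: Reboot required for cure complete.."]
)


def parse_lines(text):
    """Yield (timestamp, pid, message) for each well-formed log line; skip blanks."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def irp_handlers_by_driver(text):
    """Map driver name -> {irp_index: handler_address}, using the most recent
    DRIVER_OBJECT line to attribute the IrpHandler lines that follow it."""
    handlers = defaultdict(dict)
    current = None
    for _, _, msg in parse_lines(text):
        d = DRIVER_RE.search(msg)
        if d:
            current = d.group(2)
            continue
        h = IRP_RE.search(msg)
        if h and current:
            handlers[current][int(h.group(1))] = h.group(2).upper()
    return dict(handlers)


def uniform_irp_drivers(text, min_handlers=IRP_MJ_COUNT):
    """Return {driver: address} for drivers whose whole dispatch table points at
    one routine. A normal storage driver routes different IRP_MJ codes to
    different functions, so a single shared address is the hook pattern the
    tool reported for atapi."""
    suspicious = {}
    for driver, table in irp_handlers_by_driver(text).items():
        addrs = set(table.values())
        if len(table) >= min_handlers and len(addrs) == 1:
            suspicious[driver] = addrs.pop()
    return suspicious


def results_summary(text):
    """Return {"Memory": (infected, cured, cured_on_reboot), ...} from Results."""
    summary = {}
    for _, _, msg in parse_lines(text):
        m = RESULT_RE.search(msg)
        if m:
            summary[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return summary


def pending_on_reboot(text):
    """True when any object class still has its cure deferred to the next boot,
    i.e. the machine must be restarted before a follow-up scan means anything."""
    return any(cured_on_reboot > 0 for _, _, cured_on_reboot in results_summary(text).values())


if __name__ == "__main__":
    print("uniform dispatch tables:", uniform_irp_drivers(SAMPLE_LOG))
    print("results:", results_summary(SAMPLE_LOG))
    print("reboot pending:", pending_on_reboot(SAMPLE_LOG))
```

Run against the constructed sample it reports atapi as the only driver with a uniform table and shows the file-object cure still deferred to reboot, which is exactly why the helper's next step in the thread is "reboot and run a scan with gmer once more".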


#10 myrti


Posted 14 January 2010 - 09:30 PM

Hi,

that looks rather good. Please reboot and run a scan with gmer once more.

regards myrti



#11 tempos


Posted 14 January 2010 - 10:27 PM

Here it is. How serious was this? You recommended I should contact my bank and such and change all my passwords and such.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-14 21:24:11
Windows 6.0.6000
Running: dcsbfwij.exe; Driver: C:\Users\mobil1\AppData\Local\Temp\kxrdypod.sys


---- System - GMER 1.0.15 ----

SSDT A41AA07C ZwCreateThread
SSDT A41AA068 ZwOpenProcess
SSDT A41AA06D ZwOpenThread
SSDT A41AA077 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_alloca_probe + 164 81C55FB4 4 Bytes [7C, A0, 1A, A4]
.text ntoskrnl.exe!_alloca_probe + 334 81C56184 4 Bytes [68, A0, 1A, A4]
.text ntoskrnl.exe!_alloca_probe + 350 81C561A0 4 Bytes [6D, A0, 1A, A4]
.text ntoskrnl.exe!_alloca_probe + 574 81C563C4 4 Bytes [77, A0, 1A, A4]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

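A way to read the GMER output above, as an added example in Python (not part of tempos's or myrti's posts, and not a GMER tool): the SSDT lines give the address each hooked service now points at, and the four `.text` entries under ntoskrnl.exe are 4-byte writes inside the kernel image. Decoding each write as a little-endian x86 pointer and looking it up among the SSDT hooks shows whether the two sections describe the same four service-table slots or whether there is a patch with no matching hook. The log text is embedded verbatim from the post; the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Copied from the GMER 1.0.15 output posted in this thread (constructed test input).
GMER_LOG = """\
---- System - GMER 1.0.15 ----

SSDT A41AA07C ZwCreateThread
SSDT A41AA068 ZwOpenProcess
SSDT A41AA06D ZwOpenThread
SSDT A41AA077 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_alloca_probe + 164 81C55FB4 4 Bytes [7C, A0, 1A, A4]
.text ntoskrnl.exe!_alloca_probe + 334 81C56184 4 Bytes [68, A0, 1A, A4]
.text ntoskrnl.exe!_alloca_probe + 350 81C561A0 4 Bytes [6D, A0, 1A, A4]
.text ntoskrnl.exe!_alloca_probe + 574 81C563C4 4 Bytes [77, A0, 1A, A4]
"""

# "SSDT <handler address> <service name>"
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)\s*$")
# ".text <module!symbol> + <offset> <patched address> <n> Bytes [b0, b1, ...]"
PATCH_RE = re.compile(
    r"^\.text\s+(\S+)\s+\+\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\d+)\s+Bytes\s+\[([^\]]*)\]"
)


def parse_ssdt_hooks(log: str) -> Dict[int, str]:
    """Map each hook handler address to the service whose table slot it replaced."""
    hooks = {}
    for line in log.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[int(m.group(1), 16)] = m.group(2)
    return hooks


def parse_code_patches(log: str) -> List[Tuple[str, int, bytes]]:
    """Return (symbol + offset, patched address, raw bytes) for each .text patch line."""
    patches = []
    for line in log.splitlines():
        m = PATCH_RE.match(line.strip())
        if not m:
            continue
        symbol = f"{m.group(1)} + {m.group(2)}"
        raw = bytes(int(b, 16) for b in m.group(5).split(",") if b.strip())
        if len(raw) != int(m.group(4)):
            raise ValueError(f"byte count mismatch in: {line}")
        patches.append((symbol, int(m.group(3), 16), raw))
    return patches


def correlate(log: str) -> List[Tuple[str, int, int, Optional[str]]]:
    """Decode every 4-byte patch as a little-endian x86 pointer and look it up among
    the SSDT hooks. Returns (symbol, patched address, pointer, hooked service or None);
    pointer is -1 when the patch is not pointer-sized."""
    hooks = parse_ssdt_hooks(log)
    rows = []
    for symbol, addr, raw in parse_code_patches(log):
        if len(raw) != 4:
            rows.append((symbol, addr, -1, None))
            continue
        ptr = int.from_bytes(raw, "little")
        rows.append((symbol, addr, ptr, hooks.get(ptr)))
    return rows


def hook_span(log: str) -> int:
    """Distance between the lowest and highest hook handler. A span of a few bytes means
    all handlers sit next to each other in one module's hook stubs."""
    addrs = list(parse_ssdt_hooks(log))
    return max(addrs) - min(addrs) if addrs else 0


def unexplained_patches(log: str) -> List[str]:
    """Patches whose decoded pointer is not a reported SSDT hook; those are the ones
    the SSDT section does not already account for and deserve a closer look."""
    return [sym for sym, _, _, svc in correlate(log) if svc is None]


if __name__ == "__main__":
    for symbol, addr, ptr, svc in correlate(GMER_LOG):
        print(f"{symbol:<34} @ {addr:08X} -> {ptr:08X}  {svc or 'NO MATCHING SSDT HOOK'}")
    print(f"hook handlers span 0x{hook_span(GMER_LOG):X} bytes; "
          f"unexplained patches: {unexplained_patches(GMER_LOG)}")
```

For the posted log every patch decodes to one of the four hook handlers and the handlers lie within 0x14 bytes of each other, so the code-section entries are the overwritten service-table slots seen a second time rather than four additional modifications, and the layout is consistent with a single driver having placed all four hooks. The log alone does not say which driver that is; GMER did not print the hooking module's name here. A patch that decodes to an address with no SSDT entry, or hooks scattered across unrelated address ranges, is what to look at first in a log like this.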

#12 myrti
  • Malware Study Hall Admin

Posted 14 January 2010 - 10:43 PM

Hi,


I believe it would be wise to change your passwords and advise your bank. Please also run an online scan to check for possible left-overs:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#13 tempos
  • Topic Starter

Posted 14 January 2010 - 11:42 PM

I'm running the scan right now. It takes a while. :)

I guess I'm just still worried about the possibility that anything has been compromised. Or know the chances that things were. I'll be changing my passwords and everything, but I'm still worried about the chances or severity of the infection. Also, is it possible that my flash drive has also been infected?

Thanks for all your help, I appreciate the time you're spending!

#14 tempos
  • Topic Starter

Posted 15 January 2010 - 01:14 AM

ESET scan finished and didn't find any threats so it didn't give me the option to provide a log file.

#15 myrti
  • Malware Study Hall Admin

Posted 15 January 2010 - 04:02 PM

Hi,

before we get to the final step I would like you to update your software:

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
Your Adobe Reader is also out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

Please let me know if you run into any problems.

regards myrti


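An added example in Python (not part of myrti's post, and not a Sun or Oracle tool) that does the Add/Remove Programs part of the procedure above as a check: it reads the DisplayName values under the Windows Uninstall registry keys, recognises the JRE naming formats, and lists every JRE older than 6 Update 17, oldest first. The display-name patterns and the SAMPLE_ENTRIES list are my assumptions about how Sun's 1.4, 5.0 and 6 installers register themselves, constructed to match the 1.6.0_05 reported in the DDS header at the top of the thread; off Windows the script falls back to that constructed sample.

```python
import re
import sys
from typing import Iterable, List, Optional, Tuple

# Constructed sample of Add/Remove Programs display names (assumed formats, not read
# from the poster's machine). 6 Update 5 matches the BrowserJavaVersion 1.6.0_05 in DDS.
SAMPLE_ENTRIES = [
    "Java(TM) 6 Update 5",
    "Java(TM) SE Runtime Environment 6 Update 3",
    "J2SE Runtime Environment 5.0 Update 11",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Adobe Reader 8.1.2",
    "Java(TM) 6 Update 17",
]

# Display-name formats assumed for Sun's JRE installers across the 1.4 / 5.0 / 6 lines.
_PATTERNS = [
    re.compile(r"^Java\(TM\)(?: SE Runtime Environment)? (\d+) Update (\d+)$"),
    re.compile(r"^J2SE Runtime Environment (\d+)\.\d+ Update (\d+)$"),
    re.compile(r"^Java 2 Runtime Environment, SE v1\.(\d+)\.\d+_(\d+)$"),
]


def jre_version(display_name: str) -> Optional[Tuple[int, int]]:
    """(major, update) for a JRE display name, or None if the entry is not a JRE."""
    for pat in _PATTERNS:
        m = pat.match(display_name.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def stale_jres(display_names: Iterable[str],
               current: Tuple[int, int] = (6, 17)) -> List[str]:
    """Every JRE entry older than `current`, oldest first; these are the ones to uninstall."""
    found = []
    for name in display_names:
        version = jre_version(name)
        if version is not None:
            found.append((version, name))
    return [name for version, name in sorted(found) if version < current]


def installed_display_names() -> List[str]:
    """DisplayName of every entry under the Uninstall keys (32- and 64-bit views).
    Returns [] when not on Windows so the module still imports and runs on the sample."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, hence the late import
    names = []
    for root in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue  # the Wow6432Node view does not exist on 32-bit Windows
        with key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                    try:
                        names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
                    except OSError:
                        pass  # entry without a DisplayName value
    return names


if __name__ == "__main__":
    entries = installed_display_names() or SAMPLE_ENTRIES
    for name in stale_jres(entries):
        print("remove:", name, jre_version(name))
```

Run it again after the 6u17 installer has finished: as the post notes, that installer only removes Updates 10 and above, so anything the script still lists has to be removed by hand from Add/Remove Programs.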
