New process and wonky Windows... virus?


11 replies to this topic

#1 LBerry

Posted 12 January 2010 - 05:15 PM

Greetings!

I had a rather nasty trojan a few months ago, and with the help of a few different trojan removal applications, I thought I got it all... but now I'm not so sure. Either that, or I'm thinking I may still have some sort of vulnerability.

Regardless, I noticed my computer was jamming up at odd intervals and investigated only to find that one of the "svchost.exe"s was taking up 99% of system resources. Then I found a new, shiny process in my task manager by the name of siszyd32.exe. I recently installed a game, Runes of Magic, on my computer and thought that it might be associated it in some way, but it doesn't look like it is. I'm wondering if I've been infected by a bug again, and if so, how to remove the sucker for good?

Thank you for your time.

Some info: I have Windows XP Media Center Edition, and am protected by ProcessGuard and Windows Firewall.

P.S.
Another random oddity I just noticed... the icon for my wireless is gone. Normally it sits in the lower right hand corner. This definitely isn't looking good. This is starting to mimic what happened before with my last trojan problem. :thumbsup:


#2 trev47

Posted 13 January 2010 - 12:35 AM

Hi Lberry,
Use these great directions from boopme for SAS and ATF cleaner
Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Atribune's ATF Cleaner from http://www.atribune.org/index.php?option=c...5&Itemid=25
and then SUPERAntiSpyware, Free Home Version from http://www.superantispyware.com/?rid=3324 Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Now, download Malwarebytes from http://malwarebytes.org/ update it and run a full scan. Remove any infections found and post the results in your next reply.

#3 LBerry

Posted 15 January 2010 - 10:59 PM

Um... I kind of can't.

I followed some of those steps and installed SUPERAntispyware, but it's acting funny. After installation, even after restarting the computer, the program's control center won't actually open. If I right click on the little bug icon for the program, it'll open the taskbar mini menu that will let me click things like "Scan for Spyware," "View Control Center," and "Check for Updates." However, instantly when I right click, my cursor turns into the hourglass and never returns to its normal mouse pointer until I hover away from the taskbar menu for the program. Additionally, when I click on, for example, "View Control Center" or "Check for Updates" none of these functions work.

Some of my other programs are acting kind of funky as well. For example, when I try to use Google Chrome, I get the error message, "Windows Application Error - The application failed to initialize properly (0xc0000022). Click OK to terminate the application." At this point, I'd just be tempted to reinstall Windows because now I have so many little things that are acting wonky, but unfortunately my OS disc got broken when I recently moved so I'm kind of out of luck there.

Thank you for your time and suggestions,
LB.

#4 trev47

Posted 15 January 2010 - 11:29 PM

LB,
try downloading SASSAFERUN from http://www.superantispyware.com/downloads/SASSAFERUN.COM to your desktop.
Double click the file. Are you able to run the program? Did you install and run malwarebytes? You can also try to download Dr Web CureIt from http://www.freedrweb.com/cureit/?lng=en and run it in safe mode. Post the results.

#5 LBerry

Posted 16 January 2010 - 06:04 PM

Whew... this was an interesting process. I downloaded SASSAFERUN and it didn't work... then I happened to notice an alternative start for SAS and tried that... which worked, thankfully. I updated the definitions and tried to enter safemode, but when I hit f8 it didn't give me the option to enter safemode. It only offered to let me boot the regular version of windows. I'm not sure if the trojan was doing this or what...

I then went into msconfig and set the configuration to boot into safemode automatically, which worked. Ran the Cleaner program, which is kinda nifty. However, unfortunately SAS wouldn't work via the regular option, SASSAFERUN or the alternative start now. I then went into the folder for the program and found that every time I hit the alternative start button, a new executable would create itself. I selected the alternate that I thought had worked before and it popped up the working program. No idea why that one would work and the rest created by alternative start wouldn't, but I went with it.

I scanned and found five objects. I left my computer to grab something and returned to find my computer off. I'm not sure if it crashed, tried to reboot and failed or what... but I logged into Windows and checked the logs for the program and there weren't any... I'm going to assume it crashed or something. Since safemode was being a pain, I - as a last ditch effort - tried to run a quick scan in regular Windows. It found several objects and once I removed them my computer started acting normally again.

I tried going into safemode to try a full scan once more, but it was being pesky. For example, for some reason the safemode version of the program didn't have the updated definitions and also was acting wonky. I booted back into regular windows and did a full scan, which found a couple additional objects. Then I ran Malwarebytes and got a clean bill. I haven't tried going back into safemode yet for another scan... is this something I need to do? Or should I just let it go?

Logs:

First SAS log, quick scan.

Application Version : 4.33.1000

Core Rules Database Version : 4484
Trace Rules Database Version: 2302

Scan type : Quick Scan
Total Scan Time : 00:36:25

Memory items scanned : 423
Memory threats detected : 1
Registry items scanned : 496
Registry threats detected : 8
File items scanned : 46471
File threats detected : 1

Adware.Vundo/Variant-2x
C:\WINDOWS\SYSTEM32\DISKNLPA.DLL
C:\WINDOWS\SYSTEM32\DISKNLPA.DLL

Rogue.Component/Trace
HKLM\Software\Microsoft\78ADAC15
HKLM\Software\Microsoft\78ADAC15#78adac15
HKLM\Software\Microsoft\78ADAC15#Version
HKLM\Software\Microsoft\78ADAC15#78ad0195
HKLM\Software\Microsoft\78ADAC15#78ad6870
HKU\S-1-5-21-40343008-1729162067-96507347-1006\Software\Microsoft\FIAS4018

Rootkit.TDSServ
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys


Second SAS log, full scan.

Application Version : 4.33.1000

Core Rules Database Version : 4484
Trace Rules Database Version: 2302

Scan type : Complete Scan
Total Scan Time : 01:32:27

Memory items scanned : 415
Memory threats detected : 0
Registry items scanned : 6460
Registry threats detected : 0
File items scanned : 133314
File threats detected : 3

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP10\A0003089.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP10\A0003092.EXE

Trojan.Agent/Gen-NameThief[Smart]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP7\A0001789.SCR


Malwarebytes log

Malwarebytes' Anti-Malware 1.44
Database version: 3579
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/16/2010 5:40:24 PM
mbam-log-2010-01-16 (17-40-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 240912
Time elapsed: 47 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Edited by LBerry, 16 January 2010 - 06:05 PM.


#6 trev47

Posted 16 January 2010 - 08:54 PM

Can you go to http://support.kaspersky.com/viruses/solutions?qid=208280684 and download TDSSKiller and run it.


Next run a scan at http://www.eset.com/onlinescan/ and post the results.

#7 LBerry

Posted 16 January 2010 - 10:11 PM

Here is the resulting log file from TDSS killer:

21:36:15:500 1484 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
21:36:15:500 1484 ================================================================================
21:36:15:500 1484 SystemInfo:

21:36:15:500 1484 OS Version: 5.1.2600 ServicePack: 2.0
21:36:15:500 1484 Product type: Workstation
21:36:15:500 1484 ComputerName: YOUR-E52CBAF922
21:36:15:500 1484 UserName: Owner
21:36:15:500 1484 Windows directory: C:\WINDOWS
21:36:15:500 1484 Processor architecture: Intel x86
21:36:15:500 1484 Number of processors: 1
21:36:15:500 1484 Page size: 0x1000
21:36:15:500 1484 Boot type: Normal boot
21:36:15:500 1484 ================================================================================
21:36:15:515 1484 UnloadDriverW: NtUnloadDriver error 2
21:36:15:515 1484 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
21:36:15:515 1484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
21:36:15:593 1484 UtilityInit: KLMD drop and load success
21:36:15:593 1484 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
21:36:15:593 1484 UtilityInit: KLMD open success
21:36:15:593 1484 UtilityInit: Initialize success
21:36:15:593 1484
21:36:15:593 1484 Scanning Services ...
21:36:15:593 1484 CreateRegParser: Registry parser init started
21:36:15:593 1484 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
21:36:15:593 1484 CreateRegParser: DisableWow64Redirection error
21:36:15:593 1484 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
21:36:15:593 1484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
21:36:15:593 1484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:36:15:593 1484 wfopen_ex: Trying to KLMD file open
21:36:15:593 1484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
21:36:15:593 1484 wfopen_ex: File opened ok (Flags 2)
21:36:15:593 1484 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 9C4DA0
21:36:15:593 1484 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
21:36:15:593 1484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
21:36:15:593 1484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:36:15:593 1484 wfopen_ex: Trying to KLMD file open
21:36:15:593 1484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
21:36:15:593 1484 wfopen_ex: File opened ok (Flags 2)
21:36:15:593 1484 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 9C4E48
21:36:15:593 1484 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
21:36:15:593 1484 CreateRegParser: EnableWow64Redirection error
21:36:15:593 1484 CreateRegParser: RegParser init completed
21:36:16:812 1484 GetAdvancedServicesInfo: Raw services enum returned 357 services
21:36:16:828 1484 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
21:36:16:828 1484 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
21:36:16:828 1484
21:36:16:828 1484 Scanning Kernel memory ...
21:36:16:828 1484 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
21:36:16:828 1484 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86557380
21:36:16:828 1484 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
21:36:16:828 1484
21:36:16:828 1484 DetectCureTDL3: DEVICE_OBJECT: 86582C68
21:36:16:828 1484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86582C68
21:36:16:828 1484 KLMD_ReadMem: Trying to ReadMemory 0x86582C68[0x38]
21:36:16:828 1484 DetectCureTDL3: DRIVER_OBJECT: 86557380
21:36:16:828 1484 KLMD_ReadMem: Trying to ReadMemory 0x86557380[0xA8]
21:36:16:828 1484 KLMD_ReadMem: Trying to ReadMemory 0xE19B9400[0x18]
21:36:16:828 1484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:36:16:828 1484 DetectCureTDL3: IrpHandler (0) addr: F7758C30
21:36:16:828 1484 DetectCureTDL3: IrpHandler (1) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (2) addr: F7758C30
21:36:16:828 1484 DetectCureTDL3: IrpHandler (3) addr: F7752D9B
21:36:16:828 1484 DetectCureTDL3: IrpHandler (4) addr: F7752D9B
21:36:16:828 1484 DetectCureTDL3: IrpHandler (5) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (6) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (7) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (8) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (9) addr: F7753366
21:36:16:828 1484 DetectCureTDL3: IrpHandler (10) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (11) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (12) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (13) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (14) addr: F775344D
21:36:16:828 1484 DetectCureTDL3: IrpHandler (15) addr: F7756FC3
21:36:16:828 1484 DetectCureTDL3: IrpHandler (16) addr: F7753366
21:36:16:828 1484 DetectCureTDL3: IrpHandler (17) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (18) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (19) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (20) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (21) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (22) addr: F7754EF3
21:36:16:828 1484 DetectCureTDL3: IrpHandler (23) addr: F7759A24
21:36:16:828 1484 DetectCureTDL3: IrpHandler (24) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (25) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (26) addr: 804F3520
21:36:16:828 1484 TDL3_FileDetect: Processing driver: Disk
21:36:16:828 1484 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:36:16:828 1484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:36:16:843 1484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:36:16:843 1484
21:36:16:843 1484 DetectCureTDL3: DEVICE_OBJECT: 8654C030
21:36:16:843 1484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8654C030
21:36:16:843 1484 KLMD_ReadMem: Trying to ReadMemory 0x8654C030[0x38]
21:36:16:843 1484 DetectCureTDL3: DRIVER_OBJECT: 86557380
21:36:16:843 1484 KLMD_ReadMem: Trying to ReadMemory 0x86557380[0xA8]
21:36:16:843 1484 KLMD_ReadMem: Trying to ReadMemory 0xE19B9400[0x18]
21:36:16:843 1484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:36:16:843 1484 DetectCureTDL3: IrpHandler (0) addr: F7758C30
21:36:16:843 1484 DetectCureTDL3: IrpHandler (1) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (2) addr: F7758C30
21:36:16:843 1484 DetectCureTDL3: IrpHandler (3) addr: F7752D9B
21:36:16:843 1484 DetectCureTDL3: IrpHandler (4) addr: F7752D9B
21:36:16:843 1484 DetectCureTDL3: IrpHandler (5) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (6) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (7) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (8) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (9) addr: F7753366
21:36:16:843 1484 DetectCureTDL3: IrpHandler (10) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (11) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (12) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (13) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (14) addr: F775344D
21:36:16:843 1484 DetectCureTDL3: IrpHandler (15) addr: F7756FC3
21:36:16:843 1484 DetectCureTDL3: IrpHandler (16) addr: F7753366
21:36:16:843 1484 DetectCureTDL3: IrpHandler (17) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (18) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (19) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (20) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (21) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (22) addr: F7754EF3
21:36:16:843 1484 DetectCureTDL3: IrpHandler (23) addr: F7759A24
21:36:16:843 1484 DetectCureTDL3: IrpHandler (24) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (25) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (26) addr: 804F3520
21:36:16:843 1484 TDL3_FileDetect: Processing driver: Disk
21:36:16:843 1484 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:36:16:843 1484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:36:16:843 1484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:36:16:843 1484
21:36:16:843 1484 DetectCureTDL3: DEVICE_OBJECT: 8657F030
21:36:16:843 1484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8657F030
21:36:16:843 1484 DetectCureTDL3: DEVICE_OBJECT: 8654C9E8
21:36:16:843 1484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8654C9E8
21:36:16:843 1484 DetectCureTDL3: DEVICE_OBJECT: 8654E940
21:36:16:843 1484 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8654E940
21:36:16:843 1484 KLMD_ReadMem: Trying to ReadMemory 0x8654E940[0x38]
21:36:16:843 1484 DetectCureTDL3: DRIVER_OBJECT: 8651FF38
21:36:16:843 1484 KLMD_ReadMem: Trying to ReadMemory 0x8651FF38[0xA8]
21:36:16:843 1484 KLMD_ReadMem: Trying to ReadMemory 0xE1021F20[0x1A]
21:36:16:843 1484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:36:16:843 1484 DetectCureTDL3: IrpHandler (0) addr: F74A9572
21:36:16:843 1484 DetectCureTDL3: IrpHandler (1) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (2) addr: F74A9572
21:36:16:843 1484 DetectCureTDL3: IrpHandler (3) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (4) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (5) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (6) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (7) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (8) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (9) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (10) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (11) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (12) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (13) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (14) addr: F74A9592
21:36:16:843 1484 DetectCureTDL3: IrpHandler (15) addr: F74A57B4
21:36:16:843 1484 DetectCureTDL3: IrpHandler (16) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (17) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (18) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (19) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (20) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (21) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (22) addr: F74A95BC
21:36:16:843 1484 DetectCureTDL3: IrpHandler (23) addr: F74B0164
21:36:16:843 1484 DetectCureTDL3: IrpHandler (24) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (25) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (26) addr: 804F3520
21:36:16:843 1484 KLMD_ReadMem: Trying to ReadMemory 0xF74A67C6[0x400]
21:36:16:843 1484 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
21:36:16:843 1484 TDL3_FileDetect: Processing driver: atapi
21:36:16:843 1484 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
21:36:16:843 1484 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
21:36:16:875 1484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
21:36:16:875 1484
21:36:16:875 1484 Completed
21:36:16:875 1484
21:36:16:875 1484 Results:
21:36:16:875 1484 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
21:36:16:875 1484 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:36:16:875 1484 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:36:16:875 1484
21:36:16:875 1484 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
21:36:16:875 1484 UtilityDeinit: KLMD(ARK) unloaded successfully


I tried to use the online scanner, and then tried to use the downloaded version and ran into the same problem both times. It would scan all of nine files, and when it hit the ninth - DVDPath.txt in C: - it wouldn't scan any more files. It just stayed on that file and the counter kept going.
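An added example, not from this thread and not TDSSKiller's own code, that parses DetectCureTDL3 output in the format of the log above and applies a simple consistency check to each driver's IRP dispatch table: an address that every driver shares is the kernel's default handler (804F3520 in this log), and a driver's remaining handlers should sit inside one small region because a loaded driver image is contiguous, so an entry far outside it (for instance in kernel pool) is what a TDL3-style dispatch hook looks like. The sample log is constructed: the Disk and atapi lines mirror the poster's clean log, and the DemoHook driver is invented purely so the check has something to flag.

```python
import re
from collections import Counter

# Constructed sample in TDSSKiller 2.2.2 log format. Disk and atapi lines mirror
# the clean log posted above; the "DemoHook" driver is invented so the check has
# something to flag (it did not appear in the real log).
SAMPLE_LOG = r"""
21:36:16:828 1484 DetectCureTDL3: DEVICE_OBJECT: 86582C68
21:36:16:828 1484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:36:16:828 1484 DetectCureTDL3: IrpHandler (0) addr: F7758C30
21:36:16:828 1484 DetectCureTDL3: IrpHandler (1) addr: 804F3520
21:36:16:828 1484 DetectCureTDL3: IrpHandler (3) addr: F7752D9B
21:36:16:828 1484 DetectCureTDL3: IrpHandler (23) addr: F7759A24
21:36:16:843 1484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:36:16:843 1484 DetectCureTDL3: DEVICE_OBJECT: 8657F030
21:36:16:843 1484 DetectCureTDL3: DEVICE_OBJECT: 8654E940
21:36:16:843 1484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:36:16:843 1484 DetectCureTDL3: IrpHandler (0) addr: F74A9572
21:36:16:843 1484 DetectCureTDL3: IrpHandler (1) addr: 804F3520
21:36:16:843 1484 DetectCureTDL3: IrpHandler (23) addr: F74B0164
21:36:16:875 1484 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
21:36:16:875 1484 DetectCureTDL3: DEVICE_OBJECT: 86500000
21:36:16:875 1484 DetectCureTDL3: DRIVER_OBJECT name: \Driver\DemoHook, Driver Name: DemoHook
21:36:16:875 1484 DetectCureTDL3: IrpHandler (0) addr: F7A00100
21:36:16:875 1484 DetectCureTDL3: IrpHandler (1) addr: 804F3520
21:36:16:875 1484 DetectCureTDL3: IrpHandler (3) addr: 86512000
21:36:16:875 1484 DetectCureTDL3: IrpHandler (14) addr: F7A00180
"""

DEVICE_RE = re.compile(r"DetectCureTDL3: DEVICE_OBJECT: ([0-9A-F]+)")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")


def parse_tdsskiller(log):
    """One record per DRIVER_OBJECT. TDSSKiller walks lower device objects before
    naming the owning driver, so the last DEVICE_OBJECT seen owns the table."""
    records, device, cur = [], None, None
    for line in log.splitlines():
        if m := DEVICE_RE.search(line):
            device = m.group(1)
        elif m := DRIVER_RE.search(line):
            cur = {"device": device, "driver": m.group(2), "handlers": {}, "verdict": None}
            records.append(cur)
        elif (m := HANDLER_RE.search(line)) and cur is not None:
            cur["handlers"][int(m.group(1))] = int(m.group(2), 16)  # IRP_MJ index -> address
        elif (m := VERDICT_RE.search(line)) and cur is not None:
            cur["verdict"] = m.group(2)
    return records


def shared_dispatch(records):
    """Addresses found in more than one driver's table. On XP that is the kernel's
    default handler (804F3520 in the poster's log), which every driver points its
    unimplemented IRP_MJ codes at; it belongs to no driver image."""
    seen = Counter()
    for rec in records:
        seen.update(set(rec["handlers"].values()))
    return {addr for addr, n in seen.items() if n > 1}


def check_irp_tables(records, max_span=0x100000):
    """Flag handlers more than max_span (1 MiB) from the bulk of the driver's own
    entries. A driver image is contiguous, so a far-away entry (e.g. in kernel
    pool) is what a TDL3-style hook looks like even if the file verdict is Clean."""
    shared = shared_dispatch(records)
    findings = {}
    for rec in records:
        own = sorted(set(rec["handlers"].values()) - shared)
        if not own:
            continue
        anchor = own[len(own) // 2]  # median entry: assumed to lie inside the real image
        outliers = [f"{a:08X}" for a in own if abs(a - anchor) > max_span]
        findings[rec["driver"]] = {"verdict": rec["verdict"], "outliers": outliers}
    return findings


if __name__ == "__main__":
    for driver, result in check_irp_tables(parse_tdsskiller(SAMPLE_LOG)).items():
        flag = "HOOK?" if result["outliers"] else "ok"
        print(f"{driver:10} {flag:5} {result}")
```

The check is a heuristic on addresses alone; a real module list (as TDSSKiller has via its klmd driver) would replace the span test with a proper image-range lookup.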

#8 trev47

Posted 16 January 2010 - 11:25 PM

Try to use the online scanner at http://www.bitdefender.com/scanner/online/free.html
Are you still experiencing any symptoms?

Edited by trev47, 16 January 2010 - 11:26 PM.


#9 LBerry

Posted 17 January 2010 - 12:22 AM

So far the only thing that has seemed fishy is the eset.com scan not working... everything else seems to be normal.

The BitDefender scan came up clean.

#10 LBerry

Posted 18 January 2010 - 02:50 PM

Sorry for the double post... don't seem to be able to edit the one above.

So am I free and clear, do you think?

Thank you so much for all of your help, by the by... I was kind of getting ready to throw my laptop out the window. Literally. I wanted to pick it up and pitch it. :]

#11 trev47

Posted 18 January 2010 - 09:38 PM

Lberry,
you look clean. Run Malwarebytes regularly (weekly), and AV scans every other week to stay clean (or at the first sign of infection).

#12 LBerry

Posted 20 January 2010 - 02:31 AM

Thank you once again for all of your help and assistance, trev47. You have been such an immense help. :]

I ran my computer through the ropes a bit in hopes to see how everything was working one last time. Everything seems to check out with the exception of one area. When I use Google search and click one of the search results, it sometimes redirects me to another site. That doesn't seem like a good sign, but aside from that, everything else is running wonderfully.

I scanned again with SAS and found two tracking cookies, but nothing else... so far I haven't been able to replicate the page redirect since removing them a moment ago. Is it possible for tracking cookies to do such a thing? O-o

Sorry for all of the questions... it seems like more come up every time!



