
Browser Search Hijack


17 replies to this topic

#1 collin81

collin81

  • Members
  • 13 posts

Posted 02 February 2010 - 01:06 PM

I've been having this problem for about a week or so. Whenever I search anything in a search engine, (Whether it's google, yahoo, or bing doesn't make a difference) every other link I click ends up being redirected to a webpage that I wasn't supposed to go to. Right before I'm redirected, the tab will be relabeled "jump" for a moment as I'm being sent to the other page.

I've tried running Avast, Malwarebytes, Spybot, and adaware, and all of the searches come up finding nothing. I'm stuck! Please help.

DDS (Ver_09-12-01.01) - NTFSx86
Run by RtnOfcMan at 9:52:59.33 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_03
AV: avast! antivirus 4.8.1335 [VPS 100202-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1335 [VPS 100202-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.johnlscott.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PE_IE_Helper Class: {0941c58f-e461-4e03-bd7d-44c27392ade1} - c:\program files\ibm\lotus forms\viewer\3.0\PEhelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Aim6]
uRun: [Google Update] "c:\users\rtnofcman\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [S3Trayp] S3trayp.exe -chkautorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [masqform.exe] c:\program files\ibm\lotus forms\viewer\3.0\masqform.exe -RunOnce"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TuneClone] c:\program files\tuneclone\TuneClone.exe /silence
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUplden-us.cab
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - file:///C:/Users/RTNOFC~1/AppData/Local/Temp/IXP000.TMP/setup.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} - hxxp://www.merrillshop.com/SAXFile.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\rtnofc~1\appdata\roaming\mozilla\firefox\profiles\18zfjm6e.default\
FF - component: c:\users\rtnofcman\appdata\roaming\mozilla\firefox\profiles\18zfjm6e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmfv.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\rtnofcman\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\rtnofcman\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-02 17:45:54 0 d-----w- c:\program files\Trend Micro
2010-01-29 17:34:34 12131 ----a-w- c:\users\rtnofcman\.recently-used.xbel
2010-01-26 21:54:59 0 d-----w- c:\users\rtnofc~1\appdata\roaming\Malwarebytes
2010-01-26 21:54:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 21:54:06 0 d-----w- c:\programdata\Malwarebytes
2010-01-26 21:54:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 21:54:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-01-27 00:57:53 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-22 00:41:13 72080 ----a-w- c:\users\rtnofcman\g2mdlhlpx.exe
2010-01-14 19:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-28 20:30:02 171376 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 13:34:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30:40 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-09-09 22:50:52 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-09-09 22:50:52 86016 ----a-w- c:\windows\inf\infstor.dat
2009-03-03 19:55:59 174 --sha-w- c:\program files\desktop.ini
2009-03-03 19:51:00 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 9:53:19.00 ===============


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 February 2010 - 07:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run Gmer for rootkit checking

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks

m0le is a proud member of UNITE

#3 collin81

collin81
  • Topic Starter

  • Members
  • 13 posts

Posted 09 February 2010 - 09:15 PM

Hello! Thanks again for your help on this. Here is the GMER log that you asked for. Please let me know what I can do next.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-09 17:49:59
Windows 6.0.6000
Running: bilmzupg.exe; Driver: C:\Users\RTNOFC~1\AppData\Local\Temp\uflyypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x8CA1414C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x8CA1408C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x8CA140F0]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00190002
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00190000

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 February 2010 - 09:27 PM

Hi collin81,

No rootkit showing on Gmer so we're going to go straight for the possible cause, which is also a rootkit but a sneaky, nasty one.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

m0le is a proud member of UNITE

#5 collin81

collin81
  • Topic Starter

  • Members
  • 13 posts

Posted 10 February 2010 - 11:51 AM

Here is the ComboFix log. Unfortunately, the problem is still occurring.

ComboFix 10-02-09.04 - RtnOfcMan 02/10/2010 8:29.1.2 - x86
Running from: c:\users\RtnOfcMan\Desktop\ComFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100210-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1368 [VPS 100210-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1570294309-495264288-2624377154-1003
c:\$recycle.bin\S-1-5-21-1570294309-495264288-2624377154-500
c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-10 16:38 . 2010-02-10 16:38 -------- d-----w- c:\users\RtnOfcMan\AppData\Local\temp
2010-02-10 16:23 . 2010-02-10 16:27 -------- d-----w- C:\32788R22FWJFW
2010-02-09 22:25 . 2010-02-09 22:25 -------- d-----w- c:\program files\3ivx
2010-02-09 22:25 . 2010-02-09 22:25 -------- d-----w- c:\program files\Flip Video
2010-02-09 22:25 . 2010-02-09 22:25 -------- d-----w- c:\programdata\Flip Video
2010-02-08 20:56 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-08 20:55 . 2010-02-08 20:56 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\threatwork.exe
2010-02-08 20:55 . 2010-02-08 20:55 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\lsdelete.exe
2010-02-08 20:55 . 2010-02-08 20:55 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\lavamessage.dll
2010-02-08 20:55 . 2010-02-08 20:55 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\lavalicense.dll
2010-02-08 20:55 . 2010-02-08 20:55 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\aawapi.dll
2010-02-08 20:55 . 2010-02-08 20:55 389784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\UpdateManager.dll
2010-02-08 20:55 . 2010-02-08 20:55 163728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\ShellExt.dll
2010-02-08 20:54 . 2010-02-08 20:54 6296864 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Resources.dll
2010-02-08 20:54 . 2010-02-08 20:54 327000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\RPAPI.dll
2010-02-08 20:54 . 2010-02-08 20:54 87496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2010-02-08 20:54 . 2010-02-08 20:54 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\CEAPI.dll
2010-02-08 20:54 . 2010-02-08 20:54 3803208 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2010-02-08 20:54 . 2010-02-08 20:54 816784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2010-02-08 20:54 . 2010-02-08 20:54 823928 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2010-02-08 20:54 . 2010-02-08 20:54 1643272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2010-02-08 20:53 . 2010-02-08 20:54 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AAWTray.exe
2010-02-08 20:53 . 2010-02-08 20:53 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AAWService.exe
2010-02-08 20:52 . 2010-02-08 20:53 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-08 20:52 . 2009-12-07 14:10 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-02-08 20:51 . 2010-02-08 20:51 -------- d-----w- c:\program files\Lavasoft
2010-02-06 00:46 . 2010-02-06 00:46 2157 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-02-04 23:53 . 2010-02-04 23:53 24576 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mikogo\B-Capture.exe
2010-02-04 23:53 . 2010-02-04 23:53 185640 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mikogo\B-Service.exe
2010-02-04 23:49 . 2010-02-04 23:49 144688 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mikogo\remover.exe
2010-02-04 23:49 . 2010-02-04 23:49 1249280 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mikogo\SessionPlayer.exe
2010-02-04 23:49 . 2010-02-04 23:53 -------- d-----w- c:\users\RtnOfcMan\AppData\Roaming\Mikogo
2010-02-04 23:49 . 2010-02-04 23:49 2748416 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mikogo\Mikogo-Host.exe
2010-02-02 17:45 . 2010-02-02 17:45 -------- d-----w- c:\program files\Trend Micro
2010-01-26 21:54 . 2010-01-26 21:54 -------- d-----w- c:\users\RtnOfcMan\AppData\Roaming\Malwarebytes
2010-01-26 21:54 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 21:54 . 2010-01-26 21:54 -------- d-----w- c:\programdata\Malwarebytes
2010-01-26 21:54 . 2010-01-26 21:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 21:54 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 16:18 . 2009-06-30 22:46 -------- d-----w- c:\programdata\TuneClone
2010-02-09 21:52 . 2009-08-11 23:09 -------- d-----w- c:\users\RtnOfcMan\AppData\Roaming\.purple
2010-02-04 18:14 . 2009-08-12 18:42 -------- d-----w- c:\users\RtnOfcMan\AppData\Roaming\gtk-2.0
2010-01-22 00:41 . 2008-03-14 18:00 72080 ----a-w- c:\users\RtnOfcMan\g2mdlhlpx.exe
2010-01-14 19:12 . 2009-10-03 08:37 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 19:28 . 2010-01-05 19:28 2145 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\.purple\certificates\x509\tls_peers\ows.messenger.msn.com
2009-12-30 17:54 . 2009-12-30 17:54 -------- d-----w- c:\program files\GIMP-2.0
2009-12-28 20:30 . 2009-12-28 20:30 171376 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-17 01:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-17 00:43 . 2008-01-08 23:47 -------- d-----w- c:\programdata\Microsoft Help
2009-12-16 23:24 . 2008-05-01 17:49 -------- d-----w- c:\program files\iTunes
2009-12-16 23:23 . 2009-12-16 23:23 -------- d-----w- c:\program files\iPod
2009-12-16 23:23 . 2008-05-01 17:47 -------- d-----w- c:\program files\Common Files\Apple
2009-12-16 23:17 . 2009-12-16 23:17 -------- d-----w- c:\program files\QuickTime
2009-12-04 18:03 . 2009-12-04 18:03 251376 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-11-24 23:54 . 2008-06-25 16:15 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:50 . 2008-06-25 16:15 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-06-25 16:15 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-06-25 16:15 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-24 23:49 . 2008-06-25 16:15 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-06-25 16:15 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-06-25 16:15 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 06:40 . 2009-12-17 00:27 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-17 00:27 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-17 00:27 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-17 00:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 19:48 . 2009-11-30 15:56 872960 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mozilla\Firefox\Profiles\18zfjm6e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 19:48 . 2009-11-30 15:56 43008 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mozilla\Firefox\Profiles\18zfjm6e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 19:48 . 2009-11-30 15:56 340480 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mozilla\Firefox\Profiles\18zfjm6e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 19:48 . 2009-11-30 15:56 346624 ----a-w- c:\users\RtnOfcMan\AppData\Roaming\Mozilla\Firefox\Profiles\18zfjm6e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-19 19:14 . 2009-11-19 19:14 4732800 ----a-w- c:\programdata\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe
2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"Google Update"="c:\users\RtnOfcMan\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-21 133104]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Trayp"="S3trayp.exe -chkautorun" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-09 1006264]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-03 32768]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-05 6144000]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"masqform.exe"="c:\program files\IBM\Lotus Forms\Viewer\3.0\masqform.exe" [2008-01-17 991232]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TuneClone"="c:\program files\TuneClone\TuneClone.exe" [2009-01-16 4530176]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-06-29 827904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1570294309-495264288-2624377154-1003]
"EnableNotificationsRef"=dword:00000002

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-08 1181328]
R3 B-Service;B-Service;c:\users\RtnOfcMan\AppData\Roaming\Mikogo\B-Service.exe [2010-02-04 185640]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [2008-05-12 20352]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2009-09-30 46824]
S3 S3GIGP;S3GIGP;c:\windows\system32\DRIVERS\VTGKModeDX32.sys [2008-04-29 833024]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1570294309-495264288-2624377154-1006Core.job
- c:\users\RtnOfcMan\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-21 18:15]

2009-12-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1570294309-495264288-2624377154-1006UA.job
- c:\users\RtnOfcMan\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-21 18:15]

2009-12-29 c:\windows\Tasks\User_Feed_Synchronization-{09B9EF19-0E5C-49FC-A6CB-875F7A666EA0}.job
- c:\windows\system32\msfeedssync.exe [2009-12-17 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.johnlscott.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - file:///C:/Users/RTNOFC~1/AppData/Local/Temp/IXP000.TMP/setup.cab
DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} - hxxp://www.merrillshop.com/SAXFile.cab
FF - ProfilePath - c:\users\RtnOfcMan\AppData\Roaming\Mozilla\Firefox\Profiles\18zfjm6e.default\
FF - component: c:\users\RtnOfcMan\AppData\Roaming\Mozilla\Firefox\Profiles\18zfjm6e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmfv.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\RtnOfcMan\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\RtnOfcMan\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\RtnOfcMan\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 08:38
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\RTNOFC~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll viamraid.sys >>UNKNOWN [0x86AC48C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x81e63d1f
\Driver\ACPI -> acpi.sys @ 0x802329d6
\Driver\atapi -> ataport.SYS @ 0x807e69c6
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
Completion time: 2010-02-10 08:41:59
ComboFix-quarantined-files.txt 2010-02-10 16:41

Pre-Run: 8,672,923,648 bytes free
Post-Run: 9,707,302,912 bytes free

- - End Of File - - 5E3709D8D5C8DCE82FA9027F060F9230



#6 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:30 PM

Posted 10 February 2010 - 01:39 PM

Please run the following program, which should reset the hosts file and end the redirections.

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Let me know if this works before we go ahead with the next step.
m0le is a proud member of UNITE

#7 collin81
  • Topic Starter
  • Members
  • 13 posts
  • Local time:09:30 AM

Posted 10 February 2010 - 01:58 PM

Done, but it did not end the redirects.

One thing I did notice this morning, however, is that the redirects only occur in IE and Firefox. I have no problem if I run Chrome. I'm not sure if that would make a difference...

Thanks for your continued help.

#8 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:30 PM

Posted 10 February 2010 - 02:59 PM

Please open the command prompt:
Start > Run > type cmd and then 'OK'. Then type the following into the black window:

C:\>ipconfig /flushdns

Then tap the enter button on your keyboard.
You should see the following confirmation:

Windows IP Configuration
Successfully flushed the DNS Resolver Cache.


Then run HostsXpert again.


Please then run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks

#9 collin81
  • Topic Starter
  • Members
  • 13 posts
  • Local time:09:30 AM

Posted 10 February 2010 - 04:08 PM

Did both, in order, and the redirects are still happening. Malwarebytes came up with nothing. Thanks again for the continued help.

Malwarebytes' Anti-Malware 1.44
Database version: 3721
Windows 6.0.6000
Internet Explorer 8.0.6001.18865

2/10/2010 1:04:11 PM
mbam-log-2010-02-10 (13-04-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 245963
Time elapsed: 43 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:30 PM

Posted 10 February 2010 - 04:16 PM

Now we have to start looking for a hidden enemy. TDSS is one of those so let's try this.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here (or attach it).


#11 collin81
  • Topic Starter
  • Members
  • 13 posts
  • Local time:09:30 AM

Posted 10 February 2010 - 05:19 PM

So...umm...oops.

I messed up and didn't do the run process you asked for. I just downloaded tdsskiller to the desktop, double-clicked on it without going to run, and the following report generated in the C drive. (More explanation about the goof after the report):

14:06:04:738 4880 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
14:06:04:738 4880 ================================================================================
14:06:04:738 4880 SystemInfo:

14:06:04:738 4880 OS Version: 6.0.6000 ServicePack: 0.0
14:06:04:738 4880 Product type: Workstation
14:06:04:738 4880 ComputerName: RTNOFCMAN
14:06:04:738 4880 UserName: RtnOfcMan
14:06:04:738 4880 Windows directory: C:\Windows
14:06:04:738 4880 Processor architecture: Intel x86
14:06:04:738 4880 Number of processors: 2
14:06:04:738 4880 Page size: 0x1000
14:06:04:738 4880 Boot type: Normal boot
14:06:04:738 4880 ================================================================================
14:06:04:738 4880 UnloadDriverW: NtUnloadDriver error 2
14:06:04:738 4880 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:06:04:738 4880 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
14:06:07:234 4880 UtilityInit: KLMD drop and load success
14:06:07:234 4880 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
14:06:07:234 4880 UtilityInit: KLMD open success
14:06:07:234 4880 UtilityInit: Initialize success
14:06:07:234 4880
14:06:07:234 4880 Scanning Services ...
14:06:07:234 4880 CreateRegParser: Registry parser init started
14:06:07:234 4880 CreateRegParser: DisableWow64Redirection error
14:06:07:234 4880 wfopen_ex: Trying to open file C:\Windows\system32\config\system
14:06:07:234 4880 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
14:06:07:234 4880 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:06:07:234 4880 wfopen_ex: Trying to KLMD file open
14:06:07:234 4880 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
14:06:07:234 4880 wfopen_ex: File opened ok (Flags 2)
14:06:07:250 4880 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 1A1480
14:06:07:250 4880 wfopen_ex: Trying to open file C:\Windows\system32\config\software
14:06:07:250 4880 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
14:06:07:250 4880 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:06:07:250 4880 wfopen_ex: Trying to KLMD file open
14:06:07:250 4880 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
14:06:07:250 4880 wfopen_ex: File opened ok (Flags 2)
14:06:07:250 4880 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 1A14A8
14:06:07:250 4880 CreateRegParser: EnableWow64Redirection error
14:06:07:250 4880 CreateRegParser: RegParser init completed
14:06:07:920 4880 GetAdvancedServicesInfo: Raw services enum returned 423 services
14:06:07:920 4880 fclose_ex: Trying to close file C:\Windows\system32\config\system
14:06:07:920 4880 fclose_ex: Trying to close file C:\Windows\system32\config\software
14:06:07:920 4880
14:06:07:920 4880 Scanning Kernel memory ...
14:06:07:920 4880 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
14:06:07:920 4880 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85D25560
14:06:07:920 4880 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
14:06:07:920 4880
14:06:07:920 4880 DetectCureTDL3: DEVICE_OBJECT: 853471A8
14:06:07:920 4880 KLMD_GetLowerDeviceObject: Trying to get lower device object for 853471A8
14:06:07:920 4880 DetectCureTDL3: DEVICE_OBJECT: 8531F2A0
14:06:07:920 4880 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8531F2A0
14:06:07:920 4880 KLMD_ReadMem: Trying to ReadMemory 0x8531F2A0[0x38]
14:06:07:920 4880 DetectCureTDL3: DRIVER_OBJECT: 852FB470
14:06:07:920 4880 KLMD_ReadMem: Trying to ReadMemory 0x852FB470[0xA8]
14:06:07:920 4880 KLMD_ReadMem: Trying to ReadMemory 0x852FBFA0[0x1E]
14:06:07:920 4880 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
14:06:07:920 4880 DetectCureTDL3: IrpHandler (0) addr: 8C929B40
14:06:07:920 4880 DetectCureTDL3: IrpHandler (1) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (2) addr: 8C929BB8
14:06:07:920 4880 DetectCureTDL3: IrpHandler (3) addr: 8C929C30
14:06:07:920 4880 DetectCureTDL3: IrpHandler (4) addr: 8C929C30
14:06:07:920 4880 DetectCureTDL3: IrpHandler (5) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (6) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (7) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (8) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (9) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (10) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (11) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (12) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (13) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (14) addr: 8C929828
14:06:07:920 4880 DetectCureTDL3: IrpHandler (15) addr: 8C91E4AA
14:06:07:920 4880 DetectCureTDL3: IrpHandler (16) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (17) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (18) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (19) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (20) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (21) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (22) addr: 8C927F9A
14:06:07:920 4880 DetectCureTDL3: IrpHandler (23) addr: 8C9257A2
14:06:07:920 4880 DetectCureTDL3: IrpHandler (24) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (25) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (26) addr: 8201D1D9
14:06:07:920 4880 KLMD_ReadMem: Trying to ReadMemory 0x8C920A44[0x400]
14:06:07:920 4880 TDL3_StartIoHookDetect: CheckParameters: 4, 8C924000, 0
14:06:07:920 4880 TDL3_FileDetect: Processing driver: USBSTOR
14:06:07:920 4880 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:06:07:920 4880 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:06:07:952 4880 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
14:06:07:952 4880
14:06:07:952 4880 DetectCureTDL3: DEVICE_OBJECT: 85D44AD8
14:06:07:952 4880 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85D44AD8
14:06:07:952 4880 DetectCureTDL3: DEVICE_OBJECT: 84BA5C20
14:06:07:952 4880 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84BA5C20
14:06:07:952 4880 DetectCureTDL3: DEVICE_OBJECT: 84BCF650
14:06:07:952 4880 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84BCF650
14:06:07:952 4880 KLMD_ReadMem: Trying to ReadMemory 0x84BCF650[0x38]
14:06:07:952 4880 DetectCureTDL3: DRIVER_OBJECT: 84BAD9E8
14:06:07:952 4880 KLMD_ReadMem: Trying to ReadMemory 0x84BAD9E8[0xA8]
14:06:07:952 4880 KLMD_ReadMem: Trying to ReadMemory 0x83DE1BD8[0x20]
14:06:07:952 4880 DetectCureTDL3: DRIVER_OBJECT name: \Driver\viamraid, Driver Name: viamraid
14:06:07:952 4880 DetectCureTDL3: IrpHandler (0) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (1) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (2) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (3) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (4) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (5) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (6) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (7) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (8) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (9) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (10) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (11) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (12) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (13) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (14) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (15) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (16) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (17) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (18) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (19) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (20) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (21) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (22) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (23) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (24) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (25) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (26) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: All IRP handlers pointed to one addr: 8077EF0C
14:06:07:952 4880 KLMD_ReadMem: Trying to ReadMemory 0x8077EF0C[0x400]
14:06:07:952 4880 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
14:06:07:952 4880 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
14:06:07:952 4880 KLMD_ReadMem: Trying to ReadMemory 0x84B6FA04[0x4]
14:06:07:952 4880 TDL3_IrpHookDetect: New IrpHandler addr: 86AC48C8
14:06:07:952 4880 KLMD_ReadMem: Trying to ReadMemory 0x86AC48C8[0x400]
14:06:07:952 4880 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
14:06:07:952 4880 Driver "viamraid" Irp handler infected by TDSS rootkit ... 14:06:07:952 4880 KLMD_WriteMem: Trying to WriteMemory 0x86AC494E[0xD]
14:06:07:952 4880 cured
14:06:07:952 4880 TDL3_FileDetect: Processing driver: viamraid
14:06:07:952 4880 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\viamraid.sys
14:06:07:952 4880 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\viamraid.sys
14:06:07:967 4880 TDL3_FileDetect: C:\Windows\system32\DRIVERS\viamraid.sys - Verdict: Infected
14:06:07:967 4880 File C:\Windows\system32\DRIVERS\viamraid.sys infected by TDSS rootkit ... 14:06:07:967 4880 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\viamraid.sys
14:06:10:229 4880 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\viamraid.inf_feee6429\viamraid.sys:120832, checking..
14:06:10:245 4880 ValidateDriverFile: Stage 1 passed
14:06:10:245 4880 ValidateDriverFile: Stage 2 failed
14:06:10:245 4880 FileCallback: File doesn't pass validation
14:06:10:370 4880 ProcessDirEnumEx: FindFirstFile(C:\Windows\Driver Cache\*) error 3
14:06:10:370 4880 ProcessDirEnumEx: FindFirstFile(C:\Windows\OemDir\*) error 3
14:06:10:370 4880 ProcessDirEnumEx: FindFirstFile(C:\Windows\system32\ReinstallBackups\*) error 3
14:06:10:370 4880 ProcessDirEnumEx: FindFirstFile(C:\Windows\ServicePackFiles\*) error 3
14:06:10:370 4880 ProcessDirEnumEx: FindFirstFile(C:\Windows\system32\dllcache\*) error 3
14:06:10:370 4880 TDL3_FileCure: Backup copy not found, trying to cure infected file..
14:06:10:370 4880 TDL3_FileCure: Cure success, using it..
14:06:10:370 4880 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tsk6D9.tmp
14:06:10:370 4880 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk6D9.tmp, system32\drivers\viamraid.sys)
14:06:10:370 4880 TDL3_FileCure: KLMD jobs schedule success
14:06:10:370 4880 will be cured on next reboot
14:06:10:370 4880 UtilityBootReinit: Reboot required for cure complete..
14:06:10:370 4880 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
14:06:10:401 4880 UtilityBootReinit: KLMD drop success
14:06:10:401 4880 KLMD_ApplyPendList: Pending buffer(53BF_7607, 624) dropped successfully
14:06:10:401 4880 UtilityBootReinit: Cure on reboot scheduled successfully
14:06:10:401 4880
14:06:10:401 4880 Completed
14:06:10:401 4880
14:06:10:401 4880 Results:
14:06:10:401 4880 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
14:06:10:401 4880 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:06:10:401 4880 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:06:10:401 4880
14:06:10:401 4880 UnloadDriverW: NtUnloadDriver error 1
14:06:10:401 4880 KLMD_Unload: UnloadDriverW(klmd21) error 1
14:06:10:401 4880 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
14:06:10:401 4880 UtilityDeinit: KLMD(ARK) unloaded successfully

So there's the report. I have yet to restart. Should I do that now?
Also, after I realized what I did, I ran it the way you told me to and came up with the report below. The problem persists, BTW. However, from what I can tell from the first scan I did, there are a couple of items that will be removed on reboot.

14:14:49:341 4992 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
14:14:49:341 4992 ================================================================================
14:14:49:341 4992 SystemInfo:

14:14:49:341 4992 OS Version: 6.0.6000 ServicePack: 0.0
14:14:49:341 4992 Product type: Workstation
14:14:49:341 4992 ComputerName: RTNOFCMAN
14:14:49:341 4992 UserName: RtnOfcMan
14:14:49:341 4992 Windows directory: C:\Windows
14:14:49:341 4992 Processor architecture: Intel x86
14:14:49:341 4992 Number of processors: 2
14:14:49:341 4992 Page size: 0x1000
14:14:49:356 4992 Boot type: Normal boot
14:14:49:356 4992 ================================================================================
14:14:49:356 4992 UnloadDriverW: NtUnloadDriver error 1
14:14:49:356 4992 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
14:14:49:356 4992 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
14:14:49:356 4992 LoadDriverW: Driver already loaded
14:14:49:356 4992 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
14:14:49:356 4992 UtilityInit: KLMD drop and load failed, trying to open device
14:14:49:356 4992 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
14:14:49:356 4992 UtilityInit: KLMD open success
14:14:49:356 4992 UtilityInit: Initialize success
14:14:49:356 4992
14:14:49:356 4992 Scanning Services ...
14:14:49:356 4992 CreateRegParser: Registry parser init started
14:14:49:356 4992 CreateRegParser: DisableWow64Redirection error
14:14:49:356 4992 wfopen_ex: Trying to open file C:\Windows\system32\config\system
14:14:49:356 4992 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
14:14:49:356 4992 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:14:49:356 4992 wfopen_ex: Trying to KLMD file open
14:14:49:356 4992 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
14:14:49:356 4992 wfopen_ex: File opened ok (Flags 2)
14:14:49:372 4992 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 10A1480
14:14:49:372 4992 wfopen_ex: Trying to open file C:\Windows\system32\config\software
14:14:49:372 4992 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
14:14:49:372 4992 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:14:49:372 4992 wfopen_ex: Trying to KLMD file open
14:14:49:372 4992 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
14:14:49:372 4992 wfopen_ex: File opened ok (Flags 2)
14:14:49:372 4992 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 10A14A8
14:14:49:372 4992 CreateRegParser: EnableWow64Redirection error
14:14:49:372 4992 CreateRegParser: RegParser init completed
14:14:49:856 4992 GetAdvancedServicesInfo: Raw services enum returned 424 services
14:14:49:856 4992 fclose_ex: Trying to close file C:\Windows\system32\config\system
14:14:49:856 4992 fclose_ex: Trying to close file C:\Windows\system32\config\software
14:14:49:856 4992
14:14:49:856 4992 Scanning Kernel memory ...
14:14:49:856 4992 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
14:14:49:856 4992 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85D25560
14:14:49:856 4992 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
14:14:49:856 4992
14:14:49:856 4992 DetectCureTDL3: DEVICE_OBJECT: 853471A8
14:14:49:856 4992 KLMD_GetLowerDeviceObject: Trying to get lower device object for 853471A8
14:14:49:856 4992 DetectCureTDL3: DEVICE_OBJECT: 8531F2A0
14:14:49:856 4992 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8531F2A0
14:14:49:856 4992 KLMD_ReadMem: Trying to ReadMemory 0x8531F2A0[0x38]
14:14:49:856 4992 DetectCureTDL3: DRIVER_OBJECT: 852FB470
14:14:49:856 4992 KLMD_ReadMem: Trying to ReadMemory 0x852FB470[0xA8]
14:14:49:856 4992 KLMD_ReadMem: Trying to ReadMemory 0x852FBFA0[0x1E]
14:14:49:856 4992 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
14:14:49:856 4992 DetectCureTDL3: IrpHandler (0) addr: 8C929B40
14:14:49:856 4992 DetectCureTDL3: IrpHandler (1) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (2) addr: 8C929BB8
14:14:49:856 4992 DetectCureTDL3: IrpHandler (3) addr: 8C929C30
14:14:49:856 4992 DetectCureTDL3: IrpHandler (4) addr: 8C929C30
14:14:49:856 4992 DetectCureTDL3: IrpHandler (5) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (6) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (7) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (8) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (9) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (10) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (11) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (12) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (13) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (14) addr: 8C929828
14:14:49:856 4992 DetectCureTDL3: IrpHandler (15) addr: 8C91E4AA
14:14:49:856 4992 DetectCureTDL3: IrpHandler (16) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (17) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (18) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (19) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (20) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (21) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (22) addr: 8C927F9A
14:14:49:856 4992 DetectCureTDL3: IrpHandler (23) addr: 8C9257A2
14:14:49:856 4992 DetectCureTDL3: IrpHandler (24) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (25) addr: 8201D1D9
14:14:49:856 4992 DetectCureTDL3: IrpHandler (26) addr: 8201D1D9
14:14:49:856 4992 KLMD_ReadMem: Trying to ReadMemory 0x8C920A44[0x400]
14:14:49:856 4992 TDL3_StartIoHookDetect: CheckParameters: 4, 8C924000, 0
14:14:49:856 4992 TDL3_FileDetect: Processing driver: USBSTOR
14:14:49:856 4992 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:14:49:856 4992 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:14:49:871 4992 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
14:14:49:871 4992
14:14:49:871 4992 DetectCureTDL3: DEVICE_OBJECT: 85D44AD8
14:14:49:871 4992 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85D44AD8
14:14:49:871 4992 DetectCureTDL3: DEVICE_OBJECT: 84BA5C20
14:14:49:871 4992 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84BA5C20
14:14:49:871 4992 DetectCureTDL3: DEVICE_OBJECT: 84BCF650
14:14:49:871 4992 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84BCF650
14:14:49:871 4992 KLMD_ReadMem: Trying to ReadMemory 0x84BCF650[0x38]
14:14:49:871 4992 DetectCureTDL3: DRIVER_OBJECT: 84BAD9E8
14:14:49:871 4992 KLMD_ReadMem: Trying to ReadMemory 0x84BAD9E8[0xA8]
14:14:49:871 4992 KLMD_ReadMem: Trying to ReadMemory 0x83DE1BD8[0x20]
14:14:49:871 4992 DetectCureTDL3: DRIVER_OBJECT name: \Driver\viamraid, Driver Name: viamraid
14:14:49:871 4992 DetectCureTDL3: IrpHandler (0) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (1) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (2) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (3) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (4) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (5) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (6) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (7) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (8) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (9) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (10) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (11) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (12) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (13) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (14) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (15) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (16) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (17) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (18) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (19) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (20) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (21) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (22) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (23) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (24) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (25) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: IrpHandler (26) addr: 8077EF0C
14:14:49:871 4992 DetectCureTDL3: All IRP handlers pointed to one addr: 8077EF0C
14:14:49:871 4992 KLMD_ReadMem: Trying to ReadMemory 0x8077EF0C[0x400]
14:14:49:871 4992 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
14:14:49:871 4992 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
14:14:49:871 4992 KLMD_ReadMem: Trying to ReadMemory 0x84B6FA04[0x4]
14:14:49:871 4992 TDL3_IrpHookDetect: New IrpHandler addr: 86AC48C8
14:14:49:871 4992 KLMD_ReadMem: Trying to ReadMemory 0x86AC48C8[0x400]
14:14:49:871 4992 TDL3_IrpHookDetect: TDL3 is already cured
14:14:49:871 4992 TDL3_FileDetect: Processing driver: viamraid
14:14:49:871 4992 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\tsk6D9.tmp
14:14:49:871 4992 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\tsk6D9.tmp
14:14:49:902 4992 TDL3_FileDetect: C:\Windows\system32\drivers\tsk6D9.tmp - Verdict: Clean
14:14:49:902 4992
14:14:49:902 4992 Completed
14:14:49:902 4992
14:14:49:902 4992 Results:
14:14:49:902 4992 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
14:14:49:902 4992 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:14:49:902 4992 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:14:49:902 4992
14:14:49:902 4992 UnloadDriverW: NtUnloadDriver error 1
14:14:49:902 4992 KLMD_Unload: UnloadDriverW(klmd21) error 1
14:14:49:902 4992 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
14:14:49:902 4992 UtilityDeinit: KLMD(ARK) unloaded successfully


Thanks again for your help, and sorry for the mistake.
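As an added defender's-side example (not part of this thread, TDSSKiller, catchme or the Gmer MBR detector), the Python below cross-checks the two logs posted above: TDSSKiller's TDL3 tell for viamraid (every IRP handler slot resolving to one stub address, with the real hook target at 86AC48C8) against the Gmer MBR detector's `>>UNKNOWN [0x86AC48C8]<<` entry in the called-modules chain, which is the same address. The sample log lines are constructed excerpts of the output in this thread.

```python
"""Cross-check a TDSSKiller log against a Gmer MBR-detector report.
Added analysis helper for this thread, not part of either tool.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed excerpt of the TDSSKiller "Scanning Kernel memory" section.
TDSSKILLER_LOG = """\
14:06:07:920 4880 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\USBSTOR, Driver Name: USBSTOR
14:06:07:920 4880 DetectCureTDL3: IrpHandler (0) addr: 8C929B40
14:06:07:920 4880 DetectCureTDL3: IrpHandler (1) addr: 8201D1D9
14:06:07:920 4880 DetectCureTDL3: IrpHandler (2) addr: 8C929BB8
14:06:07:952 4880 TDL3_FileDetect: C:\\Windows\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: Clean
14:06:07:952 4880 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\viamraid, Driver Name: viamraid
14:06:07:952 4880 DetectCureTDL3: IrpHandler (0) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (1) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: IrpHandler (2) addr: 8077EF0C
14:06:07:952 4880 DetectCureTDL3: All IRP handlers pointed to one addr: 8077EF0C
14:06:07:952 4880 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
14:06:07:952 4880 TDL3_IrpHookDetect: New IrpHandler addr: 86AC48C8
14:06:07:952 4880 TDL3_FileDetect: C:\\Windows\\system32\\DRIVERS\\viamraid.sys - Verdict: Infected
"""

# Constructed excerpt of the Gmer "Stealth MBR rootkit" detector output.
MBR_DETECTOR_LOG = """\
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll viamraid.sys >>UNKNOWN [0x86AC48C8]<<
kernel: MBR read successfully
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\(\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
HOOK_RE = re.compile(r"New IrpHandler addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (\S+) - Verdict: (\w+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")


@dataclass
class DriverReport:
    """What TDSSKiller reported about one driver object in the disk stack."""
    name: str
    irp_handlers: List[str] = field(default_factory=list)
    hook_target: Optional[str] = None  # real handler behind the TDL3 stub
    verdict: Optional[str] = None      # on-disk file verdict, if logged

    def all_handlers_identical(self) -> bool:
        # A normal driver has distinct routines for different IRP_MJ_* codes;
        # every major-function slot resolving to one address is the TDL3 tell.
        return len(self.irp_handlers) > 1 and len(set(self.irp_handlers)) == 1


def parse_tdsskiller(text: str) -> Dict[str, DriverReport]:
    """Group IRP-handler, hook and verdict lines under the driver they follow."""
    reports: Dict[str, DriverReport] = {}
    current: Optional[DriverReport] = None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = DriverReport(name=m.group(2))
            reports[current.name] = current
            continue
        if current is None:
            continue
        if m := IRP_RE.search(line):
            current.irp_handlers.append(m.group(2).upper())
        elif m := HOOK_RE.search(line):
            current.hook_target = m.group(1).upper()
        elif m := VERDICT_RE.search(line):
            current.verdict = m.group(2)
    return reports


def unknown_mbr_modules(text: str) -> Set[str]:
    """Addresses the MBR detector could not attribute to any loaded module."""
    return {m.group(1).upper() for m in UNKNOWN_RE.finditer(text)}


def suspicious_drivers(reports: Dict[str, DriverReport], unknown: Set[str]) -> List[str]:
    """One finding line per driver that trips any of the three indicators."""
    findings = []
    for rep in reports.values():
        reasons = []
        if rep.all_handlers_identical():
            reasons.append("all IRP handlers share one address")
        if rep.hook_target and rep.hook_target in unknown:
            reasons.append(f"hook target {rep.hook_target} matches MBR detector UNKNOWN module")
        if rep.verdict and rep.verdict != "Clean":
            reasons.append(f"file verdict {rep.verdict}")
        if reasons:
            findings.append(f"{rep.name}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for finding in suspicious_drivers(parse_tdsskiller(TDSSKILLER_LOG),
                                      unknown_mbr_modules(MBR_DETECTOR_LOG)):
        print(finding)
```

Run against the full logs, it flags only viamraid; USBSTOR, whose handlers differ and whose file came back Clean, produces no finding.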

#12 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:30 PM

Posted 10 February 2010 - 06:13 PM

Reboot the machine and then let's see what we have. TDSS was the infection and the program has removed it.

We may need to rerun HostsXpert - which should now let us replace the hijacked file.

#13 collin81
  • Topic Starter
  • Members
  • 13 posts
  • Local time:09:30 AM

Posted 10 February 2010 - 07:30 PM

I believe we have a winner. Upon reboot I ran HostsXpert, and no more signs of the infection!

Are there any other steps I should take?

#14 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:30 PM

Posted 11 February 2010 - 04:10 PM

Let's run another scanner to make sure. I think you're clean but I like to see it on the screen.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
If that's good we can go to the important final instructions.
m0le is a proud member of UNITE

#15 collin81

collin81
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:30 AM

Posted 12 February 2010 - 12:45 PM

Due to the amount of time it takes to scan, I'm going to run the full scan on Saturday night, because it's hard for my computer to be down that long. I'll post the log when I'm finished, but I didn't want you to think I'm giving up on you.



