
Google search results redirecting in Firefox, IE and Opera after removal of Internet Security 2010 on Windows XP


15 replies to this topic

#1 LisaDroesdov


Posted 15 February 2010 - 04:12 PM

My machine was recently infected with Internet Security 2010. I'm running Windows XP with Service Pack 3. After much tearing out of my hair, I cleared most of the infection up using Super Anti-Spyware, Malware Bytes Anti-Malware and a free trial of AVG Internet Security. All of the above were fully updated and I did uninstall, then reinstall MalwareBytes and run it again since I found information here stating that Internet Security 2010 damages MalwareBytes files.

Now the virus appears to be gone, but when I click a search result in Google it redirects to various spam URLs. Examples (altered to be non-clickable):

hxxp://bestsearchever.com/?q=avg%20free

hxxp://www.smarttechnik.com/search-results.aspx?keywords=avg+virus

This also happens when I copy and paste URLs that it has already redirected from into my browser bar, but not if I switch browsers and paste the URL into the new browser. More esoteric search terms sometimes don't produce redirects. Common terms like the names of various antivirus programs consistently do produce this result. Running rkill shuts down my browser but doesn't change this behavior once the browser is reopened. I checked add/remove programs and uninstalled something called "search assistant" or "search helper" or something like that, but that also had no effect.

Please help! This is one of the most frustrating infections I've ever dealt with. I'm sick of giving free traffic to spam sites every time I search!



#2 LisaDroesdov


Posted 16 February 2010 - 12:10 AM

Can anyone please help me with this? I do some work from home involving research and it is nearly impossible with this infection!

#3 fenzodahl512


Posted 16 February 2010 - 12:42 AM

Hi Lisa.. Let's begin with the steps below..

Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy, paste the results into Notepad, save it and attach it in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results


Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#4 LisaDroesdov


Posted 16 February 2010 - 02:22 AM

Hi Fenzodahl,

Thanks for the help. Unfortunately when I ran the GMER program it caused my computer to BSOD with message IRQL_DRIVER_NOT_LESS_OR_EQUAL (I think that's exact; I could be wrong). So I don't think I can use this tool. It ran for a while before it caused this error, but I'm afraid to try again and I think I should probably delete the file completely if it's causing instability. Is there another option?

-Lisa

#5 fenzodahl512


Posted 16 February 2010 - 02:37 AM

Let's use this tool instead..


Please download TDSSKiller.zip and unzip it to your Desktop

Run TDSSKiller and wait until it finishes (it should take just a few seconds, under a minute).. Then find the log on your %systemdrive% (the drive that contains Windows)

The log will be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)




#6 LisaDroesdov


Posted 16 February 2010 - 03:38 AM

I ran TDSSKiller, but I'm afraid I can't figure out how to attach a file as part of my reply. I must be missing something totally obvious, but could you point me in the right direction? I didn't want to just copy and paste in case that's not recommended here.

#7 fenzodahl512


Posted 16 February 2010 - 03:51 AM

Just copy/paste the log.. Don't worry, if I determine this one should be moved to the right subforum, I'll ask a moderator or higher-up to move it for me.



#8 LisaDroesdov


Posted 16 February 2010 - 04:01 AM

All right, here it is:



01:32:38:421 3384 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
01:32:38:421 3384 ================================================================================
01:32:38:421 3384 SystemInfo:

01:32:38:421 3384 OS Version: 5.1.2600 ServicePack: 3.0
01:32:38:421 3384 Product type: Workstation
01:32:38:421 3384 ComputerName: PUPPY
01:32:38:421 3384 UserName: Jelena
01:32:38:421 3384 Windows directory: C:\WINDOWS
01:32:38:421 3384 Processor architecture: Intel x86
01:32:38:421 3384 Number of processors: 2
01:32:38:421 3384 Page size: 0x1000
01:32:38:421 3384 Boot type: Normal boot
01:32:38:421 3384 ================================================================================
01:32:38:437 3384 UnloadDriverW: NtUnloadDriver error 2
01:32:38:437 3384 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
01:32:38:437 3384 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
01:32:38:546 3384 UtilityInit: KLMD drop and load success
01:32:38:546 3384 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
01:32:38:546 3384 UtilityInit: KLMD open success
01:32:38:546 3384 UtilityInit: Initialize success
01:32:38:546 3384
01:32:38:546 3384 Scanning Services ...
01:32:38:546 3384 CreateRegParser: Registry parser init started
01:32:38:546 3384 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
01:32:38:546 3384 CreateRegParser: DisableWow64Redirection error
01:32:38:546 3384 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
01:32:38:578 3384 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
01:32:38:578 3384 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
01:32:38:578 3384 wfopen_ex: Trying to KLMD file open
01:32:38:578 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
01:32:38:578 3384 wfopen_ex: File opened ok (Flags 2)
01:32:38:578 3384 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 394CF8
01:32:38:578 3384 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
01:32:38:578 3384 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
01:32:38:578 3384 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
01:32:38:578 3384 wfopen_ex: Trying to KLMD file open
01:32:38:578 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
01:32:38:578 3384 wfopen_ex: File opened ok (Flags 2)
01:32:38:578 3384 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 394DA0
01:32:38:578 3384 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
01:32:38:578 3384 CreateRegParser: EnableWow64Redirection error
01:32:38:578 3384 CreateRegParser: RegParser init completed
01:32:39:343 3384 GetAdvancedServicesInfo: Raw services enum returned 413 services
01:32:39:359 3384 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
01:32:39:375 3384 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
01:32:39:375 3384
01:32:39:375 3384 Scanning Kernel memory ...
01:32:39:375 3384 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
01:32:39:375 3384 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 87186910
01:32:39:375 3384 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
01:32:39:375 3384
01:32:39:375 3384 DetectCureTDL3: DEVICE_OBJECT: 87182C68
01:32:39:375 3384 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87182C68
01:32:39:375 3384 KLMD_ReadMem: Trying to ReadMemory 0x87182C68[0x38]
01:32:39:375 3384 DetectCureTDL3: DRIVER_OBJECT: 87186910
01:32:39:375 3384 KLMD_ReadMem: Trying to ReadMemory 0x87186910[0xA8]
01:32:39:375 3384 KLMD_ReadMem: Trying to ReadMemory 0xE1021220[0x18]
01:32:39:375 3384 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_CREATE : F7683BB0
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_CLOSE : F7683BB0
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_READ : F767DD1F
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_WRITE : F767DD1F
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F767E2E2
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F767E3BB
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7681F28
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_SHUTDOWN : F767E2E2
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_POWER : F767FC82
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F768499E
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
01:32:39:375 3384 TDL3_FileDetect: Processing driver: Disk
01:32:39:375 3384 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:375 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:421 3384 TDL3_FileDetect: Processing driver: Disk
01:32:39:421 3384 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:421 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:421 3384 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:32:39:421 3384
01:32:39:421 3384 DetectCureTDL3: DEVICE_OBJECT: 87173C68
01:32:39:421 3384 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87173C68
01:32:39:421 3384 KLMD_ReadMem: Trying to ReadMemory 0x87173C68[0x38]
01:32:39:421 3384 DetectCureTDL3: DRIVER_OBJECT: 87186910
01:32:39:421 3384 KLMD_ReadMem: Trying to ReadMemory 0x87186910[0xA8]
01:32:39:421 3384 KLMD_ReadMem: Trying to ReadMemory 0xE1021220[0x18]
01:32:39:421 3384 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_CREATE : F7683BB0
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_CLOSE : F7683BB0
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_READ : F767DD1F
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_WRITE : F767DD1F
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F767E2E2
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F767E3BB
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7681F28
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SHUTDOWN : F767E2E2
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_POWER : F767FC82
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F768499E
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
01:32:39:421 3384 TDL3_FileDetect: Processing driver: Disk
01:32:39:421 3384 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:421 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:421 3384 TDL3_FileDetect: Processing driver: Disk
01:32:39:421 3384 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:421 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:421 3384 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:32:39:421 3384
01:32:39:421 3384 DetectCureTDL3: DEVICE_OBJECT: 8714EC68
01:32:39:421 3384 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8714EC68
01:32:39:421 3384 KLMD_ReadMem: Trying to ReadMemory 0x8714EC68[0x38]
01:32:39:421 3384 DetectCureTDL3: DRIVER_OBJECT: 87186910
01:32:39:421 3384 KLMD_ReadMem: Trying to ReadMemory 0x87186910[0xA8]
01:32:39:421 3384 KLMD_ReadMem: Trying to ReadMemory 0xE1021220[0x18]
01:32:39:421 3384 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_CREATE : F7683BB0
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_CLOSE : F7683BB0
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_READ : F767DD1F
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_WRITE : F767DD1F
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F767E2E2
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F767E3BB
01:32:39:421 3384 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7681F28
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SHUTDOWN : F767E2E2
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_POWER : F767FC82
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F768499E
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
01:32:39:437 3384 TDL3_FileDetect: Processing driver: Disk
01:32:39:437 3384 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:437 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:437 3384 TDL3_FileDetect: Processing driver: Disk
01:32:39:437 3384 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:437 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
01:32:39:437 3384 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:32:39:437 3384
01:32:39:437 3384 DetectCureTDL3: DEVICE_OBJECT: 8714FAB8
01:32:39:437 3384 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8714FAB8
01:32:39:437 3384 DetectCureTDL3: DEVICE_OBJECT: 8711FF18
01:32:39:437 3384 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8711FF18
01:32:39:437 3384 DetectCureTDL3: DEVICE_OBJECT: 87177940
01:32:39:437 3384 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87177940
01:32:39:437 3384 KLMD_ReadMem: Trying to ReadMemory 0x87177940[0x38]
01:32:39:437 3384 DetectCureTDL3: DRIVER_OBJECT: 871A4960
01:32:39:437 3384 KLMD_ReadMem: Trying to ReadMemory 0x871A4960[0xA8]
01:32:39:437 3384 KLMD_ReadMem: Trying to ReadMemory 0xE100AD68[0x1A]
01:32:39:437 3384 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_CREATE : F74D06F2
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_CLOSE : F74D06F2
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_READ : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_WRITE : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F74D0712
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CC852
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_POWER : F74D073C
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F74D7336
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
01:32:39:437 3384 TDL3_FileDetect: Processing driver: atapi
01:32:39:437 3384 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
01:32:39:437 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
01:32:39:468 3384 KLMD_ReadMem: Trying to ReadMemory 0xF74CD864[0x400]
01:32:39:484 3384 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
01:32:39:484 3384 TDL3_FileDetect: Processing driver: atapi
01:32:39:484 3384 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
01:32:39:484 3384 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
01:32:39:500 3384 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
01:32:39:500 3384
01:32:39:500 3384 Completed
01:32:39:500 3384
01:32:39:500 3384 Results:
01:32:39:500 3384 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
01:32:39:500 3384 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
01:32:39:500 3384 File objects infected / cured / cured on reboot: 0 / 0 / 0
01:32:39:500 3384
01:32:39:500 3384 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
01:32:39:500 3384 UtilityDeinit: KLMD(ARK) unloaded successfully
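
As an added example for reading a log like the one above (not part of this thread and not TDSSKiller's own code), here is a small Python parser that pulls the per-driver IRP dispatch tables, the file verdicts and the result counters out of a TDSSKiller 2.x log and applies a simple sanity check: a dispatch entry that points far away from the rest of its driver's handlers, and is not one of the stub addresses shared by every driver, is flagged for a closer look. The embedded sample log is a constructed excerpt in the same format, with one entry deliberately altered so the check has something to flag; the 4 MiB distance threshold is an assumption, not a TDSSKiller rule.

```python
"""Summarise a TDSSKiller 2.x text log: per-driver IRP dispatch tables,
file verdicts, result counters, and a simple dispatch-pointer sanity check.

Added example for the thread; it is not TDSSKiller's own code. The sample
log below is a constructed excerpt in the format of the posted log, with one
dispatch entry deliberately altered so that the heuristic has something to flag.
"""
import re
import statistics
from collections import Counter

# Constructed excerpt (same line format as the posted log). The altered line is
# atapi's IRP_MJ_INTERNAL_DEVICE_CONTROL, which points nowhere near atapi's other
# handlers; every other address is copied from the log above.
SAMPLE_LOG = r"""
01:32:38:421 3384 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
01:32:39:375 3384 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_CREATE : F7683BB0
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_READ : F767DD1F
01:32:39:375 3384 DetectCureTDL3: IRP_MJ_WRITE : F767DD1F
01:32:39:421 3384 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:32:39:437 3384 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_CREATE : F74D06F2
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_CLOSE : F74D06F2
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_READ : 804F4562
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F74D0712
01:32:39:437 3384 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A3C1200
01:32:39:500 3384 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
01:32:39:500 3384 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
01:32:39:500 3384 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
01:32:39:500 3384 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})\b")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
RESULT_RE = re.compile(r"(Memory|Registry|File) objects infected / cured / cured on reboot: "
                       r"(\d+) / (\d+) / (\d+)")


def parse_tdsskiller_log(text):
    """Return (drivers, results). drivers: name -> {object, dispatch, verdict}.
    The log repeats a driver once per device object, so entries are merged."""
    drivers, results, current = {}, {}, None
    for line in text.splitlines():
        if m := DRIVER_RE.search(line):
            current = drivers.setdefault(
                m.group(2), {"object": m.group(1), "dispatch": {}, "verdict": None})
        elif (m := IRP_RE.search(line)) and current is not None:
            current["dispatch"][m.group(1)] = int(m.group(2), 16)
        elif m := VERDICT_RE.search(line):
            # "C:\...\DRIVERS\disk.sys" -> "disk", matched to the driver name case-insensitively
            stem = m.group(1).rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            for name, info in drivers.items():
                if name.lower() == stem:
                    info["verdict"] = m.group(2)
        elif m := RESULT_RE.search(line):
            results[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return drivers, results


def shared_kernel_stubs(drivers):
    """Addresses present in more than one driver's table are kernel-provided stubs
    for unimplemented majors (804F4562 in the posted log). With a single driver,
    fall back to that driver's most frequent address."""
    seen = Counter()
    for info in drivers.values():
        for addr in set(info["dispatch"].values()):
            seen[addr] += 1
    shared = {a for a, n in seen.items() if n >= 2}
    if not shared and seen:
        shared = {seen.most_common(1)[0][0]}
    return shared


def flag_dispatch_outliers(drivers, max_span=0x400000):
    """Heuristic (assumed threshold): a driver's own handlers live inside its image,
    so an entry more than max_span bytes from the median of the driver's non-stub
    handlers deserves a look. A legitimate filter or port driver can also own an
    entry, so a flag means 'investigate', not 'infected'."""
    stubs = shared_kernel_stubs(drivers)
    flagged = {}
    for name, info in drivers.items():
        own = [a for a in info["dispatch"].values() if a not in stubs]
        if len(own) < 2:
            continue
        anchor = statistics.median_low(own)
        bad = sorted((irp, a) for irp, a in info["dispatch"].items()
                     if a not in stubs and abs(a - anchor) > max_span)
        if bad:
            flagged[name] = bad
    return flagged


def summarize(text):
    """One dict a helper can read at a glance: verdicts, counters, flagged entries."""
    drivers, results = parse_tdsskiller_log(text)
    flagged = flag_dispatch_outliers(drivers)
    infected = sum(r[0] for r in results.values())
    return {"verdicts": {n: i["verdict"] for n, i in drivers.items()},
            "results": results, "flagged": flagged,
            "needs_followup": bool(flagged) or infected > 0}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for name, entries in report["flagged"].items():
        for irp, addr in entries:
            print(f"{name}: {irp} -> {addr:08X} is far from the driver's other handlers")
    print("follow-up needed:", report["needs_followup"])
```

Run over the log actually posted above, the same code reports no outliers (every Disk entry sits in the F767xxxx-F768xxxx range, every atapi entry in F74Cxxxx-F74Dxxxx, and 804F4562 is the shared stub) and all-zero counters, which is why the helper moves on to other tools.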

#9 fenzodahl512


Posted 16 February 2010 - 04:20 AM

Ok, I'm gonna ask a Moderator or higher-up to move this topic into the "Virus, Trojan, Spyware, and Malware Removal Logs" subforum below.. Then we'll continue from there.

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/



Edited by elise025, 16 February 2010 - 04:25 AM.
Moved as requested.



#10 fenzodahl512


Posted 16 February 2010 - 04:31 AM

Ok, now let's use a big gun..


Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step.
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished.
STOP! If you can't complete this step, tell me more about it..




Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#11 LisaDroesdov


Posted 17 February 2010 - 02:42 AM

I'm trying to follow the instructions. I got to the part with ComboFix and it's warning me that McAfee Virus Scan is still active. Only, I uninstalled McAfee a long time ago! There still seems to be a component of it on my system called "McAfee Personal Firewall Plus," and I can't find any disable option for it. I checked all four pages of the thread you linked. Any ideas?

#12 fenzodahl512


Posted 17 February 2010 - 06:03 AM

Please uninstall the McAfee Firewall first.. If it has indeed been uninstalled previously, just run ComboFix and ignore the warning.



#13 LisaDroesdov


Posted 18 February 2010 - 10:35 PM

OK! Sorry it took so long, but here's a log:

ComboFix 10-02-16.02 - Jelena 02/18/2010 20:08:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.365 [GMT -7:00]
Running from: c:\documents and settings\Jelena\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
c:\windows\system32\2cuh6S2WZ7.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-17 07:27 . 2010-02-17 07:27 -------- d-----w- c:\program files\ERUNT
2010-02-16 06:25 . 2010-02-16 06:25 -------- d-----w- c:\documents and settings\Jelena\Local Settings\Application Data\AVG Security Toolbar
2010-02-16 05:05 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-02-16 05:05 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-02-16 05:05 . 2008-04-14 00:11 28160 ----a-w- c:\windows\system32\irmon.dll
2010-02-16 05:05 . 2008-04-14 00:11 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll
2010-02-16 05:05 . 2008-04-14 00:12 151552 ----a-w- c:\windows\system32\irftp.exe
2010-02-16 05:05 . 2008-04-14 00:12 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe
2010-02-15 07:31 . 2010-02-15 07:31 -------- d-----w- C:\$AVG
2010-02-15 07:30 . 2010-02-15 07:30 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-02-15 07:30 . 2010-02-15 07:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-15 07:30 . 2010-02-15 07:30 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-15 07:30 . 2010-02-15 07:30 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-15 07:30 . 2010-02-15 07:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-15 07:30 . 2010-02-15 07:30 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-15 07:30 . 2010-02-19 03:00 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-15 07:30 . 2010-02-15 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-15 07:29 . 2010-02-16 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-15 05:33 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 05:33 . 2010-02-15 05:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 05:33 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-15 00:22 . 2010-02-15 00:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-12 08:10 . 2010-02-12 08:10 -------- d-----w- c:\program files\Trend Micro
2010-02-12 07:50 . 2010-02-12 07:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-29 08:55 . 2010-01-29 08:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-29 08:50 . 2010-01-29 08:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 03:20 . 2008-11-29 05:52 -------- d-----w- c:\documents and settings\Jelena\Application Data\WTablet
2010-02-17 07:52 . 2006-10-03 14:34 -------- d-----w- c:\documents and settings\Dazzle\Application Data\McAfee.com Personal Firewall
2010-02-16 06:50 . 2008-11-29 17:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-02-16 06:24 . 2006-08-10 09:15 39736 ----a-w- c:\documents and settings\Jelena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-16 06:22 . 2006-07-04 08:02 -------- d-----w- c:\program files\Google
2010-02-15 20:22 . 2006-07-04 07:47 -------- d-----w- c:\program files\Dell
2010-02-15 20:19 . 2007-12-18 05:38 -------- d-----w- c:\documents and settings\Jelena\Application Data\StumbleUpon
2010-02-15 07:30 . 2009-01-22 04:57 -------- d-----w- c:\program files\AVG
2010-02-15 04:39 . 2009-01-22 02:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 02:58 . 2008-01-17 02:32 -------- d-----w- c:\program files\Trillian
2010-02-12 02:56 . 2007-11-11 08:01 -------- d-----w- c:\documents and settings\Jelena\Application Data\U3
2010-01-29 09:19 . 2006-09-13 07:54 -------- d-----w- c:\documents and settings\Jelena\Application Data\OpenOffice.org2
2010-01-29 08:51 . 2006-07-04 07:51 -------- d-----w- c:\program files\Common Files\aolshare
2010-01-29 08:50 . 2009-01-22 02:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-29 08:43 . 2006-07-04 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-01-29 08:42 . 2007-02-28 03:29 -------- d-----w- c:\program files\Magic Workstation
2010-01-16 18:15 . 2010-01-16 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\kds_kodak
2010-01-16 18:14 . 2006-08-16 05:18 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-16 18:14 . 2006-08-16 05:18 88 --sh--r- c:\windows\system32\8C827517F5.sys
2010-01-05 10:00 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-21 15:51 . 2004-08-10 17:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-06-10 06:06 . 2007-06-10 06:06 6785 ----a-w- c:\program files\resume2.rtf
2007-06-10 06:06 . 2007-06-10 06:04 6785 ----a-w- c:\program files\resumevet.rtf
2007-05-25 01:42 . 2007-05-25 01:42 671894 ----a-w- c:\program files\commanderftp.exe
2007-05-24 23:42 . 2007-05-24 23:42 49384 ----a-w- c:\program files\transfer.zip
2002-08-01 01:55 . 2007-05-24 23:47 106 --sh--w- c:\windows\WSYS049.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 20:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"POV"="c:\program files\IPEVO\POV\POV.exe" [2007-12-14 1720320]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-15 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2004-11-09 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-08 1511424]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

c:\documents and settings\Jelena\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-23 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-02-15 04:39 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-15 07:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]
2005-07-13 21:54 118784 ----a-w- c:\program files\Broadcom\BACS\BacsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2005-05-19 13:47 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
2005-02-23 20:57 57344 ------w- c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 942]
2005-04-28 09:08 294912 ----a-w- c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellMCM]
2004-07-27 16:08 262144 ----a-w- c:\program files\Dell Photo AIO Printer 942\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-08-14 09:00 1838592 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-07-15 00:04 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-07-15 00:08 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-07-15 00:07 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 21:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-18 20:12 843776 ----a-w- c:\windows\vsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB300NSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"iPod Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"xmlprov"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"MskService"=2 (0x2)
"McShield"=2 (0x2)
"MpfService"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2/15/2010 12:30 AM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2/15/2010 12:30 AM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/15/2010 12:30 AM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/15/2010 12:30 AM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 2:17 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 2:17 PM 74480]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/15/2010 12:30 AM 285392]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2/15/2010 12:30 AM 5832712]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [4/17/2009 12:08 PM 32768]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [11/28/2008 10:50 PM 1373480]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [2/15/2010 12:30 AM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [2/15/2010 12:30 AM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [2/15/2010 12:30 AM 25736]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 2:17 PM 7408]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [5/4/2009 12:15 PM 279960]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/15/2007 7:11 PM 24652]
S4 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe [12/9/2008 8:32 PM 53307]
.
Contents of the 'Scheduled Tasks' folder

2010-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Jelena\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: musicmatch.com\online
DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} - hxxp://www.umediaserver.net/bin/UMediaControl4.cab
FF - ProfilePath - c:\documents and settings\Jelena\Application Data\Mozilla\Firefox\Profiles\hch1p4ev.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-McRegWiz - c:\progra~1\mcafee.com\agent\mcregwiz.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 20:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib]
@DACL=(02 0000)
@="{29D67D3C-509A-4544-903F-C8C1B8236554}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib]
@DACL=(02 0000)
@="{E47CAEE0-DEEA-464A-9326-3F2801535A4D}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\`*& 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\Ø*}*0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3920)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\snmp.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-02-18 20:29:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-19 03:29

Pre-Run: 48,808,329,216 bytes free
Post-Run: 52,320,411,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DCAE7DA5D5A99A81E0371DA62AD51EFD

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 19 February 2010 - 04:15 AM

Please show hidden files and folders

Please go to VirusTotal.

1. Browse these files.. You can only scan one file at a time

c:\windows\WSYS049.SYS

2. Hit the Send File >> Don't close the browser!

3. If the files have been analyzed before, click on the Reanalyze file now button

4. Let it do the scanning until it finishes

5. Copy the report and paste it here (alternatively you can just post the link of the result)

Note: you can only send one file at a time..




Please download HijackThis and save it into Desktop.
  • Double-click on HJTInstall.exe and install HijackThis in its default location C:\Program Files\Trend Micro\HijackThis folder
  • Next, please click on Do a system scan and save a logfile
  • After the scan has finished, a HijackThis log will pop up on your Desktop.
  • Please DO NOT fix anything inside HijackThis.. Most of the entries are legit and even needed..
  • Please post the content of that log in your next reply..

Edited by fenzodahl512, 19 February 2010 - 04:16 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 LisaDroesdov

LisaDroesdov
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:05 PM

Posted 19 February 2010 - 04:28 AM

Here's the VirusTotal link: http://www.virustotal.com/analisis/0880e8c...98c6-1266571526

Doing HijackThis now...



