
Google Redirecting Issue.. maybe TDL3 rootkit?


This topic is locked
6 replies to this topic

#1 Divy

Divy

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 14 April 2010 - 07:50 PM

Computer type: Windows Vista HP
Browser: Firefox 3.5.3



So I've been experiencing the redirecting problem after clicking on a Google link. I haven't been redirected as often as I had before but I still see in my "History" a page called "nclk" which had redirected me before. Do I make any sense? I hope so. After searching for possible solutions, I came upon this website and have seen many with the same issue. Though I don't know if the solution is the same for everyone, thus making my own thread, sorry.

I currently have Malwarebytes + Spybot. Both updated and yet nothing harmful was found after completing their scans.

Found this topic and tried to follow it: http://www.bleepingcomputer.com/forums/t/308906/firefoxgoogle-search-redirection-suspect-rootkit/
I got up to the searching for agp440.sys by SystemLook.. don't know if it meant anything when it listed its findings (of which there was quite a list).

Sorry to be of bother. I appreciate any help I can get with this. Thank you for your time. Let me know if I need to give more info on my computer stats. ALSO, I won't be on much longer today and I have to work tomorrow but I shall try to be on ASAP after work. I ask for your patience and apologize to any helpers helping me for the long wait.

Edited by Divy, 14 April 2010 - 08:04 PM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:30 PM

Posted 14 April 2010 - 08:50 PM

Hello, it was good to have your own topic. Not always good to follow someone else's, as you probably did not run GMER.
You can post the SystemLook here and a GMER log.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Divy

Divy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 15 April 2010 - 07:03 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:06 on 14/04/2010 by Computer (Administrator - Elevation successful)

========== filefind ==========

Searching for "agp440.sys"
C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys --a--- 56376 bytes [04:25 03/05/2008] [07:42 19/01/2008] 13F9E33747E6B41A3FF305C37DB0D360
C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys --a--- 53864 bytes [10:25 02/11/2006] [09:49 02/11/2006] EF23439CDD587F64C2C1B8825CEAD7D8
C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys --a--- 56376 bytes [04:25 03/05/2008] [07:42 19/01/2008] 13F9E33747E6B41A3FF305C37DB0D360
C:\Windows\System32\drivers\AGP440.sys --a--- 53864 bytes [08:35 02/11/2006] [09:49 02/11/2006] EF23439CDD587F64C2C1B8825CEAD7D8
C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys --a--- 56376 bytes [04:25 03/05/2008] [07:42 19/01/2008] 13F9E33747E6B41A3FF305C37DB0D360
C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys --a--- 56376 bytes [04:25 03/05/2008] [07:42 19/01/2008] 13F9E33747E6B41A3FF305C37DB0D360

-=End Of File=-

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 18:57:37
Windows 6.0.6002 Service Pack 2
Running: 4xrqe9pt.exe; Driver: C:\Users\Computer\AppData\Local\Temp\kwrirkoc.sys


---- System - GMER 1.0.15 ----

INT 0x51 ? 83C99BF8
INT 0x62 ? 859E0F00
INT 0x72 ? 859E0F00
INT 0x72 ? 859E0F00
INT 0x82 ? 83C98BF8
INT 0x92 ? 83C99BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\sphr.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8679841B 5 Bytes JMP 859E04E0
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8AA04340, 0x3DA8C7, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8060C6D2] \SystemRoot\System32\Drivers\sphr.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8060C040] \SystemRoot\System32\Drivers\sphr.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8060C7FC] \SystemRoot\System32\Drivers\sphr.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8060C0BE] \SystemRoot\System32\Drivers\sphr.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8060C13C] \SystemRoot\System32\Drivers\sphr.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8061C048] \SystemRoot\System32\Drivers\sphr.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E37817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73E8A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E3BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E2F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E2E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73E68395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73E3DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E2FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E2FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73EBCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73E5C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E2D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E26853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E2687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2356] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E32AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x50 0x6D 0x90 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8E 0xEB 0x3E 0x72 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x50 0x6D 0x90 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8E 0xEB 0x3E 0x72 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E422E02C-1120-AAAC-7DAC-2EA002DB71DE}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E422E02C-1120-AAAC-7DAC-2EA002DB71DE}@hajpkeafphghlpmo 0x6A 0x61 0x63 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E422E02C-1120-AAAC-7DAC-2EA002DB71DE}@iappefanbmhnhmmmfa 0x69 0x61 0x64 0x68 ...

---- EOF - GMER 1.0.15 ----


thank you for helping me boopme
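One check the SystemLook step above exists to make, written out as an added example that is not code from this thread or from SystemLook: parse the filefind block and compare the MD5 of the installed AGP440.sys with the DriverStore and WinSxS copies of the same file. Assumed here: that a driver patched on disk by a rootkit hashes differently from those untouched backup copies; the mismatch sample at the end is constructed, not taken from the log.

```python
r"""Compare an installed driver's MD5 with the backup copies Windows keeps.

Added example, not code from this thread or from SystemLook. It parses the
"filefind" block SystemLook prints (format as in the log above) on the
assumption that a driver patched on disk leaves C:\Windows\System32\drivers\<name>
hashing differently from the untouched DriverStore / WinSxS copies.
"""
import re
from collections import defaultdict

# One filefind result line: <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>\S{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Sample input copied from the SystemLook log posted above.
POSTED_LOG = r"""
Searching for "agp440.sys"
C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys --a--- 56376 bytes [04:25 03/05/2008] [07:42 19/01/2008] 13F9E33747E6B41A3FF305C37DB0D360
C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys --a--- 53864 bytes [10:25 02/11/2006] [09:49 02/11/2006] EF23439CDD587F64C2C1B8825CEAD7D8
C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys --a--- 56376 bytes [04:25 03/05/2008] [07:42 19/01/2008] 13F9E33747E6B41A3FF305C37DB0D360
C:\Windows\System32\drivers\AGP440.sys --a--- 53864 bytes [08:35 02/11/2006] [09:49 02/11/2006] EF23439CDD587F64C2C1B8825CEAD7D8
C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys --a--- 56376 bytes [04:25 03/05/2008] [07:42 19/01/2008] 13F9E33747E6B41A3FF305C37DB0D360
C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys --a--- 56376 bytes [04:25 03/05/2008] [07:42 19/01/2008] 13F9E33747E6B41A3FF305C37DB0D360
"""

# Constructed input (not from the thread): same file, but the installed copy's
# hash matches none of the backups, which is what a patched driver looks like.
CONSTRUCTED_MISMATCH = r"""
Searching for "agp440.sys"
C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys --a--- 53864 bytes [10:25 02/11/2006] [09:49 02/11/2006] EF23439CDD587F64C2C1B8825CEAD7D8
C:\Windows\System32\drivers\AGP440.sys --a--- 53864 bytes [08:35 02/11/2006] [09:49 02/11/2006] 00000000000000000000000000000001
"""

def parse_filefind(text):
    """Return dicts (path, size, md5) for every result line in a filefind block."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append({"path": m["path"], "size": int(m["size"]), "md5": m["md5"].upper()})
    return out

def classify(path):
    """'backup' for DriverStore/WinSxS copies, 'live' for the copy the kernel loads."""
    p = path.lower()
    if "\\driverstore\\" in p or "\\winsxs\\" in p:
        return "backup"
    return "live" if "\\system32\\drivers\\" in p else "other"

def check_live_drivers(entries):
    """Map each live driver path to {'md5', 'verdict', 'backups'}.

    verdict is 'consistent' (hash equals a backup copy), 'mismatch' (it equals
    none of them) or 'no-backup' (nothing to compare against).
    """
    backups = defaultdict(set)
    for e in entries:
        if classify(e["path"]) == "backup":
            backups[e["path"].rsplit("\\", 1)[-1].lower()].add(e["md5"])
    report = {}
    for e in entries:
        if classify(e["path"]) != "live":
            continue
        refs = backups.get(e["path"].rsplit("\\", 1)[-1].lower(), set())
        verdict = "no-backup" if not refs else "consistent" if e["md5"] in refs else "mismatch"
        report[e["path"]] = {"md5": e["md5"], "verdict": verdict, "backups": sorted(refs)}
    return report

if __name__ == "__main__":
    for path, info in check_live_drivers(parse_filefind(POSTED_LOG)).items():
        print(f"{info['verdict']:<10} {path}  md5={info['md5']}")
```

On the log in this post the installed copy hashes to EF23439CDD587F64C2C1B8825CEAD7D8, the same value as one DriverStore copy, so the check reports it consistent.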

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:30 PM

Posted 15 April 2010 - 07:49 PM

You're welcome..
Let's run TDSSKiller, then run a new GMER.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


#5 Divy

Divy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 15 April 2010 - 09:04 PM

21:02:20:779 0480 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
21:02:20:779 0480 ================================================================================
21:02:20:779 0480 SystemInfo:

21:02:20:779 0480 OS Version: 6.0.6002 ServicePack: 2.0
21:02:20:779 0480 Product type: Workstation
21:02:20:779 0480 ComputerName: COMPUTER-PC
21:02:20:779 0480 UserName: Computer
21:02:20:779 0480 Windows directory: C:\Windows
21:02:20:779 0480 Processor architecture: Intel x86
21:02:20:779 0480 Number of processors: 2
21:02:20:779 0480 Page size: 0x1000
21:02:20:779 0480 Boot type: Normal boot
21:02:20:779 0480 ================================================================================
21:02:20:805 0480 UnloadDriverW: NtUnloadDriver error 2
21:02:20:805 0480 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
21:02:24:965 0480 wfopen_ex: Trying to open file C:\Windows\system32\config\system
21:02:24:965 0480 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:02:24:965 0480 wfopen_ex: Trying to KLMD file open
21:02:24:965 0480 wfopen_ex: File opened ok (Flags 2)
21:02:24:974 0480 wfopen_ex: Trying to open file C:\Windows\system32\config\software
21:02:24:974 0480 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:02:24:974 0480 wfopen_ex: Trying to KLMD file open
21:02:24:974 0480 wfopen_ex: File opened ok (Flags 2)
21:02:24:974 0480 Initialize success
21:02:24:974 0480
21:02:24:974 0480 Scanning Services ...
21:02:25:628 0480 Raw services enum returned 426 services
21:02:25:661 0480
21:02:25:661 0480 Scanning Kernel memory ...
21:02:25:662 0480 Devices to scan: 5
21:02:25:662 0480
21:02:25:662 0480 Driver Name: USBSTOR
21:02:25:662 0480 IRP_MJ_CREATE : 8BFAD1F8
21:02:25:662 0480 IRP_MJ_CREATE_NAMED_PIPE : 8222DA22
21:02:25:662 0480 IRP_MJ_CLOSE : 8BFAD1F8
21:02:25:662 0480 IRP_MJ_READ : 8BFAD1F8
21:02:25:662 0480 IRP_MJ_WRITE : 8BFAD1F8
21:02:25:662 0480 IRP_MJ_QUERY_INFORMATION : 8222DA22
21:02:25:662 0480 IRP_MJ_SET_INFORMATION : 8222DA22
21:02:25:662 0480 IRP_MJ_QUERY_EA : 8222DA22
21:02:25:662 0480 IRP_MJ_SET_EA : 8222DA22
21:02:25:662 0480 IRP_MJ_FLUSH_BUFFERS : 8222DA22
21:02:25:662 0480 IRP_MJ_QUERY_VOLUME_INFORMATION : 8222DA22
21:02:25:662 0480 IRP_MJ_SET_VOLUME_INFORMATION : 8222DA22
21:02:25:662 0480 IRP_MJ_DIRECTORY_CONTROL : 8222DA22
21:02:25:662 0480 IRP_MJ_FILE_SYSTEM_CONTROL : 8222DA22
21:02:25:662 0480 IRP_MJ_DEVICE_CONTROL : 8BFAD1F8
21:02:25:662 0480 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8BFAD1F8
21:02:25:662 0480 IRP_MJ_SHUTDOWN : 8222DA22
21:02:25:662 0480 IRP_MJ_LOCK_CONTROL : 8222DA22
21:02:25:662 0480 IRP_MJ_CLEANUP : 8222DA22
21:02:25:662 0480 IRP_MJ_CREATE_MAILSLOT : 8222DA22
21:02:25:662 0480 IRP_MJ_QUERY_SECURITY : 8222DA22
21:02:25:663 0480 IRP_MJ_SET_SECURITY : 8222DA22
21:02:25:663 0480 IRP_MJ_POWER : 8BFAD1F8
21:02:25:663 0480 IRP_MJ_SYSTEM_CONTROL : 8BFAD1F8
21:02:25:663 0480 IRP_MJ_DEVICE_CHANGE : 8222DA22
21:02:25:663 0480 IRP_MJ_QUERY_QUOTA : 8222DA22
21:02:25:663 0480 IRP_MJ_SET_QUOTA : 8222DA22
21:02:25:713 0480 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:02:25:713 0480
21:02:25:713 0480 Driver Name: USBSTOR
21:02:25:713 0480 IRP_MJ_CREATE : 8BFAD1F8
21:02:25:713 0480 IRP_MJ_CREATE_NAMED_PIPE : 8222DA22
21:02:25:713 0480 IRP_MJ_CLOSE : 8BFAD1F8
21:02:25:713 0480 IRP_MJ_READ : 8BFAD1F8
21:02:25:713 0480 IRP_MJ_WRITE : 8BFAD1F8
21:02:25:713 0480 IRP_MJ_QUERY_INFORMATION : 8222DA22
21:02:25:713 0480 IRP_MJ_SET_INFORMATION : 8222DA22
21:02:25:713 0480 IRP_MJ_QUERY_EA : 8222DA22
21:02:25:713 0480 IRP_MJ_SET_EA : 8222DA22
21:02:25:713 0480 IRP_MJ_FLUSH_BUFFERS : 8222DA22
21:02:25:713 0480 IRP_MJ_QUERY_VOLUME_INFORMATION : 8222DA22
21:02:25:713 0480 IRP_MJ_SET_VOLUME_INFORMATION : 8222DA22
21:02:25:713 0480 IRP_MJ_DIRECTORY_CONTROL : 8222DA22
21:02:25:713 0480 IRP_MJ_FILE_SYSTEM_CONTROL : 8222DA22
21:02:25:714 0480 IRP_MJ_DEVICE_CONTROL : 8BFAD1F8
21:02:25:714 0480 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8BFAD1F8
21:02:25:714 0480 IRP_MJ_SHUTDOWN : 8222DA22
21:02:25:714 0480 IRP_MJ_LOCK_CONTROL : 8222DA22
21:02:25:714 0480 IRP_MJ_CLEANUP : 8222DA22
21:02:25:714 0480 IRP_MJ_CREATE_MAILSLOT : 8222DA22
21:02:25:714 0480 IRP_MJ_QUERY_SECURITY : 8222DA22
21:02:25:714 0480 IRP_MJ_SET_SECURITY : 8222DA22
21:02:25:714 0480 IRP_MJ_POWER : 8BFAD1F8
21:02:25:714 0480 IRP_MJ_SYSTEM_CONTROL : 8BFAD1F8
21:02:25:714 0480 IRP_MJ_DEVICE_CHANGE : 8222DA22
21:02:25:714 0480 IRP_MJ_QUERY_QUOTA : 8222DA22
21:02:25:714 0480 IRP_MJ_SET_QUOTA : 8222DA22
21:02:25:716 0480 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:02:25:716 0480
21:02:25:716 0480 Driver Name: USBSTOR
21:02:25:716 0480 IRP_MJ_CREATE : 8BFAD1F8
21:02:25:716 0480 IRP_MJ_CREATE_NAMED_PIPE : 8222DA22
21:02:25:716 0480 IRP_MJ_CLOSE : 8BFAD1F8
21:02:25:716 0480 IRP_MJ_READ : 8BFAD1F8
21:02:25:716 0480 IRP_MJ_WRITE : 8BFAD1F8
21:02:25:716 0480 IRP_MJ_QUERY_INFORMATION : 8222DA22
21:02:25:716 0480 IRP_MJ_SET_INFORMATION : 8222DA22
21:02:25:716 0480 IRP_MJ_QUERY_EA : 8222DA22
21:02:25:716 0480 IRP_MJ_SET_EA : 8222DA22
21:02:25:716 0480 IRP_MJ_FLUSH_BUFFERS : 8222DA22
21:02:25:716 0480 IRP_MJ_QUERY_VOLUME_INFORMATION : 8222DA22
21:02:25:717 0480 IRP_MJ_SET_VOLUME_INFORMATION : 8222DA22
21:02:25:717 0480 IRP_MJ_DIRECTORY_CONTROL : 8222DA22
21:02:25:717 0480 IRP_MJ_FILE_SYSTEM_CONTROL : 8222DA22
21:02:25:717 0480 IRP_MJ_DEVICE_CONTROL : 8BFAD1F8
21:02:25:717 0480 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8BFAD1F8
21:02:25:717 0480 IRP_MJ_SHUTDOWN : 8222DA22
21:02:25:717 0480 IRP_MJ_LOCK_CONTROL : 8222DA22
21:02:25:717 0480 IRP_MJ_CLEANUP : 8222DA22
21:02:25:717 0480 IRP_MJ_CREATE_MAILSLOT : 8222DA22
21:02:25:717 0480 IRP_MJ_QUERY_SECURITY : 8222DA22
21:02:25:717 0480 IRP_MJ_SET_SECURITY : 8222DA22
21:02:25:717 0480 IRP_MJ_POWER : 8BFAD1F8
21:02:25:717 0480 IRP_MJ_SYSTEM_CONTROL : 8BFAD1F8
21:02:25:717 0480 IRP_MJ_DEVICE_CHANGE : 8222DA22
21:02:25:717 0480 IRP_MJ_QUERY_QUOTA : 8222DA22
21:02:25:717 0480 IRP_MJ_SET_QUOTA : 8222DA22
21:02:25:719 0480 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:02:25:719 0480
21:02:25:719 0480 Driver Name: USBSTOR
21:02:25:719 0480 IRP_MJ_CREATE : 8BFAD1F8
21:02:25:719 0480 IRP_MJ_CREATE_NAMED_PIPE : 8222DA22
21:02:25:719 0480 IRP_MJ_CLOSE : 8BFAD1F8
21:02:25:719 0480 IRP_MJ_READ : 8BFAD1F8
21:02:25:719 0480 IRP_MJ_WRITE : 8BFAD1F8
21:02:25:719 0480 IRP_MJ_QUERY_INFORMATION : 8222DA22
21:02:25:719 0480 IRP_MJ_SET_INFORMATION : 8222DA22
21:02:25:719 0480 IRP_MJ_QUERY_EA : 8222DA22
21:02:25:719 0480 IRP_MJ_SET_EA : 8222DA22
21:02:25:719 0480 IRP_MJ_FLUSH_BUFFERS : 8222DA22
21:02:25:719 0480 IRP_MJ_QUERY_VOLUME_INFORMATION : 8222DA22
21:02:25:719 0480 IRP_MJ_SET_VOLUME_INFORMATION : 8222DA22
21:02:25:719 0480 IRP_MJ_DIRECTORY_CONTROL : 8222DA22
21:02:25:719 0480 IRP_MJ_FILE_SYSTEM_CONTROL : 8222DA22
21:02:25:719 0480 IRP_MJ_DEVICE_CONTROL : 8BFAD1F8
21:02:25:719 0480 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8BFAD1F8
21:02:25:719 0480 IRP_MJ_SHUTDOWN : 8222DA22
21:02:25:720 0480 IRP_MJ_LOCK_CONTROL : 8222DA22
21:02:25:720 0480 IRP_MJ_CLEANUP : 8222DA22
21:02:25:720 0480 IRP_MJ_CREATE_MAILSLOT : 8222DA22
21:02:25:720 0480 IRP_MJ_QUERY_SECURITY : 8222DA22
21:02:25:720 0480 IRP_MJ_SET_SECURITY : 8222DA22
21:02:25:720 0480 IRP_MJ_POWER : 8BFAD1F8
21:02:25:720 0480 IRP_MJ_SYSTEM_CONTROL : 8BFAD1F8
21:02:25:720 0480 IRP_MJ_DEVICE_CHANGE : 8222DA22
21:02:25:720 0480 IRP_MJ_QUERY_QUOTA : 8222DA22
21:02:25:720 0480 IRP_MJ_SET_QUOTA : 8222DA22
21:02:25:722 0480 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:02:25:722 0480
21:02:25:722 0480 Driver Name: nvstor32
21:02:25:722 0480 IRP_MJ_CREATE : 8462B1F8
21:02:25:722 0480 IRP_MJ_CREATE_NAMED_PIPE : 8222DA22
21:02:25:722 0480 IRP_MJ_CLOSE : 8462B1F8
21:02:25:722 0480 IRP_MJ_READ : 8222DA22
21:02:25:722 0480 IRP_MJ_WRITE : 8222DA22
21:02:25:722 0480 IRP_MJ_QUERY_INFORMATION : 8222DA22
21:02:25:722 0480 IRP_MJ_SET_INFORMATION : 8222DA22
21:02:25:722 0480 IRP_MJ_QUERY_EA : 8222DA22
21:02:25:722 0480 IRP_MJ_SET_EA : 8222DA22
21:02:25:722 0480 IRP_MJ_FLUSH_BUFFERS : 8222DA22
21:02:25:722 0480 IRP_MJ_QUERY_VOLUME_INFORMATION : 8222DA22
21:02:25:722 0480 IRP_MJ_SET_VOLUME_INFORMATION : 8222DA22
21:02:25:722 0480 IRP_MJ_DIRECTORY_CONTROL : 8222DA22
21:02:25:722 0480 IRP_MJ_FILE_SYSTEM_CONTROL : 8222DA22
21:02:25:722 0480 IRP_MJ_DEVICE_CONTROL : 8462B1F8
21:02:25:723 0480 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8462B1F8
21:02:25:723 0480 IRP_MJ_SHUTDOWN : 8222DA22
21:02:25:723 0480 IRP_MJ_LOCK_CONTROL : 8222DA22
21:02:25:723 0480 IRP_MJ_CLEANUP : 8222DA22
21:02:25:723 0480 IRP_MJ_CREATE_MAILSLOT : 8222DA22
21:02:25:723 0480 IRP_MJ_QUERY_SECURITY : 8222DA22
21:02:25:723 0480 IRP_MJ_SET_SECURITY : 8222DA22
21:02:25:723 0480 IRP_MJ_POWER : 8462B1F8
21:02:25:723 0480 IRP_MJ_SYSTEM_CONTROL : 8462B1F8
21:02:25:723 0480 IRP_MJ_DEVICE_CHANGE : 8222DA22
21:02:25:723 0480 IRP_MJ_QUERY_QUOTA : 8222DA22
21:02:25:723 0480 IRP_MJ_SET_QUOTA : 8222DA22
21:02:25:741 0480 C:\Windows\system32\drivers\nvstor32.sys - Verdict: 1
21:02:25:741 0480
21:02:25:741 0480 Completed
21:02:25:741 0480
21:02:25:741 0480 Results:
21:02:25:742 0480 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
21:02:25:742 0480 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:02:25:742 0480 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:02:25:742 0480
21:02:25:743 0480 fclose_ex: Trying to close file C:\Windows\system32\config\system
21:02:25:743 0480 fclose_ex: Trying to close file C:\Windows\system32\config\software
21:02:25:745 0480 KLMD(ARK) unloaded successfully

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:30 PM

Posted 15 April 2010 - 09:52 PM

OK, that did not do it. I do not like these 2 files, kwrirkoc.sys and nvlddmkm.sys. Though the latter is with NVidia, I think it's involved.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Include the SystemLOOK and GMER logs you posted earlier.
Let me know if that went well.

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,106 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:30 PM

Posted 18 April 2010 - 08:23 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/310670/google-redirecting-problem/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.