Computer Hope

Software => Computer viruses and spyware => Topic started by: punky on February 01, 2010, 03:39:32 PM

Title: here are my logs as requested
Post by: punky on February 01, 2010, 03:39:32 PM

thank you in advance for your help!



[Saving space, attachment deleted by admin]

Title: Re: here are my logs as requested
Post by: Dr Jay on February 01, 2010, 03:58:32 PM

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Title: Re: here are my logs as requested
Post by: punky on February 01, 2010, 06:11:45 PM

thanks for helping me...here yougo!

[Saving space, attachment deleted by admin]

Title: Re: here are my logs as requested
Post by: Dr Jay on February 01, 2010, 07:55:21 PM

Please download Cheetah-Anti-Rogue (http://hmoslabs.webs.com/Cheetah-Anti-Rogue.zip), and save to your Desktop.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
• Double-click on Cheetah-Anti-Rogue.cmd to start.
• It will finish quickly and launch a log.
• Post the contents of it in your next reply.

===

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky (http://telecharger.kaspersky.fr/GSI/GetSystemInfo.exe) and save it to your Desktop.
(http://www.spywareinfoforum.com/style_images/ip.boardpr/folder_post_icons/icon13.gif) Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.(http://i40.tinypic.com/2hd457o.gif)

(http://i41.tinypic.com/34gul1w.gif)

Set it to Maximum

(http://i41.tinypic.com/2n9gldh.gif)

(http://www.spywareinfoforum.com/style_images/ip.boardpr/folder_post_icons/icon13.gif)  IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


Click Create Report to run it.(http://i44.tinypic.com/2ekm73m.gif)

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser (http://www.getsysteminfo.com) and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

Title: Re: here are my logs as requested
Post by: punky on February 02, 2010, 05:59:23 AM

here you go

[Saving space, attachment deleted by admin]

Title: Re: here are my logs as requested
Post by: punky on February 02, 2010, 06:09:29 AM

heres the GSI parser URL

http://www.getsysteminfo.com/read.php?file=4e4c894ae5800dce43b32955ddd3d175

Title: Re: here are my logs as requested
Post by: Dr Jay on February 02, 2010, 08:22:57 AM

Open a run line by clicking start -> run

Copy and paste the following bolded text into the Open: box and click OK

cmd /k cd\ && dir c:\atapi.sys /a /s > atapi.txt && notepad atapi.txt

Paste back the contents of the atapi.txt

===

Title: Re: here are my logs as requested
Post by: punky on February 02, 2010, 08:59:08 AM

 Volume in drive C has no label.
 Volume Serial Number is 00CF-C567

 Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008  02:40 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\drivers

01/31/2010  10:19 PM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386

08/04/2004  08:00 PM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386

08/03/2004  10:59 PM            95,360 atapi.sys
               1 File(s)         95,360 bytes

     Total Files Listed:
               4 File(s)        382,592 bytes
               0 Dir(s)  33,185,346,048 bytes free

Title: Re: here are my logs as requested
Post by: Dr Jay on February 02, 2010, 02:10:54 PM

Jotti File Submission:

• Please go to Jotti's malware scan (http://virusscan.jotti.org/)
  
  
• Copy and paste the following file path into  the  "File to upload & scan"box on the top of the page:
  
  
  • C:\WINDOWS\SYSTEM32\drivers\atapi.sys
• Click on the submit button
• Please post the results (URL) in your next reply.

NOTE: re-scan the file. Please do not get a past result.

Title: Re: here are my logs as requested
Post by: punky on February 02, 2010, 02:29:41 PM

says it found nothing ???

http://virusscan.jotti.org/en/scanresult/875c16c3403d418b84e6bb5e79d2de57524f8e1f


i keep getting a redirect called Searchclick8

Title: Re: here are my logs as requested
Post by: Dr Jay on February 02, 2010, 02:37:46 PM

Please download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Title: Re: here are my logs as requested
Post by: punky on February 02, 2010, 04:49:06 PM

i just ran GMER and it ended then shut down the PC....when the PC rebooted, after the MICROSOFT WINDOWS XP page , it went to a black screen and would not move to the page where I enter my password....so I restarted it and was able to get thru...I Rerun GMER and i get the blue screen of death, and it shuts the PC again....now what?

Title: Re: here are my logs as requested
Post by: Dr Jay on February 03, 2010, 08:33:19 AM

It's being blocked by a rootkit.

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code: [Select]

@echo off
Copy /y gmer.exe ark.exe
Start ark.exe
Save it into the gmer folder as  File name: ark.cmd
Save as type: All Files

Once done, double click ark.cmd to run it.

This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.

Title: Re: here are my logs as requested
Post by: punky on February 03, 2010, 11:10:32 AM

still didnt work....same thing....runs for awhile, blue screen reboot, then Microsoft popup "The system has recovered from a serious error"

heres the data of the error
BCCode : 10000050     BCP1 : E4C84000     BCP2 : 00000000     BCP3 : B6F79C3E
BCP4 : 00000001     OSVer : 5_1_2600     SP : 3_0     Product : 256_1     

Title: Re: here are my logs as requested
Post by: Dr Jay on February 03, 2010, 12:10:17 PM

Oh ok...

Download this << file >> (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code: [Select]

@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0Save this as fix.bat Choose to "Save type as  - All Files"
It should look like this: (http://i266.photobucket.com/albums/ii277/sUBs_/bat_icon.gif)
Double click on fix.bat & allow it to run

Post back to tell me what it says

Title: Re: here are my logs as requested
Post by: punky on February 03, 2010, 02:32:11 PM

16:31:37:218 3128   TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:31:37:218 3128   ================================================================================
16:31:37:218 3128   SystemInfo:

16:31:37:218 3128   OS Version: 5.1.2600 ServicePack: 3.0
16:31:37:218 3128   Product type: Workstation
16:31:37:218 3128   ComputerName: BOOBOO
16:31:37:218 3128   UserName: tony
16:31:37:218 3128   Windows directory: C:\WINDOWS
16:31:37:218 3128   Processor architecture: Intel x86
16:31:37:218 3128   Number of processors: 2
16:31:37:218 3128   Page size: 0x1000
16:31:37:218 3128   Boot type: Normal boot
16:31:37:218 3128   ================================================================================
16:31:37:234 3128   UnloadDriverW: NtUnloadDriver error 2
16:31:37:234 3128   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:31:37:234 3128   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:31:37:234 3128   UtilityInit: KLMD drop and load success
16:31:37:234 3128   KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:31:37:234 3128   UtilityInit: KLMD open success
16:31:37:234 3128   UtilityInit: Initialize success
16:31:37:234 3128   
16:31:37:234 3128   Scanning   Services ...
16:31:37:234 3128   CreateRegParser: Registry parser init started
16:31:37:234 3128   DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
16:31:37:234 3128   CreateRegParser: DisableWow64Redirection error
16:31:37:234 3128   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:31:37:234 3128   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
16:31:37:234 3128   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:31:37:234 3128   wfopen_ex: Trying to KLMD file open
16:31:37:234 3128   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
16:31:37:234 3128   wfopen_ex: File opened ok (Flags 2)
16:31:37:234 3128   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 394970
16:31:37:234 3128   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:31:37:234 3128   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
16:31:37:234 3128   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:31:37:234 3128   wfopen_ex: Trying to KLMD file open
16:31:37:234 3128   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
16:31:37:234 3128   wfopen_ex: File opened ok (Flags 2)
16:31:37:234 3128   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 394A18
16:31:37:234 3128   EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
16:31:37:234 3128   CreateRegParser: EnableWow64Redirection error
16:31:37:234 3128   CreateRegParser: RegParser init completed
16:31:37:671 3128   GetAdvancedServicesInfo: Raw services enum returned 376 services
16:31:37:687 3128   fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:31:37:687 3128   fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:31:37:687 3128   
16:31:37:687 3128   Scanning   Kernel memory ...
16:31:37:687 3128   KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:31:37:687 3128   DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8714C348
16:31:37:687 3128   DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
16:31:37:687 3128   
16:31:37:687 3128   DetectCureTDL3: DEVICE_OBJECT: 871DF958
16:31:37:687 3128   KLMD_GetLowerDeviceObject: Trying to get lower device object for 871DF958
16:31:37:687 3128   KLMD_ReadMem: Trying to ReadMemory 0x871DF958[0x38]
16:31:37:687 3128   DetectCureTDL3: DRIVER_OBJECT: 8714C348
16:31:37:687 3128   KLMD_ReadMem: Trying to ReadMemory 0x8714C348[0xA8]
16:31:37:687 3128   KLMD_ReadMem: Trying to ReadMemory 0xE18BC8B8[0x18]
16:31:37:687 3128   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:687 3128   DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:687 3128   DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:687 3128   DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:687 3128   DetectCureTDL3: IrpHandler (4) addr: F75BCD1F
16:31:37:687 3128   DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:687 3128   DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:687 3128   DetectCureTDL3: IrpHandler (15) addr: F75C0F28
16:31:37:687 3128   DetectCureTDL3: IrpHandler (16) addr: F75BD2E2
16:31:37:687 3128   DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (22) addr: F75BEC82
16:31:37:687 3128   DetectCureTDL3: IrpHandler (23) addr: F75C399E
16:31:37:687 3128   DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:687 3128   DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:687 3128   TDL3_FileDetect: Processing driver: Disk
16:31:37:687 3128   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:687 3128   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128   
16:31:37:703 3128   DetectCureTDL3: DEVICE_OBJECT: 87148C68
16:31:37:703 3128   KLMD_GetLowerDeviceObject: Trying to get lower device object for 87148C68
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0x87148C68[0x38]
16:31:37:703 3128   DetectCureTDL3: DRIVER_OBJECT: 8714C348
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0x8714C348[0xA8]
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0xE18BC8B8[0x18]
16:31:37:703 3128   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:703 3128   DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:703 3128   DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:703 3128   DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:703 3128   DetectCureTDL3: IrpHandler (4) addr: F75BCD1F
16:31:37:703 3128   DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:703 3128   DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:703 3128   DetectCureTDL3: IrpHandler (15) addr: F75C0F28
16:31:37:703 3128   DetectCureTDL3: IrpHandler (16) addr: F75BD2E2
16:31:37:703 3128   DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (22) addr: F75BEC82
16:31:37:703 3128   DetectCureTDL3: IrpHandler (23) addr: F75C399E
16:31:37:703 3128   DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:703 3128   TDL3_FileDetect: Processing driver: Disk
16:31:37:703 3128   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128   
16:31:37:703 3128   DetectCureTDL3: DEVICE_OBJECT: 871E76F8
16:31:37:703 3128   KLMD_GetLowerDeviceObject: Trying to get lower device object for 871E76F8
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0x871E76F8[0x38]
16:31:37:703 3128   DetectCureTDL3: DRIVER_OBJECT: 8714C348
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0x8714C348[0xA8]
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0xE18BC8B8[0x18]
16:31:37:703 3128   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:703 3128   DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:703 3128   DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:703 3128   DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:703 3128   DetectCureTDL3: IrpHandler (4) addr: F75BCD1F
16:31:37:703 3128   DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:703 3128   DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:703 3128   DetectCureTDL3: IrpHandler (15) addr: F75C0F28
16:31:37:703 3128   DetectCureTDL3: IrpHandler (16) addr: F75BD2E2
16:31:37:703 3128   DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (22) addr: F75BEC82
16:31:37:703 3128   DetectCureTDL3: IrpHandler (23) addr: F75C399E
16:31:37:703 3128   DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:703 3128   TDL3_FileDetect: Processing driver: Disk
16:31:37:703 3128   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128   
16:31:37:703 3128   DetectCureTDL3: DEVICE_OBJECT: 870D9AB8
16:31:37:703 3128   KLMD_GetLowerDeviceObject: Trying to get lower device object for 870D9AB8
16:31:37:703 3128   DetectCureTDL3: DEVICE_OBJECT: 870EC9E8
16:31:37:703 3128   KLMD_GetLowerDeviceObject: Trying to get lower device object for 870EC9E8
16:31:37:703 3128   DetectCureTDL3: DEVICE_OBJECT: 87148940
16:31:37:703 3128   KLMD_GetLowerDeviceObject: Trying to get lower device object for 87148940
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0x87148940[0x38]
16:31:37:703 3128   DetectCureTDL3: DRIVER_OBJECT: 8714BF38
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0x8714BF38[0xA8]
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0xE18B6968[0x1A]
16:31:37:703 3128   DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:31:37:703 3128   DetectCureTDL3: IrpHandler (0) addr: F73C96F2
16:31:37:703 3128   DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (2) addr: F73C96F2
16:31:37:703 3128   DetectCureTDL3: IrpHandler (3) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (4) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (9) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (14) addr: F73C9712
16:31:37:703 3128   DetectCureTDL3: IrpHandler (15) addr: F73C5852
16:31:37:703 3128   DetectCureTDL3: IrpHandler (16) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (22) addr: F73C973C
16:31:37:703 3128   DetectCureTDL3: IrpHandler (23) addr: F73D0336
16:31:37:703 3128   DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:703 3128   DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:703 3128   KLMD_ReadMem: Trying to ReadMemory 0xF73C6864[0x400]
16:31:37:703 3128   TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:31:37:703 3128   TDL3_FileDetect: Processing driver: atapi
16:31:37:703 3128   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
16:31:37:703 3128   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
16:31:37:734 3128   TDL3_FileDetect: C:\WINDOWS\system32\drivers\atapi.sys - Verdict: Clean
16:31:37:734 3128   
16:31:37:734 3128   Completed
16:31:37:734 3128   
16:31:37:734 3128   Results:
16:31:37:734 3128   Memory objects infected / cured / cured on reboot:   0 / 0 / 0
16:31:37:734 3128   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
16:31:37:734 3128   File objects infected / cured / cured on reboot:   0 / 0 / 0
16:31:37:734 3128   
16:31:37:734 3128   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:31:37:734 3128   UtilityDeinit: KLMD(ARK) unloaded successfully

Title: Re: here are my logs as requested
Post by: Dr Jay on February 03, 2010, 09:43:40 PM

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe (http://oldtimer.geekstogo.com/OTC.exe) by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or Changelog.fr (http://screen317.changelog.fr/SecurityCheck.exe).

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Title: Re: here are my logs as requested
Post by: punky on February 04, 2010, 11:22:04 AM

btw last night...I was recommended by a friend to use Kapersky online scanner...it said I only had 1 threat  C:\Documents and Settings\tony\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen   1   "

so i went thru all my files in outlook  and deleted them.....will that be sufficient?

did everthing you asked and here is the request:

 Results of screen317's Security Check version 0.99.1    
 Windows XP Service Pack 3 
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled! 
 Avira AntiVir Personal - Free Antivirus
 Antivirus up to date! 
``````````````````````````````
Anti-malware/Other Utilities Check:
 Spybot - Search & Destroy
 SUPERAntiSpyware Free Edition   
 CCleaner     
 Wise Disk Cleaner 4.84 
 Wise Registry Cleaner 4 Free 4.92
 Java(TM) 6 Update 17 
 Adobe Flash Player 10 
Adobe Reader 7.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check: 
objlist.exe by Laurent
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
 GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Title: Re: here are my logs as requested
Post by: Dr Jay on February 04, 2010, 01:21:52 PM

It should be fine.

Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com (http://www.java.com/en/download/manual.jsp).

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

• Tallemu Online Armor (http://www.tallemu.com/products-online-armor-free.php): the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall (http://www.comodo.com/home/internet-security/firewall.php): the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus (http://www.pctools.com/firewall/download/): free and excellent firewall.

AntiSpyware

• SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here (http://www.bleepingcomputer.com/tutorials/tutorial49.html).
  
• Spybot - Search & Destroy (http://www.safer-networking.org/en/tutorial/index.html).
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm (http://www.spywarewarrior.com/rogue_anti-spyware.htm)

Securing your computer

• Windows Updates (http://update.microsoft.com) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft.  To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file (http://hosts-file.net) replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com (http://www.getfirefox.com)
  
• Opera is available here: http://www.opera.com/download/ (http://www.opera.com/download/)
  

See this page (http://www.geekpolice.net/computer-security-f27/preventing-malware-and-being-resistant-to-the-dangers-of-the-internet-t16961.htm) for more info about malware and prevention.

Title: Re: here are my logs as requested
Post by: punky on February 04, 2010, 02:31:59 PM

Jay

 thank you so much for all your help and suggestions!